[Snyk] Security upgrade express from 4.21.2 to 4.22.0#48
…emote-mcp-server-express-fly/package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-QS-14724253
The latest updates on your projects. Learn more about Vercel for GitHub.

Deploying with Vercel

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| 🔵 In progress (View logs) | weather-mcp-server | b52b75d | Jan 05 2026, 10:03 AM |
| 🔵 In progress (View logs) | brave-search-mcp-server | b52b75d | Jan 05 2026, 10:03 AM |
| ✅ Deployment successful! (View logs) | remote-mcp-server-bearer-auth | b52b75d | Jan 05 2026, 10:04 AM |

✅ Deploy Preview for express-mcp-server canceled.

✅ Deploy Preview for mcp-example-oauth canceled.
Pull request overview
This PR upgrades the Express framework from version 4.21.2 to 4.22.0 to address a critical security vulnerability (SNYK-JS-QS-14724253) related to "Allocation of Resources Without Limits or Throttling" in the qs package. The vulnerability has a severity score of 828/1000.
Key changes:
- Express dependency upgraded from ^4.21.2 to ^4.22.0 in package.json
- Express 4.22.0 uses the patched qs version 6.14.1 instead of vulnerable 6.13.0
- Dependency version ranges updated from exact to tilde (~) notation in the new express version
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| examples/remote-mcp-server-express-fly/package.json | Updates express dependency from ^4.21.2 to ^4.22.0 |
| examples/remote-mcp-server-express-fly/package-lock.json | Locks express to version 4.22.0, updates transitive dependencies including qs to 6.14.1, and introduces a nested express 4.21.2 under @descope/mcp-express due to version conflicts |
Files not reviewed (1)
- examples/remote-mcp-server-express-fly/package-lock.json: Language not supported
| "node_modules/@descope/mcp-express/node_modules/express": { | ||
| "version": "4.21.2", | ||
| "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz", | ||
| "integrity": "sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==", | ||
| "license": "MIT", | ||
| "dependencies": { | ||
| "accepts": "~1.3.8", | ||
| "array-flatten": "1.1.1", | ||
| "body-parser": "1.20.3", | ||
| "content-disposition": "0.5.4", | ||
| "content-type": "~1.0.4", | ||
| "cookie": "0.7.1", | ||
| "cookie-signature": "1.0.6", | ||
| "debug": "2.6.9", | ||
| "depd": "2.0.0", | ||
| "encodeurl": "~2.0.0", | ||
| "escape-html": "~1.0.3", | ||
| "etag": "~1.8.1", | ||
| "finalhandler": "1.3.1", | ||
| "fresh": "0.5.2", | ||
| "http-errors": "2.0.0", | ||
| "merge-descriptors": "1.0.3", | ||
| "methods": "~1.1.2", | ||
| "on-finished": "2.4.1", | ||
| "parseurl": "~1.3.3", | ||
| "path-to-regexp": "0.1.12", | ||
| "proxy-addr": "~2.0.7", | ||
| "qs": "6.13.0", | ||
| "range-parser": "~1.2.1", | ||
| "safe-buffer": "5.2.1", | ||
| "send": "0.19.0", | ||
| "serve-static": "1.16.2", | ||
| "setprototypeof": "1.2.0", | ||
| "statuses": "2.0.1", | ||
| "type-is": "~1.6.18", | ||
| "utils-merge": "1.0.1", | ||
| "vary": "~1.1.2" | ||
| }, | ||
| "engines": { | ||
| "node": ">= 0.10.0" | ||
| }, | ||
| "funding": { | ||
| "type": "opencollective", | ||
| "url": "https://opencollective.com/express" | ||
| } | ||
| }, |
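Review bot: the nested express copy added in this hunk still pins `"qs": "6.13.0"`, the exact version this PR exists to get rid of, so merging as-is leaves one vulnerable qs in the install tree even though the root express moved to 4.22.0; because the pin is exact rather than a range, `npm update` will not move it either. The fix belongs in package.json, not in the lockfile: bump @descope/mcp-express to a release that accepts express ^4.22.0, or, if no such release exists, add an `"overrides": { "qs": "6.14.1" }` entry so npm resolves the nested copy to the patched version, then regenerate package-lock.json and confirm that no `"version": "6.13.0"` entry for qs remains before re-running `npm audit`.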
The security fix is incomplete. While the main express dependency has been upgraded to 4.22.0 (which uses qs 6.14.1), a nested express 4.21.2 is being introduced under @descope/mcp-express/node_modules/express that still uses the vulnerable qs 6.13.0 (see line 95). This happens because @descope/mcp-express version 1.0.3 requires exactly express 4.21.2, which conflicts with the upgraded version.
To fully address the vulnerability SNYK-JS-QS-14724253, the @descope/mcp-express package should be upgraded to a version that supports express 4.22.0 or later. If such a version doesn't exist, consider reaching out to the package maintainers or temporarily forking/patching the dependency.
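The overview and the review comment above describe a general lockfile trap: a top-level bump of express does not touch a copy that another dependency pins under its own node_modules, so the vulnerable qs survives one level down. The following is an added example, not code from this repository, from Snyk or from Copilot: a small Node script that walks a package-lock.json and lists every installed copy of a package, flagging the copies below a given fixed version. The sample lockfile embedded in it is constructed to mirror the tree described above (root express 4.22.0 with qs 6.14.1, nested express 4.21.2 with qs 6.13.0 under @descope/mcp-express); the function names, the loadLockfile helper and the "fixed in 6.14.1" floor are assumptions of the example, taken from the overview comment rather than from the advisory itself.

```javascript
// Added example (not the project's, Snyk's or Copilot's code): enumerate every
// installed copy of a package in an npm lockfile, including nested copies that a
// top-level upgrade leaves untouched, and flag those older than a fixed version.

// Constructed sample lockfile (lockfileVersion 3 "packages" map) mirroring the
// PR: root express 4.22.0 -> qs 6.14.1, but @descope/mcp-express pins express
// 4.21.2, which drags in its own nested qs 6.13.0.
const SAMPLE_LOCK = {
  name: "remote-mcp-server-express-fly",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.22.0", "@descope/mcp-express": "1.0.3" } },
    "node_modules/express": { version: "4.22.0", dependencies: { qs: "~6.14.1" } },
    "node_modules/qs": { version: "6.14.1" },
    "node_modules/@descope/mcp-express": {
      version: "1.0.3",
      dependencies: { express: "4.21.2" },
    },
    "node_modules/@descope/mcp-express/node_modules/express": {
      version: "4.21.2",
      dependencies: { qs: "6.13.0" },
    },
    "node_modules/@descope/mcp-express/node_modules/qs": { version: "6.13.0" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into integers; pre-release/build suffixes are dropped,
// which is fine for the exact versions npm writes into a lockfile.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every installed copy of `name` as { path, version }.
// lockfileVersion 2/3 key "packages" by install path, so a nested copy lives at
// ".../node_modules/<name>"; lockfileVersion 1 nests "dependencies" objects
// instead, so that shape is walked recursively. A v2 file carries both maps and
// "packages" is the authoritative one.
function findInstalledCopies(lock, name) {
  const copies = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        copies.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) copies.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return copies;
}

// Copies of `name` older than `fixedIn`: exactly the ones a root-level bump misses.
function vulnerableCopies(lock, name, fixedIn) {
  return findInstalledCopies(lock, name).filter(
    (c) => compareVersions(c.version, fixedIn) < 0,
  );
}

// Human-readable report lines, one per remaining vulnerable copy.
function report(lock, name, fixedIn) {
  return vulnerableCopies(lock, name, fixedIn).map(
    (c) => `still vulnerable: ${c.path}@${c.version} (fixed in ${fixedIn})`,
  );
}

// Helper (assumed, not part of any tool): read a real lockfile from disk.
function loadLockfile(file) {
  const fs = require("node:fs");
  return JSON.parse(fs.readFileSync(file, "utf8"));
}

for (const line of report(SAMPLE_LOCK, "qs", "6.14.1")) console.log(line);
```

To run it against the PR's own tree, swap SAMPLE_LOCK for loadLockfile("examples/remote-mcp-server-express-fly/package-lock.json") and keep the call report(lock, "qs", "6.14.1"): a non-empty result means the upgrade is incomplete, which is the check worth adding to CI so that a fix PR like this one cannot merge while a nested vulnerable copy remains.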
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- examples/remote-mcp-server-express-fly/package.json
- examples/remote-mcp-server-express-fly/package-lock.json

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-QS-14724253
Important note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling