Skip to content

[Snyk] Security upgrade express from 4.21.2 to 4.22.0#72

Open
omercnet wants to merge 1 commit intomainfrom
snyk-fix-3acf8fb049efe138fb697ee0e4e611ce
Open

[Snyk] Security upgrade express from 4.21.2 to 4.22.0#72
omercnet wants to merge 1 commit intomainfrom
snyk-fix-3acf8fb049efe138fb697ee0e4e611ce

Conversation

@omercnet
Copy link
Member

@omercnet omercnet commented Feb 17, 2026

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • examples/express-mcp-server/package.json
  • examples/express-mcp-server/pnpm-lock.yaml

Vulnerabilities that will be fixed with an upgrade:

Issue Score
medium severity Allocation of Resources Without Limits or Throttling
SNYK-JS-QS-15268416		   708  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

@snyk-bot
fix: examples/express-mcp-server/package.json & examples/express-mcp-…
2b5b971 
…server/pnpm-lock.yaml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-QS-15268416
Copilot AI review requested due to automatic review settings February 17, 2026 13:59
@vercel
Copy link
Contributor

vercel bot commented Feb 17, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
ai Ready Ready Preview, Comment Feb 17, 2026 1:59pm
nextjs-descope-mcp-server Ready Ready Preview, Comment Feb 17, 2026 1:59pm

Request Review

@netlify
Copy link

netlify bot commented Feb 17, 2026
edited
Loading

Deploy Preview for mcp-example-oauth canceled.

Name Link
🔨 Latest commit 2b5b971
🔍 Latest deploy log https://app.netlify.com/projects/mcp-example-oauth/deploys/69947433756c630008a6ac1c

@netlify
Copy link

netlify bot commented Feb 17, 2026
edited
Loading

Deploy Preview for express-mcp-server failed. Why did it fail? →

Name Link
🔨 Latest commit 2b5b971
🔍 Latest deploy log https://app.netlify.com/projects/express-mcp-server/deploys/69947433a225700008054cfe

@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Feb 17, 2026

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs		 brave-search-mcp-server 2b5b971 Feb 17 2026, 01:59 PM

@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Feb 17, 2026

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs		 remote-mcp-server-bearer-auth 2b5b971 Feb 17 2026, 01:59 PM

@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Feb 17, 2026

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs		 weather-mcp-server 2b5b971 Feb 17 2026, 01:59 PM

@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Feb 17, 2026
edited
Loading

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs		 brave-search-mcp-server 2b5b971 Feb 17 2026, 01:59 PM

Copilot AI reviewed Feb 17, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the examples/express-mcp-server example’s Express dependency to address a Snyk-reported vulnerability (via Express’s qs dependency), and refreshes the pnpm lockfile accordingly.

Changes:

  • Bump express dependency range in examples/express-mcp-server/package.json.
  • Update examples/express-mcp-server/pnpm-lock.yaml to resolve express to 4.22.1 and add its new snapshot/package entries.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File Description
examples/express-mcp-server/package.json Updates the direct express dependency version range.
examples/express-mcp-server/pnpm-lock.yaml Updates the resolved Express version and lockfile entries for the new version.
Files not reviewed (1)
  • examples/express-mcp-server/pnpm-lock.yaml: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

examples/express-mcp-server/package.json
"cors": "^2.8.5",
"dotenv": "^16.4.7",
"express": "^4.21.2",
"express": "^4.22.0",
Copy link

Copilot AI Feb 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The dependency range for express in this package.json (^4.22.0) does not match the specifier recorded for express in pnpm-lock.yaml (^4.22.1). This indicates the lockfile was generated from a different package.json state and pnpm install will likely rewrite the lockfile. Align the version range (either update package.json to match the lock, or regenerate the lockfile from the current package.json).

Suggested change
"express": "^4.22.0",
"express": "^4.22.1",

Copilot uses AI. Check for mistakes.
examples/express-mcp-server/pnpm-lock.yaml
Comment on lines 26 to +28
express:
specifier: ^4.21.2
version: 4.21.2
specifier: ^4.22.1
version: 4.22.1
Copy link

Copilot AI Feb 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although the importer now resolves express to 4.22.1, this lockfile still includes and uses express@4.21.2 (e.g., via @descope/mcp-express), which in turn pulls qs@6.13.0. If the goal is to remediate the Snyk qs vulnerability, the fix may be incomplete as long as express@4.21.2 remains in the dependency graph. Regenerate the lockfile and/or update/override dependencies so no package installs express@4.21.2 (and thus qs@6.13.0).

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@gaokevin1 gaokevin1 Awaiting requested review from gaokevin1 gaokevin1 is a code owner

@anvibanga anvibanga Awaiting requested review from anvibanga anvibanga is a code owner

@mrunankpawar mrunankpawar Awaiting requested review from mrunankpawar mrunankpawar is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@omercnet @snyk-bot

Comments