Express dependency needs upgrade in @nestjs/platform-express

[mo-alaa]

Is there an existing issue for this?

• I have searched the existing issues

Current behavior

The express dependency depends on the cookie package which has a security vulnerability: CVE-2024-47764
This is solved in cookie version 0.7.0, i.e. express upgrade to the latest version: 4.21.1 which is why this dependency needs updating.

Minimum reproduction code

https://www.mend.io/vulnerability-database/CVE-2024-47764

Steps to reproduce

No response

Expected behavior

According to your policy security vulnerabilities should be sent via email, but I sent an email but got no response. That's why I opened this ticket.

Thank you :)

Package

• I don't know. Or some 3rd-party package
• @nestjs/common
• @nestjs/core
• @nestjs/microservices
• @nestjs/platform-express
• @nestjs/platform-fastify
• @nestjs/platform-socket.io
• @nestjs/platform-ws
• @nestjs/testing
• @nestjs/websockets
• Other (see below)

Other package

No response

NestJS version

10.4.4

Packages versions

"@nestjs/common": "^10.4.4",
"@nestjs/core": "^10.4.4",
"@nestjs/platform-express": "^10.4.4",

Node.js version

No response

In which operating systems have you tested?

• macOS
• Windows
• Linux

Other

No response

[ezintz]

Hello, I already created a pull request for those: #14060