Security: migrate RPC server to Express 5#14
Merged
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Removes the Express 4 path-to-regexp 0.1.x override (was a workaround for GHSA-37ch-88jc-xwx2). Express 5 ships with a modern router that uses path-to-regexp 8.x, which is patched. The RPC server (src/lib/rpc-server.ts, deployed via Dockerfile CMD node dist/server.js) only uses simple :param routes with no ?/*/regex syntax, so the path-syntax breaking changes between Express 4 and 5 do not apply. All middleware (helmet 7, cors 2.8, compression 1.8, express-rate-limit 7) supports Express 5. Bumps: - express: ^4.18.2 -> ^5.0.0 (resolves to 5.2.1) - @types/express: ^4.17.21 -> ^5.0.0 Override consolidation: - Removed: express > path-to-regexp ^0.1.13 (no longer needed) - Removed: router > path-to-regexp ^8.4.0 (folded into top-level) - Added: path-to-regexp ^8.4.0 (single top-level pin covers both the express 5 router and the MCP SDK chains) Verified: - npm run build passes - npm test: 20/20 suites pass, 331 tests pass - npm audit: 1 alert (xlsx, no fix available — handled in PR #13) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
sbaker
force-pushed
the
security/express-5-migration
branch
from
74214e7 to
e815a24
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replaces the temporary
express > path-to-regexp ^0.1.13override (added in #12) with a real fix: bump Express 4 → 5.Express 5 ships a modern router using
path-to-regexp8.x, which is patched against GHSA-37ch-88jc-xwx2.Why this is safe to bundle
The RPC server (
src/lib/rpc-server.ts, deployed viaDockerfileCMD node dist/server.js) uses only simple:paramroutes:/health,/ready,/metrics,/auth/login,/auth/callback,/workflows,/workflows/execute/workflows/executions/:executionId/workflows/:workflowId/permissionsNone use
?(optional),*(wildcard), or regex character classes — so the Express 5 path-syntax changes don't apply.All middleware in use confirmed to support Express 5:
helmet@7.2.0,cors@2.8.6,compression@1.8.1,express-rate-limit@7.5.1No code changes needed in
rpc-server.ts— the route definitions, async handlers, error middleware, and 404 handler all work unchanged.Bumps
express^4.18.2^5.0.05.2.1@types/express^4.17.21^5.0.0Override consolidation
Single top-level pin now covers both the Express 5 router chain and any MCP SDK chains.
Test plan
npm run build— passesnpm test— 20/20 suites, 331 tests passnpm audit— 1 remaining alert (xlsx, handled in #13)docker buildagainsttypescript/Dockerfileandnode dist/server.jsboots successfully (setJWT_SECRET)Stacking note
Best landed after #13 (xlsx → exceljs) so a clean
npm auditreads zero alerts.🤖 Generated with Claude Code