
Vulnerable dependency send < 19.0 being pulled in via express@4.17.21. #423

Open
4 tasks done
davidsyckle opened this issue Sep 18, 2024 · 0 comments
Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

Vulnerable dependency send < 19.0 being pulled in via express@4.17.21. Please consider updating package.json and package-lock.json to specify a version of at least "@types/express": "^4.21.0" for express to mitigate the possibility of the vulnerable transitive dependency.

├─┬ jwks-rsa@3.1.0
│ ├─┬ @types/express@4.17.21
│ │ ├─┬ @types/body-parser@1.19.5
│ │ │ ├─┬ @types/connect@3.4.38
│ │ │ │ └── @types/node@22.5.5 deduped
│ │ │ └── @types/node@22.5.5 deduped
│ │ ├─┬ @types/express-serve-static-core@4.19.5
│ │ │ ├── @types/node@22.5.5 deduped
│ │ │ ├── @types/qs@6.9.16 deduped
│ │ │ ├── @types/range-parser@1.2.7
│ │ │ └─┬ @types/send@0.17.4 Here
│ │ │   ├── @types/mime@1.3.5
│ │ │   └── @types/node@22.5.5 deduped
│ │ ├── @types/qs@6.9.16
│ │ └─┬ @types/serve-static@1.15.7
│ │   ├── @types/http-errors@2.0.4
│ │   ├── @types/node@22.5.5 deduped
│ │   └── @types/send@0.17.4 deduped Here

Reproduction

Scan installed project with dependency-check. Review results.

Additional context

Please consider updating express-serve-static-core and serve-static to current versions to mitigate this vulnerable dependency.

https://ossindex.sonatype.org/vulnerability/CVE-2024-43799?component-type=npm&component-name=send&utm_source=dependency-check&utm_medium=integration&utm_content=10.0.2

GHSA-m6fv-jmcg-4jfg

https://www.npmjs.com/package/send

jwks-rsa version

3.1.0

Node.js version

18.20.3
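The reproduction step above relies on a scanner. The following is an added example, not code from the jwks-rsa project or from the issue reporter, showing the same check done directly against a lockfile: walk the `packages` map of a v2/v3 package-lock.json, find every installed copy of the runtime `send` package, and flag copies older than the patched release named in the linked advisory (GHSA-m6fv-jmcg-4jfg / CVE-2024-43799 is fixed in send 0.19.0). The sample lockfile, the `sample-app` name and the express/send versions in it are constructed for the example. It deliberately ignores `@types/send`, which ships type declarations only and carries no runtime code, so a tree like the one in this issue would not be flagged by itself.

```javascript
// Added example (not the project's or the reporter's code): audit a
// package-lock.json for transitive `send` copies older than the patched
// release. Assumes the lockfile v2/v3 layout with a top-level "packages"
// map keyed by "node_modules/..." paths.

// Patched floor taken from the advisory linked in the issue.
const PATCHED_SEND = '0.19.0';

// Compare two dotted version strings numerically. Prerelease tags are not
// handled; the published `send` releases are plain x.y.z so this suffices.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path, keeping scoped names intact:
// "node_modules/express/node_modules/send" -> "send"
// "node_modules/@types/send"               -> "@types/send"
function packageNameFromPath(p) {
  const marker = 'node_modules/';
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? p : p.slice(idx + marker.length);
}

// Return every installed copy of `name` whose version is below `minVersion`,
// with its lockfile path so the parent that pulled it in is visible.
function findVulnerable(lock, name, minVersion) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === '') continue; // root project entry, not a dependency
    if (packageNameFromPath(p) !== name) continue;
    if (typeof meta.version !== 'string') continue;
    if (compareVersions(meta.version, minVersion) < 0) {
      hits.push({ path: p, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one patched hoisted `send`, one older nested
// copy under express, and a type-only @types/send that must not be flagged.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/send': { version: '0.19.0' },
    'node_modules/express': { version: '4.19.2', dependencies: { send: '0.18.0' } },
    'node_modules/express/node_modules/send': { version: '0.18.0' },
    'node_modules/@types/send': { version: '0.17.4' },
  },
};

// Run the audit over the constructed lockfile; returns the flagged copies.
function auditSample() {
  return findVulnerable(sampleLock, 'send', PATCHED_SEND);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of auditSample()) {
    console.log(`${hit.path}: send@${hit.version} is below ${PATCHED_SEND}`);
  }
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a hit whose path sits under `node_modules/express/` is the case this issue describes, and the fix is bumping the parent (`express`) so its own dependency range resolves to the patched `send`.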
