From 07da3870cea809565d78b5dbe687e8f38c93b6db Mon Sep 17 00:00:00 2001
From: Socket Bot <94589996+socket-bot@users.noreply.github.com>
Date: Thu, 6 Nov 2025 00:21:01 +0000
Subject: [PATCH] fix: GHSA-rv95-896h-c2vc - Express.js Open Redirect in
 malformed URLs

---
 .../commands/scan/reach/npm/package-lock.json | 34 +++++++++----------
 .../commands/scan/reach/npm/package.json      |  2 +-
 .../fixtures/commands/scan/reach/package.json |  2 +-
 .../commands/scan/reach/pnpm/package.json     |  2 +-
 .../commands/scan/reach/yarn/package.json     |  2 +-
 pnpm-lock.yaml                                | 10 ++----
 6 files changed, 24 insertions(+), 28 deletions(-)

diff --git a/packages/cli/test/fixtures/commands/scan/reach/npm/package-lock.json b/packages/cli/test/fixtures/commands/scan/reach/npm/package-lock.json
index 4a5038f4d..afdc8e9d9 100644
--- a/packages/cli/test/fixtures/commands/scan/reach/npm/package-lock.json
+++ b/packages/cli/test/fixtures/commands/scan/reach/npm/package-lock.json
@@ -9,7 +9,7 @@
       "version": "1.0.0",
       "dependencies": {
         "axios": "1.4.0",
-        "express": "4.18.2",
+        "express": "4.19.2",
         "lodash": "4.17.21"
       },
       "devDependencies": {
@@ -1311,13 +1311,13 @@
       }
     },
     "node_modules/body-parser": {
-      "version": "1.20.1",
-      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.1.tgz",
-      "integrity": "sha512-jWi7abTbYwajOytWCQc37VulmWiRae5RyTpaCyDcS5/lMdtwSz5lOpDE67srw/HYe35f1z3fDQw+3txg7gNtWw==",
+      "version": "1.20.2",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz",
+      "integrity": "sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==",
       "license": "MIT",
       "dependencies": {
         "bytes": "3.1.2",
-        "content-type": "~1.0.4",
+        "content-type": "~1.0.5",
         "debug": "2.6.9",
         "depd": "2.0.0",
         "destroy": "1.2.0",
@@ -1325,7 +1325,7 @@
         "iconv-lite": "0.4.24",
         "on-finished": "2.4.1",
         "qs": "6.11.0",
-        "raw-body": "2.5.1",
+        "raw-body": "2.5.2",
         "type-is": "~1.6.18",
         "unpipe": "1.0.0"
       },
@@ -1639,9 +1639,9 @@
       "license": "MIT"
     },
     "node_modules/cookie": {
-      "version": "0.5.0",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz",
-      "integrity": "sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw==",
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
+      "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==",
       "license": "MIT",
       "engines": {
         "node": ">= 0.6"
@@ -1983,17 +1983,17 @@
       }
     },
     "node_modules/express": {
-      "version": "4.18.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
-      "integrity": "sha512-5/PsL6iGPdfQ/lKM1UuielYgv3BUoJfz1aUwU9vHZ+J7gyvwdQXFEBIEIaxeGf0GIcreATNyBExtalisDbuMqQ==",
+      "version": "4.19.2",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
+      "integrity": "sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==",
       "license": "MIT",
       "dependencies": {
         "accepts": "~1.3.8",
         "array-flatten": "1.1.1",
-        "body-parser": "1.20.1",
+        "body-parser": "1.20.2",
         "content-disposition": "0.5.4",
         "content-type": "~1.0.4",
-        "cookie": "0.5.0",
+        "cookie": "0.6.0",
         "cookie-signature": "1.0.6",
         "debug": "2.6.9",
         "depd": "2.0.0",
@@ -3861,9 +3861,9 @@
       }
     },
     "node_modules/raw-body": {
-      "version": "2.5.1",
-      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.1.tgz",
-      "integrity": "sha512-qqJBtEyVgS0ZmPGdCFPWJ3FreoqvG4MVQln/kCgF7Olq95IbOp0/BWyMwbdtn4VTvkM8Y7khCQ2Xgk/tcrCXig==",
+      "version": "2.5.2",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz",
+      "integrity": "sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==",
       "license": "MIT",
       "dependencies": {
         "bytes": "3.1.2",
diff --git a/packages/cli/test/fixtures/commands/scan/reach/npm/package.json b/packages/cli/test/fixtures/commands/scan/reach/npm/package.json
index 04a8273d3..70876a7cf 100644
--- a/packages/cli/test/fixtures/commands/scan/reach/npm/package.json
+++ b/packages/cli/test/fixtures/commands/scan/reach/npm/package.json
@@ -6,7 +6,7 @@
   "main": "index.js",
   "dependencies": {
     "lodash": "4.17.21",
-    "express": "4.18.2",
+    "express": "4.19.2",
     "axios": "1.4.0"
   },
   "devDependencies": {
diff --git a/packages/cli/test/fixtures/commands/scan/reach/package.json b/packages/cli/test/fixtures/commands/scan/reach/package.json
index 04a8273d3..70876a7cf 100644
--- a/packages/cli/test/fixtures/commands/scan/reach/package.json
+++ b/packages/cli/test/fixtures/commands/scan/reach/package.json
@@ -6,7 +6,7 @@
   "main": "index.js",
   "dependencies": {
     "lodash": "4.17.21",
-    "express": "4.18.2",
+    "express": "4.19.2",
     "axios": "1.4.0"
   },
   "devDependencies": {
diff --git a/packages/cli/test/fixtures/commands/scan/reach/pnpm/package.json b/packages/cli/test/fixtures/commands/scan/reach/pnpm/package.json
index 04a8273d3..70876a7cf 100644
--- a/packages/cli/test/fixtures/commands/scan/reach/pnpm/package.json
+++ b/packages/cli/test/fixtures/commands/scan/reach/pnpm/package.json
@@ -6,7 +6,7 @@
   "main": "index.js",
   "dependencies": {
     "lodash": "4.17.21",
-    "express": "4.18.2",
+    "express": "4.19.2",
     "axios": "1.4.0"
   },
   "devDependencies": {
diff --git a/packages/cli/test/fixtures/commands/scan/reach/yarn/package.json b/packages/cli/test/fixtures/commands/scan/reach/yarn/package.json
index 04a8273d3..70876a7cf 100644
--- a/packages/cli/test/fixtures/commands/scan/reach/yarn/package.json
+++ b/packages/cli/test/fixtures/commands/scan/reach/yarn/package.json
@@ -6,7 +6,7 @@
   "main": "index.js",
   "dependencies": {
     "lodash": "4.17.21",
-    "express": "4.18.2",
+    "express": "4.19.2",
     "axios": "1.4.0"
   },
   "devDependencies": {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 317fe2104..2c7535aa6 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -2705,7 +2705,6 @@ packages:
   '@sindresorhus/chunkify@2.0.0':
     resolution: {integrity: sha512-srajPSoMTC98FETCJIeXJhJqB77IRPJSu8g907jLuuioLORHZJ3YAOY2DsP5ebrZrjOrAwjqf+Cgkg/I8TGPpw==}
     engines: {node: '>=18'}
-    deprecated: 'Renamed to chunkify: https://www.npmjs.com/package/chunkify'
 
   '@sindresorhus/df@1.0.1':
     resolution: {integrity: sha512-1Hyp7NQnD/u4DSxR2DGW78TF9k7R0wZ8ev0BpMAIzA6yTQSHqNb5wTuvtcPYf4FWbVse2rW7RgDsyL8ua2vXHw==}
@@ -2910,7 +2909,6 @@ packages:
 
   '@types/ink@2.0.3':
     resolution: {integrity: sha512-DYKIKEJqhsGfQ/jgX0t9BzfHmBJ/9dBBT2MDsHAQRAfOPhEe7LZm5QeNBx1J34/e108StCPuJ3r4bh1y38kCJA==}
-    deprecated: This is a stub types definition. ink provides its own type definitions, so you do not need this installed.
 
   '@types/js-yaml@4.0.9':
     resolution: {integrity: sha512-k4MGaQl5TGo/iipqb2UDG2UwjXziSWkh0uysQelTlJpX1qGlpUZYm8PnO4DxG1qBomtJUdYJ6qR6xdIah10JLg==}
@@ -3336,7 +3334,6 @@ packages:
 
   acorn-import-assertions@1.9.0:
     resolution: {integrity: sha512-cmMwop9x+8KFhxvKrKfPYmN6/pKTYYHBqLa0DfvVZcKMJWNyWLnaqND7dx/qn66R7ewM1UX5XMaDVP5wlVTaVA==}
-    deprecated: package has been renamed to acorn-import-attributes
     peerDependencies:
       acorn: ^8
 
@@ -3539,7 +3536,6 @@ packages:
 
   boolean@3.2.0:
     resolution: {integrity: sha512-d0II/GO9uf9lfUHH2BQsjxzRJZBdsjgsBiW4BvhWk/3qoKwQFjIDVN19PfX8F2D/r9PCMTtLWjYVCFrpeYUzsw==}
-    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
 
   brace-expansion@2.0.2:
     resolution: {integrity: sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==}
@@ -8634,10 +8630,10 @@ snapshots:
 
   '@types/yargs-parser@21.0.3': {}
 
-  '@typescript-eslint/eslint-plugin@8.44.1(@typescript-eslint/parser@8.44.1(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.3))(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.2)':
+  '@typescript-eslint/eslint-plugin@8.44.1(@typescript-eslint/parser@8.44.1(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.2))(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.2)':
     dependencies:
       '@eslint-community/regexpp': 4.12.2
-      '@typescript-eslint/parser': 8.44.1(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.3)
+      '@typescript-eslint/parser': 8.44.1(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.2)
       '@typescript-eslint/scope-manager': 8.44.1
       '@typescript-eslint/type-utils': 8.44.1(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.2)
       '@typescript-eslint/utils': 8.44.1(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.2)
@@ -12286,7 +12282,7 @@ snapshots:
 
   typescript-eslint@8.44.1(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.2):
     dependencies:
-      '@typescript-eslint/eslint-plugin': 8.44.1(@typescript-eslint/parser@8.44.1(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.3))(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.2)
+      '@typescript-eslint/eslint-plugin': 8.44.1(@typescript-eslint/parser@8.44.1(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.2))(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.2)
       '@typescript-eslint/parser': 8.44.1(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.2)
       '@typescript-eslint/typescript-estree': 8.44.1(typescript@5.9.2)
       '@typescript-eslint/utils': 8.44.1(eslint@9.35.0(jiti@2.6.1))(typescript@5.9.2)