Upgrade express to 5 and csurf and other security related packages #7041
Conversation
There was a problem hiding this comment.
Pull request overview
This PR upgrades Express from version 4 to version 5 and updates various security-related packages. The key change involves replacing the deprecated csurf package with a custom CSRF protection implementation and migrating route syntax to Express 5's named parameter format.
- Upgrades Express to v5.2.1 and replaces deprecated
csurfwith custom CSRF implementation - Updates security packages:
argon2(0.44.0),jsonwebtoken(9.0.3),node-forge(1.3.3),firebase-admin(13.6.0) - Migrates Express 4 wildcard routes (
*) to Express 5 named splat parameters (*splat) - Removes
lru-cachedependency and associatedcache.jsfile from the main package
Reviewed changes
Copilot reviewed 8 out of 11 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| package.json | Upgrades Express to v5.2.1, replaces csurf with csrf-csrf, removes lru-cache, updates security packages (argon2, jsonwebtoken, node-forge, etc.) |
| package-lock.json | Lockfile updates for Express 5 and all security package dependencies, includes new Express 5 dependencies |
| plugins/web/package.json | Updates ua-parser-js to 1.0.41 (security patch) |
| plugins/push/package.json | Updates firebase-admin, jsonwebtoken, and node-forge for security fixes |
| frontend/express/app.js | Replaces csurf package with custom CSRF implementation using double-submit cookie pattern, migrates routes to Express 5 syntax |
| plugins/star-rating/frontend/app.js | Migrates wildcard routes to Express 5 named splat parameters (*splat) |
| plugins/dashboards/frontend/app.js | Migrates wildcard route to Express 5 syntax |
| plugins/crashes/frontend/app.js | Migrates wildcard route to Express 5 syntax |
| api/parts/data/cache.js | Removes entire file containing LRU cache implementation (392 lines deleted) |
Files not reviewed (2)
- plugins/push/package-lock.json: Language not supported
- plugins/web/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // Get token from request body, query, or header | ||
| var requestToken = req.body._csrf || req.query._csrf || req.headers['x-csrf-token']; |
There was a problem hiding this comment.
CSRF token validation allows tokens to be passed via query string (req.query._csrf), which is insecure as query parameters can be logged in server logs, browser history, and referrer headers. This creates a security vulnerability where CSRF tokens could be leaked. Remove req.query._csrf from the validation and only accept tokens from request body or headers.
| // Get token from request body, query, or header | |
| var requestToken = req.body._csrf || req.query._csrf || req.headers['x-csrf-token']; | |
| // Get token from request body or header (do not accept from query string) | |
| var requestToken = req.body._csrf || req.headers['x-csrf-token']; |
No description provided.