From e200576d081c34697413203b0f3b5d21c7ef5c86 Mon Sep 17 00:00:00 2001
From: Ben Hardill
Date: Tue, 2 Dec 2025 11:33:16 +0000
Subject: [PATCH 1/5] Update express version Update to pick up new version with CVE fixes CVE: cve-2024-51999
---
 package.json | 2 +-
 packages/node_modules/@node-red/editor-api/package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index d09aa1378..6e25c2d23 100644
--- a/package.json
+++ b/package.json
@@ -42,7 +42,7 @@
 "cors": "2.8.5",
 "cronosjs": "1.7.1",
 "denque": "2.1.0",
- "express": "4.21.2",
+ "express": "4.22.0",
 "express-session": "1.18.2",
 "form-data": "4.0.4",
 "fs-extra": "11.3.0",
diff --git a/packages/node_modules/@node-red/editor-api/package.json b/packages/node_modules/@node-red/editor-api/package.json
index b0f29491b..82b2674ac 100644
--- a/packages/node_modules/@node-red/editor-api/package.json
+++ b/packages/node_modules/@node-red/editor-api/package.json
@@ -23,7 +23,7 @@
 "clone": "2.1.2",
 "cors": "2.8.5",
 "express-session": "1.18.2",
- "express": "4.21.2",
+ "express": "4.22.0",
 "memorystore": "1.6.7",
 "mime": "3.0.0",
 "multer": "2.0.2",
From 724eafe2d3480e14bb0fc858b63f8d97cf98ea20 Mon Sep 17 00:00:00 2001
From: Ben Hardill
Date: Tue, 2 Dec 2025 11:38:02 +0000
Subject: [PATCH 2/5] Make runtime version match
---
 packages/node_modules/@node-red/runtime/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/node_modules/@node-red/runtime/package.json b/packages/node_modules/@node-red/runtime/package.json
index 40aca07aa..b5761ca6e 100644
--- a/packages/node_modules/@node-red/runtime/package.json
+++ b/packages/node_modules/@node-red/runtime/package.json
@@ -21,7 +21,7 @@
 "async-mutex": "0.5.0",
 "clone": "2.1.2",
 "cronosjs": "1.7.1",
- "express": "4.21.2",
+ "express": "4.22.0",
 "fs-extra": "11.3.0",
 "got": "12.6.1",
 "json-stringify-safe": "5.0.1",
From a79284ca0fff83134c4560412fef1f0972d8425e Mon Sep 17 00:00:00 2001
From: Ben Hardill
Date: Tue, 2 Dec 2025 11:43:10 +0000
Subject: [PATCH 3/5] Missed one
---
 packages/node_modules/node-red/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/node_modules/node-red/package.json b/packages/node_modules/node-red/package.json
index e85deba92..05487073c 100644
--- a/packages/node_modules/node-red/package.json
+++ b/packages/node_modules/node-red/package.json
@@ -38,7 +38,7 @@
 "basic-auth": "2.0.1",
 "bcryptjs": "3.0.2",
 "cors": "2.8.5",
- "express": "4.21.2",
+ "express": "4.22.0",
 "fs-extra": "11.3.0",
 "node-red-admin": "^4.1.2",
 "nopt": "5.0.0",
From a06dbb9f4626b4976d88f80b76ebb9484b074c95 Mon Sep 17 00:00:00 2001
From: Ben Hardill
Date: Tue, 2 Dec 2025 12:03:35 +0000
Subject: [PATCH 4/5] Fix tests
---
 .../editor-api/lib/admin/index_spec.js | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/test/unit/@node-red/editor-api/lib/admin/index_spec.js b/test/unit/@node-red/editor-api/lib/admin/index_spec.js
index 294737762..168fe9346 100644
--- a/test/unit/@node-red/editor-api/lib/admin/index_spec.js
+++ b/test/unit/@node-red/editor-api/lib/admin/index_spec.js
@@ -357,7 +357,8 @@ describe("api/admin/index", function() {
 permissionChecks.should.have.property('context.read',1);
 lastRequest.params.should.have.property('scope','global');
 lastRequest.params.should.have.property(0,'key');
- lastRequest.query.should.have.property('store','memory');
+ const query = { ...lastRequest.query };
+ query.should.have.property('store','memory');
 done();
 });
 });
@@ -383,7 +384,8 @@ describe("api/admin/index", function() {
 lastRequest.params.should.have.property('scope','flow');
 lastRequest.params.should.have.property('id','1234');
 lastRequest.params.should.have.property(0,'key');
- lastRequest.query.should.have.property('store','memory');
+ const query = { ...lastRequest.query };
+ query.should.have.property('store','memory');
 done();
 });
 });
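Review bot: The new `const query = { ...lastRequest.query };` line in the `@@ -357,7 +357,8 @@` hunk copies the query into a plain object before asserting, but nothing says why, and the same two lines recur in the `-383`, `-409`, `-422`, `-436` and `-450` hunks. Presumably under express 4.22.0 `req.query` no longer inherits from `Object.prototype`, so the `.should` getter is missing; a comment such as `// req.query may have no Object.prototype (no .should getter); assert on a plain copy` would record that. If the spec file already has `should` in scope, `should(lastRequest.query).have.property('store','memory');` would assert on the real request object without the copy. The enclosing `describe` and test callbacks start outside these hunks.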
@@ -409,7 +411,8 @@ describe("api/admin/index", function() {
 lastRequest.params.should.have.property('scope','node');
 lastRequest.params.should.have.property('id','5678');
 lastRequest.params.should.have.property(0,'foo');
- lastRequest.query.should.have.property('store','memory');
+ const query = { ...lastRequest.query };
+ query.should.have.property('store','memory');
 done();
 });
 });
@@ -422,7 +425,8 @@ describe("api/admin/index", function() {
 permissionChecks.should.have.property('context.write',1);
 lastRequest.params.should.have.property('scope','global');
 lastRequest.params.should.have.property(0,'key');
- lastRequest.query.should.have.property('store','memory');
+ const query = { ...lastRequest.query };
+ query.should.have.property('store','memory');
 done();
 });
 });
@@ -436,7 +440,8 @@ describe("api/admin/index", function() {
 lastRequest.params.should.have.property('scope','flow');
 lastRequest.params.should.have.property('id','1234');
 lastRequest.params.should.have.property(0,'key');
- lastRequest.query.should.have.property('store','memory');
+ const query = { ...lastRequest.query };
+ query.should.have.property('store','memory');
 done();
 });
 });
@@ -450,7 +455,8 @@ describe("api/admin/index", function() {
 lastRequest.params.should.have.property('scope','node');
 lastRequest.params.should.have.property('id','5678');
 lastRequest.params.should.have.property(0,'foo');
- lastRequest.query.should.have.property('store','memory');
+ const query = { ...lastRequest.query };
+ query.should.have.property('store','memory');
 done();
 });
 });
From ddff7c3170cd46f8ae340679c253dacfe644c509 Mon Sep 17 00:00:00 2001
From: Ben Hardill
Date: Tue, 2 Dec 2025 19:57:52 +0000
Subject: [PATCH 5/5] Bump to 4.22.1
---
 package.json | 2 +-
 .../@node-red/editor-api/package.json | 2 +-
 .../@node-red/runtime/package.json | 2 +-
 packages/node_modules/node-red/package.json | 2 +-
 .../editor-api/lib/admin/index_spec.js | 18 ++++++------------
 5 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/package.json b/package.json
index 6e25c2d23..137849ef6 100644
--- a/package.json
+++ b/package.json
@@ -42,7 +42,7 @@
 "cors": "2.8.5",
 "cronosjs": "1.7.1",
 "denque": "2.1.0",
- "express": "4.22.0",
+ "express": "4.22.1",
 "express-session": "1.18.2",
 "form-data": "4.0.4",
 "fs-extra": "11.3.0",
diff --git a/packages/node_modules/@node-red/editor-api/package.json b/packages/node_modules/@node-red/editor-api/package.json
index 82b2674ac..fdff50fe2 100644
--- a/packages/node_modules/@node-red/editor-api/package.json
+++ b/packages/node_modules/@node-red/editor-api/package.json
@@ -23,7 +23,7 @@
 "clone": "2.1.2",
 "cors": "2.8.5",
 "express-session": "1.18.2",
- "express": "4.22.0",
+ "express": "4.22.1",
 "memorystore": "1.6.7",
 "mime": "3.0.0",
 "multer": "2.0.2",
diff --git a/packages/node_modules/@node-red/runtime/package.json b/packages/node_modules/@node-red/runtime/package.json
index b5761ca6e..5ebd2f60b 100644
--- a/packages/node_modules/@node-red/runtime/package.json
+++ b/packages/node_modules/@node-red/runtime/package.json
@@ -21,7 +21,7 @@
 "async-mutex": "0.5.0",
 "clone": "2.1.2",
 "cronosjs": "1.7.1",
- "express": "4.22.0",
+ "express": "4.22.1",
 "fs-extra": "11.3.0",
 "got": "12.6.1",
 "json-stringify-safe": "5.0.1",
diff --git a/packages/node_modules/node-red/package.json b/packages/node_modules/node-red/package.json
index 05487073c..915f403fb 100644
--- a/packages/node_modules/node-red/package.json
+++ b/packages/node_modules/node-red/package.json
@@ -38,7 +38,7 @@
 "basic-auth": "2.0.1",
 "bcryptjs": "3.0.2",
 "cors": "2.8.5",
- "express": "4.22.0",
+ "express": "4.22.1",
 "fs-extra": "11.3.0",
 "node-red-admin": "^4.1.2",
 "nopt": "5.0.0",
diff --git a/test/unit/@node-red/editor-api/lib/admin/index_spec.js b/test/unit/@node-red/editor-api/lib/admin/index_spec.js
index 168fe9346..294737762 100644
--- a/test/unit/@node-red/editor-api/lib/admin/index_spec.js
+++ b/test/unit/@node-red/editor-api/lib/admin/index_spec.js
@@ -357,8 +357,7 @@ describe("api/admin/index", function() {
 permissionChecks.should.have.property('context.read',1);
 lastRequest.params.should.have.property('scope','global');
 lastRequest.params.should.have.property(0,'key');
- const query = { ...lastRequest.query };
- query.should.have.property('store','memory');
+ lastRequest.query.should.have.property('store','memory');
 done();
 });
 });
@@ -384,8 +383,7 @@ describe("api/admin/index", function() {
 lastRequest.params.should.have.property('scope','flow');
 lastRequest.params.should.have.property('id','1234');
 lastRequest.params.should.have.property(0,'key');
- const query = { ...lastRequest.query };
- query.should.have.property('store','memory');
+ lastRequest.query.should.have.property('store','memory');
 done();
 });
 });
@@ -411,8 +409,7 @@ describe("api/admin/index", function() {
 lastRequest.params.should.have.property('scope','node');
 lastRequest.params.should.have.property('id','5678');
 lastRequest.params.should.have.property(0,'foo');
- const query = { ...lastRequest.query };
- query.should.have.property('store','memory');
+ lastRequest.query.should.have.property('store','memory');
 done();
 });
 });
@@ -425,8 +422,7 @@ describe("api/admin/index", function() {
 permissionChecks.should.have.property('context.write',1);
 lastRequest.params.should.have.property('scope','global');
 lastRequest.params.should.have.property(0,'key');
- const query = { ...lastRequest.query };
- query.should.have.property('store','memory');
+ lastRequest.query.should.have.property('store','memory');
 done();
 });
 });
@@ -440,8 +436,7 @@ describe("api/admin/index", function() {
 lastRequest.params.should.have.property('scope','flow');
 lastRequest.params.should.have.property('id','1234');
 lastRequest.params.should.have.property(0,'key');
- const query = { ...lastRequest.query };
- query.should.have.property('store','memory');
+ lastRequest.query.should.have.property('store','memory');
 done();
 });
 });
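Review bot: The restored `lastRequest.query.should.have.property('store','memory');` in the `@@ -357,8 +357,7 @@` hunk (and in the five hunks after it) only passes if `req.query` inherits from `Object.prototype` again, which suggests 4.22.1 undid the query-object change that 4.22.0 brought in. Patch 1 justifies the upgrade with `CVE: cve-2024-51999`, while this commit's message is only "Bump to 4.22.1", so the series no longer records whether the pinned version still addresses that advisory. I would add a line to the commit message stating the advisory's status against 4.22.1 and, if the behaviour was reverted upstream, confirm that handlers reading `req.query` do not rely on inherited properties.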
@@ -455,8 +450,7 @@ describe("api/admin/index", function() {
 lastRequest.params.should.have.property('scope','node');
 lastRequest.params.should.have.property('id','5678');
 lastRequest.params.should.have.property(0,'foo');
- const query = { ...lastRequest.query };
- query.should.have.property('store','memory');
+ lastRequest.query.should.have.property('store','memory');
 done();
 });
 });