Describe the bug
Our CI scans raised a potential vulnerability via peer dependency express 5.1.0, citing the following issues:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-10491
https://cwe.mitre.org/data/definitions/23.html
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Try not to have a potential peer dependency vulnerability, if it can be avoided.
Logs
see screenshot attached.
Additional context
By reverting to a previous version of eslint that was not pulling in mcp-sdk, the issue isn't present.

➜ pnpm why express 5.1.0
Legend: production dependency, optional only, dev only
devDependencies:
eslint 9.26.0
└─┬ @modelcontextprotocol/sdk 1.11.0
  ├── express 5.1.0
  └─┬ express-rate-limit 7.5.0
    └── express 5.1.0 peer
eslint-config-prettier 10.1.2
└─┬ eslint 9.26.0 peer
  └─┬ @modelcontextprotocol/sdk 1.11.0
    ├── express 5.1.0
    └─┬ express-rate-limit 7.5.0
      └── express 5.1.0 peer
eslint-plugin-playwright 2.2.0
└─┬ eslint 9.26.0 peer
  └─┬ @modelcontextprotocol/sdk 1.11.0
    ├── express 5.1.0
    └─┬ express-rate-limit 7.5.0
      └── express 5.1.0 peer
typescript-eslint 8.32.0
├─┬ @typescript-eslint/eslint-plugin 8.32.0
│ ├─┬ @typescript-eslint/parser 8.32.0 peer
│ │ └─┬ eslint 9.26.0 peer
│ │   └─┬ @modelcontextprotocol/sdk 1.11.0
│ │     ├── express 5.1.0
│ │     └─┬ express-rate-limit 7.5.0
│ │       └── express 5.1.0 peer
│ ├─┬ @typescript-eslint/type-utils 8.32.0
│ │ ├─┬ @typescript-eslint/utils 8.32.0
│ │ │ └─┬ eslint 9.26.0 peer
│ │ │   └─┬ @modelcontextprotocol/sdk 1.11.0
│ │ │     ├── express 5.1.0
│ │ │     └─┬ express-rate-limit 7.5.0
│ │ │       └── express 5.1.0 peer
│ │ └─┬ eslint 9.26.0 peer
│ │   └─┬ @modelcontextprotocol/sdk 1.11.0
│ │     ├── express 5.1.0
│ │     └─┬ express-rate-limit 7.5.0
│ │       └── express 5.1.0 peer
│ ├─┬ @typescript-eslint/utils 8.32.0
│ │ └─┬ eslint 9.26.0 peer
│ │   └─┬ @modelcontextprotocol/sdk 1.11.0
│ │     ├── express 5.1.0
│ │     └─┬ express-rate-limit 7.5.0
│ │       └── express 5.1.0 peer
│ └─┬ eslint 9.26.0 peer
│   └─┬ @modelcontextprotocol/sdk 1.11.0
│     ├── express 5.1.0
│     └─┬ express-rate-limit 7.5.0
│       └── express 5.1.0 peer
├─┬ @typescript-eslint/parser 8.32.0
│ └─┬ eslint 9.26.0 peer
│   └─┬ @modelcontextprotocol/sdk 1.11.0
│     ├── express 5.1.0
│     └─┬ express-rate-limit 7.5.0
│       └── express 5.1.0 peer
├─┬ @typescript-eslint/utils 8.32.0
│ └─┬ eslint 9.26.0 peer
│   └─┬ @modelcontextprotocol/sdk 1.11.0
│     ├── express 5.1.0
│     └─┬ express-rate-limit 7.5.0
│       └── express 5.1.0 peer
└─┬ eslint 9.26.0 peer
  └─┬ @modelcontextprotocol/sdk 1.11.0
    ├── express 5.1.0
    └─┬ express-rate-limit 7.5.0
      └── express 5.1.0 peer
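The tree above shows express 5.1.0 reached only through eslint, which sits under devDependencies (express is a regular dependency of @modelcontextprotocol/sdk and a peer of express-rate-limit). Whether a flagged package is reachable from production dependencies at all is the first triage question for a finding like this, because a package that only the lint toolchain installs is never part of the shipped artifact. The following script is an added example, not code from this issue or from the eslint project: it walks a dependency tree shaped like the output of pnpm ls --json --depth Infinity and reports every path to a target package, split into paths that start from dependencies and paths that start from devDependencies. The tree shape (an importer object whose entries carry version and a nested dependencies map), the sample tree itself (constructed to mirror the pnpm why output above, plus one invented production package called some-runtime-lib for contrast) and the function names are assumptions made for this example.

```javascript
// Added example: classify how a flagged package is reached in a dependency tree.
// Not code from the issue or the eslint project.

// Constructed sample tree, shaped like `pnpm ls --json --depth Infinity` output
// (assumed shape: one importer object with `dependencies` and `devDependencies`,
// each entry carrying `version` and its own nested `dependencies`). It mirrors the
// `pnpm why` tree in the issue: express 5.1.0 sits under eslint, a devDependency.
// `some-runtime-lib` is an invented production dependency for contrast.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "some-runtime-lib": { version: "1.2.3", dependencies: {} },
  },
  devDependencies: {
    eslint: {
      version: "9.26.0",
      dependencies: {
        "@modelcontextprotocol/sdk": {
          version: "1.11.0",
          dependencies: {
            express: { version: "5.1.0", dependencies: {} },
            "express-rate-limit": {
              version: "7.5.0",
              dependencies: {
                express: { version: "5.1.0", dependencies: {} },
              },
            },
          },
        },
      },
    },
  },
};

// Return every path from a top-level dependency down to targetName (optionally
// restricted to targetVersion), keyed by whether the path starts in `dependencies`
// (prod) or `devDependencies` (dev). A path is an array of "name@version" strings.
// `onPath` holds the ids of the current descent so a cyclic graph cannot recurse forever.
function findPaths(tree, targetName, targetVersion) {
  const result = { prod: [], dev: [] };

  function walk(name, node, path, onPath, bucket) {
    const id = `${name}@${node.version}`;
    if (onPath.has(id)) return; // cycle guard
    const here = [...path, id];
    if (name === targetName && (targetVersion === undefined || node.version === targetVersion)) {
      bucket.push(here);
    }
    onPath.add(id);
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(childName, child, here, onPath, bucket);
    }
    onPath.delete(id);
  }

  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    walk(name, node, [], new Set(), result.prod);
  }
  for (const [name, node] of Object.entries(tree.devDependencies || {})) {
    walk(name, node, [], new Set(), result.dev);
  }
  return result;
}

// Triage helper: true only if at least one path starts from a production dependency.
function reachableInProduction(tree, targetName, targetVersion) {
  return findPaths(tree, targetName, targetVersion).prod.length > 0;
}

// Human-readable summary, one line per path, prod paths first.
function formatReport(tree, targetName, targetVersion) {
  const { prod, dev } = findPaths(tree, targetName, targetVersion);
  const lines = [
    `${targetName}@${targetVersion ?? "*"}: ${prod.length} prod path(s), ${dev.length} dev-only path(s)`,
  ];
  for (const p of prod) lines.push(`  prod: ${p.join(" > ")}`);
  for (const p of dev) lines.push(`  dev:  ${p.join(" > ")}`);
  return lines.join("\n");
}

// First line printed for the sample: "express@5.1.0: 0 prod path(s), 2 dev-only path(s)"
console.log(formatReport(SAMPLE_TREE, "express", "5.1.0"));
```

To run it against a real project, replace SAMPLE_TREE with the first element of the parsed pnpm ls --json --depth Infinity output (pnpm prints an array, one object per workspace project); the walker ignores the extra fields pnpm includes, such as from and resolved. pnpm's own shortcut for the same question is pnpm audit --prod, which restricts the advisory check to production dependencies: a finding that disappears under --prod is a dev-tooling exposure, still worth tracking for the CI runner that executes eslint, but not something shipped to users.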