feat(node): upgrade express to v4.21.2 to address security vulnerabil…

…ities (#29419)

<!-- Please make sure you have read the submission guidelines before
posting an PR -->
<!--
https://github.com/nrwl/nx/blob/master/CONTRIBUTING.md#-submitting-a-pr
-->

<!-- Please make sure that your commit message follows our format -->
<!-- Example: `fix(nx): must begin with lowercase` -->

<!-- If this is a particularly complex change or feature addition, you
can request a dedicated Nx release for this pull request branch. Mention
someone from the Nx team or the `@nrwl/nx-pipelines-reviewers` and they
will confirm if the PR warrants its own release for testing purposes,
and generate it for you if appropriate. -->

## Current Behavior
<!-- This is the behavior we have today -->

## Expected Behavior
<!-- This is the behavior we should expect with the changes in this PR
-->
Nx should install and depend on a version of express without security
vulnerabilities.

## Related Issue(s)
<!-- Please link the issue being fixed so it gets closed when this is
merged. -->

Fixes #

Co-authored-by: Igor Loskutov <[email protected]>
Co-authored-by: Colum Ferry <[email protected]>

package.json

@@ -129,7 +129,7 @@
     "@types/ejs": "3.1.2",
     "@types/eslint": "~8.56.10",
     "@types/eslint__js": "^8.42.3",
-    "@types/express": "4.17.14",
+    "@types/express": "^4.17.21",
     "@types/flat": "^5.0.1",
     "@types/fs-extra": "^11.0.0",
     "@types/is-ci": "^3.0.0",
@@ -193,7 +193,7 @@
     "eslint-plugin-react": "7.35.0",
     "eslint-plugin-react-hooks": "5.0.0",
     "eslint-plugin-storybook": "^0.8.0",
-    "express": "^4.19.2",
+    "express": "^4.21.2",
     "fast-xml-parser": "^4.2.7",
     "figures": "3.2.0",
     "file-type": "^16.2.0",

packages/angular/src/utils/backward-compatible-versions.ts

@@ -35,8 +35,8 @@ export const backwardCompatibleVersions: VersionMap = {
     tsLibVersion: '^2.3.0',
     corsVersion: '~2.8.5',
     typesCorsVersion: '~2.8.5',
-    expressVersion: '~4.18.2',
-    typesExpressVersion: '4.17.14',
+    expressVersion: '^4.21.2',
+    typesExpressVersion: '^4.17.21',
     browserSyncVersion: '^3.0.0',
     moduleFederationNodeVersion: '~2.3.0',
     moduleFederationEnhancedVersion: '~0.2.3',
@@ -62,8 +62,8 @@ export const backwardCompatibleVersions: VersionMap = {
     tsLibVersion: '^2.3.0',
     corsVersion: '~2.8.5',
     typesCorsVersion: '~2.8.5',
-    expressVersion: '~4.18.2',
-    typesExpressVersion: '4.17.14',
+    expressVersion: '^4.21.2',
+    typesExpressVersion: '^4.17.21',
     browserSyncVersion: '^3.0.0',
     moduleFederationNodeVersion: '~2.5.0',
     moduleFederationEnhancedVersion: '0.6.9',

packages/angular/src/utils/versions.ts

@@ -11,8 +11,8 @@ export const tsLibVersion = '^2.3.0';
 
 export const corsVersion = '~2.8.5';
 export const typesCorsVersion = '~2.8.5';
-export const expressVersion = '~4.18.2';
-export const typesExpressVersion = '4.17.14';
+export const expressVersion = '^4.21.2';
+export const typesExpressVersion = '^4.17.21';
 export const browserSyncVersion = '^3.0.0';
 export const moduleFederationNodeVersion = '^2.6.21';
 export const moduleFederationEnhancedVersion = '^0.8.8';

packages/express/package.json

@@ -36,7 +36,7 @@
     "tslib": "^2.3.0"
   },
   "peerDependencies": {
-    "express": "^4.18.1"
+    "express": "^4.21.2"
   },
   "peerDependenciesMeta": {
     "express": {

packages/express/src/utils/versions.ts

@@ -1,4 +1,4 @@
 export const nxVersion = require('../../package.json').version;
 
-export const expressVersion = '^4.18.1';
-export const expressTypingsVersion = '4.17.13';
+export const expressVersion = '^4.21.2';
+export const expressTypingsVersion = '^4.17.21';

packages/module-federation/package.json

@@ -34,7 +34,7 @@
     "@module-federation/enhanced": "^0.8.8",
     "@module-federation/node": "^2.6.21",
     "@module-federation/sdk": "^0.8.8",
-    "express": "^4.19.2",
+    "express": "^4.21.2",
     "http-proxy-middleware": "^3.0.3"
   },
   "peerDependencies": {},

packages/node/migrations.json

@@ -37,6 +37,14 @@
         "@fastify/sensible": {
           "version": "~6.0.2",
           "alwaysAddToPackageJson": false
+        },
+        "express": {
+          "version": "^4.21.2",
+          "alwaysAddToPackageJson": false
+        },
+        "@types/express": {
+          "version": "^4.17.21",
+          "alwaysAddToPackageJson": false
         }
       }
     }

packages/node/src/utils/versions.ts

@@ -4,8 +4,8 @@ export const tslibVersion = '^2.3.0';
 
 export const typesNodeVersion = '~18.16.9';
 
-export const expressVersion = '~4.18.1';
-export const expressTypingsVersion = '~4.17.13';
+export const expressVersion = '^4.21.2';
+export const expressTypingsVersion = '^4.17.21';
 
 export const koaVersion = '~2.14.1';
 export const koaTypingsVersion = '~2.13.5';

packages/react/package.json

@@ -43,7 +43,7 @@
     "@nx/eslint": "file:../eslint",
     "@nx/web": "file:../web",
     "@nx/module-federation": "file:../module-federation",
-    "express": "^4.19.2",
+    "express": "^4.21.2",
     "http-proxy-middleware": "^3.0.3",
     "semver": "^7.6.3"
   },

packages/react/src/utils/versions.ts

@@ -53,8 +53,8 @@ export const tailwindcssVersion = '3.4.3';
 export const autoprefixerVersion = '10.4.13';
 
 // SSR and Module Federation
-export const expressVersion = '~4.18.2';
-export const typesExpressVersion = '4.17.17';
+export const expressVersion = '^4.21.2';
+export const typesExpressVersion = '^4.17.21';
 export const isbotVersion = '^3.6.5';
 export const corsVersion = '~2.8.5';
 export const typesCorsVersion = '~2.8.12';

packages/rspack/package.json

@@ -36,7 +36,7 @@
     "browserslist": "^4.21.4",
     "css-loader": "^6.4.0",
     "enquirer": "~2.3.6",
-    "express": "^4.19.2",
+    "express": "^4.21.2",
     "fork-ts-checker-webpack-plugin": "7.2.13",
     "http-proxy-middleware": "^3.0.3",
     "less-loader": "11.1.0",