chore(deps): replace express-xml-bodyparser with body-parser-xml

`express-xml-bodyparser` was last updated 8 years ago and currently depends on a version of `xml2js` which contains a vulnerability. This change will swap it out in favor of `body-parser-xml` which is more maintained and depends on a more recent `xml2js` version without the vulnerability. Relates-to: #18083 Signed-off-by: Patrick Jungermann <Patrick.Jungermann@gmail.com>
2023-08-25 19:46:33 +02:00
parent 65c7c64666
commit 91ccb56fb4
4 changed files with 46 additions and 26 deletions
@@ -0,0 +1,13 @@
+---
+'@backstage/plugin-code-coverage-backend': patch
+---
+
+Replace `express-xml-bodyparser` with `body-parser-xml`.
+
+`express-xml-bodyparser` was last updated 8 years ago
+and currently depends on a version of `xml2js` which
+contains a vulnerability.
+
+This change will swap it out in favor of `body-parser-xml`
+which is more maintained and depends on a more recent `xml2js`
+version without the vulnerability.
@@ -36,9 +36,10 @@
    "@backstage/errors": "workspace:^",
    "@backstage/integration": "workspace:^",
    "@types/express": "^4.17.6",
+    "body-parser": "^1.20.0",
+    "body-parser-xml": "^2.0.5",
    "express": "^4.17.1",
    "express-promise-router": "^4.1.0",
-    "express-xml-bodyparser": "^0.3.0",
    "knex": "^2.0.0",
    "uuid": "^8.3.2",
    "winston": "^3.2.1",
@@ -46,7 +47,7 @@
  },
  "devDependencies": {
    "@backstage/cli": "workspace:^",
-    "@types/express-xml-bodyparser": "^0.3.2",
+    "@types/body-parser-xml": "^2.0.2",
    "@types/supertest": "^2.0.8",
    "msw": "^1.0.0",
    "supertest": "^6.1.6",
@@ -17,7 +17,8 @@
 import express from 'express';
 import Router from 'express-promise-router';
 import { Logger } from 'winston';
-import xmlparser from 'express-xml-bodyparser';
+import BodyParser from 'body-parser';
+import bodyParserXml from 'body-parser-xml';
 import { CatalogApi, CatalogClient } from '@backstage/catalog-client';
 import {
  errorHandler,
@@ -62,8 +63,9 @@ export const makeRouter = async (
    options.catalogApi ?? new CatalogClient({ discoveryApi: discovery });
  const scm = ScmIntegrations.fromConfig(config);

+  bodyParserXml(BodyParser);
  const router = Router();
-  router.use(xmlparser());
+  router.use(BodyParser.xml());
  router.use(express.json());

  const utils = new CoverageUtils(scm, urlReader);
@@ -6180,12 +6180,13 @@ __metadata:
    "@backstage/config": "workspace:^"
    "@backstage/errors": "workspace:^"
    "@backstage/integration": "workspace:^"
+    "@types/body-parser-xml": ^2.0.2
    "@types/express": ^4.17.6
-    "@types/express-xml-bodyparser": ^0.3.2
    "@types/supertest": ^2.0.8
+    body-parser: ^1.20.0
+    body-parser-xml: ^2.0.5
    express: ^4.17.1
    express-promise-router: ^4.1.0
-    express-xml-bodyparser: ^0.3.0
    knex: ^2.0.0
    msw: ^1.0.0
    supertest: ^6.1.6
@@ -17011,6 +17012,19 @@ __metadata:
  languageName: node
  linkType: hard

+"@types/body-parser-xml@npm:^2.0.2":
+  version: 2.0.2
+  resolution: "@types/body-parser-xml@npm:2.0.2"
+  dependencies:
+    "@types/body-parser": "*"
+    "@types/connect": "*"
+    "@types/express-serve-static-core": "*"
+    "@types/node": "*"
+    "@types/xml2js": "*"
+  checksum: ddac93399bc85b7402193004954215b9152374cd3e0e54e6f500ea71e8bf962ff091300a265551832c863e63539af1a2d9483838073ff43362d0bdf867802a50
+  languageName: node
+  linkType: hard
+
 "@types/body-parser@npm:*, @types/body-parser@npm:^1.19.0":
  version: 1.19.2
  resolution: "@types/body-parser@npm:1.19.2"
@@ -17456,16 +17470,6 @@ __metadata:
  languageName: node
  linkType: hard

-"@types/express-xml-bodyparser@npm:^0.3.2":
-  version: 0.3.2
-  resolution: "@types/express-xml-bodyparser@npm:0.3.2"
-  dependencies:
-    "@types/express": "*"
-    "@types/xml2js": "*"
-  checksum: 5d40669bf8b1f031c405e7172f12ecf53ccff5a35a7d08a7824a79f5a33bf450204bc1fa4c5bc618e32c9826dbf81170118f9aa6db7d0f2fa007ddc59e21929f
-  languageName: node
-  linkType: hard
-
 "@types/express@npm:*, @types/express@npm:^4.17.13, @types/express@npm:^4.17.17, @types/express@npm:^4.17.6":
  version: 4.17.17
  resolution: "@types/express@npm:4.17.17"
@@ -20786,6 +20790,15 @@ __metadata:
  languageName: node
  linkType: hard

+"body-parser-xml@npm:^2.0.5":
+  version: 2.0.5
+  resolution: "body-parser-xml@npm:2.0.5"
+  dependencies:
+    xml2js: ^0.5.0
+  checksum: 57133dbe6439f74f2ffb814b54ab806596a31c51e0d93e045b3068402ae184d4fcb799b2966414d1f393f8dcc8342529d4d3ce4cdeaa219c3af140d961c56dfd
+  languageName: node
+  linkType: hard
+
 "body-parser@npm:1.20.1":
  version: 1.20.1
  resolution: "body-parser@npm:1.20.1"
@@ -26044,15 +26057,6 @@ __metadata:
  languageName: node
  linkType: hard

-"express-xml-bodyparser@npm:^0.3.0":
-  version: 0.3.0
-  resolution: "express-xml-bodyparser@npm:0.3.0"
-  dependencies:
-    xml2js: ^0.4.11
-  checksum: 37c2d2f9bc5bd748f7481423a26a334d82c352be1d58694dbc0b149e54bdcb3fc7aa70800c3bbbbbbede29c868680f2e4d4fc6990459191b5de615e263d28fec
-  languageName: node
-  linkType: hard
-
 "express@npm:^4.17.1, express@npm:^4.17.3, express@npm:^4.18.1, express@npm:^4.18.2":
  version: 4.18.2
  resolution: "express@npm:4.18.2"
@@ -43158,7 +43162,7 @@ __metadata:
  languageName: node
  linkType: hard

-"xml2js@npm:^0.4.11, xml2js@npm:^0.4.23":
+"xml2js@npm:^0.4.23":
  version: 0.4.23
  resolution: "xml2js@npm:0.4.23"
  dependencies: