Moving @types/express to devDependencies | prod build need not to ha… #447
nandan-bhat wants to merge 4 commits into master from
Conversation
| "integrity": "sha512-zXSSClWBPfcSYjg0hcQNompkFN/MxQQ53eyrzm9BYgik2ut2I7PxAf2foVqBRMYCwWaZx/aWodi+uk76npdSAw==", | ||
| "dev": true | ||
| }, | ||
| "node_modules/express-jwt-v6/node_modules/jsonwebtoken": { |
Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.
Fix: Upgrade this library to at least version 9.0.0 at node-jwks-rsa/package-lock.json:2212.
Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541
🍰 Fixed in commit efe5321 🍰
| "integrity": "sha512-zXSSClWBPfcSYjg0hcQNompkFN/MxQQ53eyrzm9BYgik2ut2I7PxAf2foVqBRMYCwWaZx/aWodi+uk76npdSAw==", | ||
| "dev": true | ||
| }, | ||
| "node_modules/express-jwt-v6/node_modules/jsonwebtoken": { |
Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.
Fix: Upgrade this library to at least version 9.0.0 at node-jwks-rsa/package-lock.json:2212.
Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539
✨ Fixed in commit efe5321 ✨
…ve deprecated @types/mime package anymore.
d88e9f6 to d7dc4d2
The build is failing because the higher lockfileVersions generated by npm>=9 are not compatible with lower npm versions.
Duplicate of #464
Changes
- index.d.ts: published typings no longer require Express types.
- @types/express moved to devDependencies in package.json, eliminating the transitive @types/mime pull for consumers.