Proposal: Centralized CVE Tracking for Our Packages

I’ve just created a PoC to pull in all the CVEs we have across all our packages. Here’s the script (https://gist.github.com/bjohansebas/91c1056fbad6968b4bd739d53ab53d57). It can still be improved and even turned into a GitHub Action, but before moving forward, what do you think about tracking our packages’ CVEs here?

With this, we could also remove the page [https://expressjs.com/en/advanced/security-updates.html](https://expressjs.com/en/advanced/security-updates.html) and redirect it to the file generated by the script, so we wouldn’t have to maintain that page anymore (which we sometimes forget to update). Alternatively, we could keep maintaining that page but update the reference in [https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md#examples-of-vulnerabilities](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md#examples-of-vulnerabilities) to point to this new document, which is more specific to vulnerabilities.

result:

# Security Advisories

Total: 33

## expressjs

Total: 18

| Repository Name | Advisories |
|-----------------|------------|
| express | <ul><li>[CVE-2024-51999](https://github.com/advisories/GHSA-pj86-cfqh-vqx6) (withdrawn)</li><li>[CVE-2024-10491](https://github.com/advisories/GHSA-cm5g-3pgc-8rg4)</li><li>[CVE-2024-9266](https://github.com/advisories/GHSA-jj78-5fmv-mv28)</li><li>[CVE-2024-43796](https://github.com/advisories/GHSA-qw6h-vgh9-j6wx)</li><li>[CVE-2024-29041](https://github.com/advisories/GHSA-rv95-896h-c2vc)</li><li>[CVE-2014-6393](https://github.com/advisories/GHSA-gpvr-g6gh-9mc2)</li></ul> |
| body-parser | <ul><li>[CVE-2025-13466](https://github.com/advisories/GHSA-wqch-xfxh-vrr4)</li><li>[CVE-2024-45590](https://github.com/advisories/GHSA-qwcr-r2fm-qrc7)</li></ul> |
| basic-auth-connect | <ul><li>[CVE-2024-47178](https://github.com/advisories/GHSA-7p89-p6hx-q4fw)</li></ul> |
| multer | <ul><li>[CVE-2025-7338](https://github.com/advisories/GHSA-fjgf-rc76-4x9p)</li><li>[CVE-2025-48997](https://github.com/advisories/GHSA-g5hg-p3ph-g8qg)</li><li>[CVE-2025-47944](https://github.com/advisories/GHSA-4pg4-qvpc-4q3h)</li><li>[CVE-2025-47935](https://github.com/advisories/GHSA-44fp-w29j-9vj5)</li></ul> |
| morgan | <ul><li>[CVE-2019-5413](https://github.com/advisories/GHSA-gwg9-rgvj-4h5j)</li></ul> |
| method-override | <ul><li>[CVE-2017-16136](https://github.com/advisories/GHSA-qx2f-477c-35rq)</li></ul> |
| serve-index | <ul><li>[CVE-2015-8856](https://github.com/advisories/GHSA-v633-x5vv-hqwc)</li></ul> |
| serve-static | <ul><li>[CVE-2024-43800](https://github.com/advisories/GHSA-cm22-4g7w-348p)</li><li>[CVE-2015-1164](https://github.com/advisories/GHSA-c3x7-gjmx-r2ff)</li></ul> |

## pillarjs

Total: 10

| Repository Name | Advisories |
|-----------------|------------|
| hbs | <ul><li>[CVE-2021-32822](https://github.com/advisories/GHSA-7f5c-rpf4-86p8)</li></ul> |
| send | <ul><li>[CVE-2024-43799](https://github.com/advisories/GHSA-m6fv-jmcg-4jfg)</li><li>[https://github.com/advisories/GHSA-pgv6-jrvv-75jp](https://github.com/advisories/GHSA-pgv6-jrvv-75jp) (withdrawn)</li><li>[CVE-2014-6394](https://github.com/advisories/GHSA-xwg4-93c6-3h42)</li><li>[CVE-2015-8859](https://github.com/advisories/GHSA-jgqf-hwc5-hh37)</li></ul> |
| path-to-regexp | <ul><li>[CVE-2024-52798](https://github.com/advisories/GHSA-rhx6-c78j-4q9w)</li><li>[CVE-2024-45296](https://github.com/advisories/GHSA-9wv6-86v2-598j)</li></ul> |
| resolve-path | <ul><li>[CVE-2018-3732](https://github.com/advisories/GHSA-62g9-6hw5-rwfp)</li></ul> |
| request | <ul><li>[CVE-2023-28155](https://github.com/advisories/GHSA-p8p7-x288-28g6)</li><li>[CVE-2017-16026](https://github.com/advisories/GHSA-7xfp-9c55-5vqj)</li></ul> |

## jshttp

Total: 5

| Repository Name | Advisories |
|-----------------|------------|
| negotiator | <ul><li>[CVE-2016-10539](https://github.com/advisories/GHSA-7mc5-chhp-fmc3)</li></ul> |
| cookie | <ul><li>[CVE-2024-47764](https://github.com/advisories/GHSA-pxg6-pf52-xh8x)</li></ul> |
| fresh | <ul><li>[CVE-2017-16119](https://github.com/advisories/GHSA-9qj9-36jm-prpv)</li></ul> |
| on-headers | <ul><li>[CVE-2025-7339](https://github.com/advisories/GHSA-76c9-3jph-rj3q)</li></ul> |
| forwarded | <ul><li>[CVE-2017-16118](https://github.com/advisories/GHSA-mpcf-4gmh-23w8)</li></ul> |



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Proposal: Centralized CVE Tracking for Our Packages #116

Security Advisories

expressjs

pillarjs

jshttp

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Repository Name	Advisories
express	CVE-2024-51999 (withdrawn) CVE-2024-10491 CVE-2024-9266 CVE-2024-43796 CVE-2024-29041 CVE-2014-6393
body-parser	CVE-2025-13466 CVE-2024-45590
basic-auth-connect	CVE-2024-47178
multer	CVE-2025-7338 CVE-2025-48997 CVE-2025-47944 CVE-2025-47935
morgan	CVE-2019-5413
method-override	CVE-2017-16136
serve-index	CVE-2015-8856
serve-static	CVE-2024-43800 CVE-2015-1164

Repository Name	Advisories
hbs	CVE-2021-32822
send	CVE-2024-43799 GHSA-pgv6-jrvv-75jp (withdrawn) CVE-2014-6394 CVE-2015-8859
path-to-regexp	CVE-2024-52798 CVE-2024-45296
resolve-path	CVE-2018-3732
request	CVE-2023-28155 CVE-2017-16026

Repository Name	Advisories
negotiator	CVE-2016-10539
cookie	CVE-2024-47764
fresh	CVE-2017-16119
on-headers	CVE-2025-7339
forwarded	CVE-2017-16118

Uh oh!

Proposal: Centralized CVE Tracking for Our Packages #116

Description

Security Advisories

expressjs

pillarjs

jshttp

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions