fix(deps): override body-parser and bump express COMPASS-8288)

[mabaasit]

Description

Checklist

• New tests and/or benchmarks are included
• Documentation is changed or added
• I have signed the MongoDB Contributor License Agreement (https://www.mongodb.com/legal/contributor-agreement)

Motivation and Context

• Bugfix
• New feature
• Dependency update
• Misc

Open Questions

Dependents

Types of changes

• Backport Needed
• Patch (non-breaking change which fixes an issue)
• Minor (non-breaking change which adds functionality)
• Major (fix or feature that would cause existing functionality to change)

[addaleax]

Fwiw, in order to bump a transitive dependency, you don't usually need to put the nested dependency in overrides, unless the intermediate dependency (express in this case, I guess) has a dependency specification that conflicts with the new version.

It should be enough here to update our package-lock.json, i.e. you can remove this line, run npm install and the package-lock.json should still point to 1.20.3 without issues. That's going to simplify things a bit once our dependencies start depending on body-parser 2.x, for example.

[gribnoysup]

Yeah, I think it should be enough to bump express in this case and update package-lock with install, express has an exact version specified for body-parser and express version change should've bumped it in package lock too

[mabaasit]

So this PR is to address the vulnerability in body-parser 1.20.2 (added COMPASS-8288).

With bump in express, the package lock does update it correctly for compass-web package. But we also have express in compass-oidc and it resolves to body-parser version 1.20.2.

Running npm install with npm update express correctly updates the deps.

[addaleax]

Cool – opened mongodb-js/mongosh#2166 for the mongosh equivalent 🙂

[gribnoysup]

Aaaaah, finally got it, I was assuming this whole time that it's only due to express here having the "older" version than the one in oidc-plugin that the error is being triggered. Thanks for clarifying!

[addaleax]

Oh, also: Is this to fix some specific issue? If yes, we'll probably need the same for mongosh

[mcasimir]

Can we add a ticket link on the PR and some more context on the description, so that whoever will have to deal with this in future can get some context from the git history / blame at least.