Package vulnerabilities

Topic summary

A developer is encountering multiple high-severity npm package vulnerabilities in their Shopify app, including issues with body-parser, express, cookie, send, serve-static, and ws packages.

Key vulnerabilities identified:

  • body-parser: Denial of service vulnerability when URL encoding is enabled
  • cookie: Accepts out-of-bounds characters in name, path, and domain
  • ws: DoS vulnerability when handling requests with many HTTP headers
  • express and serve-static: Depend on vulnerable versions of other packages

The core problem: Running npm audit fix --force would downgrade @shopify/app to version 3.15.0, which represents a breaking change and causes the application to crash.

The audit report shows 23 total vulnerabilities (10 low, 1 moderate, 12 high). The developer is seeking guidance on how to resolve these security issues without breaking their application functionality. The situation requires either finding compatible package versions or reviewing alternative dependencies that don’t introduce breaking changes.

Summarized with AI on November 2. AI used: claude-sonnet-4-5-20250929.

We have several high severity vulnerabilities, but it asks me to downgrade some packages to fix them, causing the app to crash. Any idea how to fix these vulnerabilities?

npm audit report

body-parser <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via npm audit fix --force
Will install @shopify/app@3.15.0, which is a breaking change
node_modules/@shopify/app/node_modules/body-parser
node_modules/@shopify/app/node_modules/express/node_modules/body-parser
@shopify/app <=0.0.0-nightly-20240413160158 || >=3.6.0
Depends on vulnerable versions of @shopify/cli-kit
Depends on vulnerable versions of @shopify/create-app
Depends on vulnerable versions of @shopify/plugin-cloudflare
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of express
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of serve-static
Depends on vulnerable versions of ws
node_modules/@shopify/app
express <=4.21.1 || 5.0.0-alpha.1 - 5.0.0
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of cookie
Depends on vulnerable versions of path-to-regexp
Depends on vulnerable versions of send
Depends on vulnerable versions of serve-static
node_modules/@shopify/app/node_modules/express

cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via npm audit fix --force
Will install @remix-run/serve@1.15.0, which is a breaking change
node_modules/@shopify/app/node_modules/cookie
node_modules/cookie
@remix-run/server-runtime *
Depends on vulnerable versions of cookie
node_modules/@remix-run/server-runtime
@remix-run/dev <=0.0.0-nightly-ff40409-20230514 || >=1.2.0-pre.0
Depends on vulnerable versions of @remix-run/node
Depends on vulnerable versions of @remix-run/react
Depends on vulnerable versions of @remix-run/serve
Depends on vulnerable versions of @remix-run/server-runtime
node_modules/@remix-run/dev
@remix-run/node *
Depends on vulnerable versions of @remix-run/server-runtime
node_modules/@remix-run/node
@remix-run/express *
Depends on vulnerable versions of @remix-run/node
node_modules/@remix-run/express
@remix-run/serve *
Depends on vulnerable versions of @remix-run/express
Depends on vulnerable versions of @remix-run/node
node_modules/@remix-run/serve
@shopify/shopify-app-remix *
Depends on vulnerable versions of @remix-run/node
Depends on vulnerable versions of @remix-run/server-runtime
node_modules/@shopify/shopify-app-remix
@remix-run/react <=0.0.0-nightly-fef7d16-20240205 || >=2.0.0-pre.0
Depends on vulnerable versions of @remix-run/server-runtime
node_modules/@remix-run/react

cross-spawn <6.0.6
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via npm audit fix --force
Will install @shopify/app@3.15.0, which is a breaking change
node_modules/pid-from-port/node_modules/cross-spawn
execa 0.5.0 - 0.9.0
Depends on vulnerable versions of cross-spawn
node_modules/pid-from-port/node_modules/execa
pid-from-port *
Depends on vulnerable versions of execa
node_modules/pid-from-port
kill-port-process *
Depends on vulnerable versions of pid-from-port
node_modules/kill-port-process
@shopify/cli-kit <=0.0.0-snapshot-20241017102314 || 3.6.0 - 3.68.1
Depends on vulnerable versions of kill-port-process
node_modules/@shopify/cli-kit
@shopify/create-app <=0.0.0-nightly-20240413160158 || 3.6.0 - 3.58.2
Depends on vulnerable versions of @shopify/cli-kit
node_modules/@shopify/create-app
@shopify/plugin-cloudflare <=3.68.1
Depends on vulnerable versions of @shopify/cli-kit
node_modules/@shopify/plugin-cloudflare

micromatch <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
fix available via npm audit fix --force
Will install @shopify/app@3.15.0, which is a breaking change
node_modules/@shopify/app/node_modules/micromatch

path-to-regexp <=0.1.11
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
Unpatched path-to-regexp ReDoS in 0.1.x - https://github.com/advisories/GHSA-rhx6-c78j-4q9w
fix available via npm audit fix
node_modules/@shopify/app/node_modules/path-to-regexp

send <0.19.0
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via npm audit fix --force
Will install @shopify/app@3.15.0, which is a breaking change
node_modules/@shopify/app/node_modules/send
node_modules/serve-static/node_modules/send
serve-static <=1.16.0
Depends on vulnerable versions of send
node_modules/serve-static

ws 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via npm audit fix --force
Will install @shopify/app@3.15.0, which is a breaking change
node_modules/@shopify/app/node_modules/ws

23 vulnerabilities (10 low, 1 moderate, 12 high)

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing a different dependency.
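One way to clear this report without the forced downgrade is a package.json "overrides" block (npm 8.3 or later) that pins the patched versions of the transitive packages while @shopify/app stays where it is. The script below is an added example, not part of the original post or of Shopify's tooling: it derives that block from the vulnerable ranges in the report and checks a resolved version against such a range. It assumes the first version outside each vulnerable range is the patched one and handles only the range syntaxes that appear in the report.

```javascript
// Added example (not from the original post): build an npm "overrides" block
// from the audit report's vulnerable ranges and check resolved versions.
// Assumption: "fixed" is the first version outside the reported vulnerable
// range; only the range syntaxes seen in the report are handled
// (<, <=, >, >=, "a - b", "||", "*"). Prerelease tags are ignored.

// Vulnerable ranges copied from the audit report above.
const ADVISORIES = [
  { name: 'body-parser',    range: '<1.20.3',        fixed: '1.20.3' },
  { name: 'cookie',         range: '<0.7.0',         fixed: '0.7.0' },
  { name: 'cross-spawn',    range: '<6.0.6',         fixed: '6.0.6' },
  { name: 'micromatch',     range: '<4.0.8',         fixed: '4.0.8' },
  { name: 'path-to-regexp', range: '<=0.1.11',       fixed: '0.1.12' },
  { name: 'send',           range: '<0.19.0',        fixed: '0.19.0' },
  { name: 'serve-static',   range: '<=1.16.0',       fixed: '1.16.1' },
  { name: 'ws',             range: '8.0.0 - 8.17.0', fixed: '8.17.1' },
];

// Numeric compare of "x.y.z" versions; anything after a "-" (prerelease) is dropped.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` lies inside any "||"-separated part of the vulnerable range.
function isVulnerable(version, range) {
  return range.split('||').map(s => s.trim()).some(part => {
    if (part === '*') return true;
    const hyphen = part.match(/^(\S+)\s+-\s+(\S+)$/);        // "8.0.0 - 8.17.0"
    if (hyphen) return compareVersions(version, hyphen[1]) >= 0 &&
                       compareVersions(version, hyphen[2]) <= 0;
    const op = part.match(/^(<=|<|>=|>)\s*(\S+)$/);           // "<1.20.3", ">=3.6.0"
    if (!op) throw new Error(`unsupported range: ${part}`);
    const c = compareVersions(version, op[2]);
    return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0 }[op[1]];
  });
}

// The "overrides" object to paste into package.json. npm applies it to every
// copy of the package, including the nested ones under
// node_modules/@shopify/app/node_modules listed in the report.
function buildOverrides(advisories) {
  const overrides = {};
  for (const a of advisories) overrides[a.name] = `>=${a.fixed}`;
  return overrides;
}

console.log(JSON.stringify({ overrides: buildOverrides(ADVISORIES) }, null, 2));
```

After adding the block and running npm install, re-run npm audit and exercise the app: an override can itself break a consumer when the patched version crosses a major boundary, which is why the report flags such upgrades as breaking changes.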