Conversation
* Update deployment documentation to reflect infrastructure change automation
* Complete production deployment documentation based on promote-prod workflow
* Upgrade root package.json dependencies to latest compatible versions
* MAJOR UPGRADE: Node.js engines, Express 5.x, React 19.x
* COMPATIBILITY FIX: Downgrade React Router to v5.3.4
* Downgrade React from v19 to v18 for Material-UI v4
* Replace body-parser with express.json() for Express v5 upgrade
* Nodejs upgrade from v20 to v24
* Fix root npm dependencies and npm-run-all script syntax
* Update docker versions on Docker files and fix the statusFilters
* Global and Frontend modules upgrades
* Update nodejs version on format check workflow
* Fix errors and warnings scanned by Format check workflow, and update eslint to v9 on server code
* adding regex to support dev and test domains
* updating new cert in documents and pipelines
---------
Co-authored-by: Dinh Nguyen Pham <nguyenphamswork@gmail.com>
Co-authored-by: Dinh Nguyen Pham <63203684+npham49@users.noreply.github.com>
Removing freshworks.club references in front-end code and replacing with new prefixes.
Updating string replacement for double quotes
Updating nonce to be inserted by webpack
Fix Pagination issues on tables and adding Docs for DEV TEST Certs
* client js upgrade and fix
* fix on JSU-224
* fix JSU-225
* remove debug comments
* backend library upgrades and mongodb version update
* add scripts for mongo db upgrade
* remove MongoDB migration scripts (not needed as production uses Helm-managed MongoDB 4.4.6)
* rollback mongo.yml
* fix the email validation on participant info edit pop-up
* update email validation check
… column (#1139)
* fix: resolve 'a few seconds ago' display for participant Last Updated column
* update comment
Fixing seeding script
* JSU-422 remove 'Add Non-Portal Hire' button for MOH Admin accounts
* JSU-416 Correct the Health Authority dropdown option for employers under the 'My Sites' tab
app.get(/^(?!\/api\/v1).*/, (req, res) => {
  res.sendFile(path.join(__dirname, '../client/build', 'index.html'));
});
Check failure
Code scanning / CodeQL
Missing rate limiting High
Copilot Autofix
AI 7 months ago
The best way to fix this problem is to introduce a rate-limiting middleware into the Express pipeline prior to the route which performs file system access, specifically before the route handler serving index.html. The express-rate-limit package is a well-known, maintained library for this scenario and offers an easy-to-use API. We should install and import express-rate-limit, configure a limiter (e.g., 100 requests per 15 minutes), and apply it only to the route serving index.html. This ensures that requests to index.html are throttled and protected from abuse without affecting other API endpoints or static content.
We need to:
- import `express-rate-limit` at the top,
- instantiate a rate limiter,
- apply it to the SPA wildcard route (lines 112-114).
These changes should only involve code that we've seen in server/server.ts.
| @@ -3,6 +3,7 @@ | ||
| import express from 'express'; | ||
| import helmet from 'helmet'; | ||
| import { v4 as uuidv4 } from 'uuid'; | ||
| import rateLimit from 'express-rate-limit'; | ||
|
|
||
| import path from 'path'; | ||
| import apiRouter from './routes'; | ||
| @@ -108,8 +109,13 @@ | ||
| // Client app | ||
|
|
||
| if (process.env.NODE_ENV === 'production') { | ||
| // serve index.html for any GET that doesn't start with /api/v1 | ||
| app.get(/^(?!\/api\/v1).*/, (req, res) => { | ||
| // Rate limiter for SPA entry point | ||
| const spaLimiter = rateLimit({ | ||
| windowMs: 15 * 60 * 1000, // 15 minutes | ||
| max: 100 // limit each IP to 100 requests per windowMs | ||
| }); | ||
| // serve index.html for any GET that doesn't start with /api/v1 with rate limiting | ||
| app.get(/^(?!\/api\/v1).*/, spaLimiter, (req, res) => { | ||
| res.sendFile(path.join(__dirname, '../client/build', 'index.html')); | ||
| }); | ||
| } |
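Review bot: The limiter keys on the client IP, and the hunk does not configure `trust proxy`; if this service runs behind a reverse proxy or ingress, every request arrives with the proxy's address, so `max: 100` per `windowMs` becomes one shared budget of 100 requests per 15 minutes for all users and the SPA entry point goes dark for everyone once it is spent. Confirm the app's existing `trust proxy` setting before merging, and consider creating `spaLimiter` outside the `NODE_ENV === 'production'` block so the throttling is exercised in dev and test rather than first appearing in production. Minor: express-rate-limit v7+ prefers the option name `limit` over `max` (the latter is, as far as I know, still accepted as an alias).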
| @@ -74,7 +74,8 @@ | ||
| "uuid": "^9.0.1", | ||
| "winston": "^3.17.0", | ||
| "winston-mongodb": "^6.0.0", | ||
| "yup": "^1.7.0" | ||
| "yup": "^1.7.0", | ||
| "express-rate-limit": "^8.1.0" | ||
| }, | ||
| "devDependencies": { | ||
| "@eslint/js": "^9.17.0", |
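Review bot: `"express-rate-limit": "^8.1.0"` is appended after `"yup"`, breaking the alphabetical ordering that the surrounding entries (`uuid`, `winston`, `winston-mongodb`, `yup`) follow; move it up to its alphabetical position. The hunk also shows no package-lock.json change, so make sure the lockfile is regenerated in the same commit so CI installs the reviewed 8.1.0.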
| Package | Version | Security advisories |
| --- | --- | --- |
| express-rate-limit (npm) | 8.1.0 | None |
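For the limiter configuration in the autofix above (windowMs of 15 minutes, max 100 per client), here is an added example that is not the project's code or the autofix's: a self-contained fixed-window limiter with the same semantics, showing why the key the counter is kept under matters when the app sits behind a reverse proxy. It assumes exactly one trusted proxy hop that appends the real client address to X-Forwarded-For; the request and response objects follow Express's shape, but nothing here requires Express or express-rate-limit to be installed.

```javascript
// Added example, not code from the project or from the autofix: a minimal fixed-window
// limiter with the same windowMs/max semantics as the express-rate-limit config above,
// plus the client-key choice that matters when the app sits behind a reverse proxy.
// Assumption: exactly one trusted proxy hop appends the real client to X-Forwarded-For.
const SPA_LIMIT = { windowMs: 15 * 60 * 1000, max: 100 };

// Without trusting the proxy, req.socket.remoteAddress is the proxy itself, so every
// user shares one budget of `max` requests. With one trusted hop, the rightmost
// X-Forwarded-For entry is the one our proxy appended; entries to its left are
// client-supplied and must not become the key.
function clientKey(req, trustProxy) {
  const xff = req.headers['x-forwarded-for'];
  if (trustProxy && xff) {
    const hops = xff.split(',').map((h) => h.trim()).filter(Boolean);
    return hops[hops.length - 1];
  }
  return req.socket.remoteAddress;
}

// Returns check(req, now) -> { key, allowed, limit, remaining, retryAfterMs }; one
// counter per key, reset when its window expires.
function createLimiter({ windowMs, max }, trustProxy = false) {
  const hits = new Map(); // key -> { count, resetAt }
  return function check(req, now = Date.now()) {
    const key = clientKey(req, trustProxy);
    let entry = hits.get(key);
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= max;
    return { key, allowed, limit: max, remaining: Math.max(0, max - entry.count),
             retryAfterMs: allowed ? 0 : entry.resetAt - now };
  };
}

// Express-style wrapper for the SPA route: 429 plus Retry-After once the budget is spent.
function spaLimiterMiddleware(limiter) {
  return (req, res, next) => {
    const r = limiter(req);
    res.setHeader('RateLimit-Limit', String(r.limit));
    res.setHeader('RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      return res.status(429).send('Too many requests');
    }
    return next();
  };
}
```

Wire it as `app.get(/^(?!\/api\/v1).*/, spaLimiterMiddleware(createLimiter(SPA_LIMIT, true)), handler)` once `trust proxy` matches the real number of hops in front of the app.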
No description provided.