Abandoned NodeJS libraries - express-redis-cache

Wappler NodeJS projects are currently using the express-redis-cache npm library for the cache system with Redis.
The project has been abandoned for nearly 5 years now, the last release being 1.1.3 on Jun 28, 2018.
As it's built on `"redis": "^2.4.2"`, SAST-based tools are picking it up as a vulnerability.

Can we have an alternate package to this in Wappler, one which is supported and updated with the latest redis or at least 3.1.2?


There seems to be a fork that is up-to-date and uses the same API. Or do you have other suggestions as a replacement?

Does ioredis not serve as an alternative @patrick?

This too is based on redis 2.4.2

Maybe https://github.com/node-cache-manager/node-cache-manager-redis-yet
Or https://github.com/dabroek/node-cache-manager-redis-store

This fork is not available any more.
Any idea how to replace this to solve a high severity vulnerability?

```
redis  2.6.0 - 3.1.0
Severity: high
Node-Redis potential exponential regex in monitor mode - https://github.com/advisories/GHSA-35q2-47q7-3pc3
fix available via `npm audit fix`
node_modules/express-redis-cache/node_modules/redis
```
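The finding above can be checked across a whole lockfile. The following is an added example, not part of the original thread and not Wappler's code: it scans the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) for `redis` copies in the reported 2.6.0 - 3.1.0 range and names the package that pulls each one in. The sample lockfile and all function names are constructed for illustration.

```javascript
// Constructed sample: a trimmed package-lock.json (lockfileVersion 3), not a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/express-redis-cache": { version: "1.1.3" },
    "node_modules/express-redis-cache/node_modules/redis": { version: "2.8.0" },
    "node_modules/redis": { version: "4.6.7" },
    "node_modules/@redis/client": { version: "1.5.8" },
  },
};

const VULN_MIN = [2, 6, 0]; // lower bound of the range in the npm audit output above
const VULN_MAX = [3, 1, 0]; // upper bound (inclusive) of that range

// Parse "x.y.z" into [x, y, z]; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Compare two [x, y, z] triples: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the version lies inside the reported vulnerable range.
function inRange(version) {
  const v = parseVersion(version);
  return v !== null && cmp(v, VULN_MIN) >= 0 && cmp(v, VULN_MAX) <= 0;
}

// Return [{path, version, parent}] for every affected redis copy in the lockfile.
function findVulnerableRedis(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const parts = path.split("node_modules/");
    if (parts[parts.length - 1] !== "redis" || !inRange(meta.version)) continue;
    // The parent is the package whose node_modules folder holds this copy.
    const parent = parts.length > 2 ? parts[parts.length - 2].replace(/\/$/, "") : "(project root)";
    hits.push({ path, version: meta.version, parent });
  }
  return hits;
}

console.log(findVulnerableRedis(sampleLock));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's `package-lock.json`.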

Next update will remove the express-redis-cache dependency and use a custom middleware for caching. Redis package will be updated to version 4.


This was solved in Wappler 5.8.0.