Dependency on vulnerable version of send package #175

@DBAKANG-GIT

Hello,

I'm using serve-static in my project and I noticed that it depends on the send package version 0.18.0, which has a known security vulnerability (see CVE-2024-43799, GHSA-m6fv-jmcg-4jfg).

The vulnerability is patched in send version 0.19.0. However, the latest version of serve-static still depends on a vulnerable version of send.

Could you please update the send dependency to a secure version to fix this vulnerability?

Thank you for your attention to this matter.

```json
"serve-static": {
  "version": "1.16.0",
  "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.0.tgz",
  "integrity": "sha512-pDLK8zwl2eKaYrs8mrPZBJua4hMplRWJ1tIFksVC3FtBEBnl8dxgeHtsaMS8DhS9i4fLObaon6ABoc4/hQGdPA==",
  "peer": true,
  "dependencies": {
    "encodeurl": "~1.0.2",
    "escape-html": "~1.0.3",
    "parseurl": "~1.3.3",
    "send": "0.18.0"
  }
}
```
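
A lockfile check for the condition reported above, as an added example that is not part of the original issue or of the serve-static project: it walks lockfile entries shaped like the excerpt and reports any that install `send` below 0.19.0 or declare a requirement that can never resolve to it. The function names and the sample entries are assumptions constructed for illustration.

```javascript
// Added example: flag lockfile entries that install or require send below 0.19.0.
const FIXED = [0, 19, 0]; // first patched send release, as stated in the issue

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function below(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// True when a declared range can never resolve to the fixed release.
// Covers exact pins and ~ / ^ ranges: on 0.x versions both stay within the
// same minor, so a base below 0.19.0 never reaches it. Other range forms
// (>=, ||, *) are not evaluated and return false.
function rangeStuckBelowFix(range) {
  const m = /^([~^]?)(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? below(parse(m[2]), FIXED) : false;
}

function auditSend(entries) {
  const findings = [];
  for (const [key, entry] of Object.entries(entries)) {
    // Accept bare names (as in the excerpt) and "node_modules/<name>" keys.
    const name = key.split('node_modules/').pop();
    const installed = parse(entry.version || '');
    if (name === 'send' && installed && below(installed, FIXED)) {
      findings.push({ package: name, version: entry.version, reason: 'installed' });
    }
    const wanted = (entry.dependencies || {}).send;
    if (typeof wanted === 'string' && rangeStuckBelowFix(wanted)) {
      findings.push({ package: name, version: entry.version, reason: `requires send ${wanted}` });
    }
  }
  return findings;
}

// Constructed sample: the first entry mirrors the excerpt in the issue,
// the other two are made up for the example.
const sample = {
  'serve-static': { version: '1.16.0', dependencies: { parseurl: '~1.3.3', send: '0.18.0' } },
  'node_modules/send': { version: '0.18.0' },
  'node_modules/example-app': { version: '2.0.0', dependencies: { send: '^0.19.0' } },
};

console.log(auditSend(sample));
```

An exact pin such as `"send": "0.18.0"` means a fresh install alone will not pick up the patched release; the parent package has to publish a new version or the consumer has to override the transitive dependency.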
