Migrate swagger-express-mw / and underlying swagger-node-runner to express-openapi
There have been a number of high and critical vulnerabilities caused by the npm package.
I myself have been hunting through ways to figure out how to solve these problems, as the package maintainers seem to have abandoned this library (there was even an NPM fork which still seems to have issues with bagpipes - see swagger-node-runner year old PR). I have created a basic guide to help others out, so that I am not just another DenverCoder9 (https://xkcd.com/979/).
npm audit and snyk scans find issues like:
See also:
- swagger-node-runner year old PR
- Support for Swagger 3.0
- Is this project dead?
- lodash version causing node vulnerability audit
You may choose to upgrade your Swagger config to be in the new format desired for OpenAPI 3.0.
Convert your Swagger 2.0 config to OpenAPI 3.0 via something like this OpenAPI converter tool.
(note: in the above I pasted in my Swagger JSON and it spat out YAML, so I had to do a post-conversion step for the new YAML back to JSON)
Install express-openapi:
npm i express-openapi
Replace server initialization code.
This is not a thorough migration guide! Please read the docs on express-openapi for full setup instructions.
If you are lucky, you can do
-let SwaggerExpress = require('swagger-express-mw');
+let {initialize} = require('express-openapi');
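Review bot: the `+` line binds `initialize` but drops the `SwaggerExpress` binding, which the `SwaggerExpress.create(swaggerConfig, ...)` call shown further down still references; replace that call with `initialize(...)` in the same change, otherwise the bootstrap file throws a ReferenceError as soon as it loads.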
Then, assuming your Swagger config is loaded somewhere in the server bootstrap file as swaggerConfig.
Replace:
SwaggerExpress.create(swaggerConfig, (err, swaggerExpress) => {
  if (err) { throw err; }
  swaggerExpress.register(app); // swagger-express-mw attaches its middleware to the Express app here
});
With:
initialize(swaggerConfig);
And adjust swaggerConfig to use the different syntax provided by express-openapi.
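A pre-flight check worth running on the converted document before handing it to express-openapi, added here as an example and not code from this thread or from express-openapi: it confirms the converter really produced an OpenAPI 3.x document (not leftover Swagger 2.0), and reports every operationId that has no handler, so a routing gap shows up at startup rather than on the first request. The handler-map shape (operationId -> function) and the sample document are assumptions for this example; check the express-openapi docs for the exact args it expects.

```javascript
// Added example, not from the issue thread or from express-openapi.
// Walks an OpenAPI 3 document and cross-checks it against a map of
// operation handlers keyed by operationId (an assumed shape).
const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

function checkApiDoc(apiDoc, operations) {
  const problems = [];
  // The converter step must leave us with an OpenAPI 3.x document.
  if (apiDoc.swagger === '2.0' || typeof apiDoc.openapi !== 'string' || !apiDoc.openapi.startsWith('3.')) {
    problems.push('document is not OpenAPI 3.x; re-run the converter');
  }
  const operationIds = [];
  for (const [route, pathItem] of Object.entries(apiDoc.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = pathItem[method];
      if (!op) continue;
      if (!op.operationId) {
        problems.push(`${method.toUpperCase()} ${route} has no operationId`);
        continue;
      }
      if (operationIds.includes(op.operationId)) {
        problems.push(`duplicate operationId "${op.operationId}" (${method.toUpperCase()} ${route})`);
      }
      operationIds.push(op.operationId);
      if (typeof operations[op.operationId] !== 'function') {
        problems.push(`no handler for operationId "${op.operationId}" (${method.toUpperCase()} ${route})`);
      }
    }
  }
  return { ok: problems.length === 0, operationIds, problems };
}

// Constructed sample: a converted document with one handled and one unhandled operation.
const sampleApiDoc = {
  openapi: '3.0.0',
  info: { title: 'sample', version: '1.0.0' },
  paths: {
    '/hello': { get: { operationId: 'hello', responses: { 200: { description: 'ok' } } } },
    '/users': { post: { operationId: 'createUser', responses: { 201: { description: 'created' } } } },
  },
};
const sampleOperations = { hello: (req, res) => res.json({ message: 'hi' }) };
```

Run the check on the real apiDoc and operations map just before the initialize call and abort startup when `ok` is false.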
Remove swagger-express-mw and re-run security tests.
npm r swagger-express-mw
npm audit
snyk test
Success.
If not, feel free to ask me questions below, but please do consult express-openapi as well.
@charuhans did you find the solution for this?