@camsjams
Last active May 1, 2022 16:21
How to upgrade a Node JS Express project using Swagger-Express

How to upgrade a Node JS Express project using Swagger

Migrate swagger-express-mw (and the underlying swagger-node-runner) to express-openapi

Intro

Why do this?

There have been a number of high and critical vulnerabilities reported against the swagger-express-mw npm package and the packages it pulls in (swagger-node-runner and its bagpipes dependency).

I myself have been hunting through ways to solve these problems, as the package maintainers seem to have abandoned this library (there was even an npm fork, which still seems to have issues with bagpipes; see the year-old PR against swagger-node-runner). I have created a basic guide to help others out, so that I am not just another DenverCoder9 (https://xkcd.com/979/).

npm audit and snyk scans find issues like:

See also:

Step Zero [optional]

You may choose to convert your Swagger 2.0 definition to the OpenAPI 3.0 format at the same time. The migration does not depend on it, so this step is optional.

Convert your Swagger 2.0 config to OpenAPI 3.0 via something like this OpenAPI converter tool.

(note: when I did this I pasted in my Swagger JSON and the converter emitted YAML, so I needed a post-conversion step to turn the new YAML back into JSON)

Step One

Install express-openapi:

npm i express-openapi

Step Two

Replace server initialization code.

This is not a thorough migration guide! Please read the docs on express-openapi for full setup instructions.

If you are lucky, you can do

-let SwaggerExpress = require('swagger-express-mw');
+let {initialize} = require('express-openapi');

Then, assuming your Swagger config is loaded somewhere in the server bootstrap file as swaggerConfig, replace:

SwaggerExpress.create(swaggerConfig, (err, swaggerExpress) => {
  if (err) { throw err; }       // invalid Swagger document or config: do not start the server
  swaggerExpress.register(app); // mounts swagger-node-runner's middleware on the express app
});

With:

initialize(swaggerConfig);

And adjust swaggerConfig to the argument shape express-openapi expects. It is not the swagger-node-runner config (appRoot, controllersDirs, swaggerSecurityHandlers): express-openapi wants an object with app (the express app object itself; without it initialize throws "args.app must be an express app"), apiDoc (your Swagger/OpenAPI document as an object), either paths (a directory of route modules) or operations (handler functions keyed by operationId), and securityHandlers. Two things to check while porting controllers: express-openapi security handlers are called as (req, scopes, definition, cb) with cb(err, allowed), not the swagger-tools (req, securityDefinition, scopesOrApiKey, callback) order, and validated parameters arrive in req.params, req.query and req.body rather than req.swagger.params.<name>.value.

Step Three

Remove swagger-express-mw and re-run the security scans. If npm audit still reports swagger-node-runner or bagpipes, another dependency is pulling them in transitively; npm ls swagger-node-runner shows which one.

npm r swagger-express-mw
npm audit
snyk test
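The two places this guide leaves to the reader are the shape of the initialize() argument in Step Two and the check that the removal in Step Three actually emptied the dependency tree. The following is an added example, not code from the gist or from express-openapi: it builds the initialize() argument from the pieces a swagger-node-runner project already has (loaded controller modules, the Swagger document, the old swaggerSecurityHandlers), adapting the old security handler signature to the new one so that a denial stays a denial, and it lists any copy of the abandoned packages still present in package-lock.json. The handler signatures follow the two libraries' READMEs; the way the API key is extracted for apiKey schemes is an assumption modelled on swagger-tools, and all sample inputs are constructed.

```javascript
'use strict';

// Added example, not code from the gist or from express-openapi: glue for handing a
// swagger-express-mw / swagger-node-runner project's controllers and security handlers
// to express-openapi's initialize() (Step Two), plus a lock-file check for Step Three.
// express and express-openapi are not required so this runs stand-alone. Handler
// signatures follow both READMEs; the apiKey extraction is an assumption modelled on
// swagger-tools, which swagger-node-runner used underneath.

const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch'];

// swagger-node-runner routed an operation to the controller module named by
// x-swagger-router-controller (path- or operation-level) and its export named by
// operationId. express-openapi takes `operations`, one flat object keyed by operationId;
// `controllers` is the modules you already require() from controllersDirs, by basename.
function buildOperations(apiDoc, controllers) {
  const operations = {};
  for (const [route, pathItem] of Object.entries(apiDoc.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = pathItem[method];
      if (!op) continue;
      const where = `${method.toUpperCase()} ${route}`;
      const ctrl = op['x-swagger-router-controller'] || pathItem['x-swagger-router-controller'];
      const id = op.operationId;
      if (!id) throw new Error(`${where}: no operationId, express-openapi cannot route it`);
      const mod = controllers[ctrl];
      if (!mod || typeof mod[id] !== 'function') throw new Error(`${where}: no handler ${ctrl}.${id}`);
      if (operations[id]) throw new Error(`${where}: duplicate operationId ${id}`); // never let a later one win silently
      operations[id] = mod[id];
    }
  }
  return operations;
}

// swagger-node-runner (via swagger-tools) called: handler(req, securityDefinition, scopesOrApiKey, callback) // callback(err)
// express-openapi calls:                          handler(req, scopes, securityDefinition, cb)               // cb(err, allowed)
// Argument order is swapped and express-openapi wants an explicit verdict. Old handlers
// signalled "denied" only by passing an error, so "no error" becomes allowed and
// everything else, including a thrown exception, becomes denied (fail closed).
function adaptSecurityHandlers(swaggerSecurityHandlers) {
  const adapted = {};
  for (const [name, legacy] of Object.entries(swaggerSecurityHandlers)) {
    adapted[name] = (req, scopes, definition, cb) => {
      let scopesOrApiKey = scopes;
      if (definition.type === 'apiKey') { // swagger-tools passed the raw key, not the scope list (assumption)
        scopesOrApiKey = definition.in === 'header'
          ? (req.headers || {})[definition.name.toLowerCase()]
          : (req.query || {})[definition.name];
      }
      let settled = false;
      const finish = (err) => {
        if (settled) return; // a handler that calls back twice must not flip the verdict
        settled = true;
        if (err) cb(err); else cb(null, true);
      };
      try { legacy(req, definition, scopesOrApiKey, finish); } catch (err) { finish(err); }
    };
  }
  return adapted;
}

// The old swaggerConfig ({appRoot, controllersDirs, swaggerSecurityHandlers}) has no
// one-to-one equivalent: express-openapi wants the express app object itself (it refuses
// to start without args.app), the API document as an object, and the handlers.
function toExpressOpenapiArgs({ app, apiDoc, controllers, swaggerSecurityHandlers = {} }) {
  if (!app) throw new Error('pass the express app object: express-openapi requires args.app');
  return {
    app,
    apiDoc,
    operations: buildOperations(apiDoc, controllers),
    securityHandlers: adaptSecurityHandlers(swaggerSecurityHandlers),
  };
}
// In the bootstrap file, in place of SwaggerExpress.create(...):
//   require('express-openapi').initialize(toExpressOpenapiArgs({ app, apiDoc: swaggerDoc, controllers, swaggerSecurityHandlers }));

// Step Three: `npm r swagger-express-mw` drops the direct dependency, but another dependency
// may still pull swagger-node-runner or bagpipes in transitively and npm audit will keep
// flagging them. List every copy left in package-lock.json (lockfileVersion 1: nested
// `dependencies`; 2 and 3: flat `packages` keyed by node_modules path).
const LEGACY_PACKAGES = ['swagger-express-mw', 'swagger-node-runner', 'bagpipes'];

function findResidualPackages(lock, names = LEGACY_PACKAGES) {
  const wanted = new Set(names);
  const found = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      const idx = p.lastIndexOf('node_modules/');
      if (idx < 0) continue; // "" is the root project; workspace entries have no node_modules/
      if (wanted.has(p.slice(idx + 'node_modules/'.length))) found.push(`${p}@${meta.version}`);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const p = `${prefix}node_modules/${name}`;
        if (wanted.has(name)) found.push(`${p}@${meta.version}`);
        walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found.sort(); // empty array means the legacy tree is really gone
}
```

Load package-lock.json with require() and pass it to findResidualPackages; anything it returns is a package that npm r did not reach, and the path tells you which dependency still requires it. The adapter deliberately treats a thrown exception in an old handler as a denial rather than letting express-openapi see no verdict at all, which is the behaviour you want from an authentication hook.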

Step Four

Success.

If not, feel free to ask me questions below, but please do consult express-openapi as well.

@charuhans

charuhans commented Jun 23, 2020

Hello,

Thank you for the post.

I changed
SwaggerExpress.create(swaggerConfig, (err, swaggerExpress) => {
  if (err) {
    console.error(`Error during SwaggerExpress.create ${err}`);
    throw err;
  }
});

to use

initialize(swaggerConfig);

I am getting the error Error: express-openapi: args.app must be an express app. Today my args look like:

const swaggerConfig = {
  appRoot: __dirname + '/..', // required config
  controllersDirs: [__dirname + '/app/controllers'],
  swaggerSecurityHandlers: swaggerSecurityHandlers
};

Do you know what would be the replacement in express-openapi?

@abeikverdi

@charuhans did you find the solution for this?
