
refactor(deps): migrate @types/express from 4.17.13 to 5.0.6 #5882

Open

digital-wizard48 wants to merge 1 commit into FlowiseAI:main from digital-wizard48:deps/upgrade--types-express-5.0.6

Conversation

@digital-wizard48

Changes

Dependency Update

  • Bumped @types/express from ^4.17.13 to ^5.0.6 in root package.json

Breaking Changes Addressed

@types/express v5 query type changes (XSS.ts)

  • In @types/express v5, Request.query values are typed as string | ParsedQs | string[] | ParsedQs[] | undefined, which is stricter than v4
  • Updated sanitizeMiddleware in packages/server/src/utils/XSS.ts to:
    • Use const val = req.query[p] to capture the value with proper typing before branching
    • Use typeof val === 'string' guard instead of a bare cast as string to satisfy the narrowed type
    • Use String(q) for array elements to safely coerce ParsedQs entries to string before sanitizing
    • Changed for (let p in ...) to for (const p in ...) as the loop variable is never reassigned

Compatibility Notes

  • Request, Response, NextFunction signatures remain structurally compatible between v4 and v5 types for the patterns used in this codebase
  • The declare global namespace Express augmentation in packages/server/src/index.ts continues to work without changes
  • Middleware callbacks (req, res, next) => void are compatible with v5's updated RequestHandler type

This PR was auto-generated by Gittensor upgrade bot using Claude AI

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on upgrading the @types/express dependency to its latest major version, 5.0.6. This upgrade necessitated adjustments to the sanitizeMiddleware function to align with the stricter type definitions for Request.query introduced in @types/express v5, ensuring continued type safety and functionality within the application's XSS protection mechanisms.

Highlights

  • Dependency Upgrade: The @types/express package has been updated from version 4.17.13 to 5.0.6 in the development dependencies.
  • Type Compatibility Adjustments: The sanitizeMiddleware function in packages/server/src/utils/XSS.ts was modified to address breaking changes in @types/express v5, specifically regarding the stricter typing of Request.query values.
  • Improved Type Safety in Query Handling: Implemented type guards (typeof val === 'string') and safe coercion (String(q)) for query parameters, and changed loop variable declaration from let to const for immutability within the sanitizeMiddleware function.
Changelog
  • package.json
    • Updated @types/express from ^4.17.13 to ^5.0.6 in devDependencies.
  • packages/server/src/utils/XSS.ts
    • Modified sanitizeMiddleware to handle the new Request.query type definition.
    • Introduced a val constant to capture query values with proper typing.
    • Replaced as string casts with typeof val === 'string' type guards for string values.
    • Used String(q) for array elements to safely convert ParsedQs entries to strings before sanitization.
    • Changed for (let p in ...) to for (const p in ...) for the loop variable.
Activity
  • This pull request was automatically generated by the Gittensor upgrade bot using Claude AI.

@gemini-code-assist gemini-code-assist Bot left a comment
Code Review

This pull request upgrades @types/express to version 5 and adapts the code to the new, stricter type definitions for req.query. However, a critical security regression was introduced in the sanitizeMiddleware. The updated logic does not correctly sanitize nested query parameters (ParsedQs), leaving the application vulnerable to Cross-Site Scripting (XSS) attacks. Specifically, nested objects are no longer sanitized, which could lead to XSS if these parameters are rendered in the UI. A suggested fix has been provided to implement proper deep sanitization of the req.query object.

Comment on lines +17 to 19
} else if (typeof val === 'string') {
req.query[p] = sanitizeHtml(val)
}

security-medium

The sanitizeMiddleware fails to sanitize nested objects in req.query, which can lead to Cross-Site Scripting (XSS) vulnerabilities. Express supports nested query parameters (e.g., ?filter[name]=<script>alert(1)</script>), but the current implementation only sanitizes strings, skipping objects due to the typeof val === 'string' check. This allows XSS payloads in nested query parameters to bypass the filter. The suggested change ensures that all non-undefined values are coerced to strings before sanitization, addressing this regression.

Suggested change
} else if (typeof val === 'string') {
req.query[p] = sanitizeHtml(val)
}
} else if (val !== undefined) {
req.query[p] = sanitizeHtml(String(val))
}
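Review bot: coercing a nested ParsedQs object with String(val) in the suggested replacement (`req.query[p] = sanitizeHtml(String(val))`) yields the literal "[object Object]", so a value like ?filter[name]=... is not sanitized but silently discarded, and any handler reading req.query.filter.name afterwards gets undefined. Recursing into object values (and into object elements of arrays) and sanitizing each leaf string keeps the parsed structure while still closing the nested-parameter gap described above.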

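As an added example, not Flowise code and not the reviewer's suggestion: the string-only guard the PR introduces, beside a structure-preserving deep sanitizer for the v5 query type. It assumes a ParsedQs type redefined inline to mirror qs (so it runs without @types/express) and an escapeHtml stand-in for the project's sanitizeHtml; the sample query is constructed.

```typescript
// Added example, not project code. ParsedQs is redefined here to mirror the qs
// shape used by @types/express v5; escapeHtml stands in for sanitizeHtml.
type ParsedQs = { [key: string]: undefined | string | string[] | ParsedQs | ParsedQs[] }
type QueryValue = ParsedQs[string]

// Stand-in sanitizer: escapes HTML metacharacters so markup cannot render.
function escapeHtml(s: string): string {
  const map: Record<string, string> = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }
  return s.replace(/[&<>"']/g, (c) => map[c] ?? c)
}

// The v5-typed guard as the PR describes it: top-level strings and array
// elements are sanitized, but a nested ParsedQs object fails the string check
// and falls through untouched. Works on a shallow copy, never on req.query.
export function sanitizeFlat(query: ParsedQs): ParsedQs {
  const out: ParsedQs = { ...query }
  for (const p in out) {
    const val = out[p]
    if (Array.isArray(val)) {
      out[p] = (val as Array<string | ParsedQs>).map((q) => escapeHtml(String(q)))
    } else if (typeof val === 'string') {
      out[p] = escapeHtml(val)
    }
  }
  return out
}

// Structure-preserving deep sanitizer: recurses through nested objects and
// arrays of objects, so ?filter[name]=... is sanitized yet still readable as
// filter.name afterwards (String(val) on an object would give "[object Object]").
export function sanitizeDeep(val: QueryValue): QueryValue {
  if (val === undefined) return undefined
  if (typeof val === 'string') return escapeHtml(val)
  if (Array.isArray(val)) {
    return (val as Array<string | ParsedQs>).map((q) => sanitizeDeep(q)) as string[] | ParsedQs[]
  }
  const out: ParsedQs = {}
  for (const k of Object.keys(val)) out[k] = sanitizeDeep(val[k])
  return out
}

// Constructed sample: what qs produces for
// ?filter[name]=<script>alert(1)</script>&tags[]=<b>x</b>&page=1
export const SAMPLE_QUERY: ParsedQs = {
  filter: { name: '<script>alert(1)</script>' },
  tags: ['<b>x</b>'],
  page: '1'
}
```

Running sanitizeFlat over SAMPLE_QUERY leaves filter.name untouched while sanitizeDeep escapes it and keeps the object shape, which is the regression the review comment points at.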