Updating to version 0.19.0 tries to install old webpack-dev-server version

[jrtsnabc]

When running npm audit fix to fix the send < 0.19.0 vulnerability, I get a message saying the fix can't be done because it will install a (very) old version of webpack-dev-server, which is a breaking change.

The latest version of webpack-dev-server is 5.1.0, and my product is on 4.15.2. To fix the send vulnerability, webpack-dev-server version 1.2.9 would be installed.

npm audit report

send <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - GHSA-m6fv-jmcg-4jfg
fix available via npm audit fix --force
Will install webpack-dev-server@1.2.9, which is a breaking change
node_modules/serve-static/node_modules/send
serve-static <=1.16.0
Depends on vulnerable versions of send
node_modules/serve-static
express 4.0.0-rc1 - 5.0.0-beta.3
Depends on vulnerable versions of serve-static
node_modules/express
webpack-dev-server >=1.3.0
Depends on vulnerable versions of express
node_modules/webpack-dev-server

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Forcing a fix installs the old version of webpack-dev-server, and creates 18 vulnerabilities, 4 of which are critical, and 12 high:

18 vulnerabilities (2 moderate, 12 high, 4 critical)

Maybe I'm missing a step?

[jrtsnabc]

I actually think this may be an issue with static-serve, and not send.

[NewEraCracker]

Solved with express 4.21.0

See: expressjs/express#5947

Caused by: expressjs/express#5943