Description
Under "Identifying and fixing issues", step 4 specifies specific versions. New versions are released continuously, so if we specify a specific version the lab will always be outdated. Instead of specifying a version, we should have the instructions tell the user to evaluate the Scout output and find the vulnerability with the highest version to address the vulnerabilities: review pkg:npm/express@4.17.1, review the CVEs, and locate the latest version under "Fixed version".
Also, the statement under 4, "The path-to-regexp library is updated to a fixed version in express version 4.21.2.", made me very confused. I do not have the experience to know which package dependencies will be resolved when installing another package, and by looking at the Scout output there is nothing to tell me that the path-to-regexp library will be fixed in version 4.21.2. So if I get confused, other users will also get confused. Instead of mentioning path-to-regexp and referring to a version which is not listed in the Scout output, just have the user read from the Scout output and run install for express on the highest version listed to address the issue.
So this is not a bug, but making sure the labs do not get outdated, relying on instructions from the output and having the user populate the versions from the output, to always stay current. This will minimize the work Docker has to do to go back and update the labs. Also, any instructions should be written so that a noob like me can understand where we get the information to remediate things. path-to-regexp being a dependency of express is not something a noob will know, and having a version listed in the instructions that is not in the Scout output makes it confusing.
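The selection rule the issue asks for (take the highest "Fixed version" listed for the package and install that) can be automated so the lab never hardcodes a version. This is an added example, not code from the lab or from Docker Scout; the findings list is constructed in a Scout-like (purl, CVE, fixed version) shape with placeholder CVE ids, and the Scout output format itself is assumed rather than parsed.

```python
"""Pick the express version that resolves every finding in a Scout-style report."""
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape of Docker Scout's per-package findings:
# (package purl, CVE id, fixed version). The CVE ids are placeholders, not
# real advisories, and the versions are illustrative only.
SAMPLE_FINDINGS: List[Tuple[str, str, str]] = [
    ("pkg:npm/express@4.17.1", "CVE-EXAMPLE-0001", "4.19.2"),
    ("pkg:npm/express@4.17.1", "CVE-EXAMPLE-0002", "4.20.0"),
    ("pkg:npm/express@4.17.1", "CVE-EXAMPLE-0003", "4.21.2"),
    ("pkg:npm/lodash@4.17.20", "CVE-EXAMPLE-0004", "4.17.21"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    # Compare numerically per component: as strings "4.9.9" > "4.21.2",
    # which would pick the wrong release.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def highest_fixed_version(findings, purl_prefix: str) -> Optional[str]:
    # The version that fixes *all* listed CVEs for the package is the maximum
    # of the per-CVE fixed versions, since each fix carries forward.
    fixed = [fv for purl, _, fv in findings if purl.startswith(purl_prefix) and fv]
    if not fixed:
        return None
    return max(fixed, key=parse_version)


def install_command(findings, package: str) -> Optional[str]:
    # Build the npm command the lab would have the user run, with the version
    # read from the findings rather than hardcoded in the instructions.
    v = highest_fixed_version(findings, f"pkg:npm/{package}@")
    return None if v is None else f"npm install {package}@{v}"


if __name__ == "__main__":
    print(install_command(SAMPLE_FINDINGS, "express"))
```

Transitive fixes (such as a dependency of express) still do not appear under the express entry itself, so the user should re-run the scan after upgrading and check the remaining findings.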