koa
Endless Lifecycle Support (ELS) for koa from TuxCare provides security fixes for koa versions that have reached their end of life. This allows you to continue running koa applications without vulnerability concerns, even after official support has ended.
Supported koa Versions
- koa 1.7.1
Connection to ELS for koa Library
This guide outlines the steps needed to integrate the TuxCare ELS for the koa library.
Step 1: Get Token
You need a token in order to use TuxCare ELS koa library. Anonymous access is disabled. To receive the token, please contact sales@tuxcare.com.
Step 2: Set Up ELS for koa
TuxCare provides ELS for koa as an NPM package, hosted on a secure internal registry. Follow the steps below to add it to your project and get started.
Navigate to the root directory of your koa project.
Create a
.npmrcfile or update it if it already exists.Example:
my-koa-project/ ├── node_modules/ ├── package.json ├── .npmrc ⚠️ ← Create it here └── package-lock.jsonUse an editor of your choice (e.g., VS Code) to add the following registry address line:
registry=https://registry.npmjs.org/ @els-js:registry=https://nexus.repo.tuxcare.com/repository/els-js/ //nexus.repo.tuxcare.com/repository/els-js/:_auth=${TOKEN}Replace ${TOKEN} with the token you received from sales@tuxcare.com.
Update your
package.jsonfile to replace your koa dependencies with the TuxCare packages. You can do this in two ways:Option 1: Manual update
Manually update your
package.jsonfile by replacing your koa dependencies with the TuxCare packages. This method gives you full control over which packages to update."dependencies": { "koa": "npm:@els-js/koa@>=1.7.1-tuxcare.1" }, "overrides": { "koa@1.7.1": "npm:@els-js/koa@>=1.7.1-tuxcare.1" }Option 2: TuxCare Patcher (Automated)
Install the Patcher globally and run it. The TuxCare Patcher automatically detects the koa version in your
package.jsonand updates yourdependenciesandoverridesto use the corresponding TuxCare@els-js/*packages.npm install -g @els-js/tuxcare-patcher --userconfig ./.npmrc tuxcare-patch-jsThe patcher will update your
package.json, for example, from:"dependencies": { "koa": "^1.7.1" }to:
"dependencies": { "koa": "npm:@els-js/koa@>=1.7.1-tuxcare.1" }, "overrides": { "koa@1.7.1": "npm:@els-js/koa@>=1.7.1-tuxcare.1" }
You need to remove the
node_modulesdirectory and thepackage-lock.jsonfile, and also clear thenpm cachebefore installing the patched packages. Use the following commands:rm -rf node_modules package-lock.json && npm cache clean --forceRun the following command to install the ELS version of the koa library (token for the TuxCare repository will be automatically picked up from your
.npmrcfile):npm install
Step 3: Verify Installation
To confirm the TuxCare koa library is set up correctly, use npm to list the project's dependencies:
npm listAfter reviewing the dependencies, run your application to ensure everything works correctly.
The npm tool should be able to identify and resolve dependencies from the TuxCare ELS for Koa repository.
Vulnerability Exploitability eXchange (VEX)
VEX is a machine-readable format that tells you if a known vulnerability is actually exploitable in your product. It reduces false positives, helps prioritize real risks.
TuxCare provides VEX for koa ELS versions: security.tuxcare.com/vex/cyclonedx/els_lang_javascript/koa/.
How to Upgrade to a Newer Version of TuxCare Packages
If you have already installed a package with a tuxcare.1 suffix and want to upgrade to a newer release (for example, tuxcare.3), remove node_modules, clear the npm cache to avoid conflicts, and then run the installation command:
rm -rf node_modules package-lock.json && npm cache clean --force
npm install
Resolved CVEs
Fixes for the following vulnerabilities are available in ELS for koa from TuxCare versions:
| CVE ID | CVE Type | Severity | Affected Libraries | Vulnerable Versions |
|---|---|---|---|---|
| CVE-2025-32379 | Direct | Medium | koa | < 2.16.1, < 3.0.0-alpha.5 |
If you are interested in the TuxCare Endless Lifecycle Support, contact sales@tuxcare.com.
