Update dependency express to v4 #4

mend-for-github-com · 2022-07-06T02:38:55Z

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	major	`^3.5.0` -> `^4.0.0`

By merging this PR, the issue #8 will be automatically resolved and closed:

Severity	CVSS Score	CVE
Critical	9.8	CVE-2019-5413
Critical	9.8	CVE-2021-44906
Critical	9.1	WS-2018-0111
High	7.5	CVE-2016-10539
High	7.5	CVE-2017-1000048
High	7.5	CVE-2017-16119
High	7.5	CVE-2017-16138
High	7.5	CVE-2022-24999
Medium	6.1	CVE-2024-29041
Medium	5.6	CVE-2020-7598
Medium	5.3	CVE-2024-47764
Medium	5.0	CVE-2024-43796
Medium	4.7	CVE-2024-9266
Medium	4.3	CVE-2017-20162
Medium	4.3	CVE-2017-20162
Medium	4.0	CVE-2024-10491
Low	3.7	CVE-2017-16137
Low	3.5	CVE-2017-20165

Release Notes

expressjs/express (express)

==========

deps: [email protected]
- Remove link renderization in html while redirecting
deps: [email protected]
- Remove link renderization in html while redirecting
deps: [email protected]
- add depth option to customize the depth level in the parser
- IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
Remove link renderization in html while using res.redirect
deps: [email protected]
- Adds support for named matching groups in the routes using a regex
- Adds backtracking protection to parameters without regexes defined
deps: encodeurl@~2.0.0
- Removes encoding of \, |, and ^ to align better with URL spec
Deprecate passing options.maxAge and options.expires to res.clearCookie
- Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

`v4.19.2`

Compare Source

==========

Improved fix for open redirect allow list bypass

`v4.19.1`

Compare Source

==========

Allow passing non-strings to res.location with new encoding handling checks

`v4.19.0`

Compare Source

==========

Prevent open redirect allow list bypass due to encodeurl
deps: [email protected]

`v4.18.3`

Compare Source

==========

Fix routing requests without method
deps: [email protected]
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: [email protected]
deps: [email protected]
- Add partitioned option

`v4.18.2`

Compare Source

===================

Fix regression routing a large stack in a single route
deps: [email protected]
- deps: [email protected]
- perf: remove unnecessary object clone
deps: [email protected]

`v4.18.1`

Compare Source

===================

Fix hanging on large stack of sync routes

`v4.18.0`

Compare Source

===================

Add "root" option to res.download
Allow options without filename in res.download
Deprecate string and non-integer arguments to res.status
Fix behavior of null/undefined as maxAge in res.cookie
Fix handling very large stacks of sync middleware
Ignore Object.prototype values in settings through app.set/app.get
Invoke default with same arguments as types in res.format
Support proper 205 responses using res.send
Use http-errors for res.format error
deps: [email protected]
- Fix error message for json parse whitespace in strict
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Add priority option
- Fix expires option to reject invalid dates
deps: [email protected]
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: [email protected]
- Remove set content headers that break response
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Prevent loss of async hooks context
deps: [email protected]
deps: [email protected]
- Fix emitted 416 error missing headers property
- Limit the headers removed for 304 response
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Remove code 306
- Rename 425 Unordered Collection to standard 425 Too Early

`v4.17.3`

Compare Source

===================

deps: accepts@~1.3.8
- deps: mime-types@~2.1.34
- deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
deps: [email protected]
- Fix handling of __proto__ keys
pref: remove unnecessary regexp for trust proxy

`v4.17.2`

Compare Source

===================

Fix handling of undefined in res.jsonp
Fix handling of undefined when "json escape" is enabled
Fix incorrect middleware execution with unanchored RegExps
Fix res.jsonp(obj, status) deprecation message
Fix typo in res.is JSDoc
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.18
deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Fix maxAge option to reject invalid values
deps: proxy-addr@~2.0.7
- Use req.socket over deprecated req.connection
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- pref: ignore empty http tokens
deps: [email protected]
- deps: [email protected]
deps: [email protected]

`v4.17.1`

Compare Source

===================

Revert "Improve error message for null/undefined to res.status"

`v4.17.0`

Compare Source

===================

Add express.raw to parse bodies into Buffer
Add express.text to parse bodies into string
Improve error message for non-strings to res.sendFile
Improve error message for null/undefined to res.status
Support multiple hosts in X-Forwarded-Host
deps: accepts@~1.3.7
deps: [email protected]
- Add encoding MIK
- Add petabyte (pb) support
- Fix parsing array brackets after index
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.17
deps: [email protected]
deps: [email protected]
- Add SameSite=None support
deps: finalhandler@~1.1.2
- Set stricter Content-Security-Policy header
- deps: parseurl@~1.3.3
- deps: statuses@~1.5.0
deps: parseurl@~1.3.3
deps: proxy-addr@~2.0.5
- deps: [email protected]
deps: [email protected]
- Fix parsing array brackets after index
deps: range-parser@~1.2.1
deps: [email protected]
- Set stricter CSP header in redirect & error responses
- deps: http-errors@~1.7.2
- deps: [email protected]
- deps: [email protected]
- deps: range-parser@~1.2.1
- deps: statuses@~1.5.0
- perf: remove redundant path.normalize call
deps: [email protected]
- Set stricter CSP header in redirect response
- deps: parseurl@~1.3.3
- deps: [email protected]
deps: [email protected]
deps: statuses@~1.5.0
- Add 103 Early Hints
deps: type-is@~1.6.18
- deps: mime-types@~2.1.24
- perf: prevent internal throw on invalid type

`v4.16.4`

Compare Source

===================

Fix issue where "Request aborted" may be logged in res.sendfile
Fix JSDoc for Router constructor
deps: [email protected]
- Fix deprecation warnings on Node.js 10+
- Fix stack trace for strict json parse error
- deps: depd@~1.1.2
- deps: http-errors@~1.6.3
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.16
deps: proxy-addr@~2.0.4
- deps: [email protected]
deps: [email protected]
deps: [email protected]

`v4.16.3`

Compare Source

===================

deps: accepts@~1.3.5
- deps: mime-types@~2.1.18
deps: depd@~1.1.2
- perf: remove argument reassignment
deps: encodeurl@~1.0.2
- Fix encoding % as last character
deps: [email protected]
- Fix 404 output for bad / missing pathnames
- deps: encodeurl@~1.0.2
- deps: statuses@~1.4.0
deps: proxy-addr@~2.0.3
- deps: [email protected]
deps: [email protected]
- Fix incorrect end tag in default error & redirects
- deps: depd@~1.1.2
- deps: encodeurl@~1.0.2
- deps: statuses@~1.4.0
deps: [email protected]
- Fix incorrect end tag in redirects
- deps: encodeurl@~1.0.2
- deps: [email protected]
deps: statuses@~1.4.0
deps: type-is@~1.6.16
- deps: mime-types@~2.1.18

`v4.16.2`

Compare Source

===================

Fix TypeError in res.send when given Buffer and ETag header set
perf: skip parsing of entire X-Forwarded-Proto header

`v4.16.1`

Compare Source

===================

deps: [email protected]
deps: [email protected]
- Fix regression when root is incorrectly set to a file
- deps: [email protected]

`v4.16.0`

Compare Source

===================

Add "json escape" setting for res.json and res.jsonp
Add express.json and express.urlencoded to parse bodies
Add options argument to res.download
Improve error message when autoloading invalid view engine
Improve error messages when non-function provided as middleware
Skip Buffer encoding when not generating ETag for small response
Use safe-buffer for improved Buffer API
deps: accepts@~1.3.4
- deps: mime-types@~2.1.16
deps: content-type@~1.0.4
- perf: remove argument reassignment
- perf: skip parameter parsing when no parameters
deps: etag@~1.8.1
- perf: replace regular expression with substring
deps: [email protected]
- Use res.headersSent when available
deps: parseurl@~1.3.2
- perf: reduce overhead for full URLs
- perf: unroll the "fast-path" RegExp
deps: proxy-addr@~2.0.2
- Fix trimming leading / trailing OWS in X-Forwarded-For
- deps: forwarded@~0.1.2
- deps: [email protected]
- perf: reduce overhead when no X-Forwarded-For header
deps: [email protected]
- Fix parsing & compacting very deep objects
deps: [email protected]
- Add 70 new types for file extensions
- Add immutable option
- Fix missing </html> in default error & redirects
- Set charset as "UTF-8" for .js and .json
- Use instance methods on steam to check for listeners
- deps: [email protected]
- perf: improve path validation speed
deps: [email protected]
- Add 70 new types for file extensions
- Add immutable option
- Set charset as "UTF-8" for .js and .json
- deps: [email protected]
deps: [email protected]
deps: [email protected]
deps: vary@~1.1.2
- perf: improve header token parsing speed
perf: re-use options object when generating ETags
perf: remove dead .charset set in res.jsonp

`v4.15.5`

Compare Source

===================

deps: [email protected]
deps: finalhandler@~1.0.6
- deps: [email protected]
- deps: parseurl@~1.3.2
deps: [email protected]
- Fix handling of modified headers with invalid dates
- perf: improve ETag match loop
- perf: improve If-None-Match token parsing
deps: [email protected]
- Fix handling of modified headers with invalid dates
- deps: [email protected]
- deps: etag@~1.8.1
- deps: [email protected]
- perf: improve If-Match token parsing
deps: [email protected]
- deps: parseurl@~1.3.2
- deps: [email protected]
- perf: improve slash collapsing

`v4.15.4`

Compare Source

===================

deps: [email protected]
deps: depd@~1.1.1
- Remove unnecessary Buffer loading
deps: finalhandler@~1.0.4
- deps: [email protected]
deps: proxy-addr@~1.1.5
- Fix array argument being altered
- deps: [email protected]
deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: depd@~1.1.1
- deps: http-errors@~1.6.2
deps: [email protected]
- deps: [email protected]

`v4.15.3`

Compare Source

===================

Fix error when res.set cannot add charset to Content-Type
deps: [email protected]
- Fix DEBUG_MAX_ARRAY_LENGTH
- deps: [email protected]
deps: finalhandler@~1.0.3
- Fix missing </html> in HTML document
- deps: [email protected]
deps: proxy-addr@~1.1.4
- deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- deps: [email protected]
deps: type-is@~1.6.15
- deps: mime-types@~2.1.15
deps: vary@~1.1.1
- perf: hoist regular expression

`v4.15.2`

Compare Source

===================

deps: [email protected]
- Fix regression parsing keys starting with [

`v4.15.1`

Compare Source

===================

deps: [email protected]
- Fix issue when Date.parse does not return NaN on invalid date
- Fix strict violation in broken environments
deps: [email protected]
- Fix issue when Date.parse does not return NaN on invalid date
- deps: [email protected]

`v4.15.0`

Compare Source

===================

Add debug message when loading view engine
Add next("router") to exit from router
Fix case where router.use skipped requests routes did not
Remove usage of res._headers private field
- Improves compatibility with Node.js 8 nightly
Skip routing when req.url is not set
Use %o in path debug to tell types apart
Use Object.create to setup request & response prototypes
Use setprototypeof module to replace __proto__ setting
Use statuses instead of http module for status messages
deps: [email protected]
- Allow colors in workers
- Deprecated DEBUG_FD environment variable set to 3 or higher
- Fix error when running under React Native
- Use same color for same namespace
- deps: [email protected]
deps: etag@~1.8.0
- Use SHA1 instead of MD5 for ETag hashing
- Works with FIPS 140-2 OpenSSL configuration
deps: finalhandler@~1.0.0
- Fix exception when err cannot be converted to a string
- Fully URL-encode the pathname in the 404
- Only include the pathname in the 404 message
- Send complete HTML document
- Set Content-Security-Policy: default-src 'self' header
- deps: [email protected]
deps: [email protected]
- Fix false detection of no-cache request directive
- Fix incorrect result when If-None-Match has both * and ETags
- Fix weak ETag matching to match spec
- perf: delay reading header values until needed
- perf: enable strict mode
- perf: hoist regular expressions
- perf: remove duplicate conditional
- perf: remove unnecessary boolean coercions
- perf: skip checking modified time if ETag check failed
- perf: skip parsing If-None-Match when no ETag header
- perf: use Date.parse instead of new Date
deps: [email protected]
- Fix array parsing from skipping empty values
- Fix compacting nested arrays
deps: [email protected]
- Fix false detection of no-cache request directive
- Fix incorrect result when If-None-Match has both * and ETags
- Fix weak ETag matching to match spec
- Remove usage of res._headers private field
- Support If-Match and If-Unmodified-Since headers
- Use res.getHeaderNames() when available
- Use res.headersSent when available
- deps: [email protected]
- deps: etag@~1.8.0
- deps: [email protected]
- deps: http-errors@~1.6.1
deps: [email protected]
- Fix false detection of no-cache request directive
- Fix incorrect result when If-None-Match has both * and ETags
- Fix weak ETag matching to match spec
- Remove usage of res._headers private field
- Send complete HTML document in redirect response
- Set default CSP header in redirect response
- Support If-Match and If-Unmodified-Since headers
- Use res.getHeaderNames() when available
- Use res.headersSent when available
- deps: [email protected]
perf: add fast match path for * route
perf: improve req.ips performance

`v4.14.1`

Compare Source

===================

deps: [email protected]
deps: [email protected]
- Fix exception when err.headers is not an object
- deps: statuses@~1.3.1
- perf: hoist regular expressions
- perf: remove duplicate validation path
deps: proxy-addr@~1.1.3
- deps: [email protected]
deps: [email protected]
- deps: http-errors@~1.5.1
- deps: [email protected]
- deps: statuses@~1.3.1
deps: serve-static@~1.11.2
- deps: [email protected]
deps: type-is@~1.6.14
- deps: mime-types@~2.1.13

`v4.14.0`

Compare Source

===================

Add acceptRanges option to res.sendFile/res.sendfile
Add cacheControl option to res.sendFile/res.sendfile
Add options argument to req.range
- Includes the combine option
Encode URL in res.location/res.redirect if not already encoded
Fix some redirect handling in res.sendFile/res.sendfile
Fix Windows absolute path check using forward slashes
Improve error with invalid arguments to req.get()
Improve performance for res.json/res.jsonp in most cases
Improve Range header handling in res.sendFile/res.sendfile
deps: accepts@~1.3.3
- Fix including type extensions in parameters in Accept parsing
- Fix parsing Accept parameters with quoted equals
- Fix parsing Accept parameters with quoted semicolons
- Many performance improvements
- deps: mime-types@~2.1.11
- deps: [email protected]
deps: content-type@~1.0.2
- perf: enable strict mode
deps: [email protected]
- Add sameSite option
- Fix cookie Max-Age to never be a floating point number
- Improve error message when encode is not a function
- Improve error message when expires is not a Date
- Throw better error for invalid argument to parse
- Throw on invalid values provided to serialize
- perf: enable strict mode
- perf: hoist regular expression
- perf: use for loop in parse
- perf: use string concatenation for serialization
deps: [email protected]
- Change invalid or non-numeric status code to 500
- Overwrite status message to match set status code
- Prefer err.statusCode if err.status is invalid
- Set response headers from err.headers object
- Use statuses instead of http module for status messages
deps: proxy-addr@~1.1.2
- Fix accepting various invalid netmasks
- Fix IPv6-mapped IPv4 validation edge cases
- IPv4 netmasks must be contiguous
- IPv6 addresses cannot be used as a netmask
- deps: [email protected]
deps: [email protected]
- Add decoder option in parse function
deps: range-parser@~1.2.0
- Add combine option to combine overlapping ranges
- Fix incorrectly returning -1 when there is at least one valid range
- perf: remove internal function
deps: [email protected]
- Add acceptRanges option
- Add cacheControl option
- Attempt to combine multiple ranges into single range
- Correctly inherit from Stream class
- Fix Content-Range header in 416 responses when using start/end options
- Fix Content-Range header missing from default 416 responses
- Fix redirect error when path contains raw non-URL characters
- Fix redirect when path starts with multiple forward slashes
- Ignore non-byte Range headers
- deps: http-errors@~1.5.0
- deps: range-parser@~1.2.0
- deps: statuses@~1.3.0
- perf: remove argument reassignment
deps: serve-static@~1.11.1
- Add acceptRanges option
- Add cacheControl option
- Attempt to combine multiple ranges into single range
- Fix redirect error when req.url contains raw non-URL characters
- Ignore non-byte Range headers
- Use status code 301 for redirects
- deps: [email protected]
deps: type-is@~1.6.13
- Fix type error when given invalid type to match against
- deps: mime-types@~2.1.11
deps: vary@~1.1.0
- Only accept valid field names in the field argument
perf: use strict equality when possible

`v4.13.4`

Compare Source

===================

deps: [email protected]
- perf: enable strict mode
deps: [email protected]
- Throw on invalid values provided to serialize
deps: depd@~1.1.0
- Support web browser loading
- perf: enable strict mode
deps: escape-html@~1.0.3
- perf: enable strict mode
- perf: optimize string replacement
- perf: use faster string coercion
deps: [email protected]
- deps: escape-html@~1.0.3
deps: [email protected]
- perf: enable strict mode
deps: methods@~1.1.2
- perf: enable strict mode
deps: parseurl@~1.3.1
- perf: enable strict mode
deps: proxy-addr@~1.0.10
- deps: [email protected]
- perf: enable strict mode
deps: range-parser@~1.0.3
- perf: enable strict mode
deps: [email protected]
- deps: depd@~1.1.0
- deps: destroy@~1.0.4
- deps: escape-html@~1.0.3
- deps: range-parser@~1.0.3
deps: serve-static@~1.10.2
- deps: escape-html@~1.0.3
- deps: parseurl@~1.3.0
- deps: [email protected]

`v4.13.3`

Compare Source

===================

Fix infinite loop condition using mergeParams: true
Fix inner numeric indices incorrectly altering parent req.params

`v4.13.2`

Compare Source

===================

deps: accepts@~1.2.12
- deps: mime-types@~2.1.4
deps: [email protected]
- perf: enable strict mode
deps: [email protected]
- Fix regression with escaped round brackets and matching groups
deps: type-is@~1.6.6
- deps: mime-types@~2.1.4

`v4.13.1`

Compare Source

===================

deps: accepts@~1.2.10
- deps: mime-types@~2.1.2
deps: [email protected]
- Fix dropping parameters like hasOwnProperty
- Fix various parsing edge cases
deps: type-is@~1.6.4
- deps: mime-types@~2.1.2
- perf: enable strict mode
- perf: remove argument reassignment

`v4.13.0`

Compare Source

===================

Add settings to debug output
Fix res.format error when only default provided
Fix issue where next('route') in app.param would incorrectly skip values
Fix hiding platform issues with decodeURIComponent
- Only URIErrors are a 400
Fix using * before params in routes
Fix using capture groups before params in routes
Simplify res.cookie to call res.append
Use array-flatten module for flattening arrays
deps: accepts@~1.2.9
- deps: mime-types@~2.1.1
- perf: avoid argument reassignment & argument slice
- perf: avoid negotiator recursive construction
- perf: enable strict mode
- perf: remove unnecessary bitwise operator
deps: [email protected]
- perf: deduce the scope of try-catch deopt
- perf: remove argument reassignments
deps: [email protected]
deps: etag@~1.7.0
- Always include entity length in ETags for hash length extensions
- Generate non-Stats ETags using MD5 only (no longer CRC32)
- Improve stat performance by removing hashing
- Improve support for JXcore
- Remove base64 padding in ETags to shorten
- Support "fake" stats objects in environments without fs
- Use MD5 instead of MD4 in weak ETags over 1KB
deps: [email protected]
- Fix a false-positive when unpiping in Node.js 0.8
- Support statusCode property on Error objects
- Use unpipe module for unpiping requests
- deps: [email protected]
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove argument reassignment
deps: [email protected]
- Add weak ETag matching support
deps: on-finished@~2.3.0
- Add defined behavior for HTTP CONNECT requests
- Add defined behavior for HTTP Upgrade requests
- deps: [email protected]
deps: [email protected]
deps: [email protected]
- Allow Node.js HTTP server to set Date response header
- Fix incorrectly removing Content-Location on 304 response
- Improve the default redirect response headers
- Send appropriate headers on default error response
- Use http-errors for standard emitted errors
- Use statuses instead of http module for status messages
- deps: [email protected]
- deps: etag@~1.7.0
- deps: [email protected]
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove unnecessary array allocations
deps: serve-static@~1.10.0
- Add fallthrough option
- Fix reading options from options prototype
- Improve the default redirect response headers
- Malformed URLs now next() instead of 400
- deps: [email protected]
- deps: [email protected]
- perf: enable strict mode
- perf: remove argument reassignment
deps: type-is@~1.6.3
- deps: mime-types@~2.1.1
- perf: reduce try block size
- perf: remove bitwise operations
perf: enable strict mode
perf: isolate app.render try block
perf: remove argument reassignments in application
perf: remove argument reassignments in request prototype
perf: remove argument reassignments in response prototype
perf: remove argument reassignments in routing
perf: remove argument reassignments in View
perf: skip attempting to decode zero length string
perf: use saved reference to http.STATUS_CODES

`v4.12.4`

Compare Source

===================

deps: accepts@~1.2.7
- deps: mime-types@~2.0.11
- deps: [email protected]
deps: debug@~2.2.0
- deps: [email protected]
deps: depd@~1.0.1
deps: etag@~1.6.0
- Improve support for JXcore
- Support "fake" stats objects in environments without fs
deps: [email protected]
- deps: debug@~2.2.0
- deps: on-finished@~2.2.1
deps: on-finished@~2.2.1
- Fix isFinished(req) when data buffered
deps: proxy-addr@~1.0.8
- deps: [email protected]
deps: [email protected]

Fix allowing parameters like constructor

deps: [email protected]
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: etag@~1.6.0
- deps: [email protected]
- deps: on-finished@~2.2.1
deps: serve-static@~1.9.3
- deps: [email protected]
deps: type-is@~1.6.2
- deps: mime-types@~2.0.11

`v4.12.3`

Compare Source

===================

deps: accepts@~1.2.5
- deps: mime-types@~2.0.10
deps: debug@~2.1.3
- Fix high intensity foreground color for bold
- deps: [email protected]
deps: [email protected]
- deps: debug@~2.1.3
deps: proxy-addr@~1.0.7
- deps: [email protected]
deps: [email protected]
- Fix error when parameter hasOwnProperty is present
deps: [email protected]
- Throw errors early for invalid extensions or index options
- deps: debug@~2.1.3
deps: serve-static@~1.9.2
- deps: [email protected]
deps: type-is@~1.6.1
- deps: mime-types@~2.0.10

`v4.12.2`

Compare Source

===================

Fix regression where "Request aborted" is logged using res.sendFile

`v4.12.1`

Compare Source

===================

Fix constructing application with non-configurable prototype properties
Fix ECONNRESET errors from res.sendFile usage
Fix req.host when using "trust proxy" hops count
Fix req.protocol/req.secure when using "trust proxy" hops count
Fix wrong code on aborted connections from res.sendFile
deps: [email protected]

`v4.12.0`

Compare Source

===================

Fix "trust proxy" setting to inherit when app is mounted
Generate ETags for all request responses
- No longer restricted to only responses for GET and HEAD requests
Use content-type to parse Content-Type headers
deps: accepts@~1.2.4
- Fix preference sorting to be stable for long acceptable lists
- deps: mime-types@~2.0.9
- deps: [email protected]
deps: [email protected]
deps: [email protected]
- Always read the stat size from the file
- Fix mutating passed-in options
- deps: [email protected]
deps: serve-static@~1.9.1
- deps: [email protected]
deps: type-is@~1.6.0
- fix argument reassignment
- fix false-positives in hasBody Transfer-Encoding check
- support wildcard for both type and subtype (*/*)
- deps: mime-types@~2.0.9

`v4.11.2`

Compare Source

===================

Fix res.redirect double-calling res.end for HEAD requests
deps: accepts@~1.2.3
- deps: mime-types@~2.0.8
deps: proxy-addr@~1.0.6
- deps: [email protected]
deps: type-is@~1.5.6
- deps: mime-types@~2.0.8

`v4.11.1`

Compare Source

===================

deps: [email protected]
- Fix root path disclosure
deps: serve-static@~1.8.1
- Fix redirect loop in Node.js 0.11.14
- Fix root path disclosure
- deps: [email protected]

`v4.11.0`

Compare Source

===================

Add res.append(field, val) to append headers
Deprecate leading : in name for app.param(name, fn)
Deprecate req.param() -- use req.params, req.body, or req.query instead
Deprecate app.param(fn)
Fix OPTIONS responses to include the HEAD method properly
Fix res.sendFile not always detecting aborted connection
Match routes iteratively to prevent stack overflows
deps: accepts@~1.2.2
- deps: mime-types@~2.0.7
- deps: [email protected]
deps: [email protected]
- deps: debug@~2.1.1
- deps: etag@~1.5.1
- deps: [email protected]
- deps: on-finished@~2.2.0
deps: serve-static@~1.8.0
- deps: [email protected]

`v4.10.8`

Compare Source

===================

Fix crash from error within OPTIONS response handler
deps: proxy-addr@~1.0.5
- deps: [email protected]

`v4.10.7`

Compare Source

===================

Fix Allow header for OPTIONS to not contain duplicate methods
Fix incorrect "Request aborted" for res.sendFile when HEAD or 304
deps: debug@~2.1.1
deps: [email protected]
- deps: debug@~2.1.1
- deps: on-finished@~2.2.0
deps: methods@~1.1.1
deps: on-finished@~2.2.0
deps: serve-static@~1.7.2
- Fix potential open redirect when mounted at root
deps: type-is@~1.5.5
- deps: mime-types@~2.0.7

`v4.10.6`

Compare Source

===================

Fix exception in req.fresh/req.stale without response headers

`v4.10.5`

Compare Source

===================

Fix res.send double-calling res.end for HEAD requests
deps: accepts@~1.1.4
- deps: mime-types@~2.0.4
deps: type-is@~1.5.4
- deps: mime-types@~2.0.4

`v4.10.4`

Compare Source

===================

Fix res.sendfile logging standard write errors

`v4.10.3`

Compare Source

===================

Fix res.sendFile logging standard write errors
deps: etag@~1.5.1
deps: proxy-addr@~1.0.4
- deps: [email protected]
deps: [email protected]
- Fix arrayLimit behavior

`v4.10.2`

Compare Source

===================

Correctly invoke async router callback asynchronously
deps: accepts@~1.1.3
- deps: mime-types@~2.0.3
deps: type-is@~1.5.3
- deps: mime-types@~2.0.3

`v4.10.1`

Compare Source

===================

Fix handling of URLs containing :// in the path
deps: [email protected]
- Fix parsing of mixed objects and values

`v4.10.0`

Compare Source

===================

Add support for app.set('views', array)
- Views are looked up in sequence in array of directories
Fix res.send(status) to mention res.sendStatus(status)
Fix handling of invalid empty URLs
Use content-disposition module for res.attachment/res.download
- Sends standards-compliant Content-Disposition header
- Full Unicode support
Use path.resolve in view lookup
deps: debug@~2.1.0
- Implement DEBUG_FD env variable support
deps: depd@~1.0.0
deps: etag@~1.5.0
- Improve string performance
- Slightly improve speed for weak ETags over 1KB
deps: [email protected]
- Terminate in progress response only on error
- Use on-finished to determine request status
- deps: debug@~2.1.0
- deps: on-finished@~2.1.1
deps: on-finished@~2.1.1
- Fix handling of pipelined requests
deps: [email protected]
- Fix parsing of mixed implicit and explicit arrays
deps: [email protected]
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: etag@~1.5.0
- deps: on-finished@~2.1.1
deps: serve-static@~1.7.1
- deps: [email protected]

`v4.9.8`

Compare Source

==================

Fix res.redirect body when redirect status specified
deps: accepts@~1.1.2
- Fix error when media type has invalid parameter
- deps: [email protected]

`v4.9.7`

Compare Source

==================

Fix using same param name in array of paths

`v4.9.6`

Compare Source

==================

deps: accepts@~1.1.1
- deps: mime-types@~2.0.2
- deps: [email protected]
deps: serve-static@~1.6.4
- Fix redirect loop when index file serving disabled
deps: type-is@~1.5.2
- deps: mime-types@~2.0.2

`v4.9.5`

Compare Source

==================

deps: etag@~1.4.0
deps: proxy-addr@~1.0.3
- Use forwarded npm module
deps: [email protected]
- deps: etag@~1.4.0
deps: serve-static@~1.6.3
- deps: [email protected]

`v4.9.4`

Compare Source

==================

deps: [email protected]
- Fix issue with object keys starting with numbers truncated

`v4.9.3`

Compare Source

==================

deps: proxy-addr@~1.0.2
- Fix a global leak when multiple subnets are trusted
- deps: [email protected]

`v4.9.2`

Compare Source

==================

Fix regression for empty string path in app.use
Fix router.use to accept array of middleware without path
Improve error message for bad app.use arguments

`v4.9.1`

Compare Source

==================

Fix app.use to accept array of middleware without path
deps: [email protected]
deps: etag@~1.3.1
deps: [email protected]
- deps: [email protected]
- deps: etag@~1.3.1
- deps: range-parser@~1.0.2
deps: serve-static@~1.6.2
- deps: [email protected]

`v4.9.0`

Compare Source

==================

Add res.sendStatus
Invoke callback for sendfile when client aborts
- Applies to res.sendFile, res.sendfile, and res.download
- err will be populated with request aborted error
Support IP address host in req.subdomains
Use etag to generate ETag headers
deps: accepts@~1.1.0
- update mime-types
deps: [email protected]
deps: debug@~2.0.0
deps: [email protected]
- Set X-Content-Type-Options: nosniff header
- deps: debug@~2.0.0
deps: [email protected]
deps: [email protected]
- Throw error when parameter format invalid on parse
deps: [email protected]
- Fix issue where first empty value in array is discarded
deps: range-parser@~1.0.2
deps: [email protected]
- Add lastModified option
- Use etag to generate ETag header
- deps: debug@~2.0.0
- deps: [email protected]
deps: serve-static@~1.6.1
- Add lastModified option
- deps: [email protected]
deps: type-is@~1.5.1
- fix hasbody to be true for content-length: 0
- deps: [email protected]
- deps: mime-types@~2.0.1
deps: vary@~1.0.0
- Accept valid Vary header string as field

`v4.8.8`

Compare Source

==================

deps: [email protected]
- Fix a path traversal issue when using root
- Fix malicious path detection for empty string path
deps: serve-static@~1.5.4
- deps: [email protected]

`v4.8.7`

Compare Source

==================

deps: [email protected]
- Remove unnecessary cloning

`v4.8.6`

Compare Source

==================

deps: [email protected]
- Array parsing fix
- Performance improvements

`v4.8.5`

Compare Source

==================

deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: serve-static@~1.5.3
- deps: [email protected]

`v4.8.4`

Compare Source

==================

deps: [email protected]
deps: [email protected]
- Work around fd leak in Node.js 0.10 for fs.ReadStream
deps: serve-static@~1.5.2
- deps: [email protected]

`v4.8.3`

Compare Source

==================

deps: parseurl@~1.3.0
deps: [email protected]
deps: serve-static@~1.5.1
- Fix parsing of weird req.originalUrl values
- deps: parseurl@~1.3.0
- deps: [email protected]

`v4.8.2`

Compare Source

==================

deps: [email protected]
- Fix parsing array of objects

`v4.8.1`

Compare Source

==================

fix incorrect deprecation warnings on res.download
deps: [email protected]
- Accept urlencoded square brackets
- Accept empty values in implicit array notation

`v4.8.0`

Compare Source

==================

add res.sendFile
- accepts a file system path instead of a URL
- requires an absolute path or root option specified
deprecate res.sendfile -- use res.sendFile instead
support mounted app as any argument to app.use()
deps: [email protected]
- Complete rewrite
- Limits array length to 20
- Limits object depth to 5
- Limits parameters to 1,000
deps: [email protected]
- Add extensions option
deps: serve-static@~1.5.0
- Add extensions option
- deps: [email protected]

`v4.7.4`

Compare Source

==================

fix res.sendfile regression for serving directory index files
deps: [email protected]
- Fix incorrect 403 on Windows and Node.js 0.11
- Fix serving index files without root dir
deps: serve-static@~1.4.4
- deps: [email protected]

`v4.7.3`

Compare Source

==================

deps: [email protected]
- Fix incorrect 403 on Windows and Node.js 0.11
deps: serve-static@~1.4.3
- Fix incorrect 403 on Windows and Node.js 0.11
- deps: [email protected]

`v4.7.2`

Compare Source

==================

deps: [email protected]
- Work-around v8 generating empty stack traces
deps: [email protected]
- deps: [email protected]
deps: serve-static@~1.4.2

`v4.7.1`

Compare Source

==================

deps: [email protected]
- Fix exception when global Error.stackTraceLimit is too low
deps: [email protected]
- deps: [email protected]
deps: serve-static@~1.4.1

`v4.7.0`

Compare Source

==================

fix req.protocol for proxy-direct connections
configurable query parser with app.set('query parser', parser)
- app.set('query parser', 'extended') parse with "qs" module
- app.set('query parser', 'simple') parse with "querystring" core module
- app.set('query parser', false) disable query string parsing
- app.set('query parser', true) enable simple parsing
deprecate res.json(status, obj) -- use res.status(status).json(obj) instead
deprecate res.jsonp(status, obj) -- use res.status(status).jsonp(obj) instead
deprecate res.send(status, body) -- use res.status(status).send(body) instead
deps: [email protected]
deps: [email protected]
- Add TRACE_DEPRECATION environment variable
- Remove non-standard grey color from color output
- Support --no-deprecation argument
- Support --trace-deprecation argument
deps: [email protected]
- Respond after request fully read
- deps: [email protected]
deps: parseurl@~1.2.0
- Cache URLs based on original value
- Remove no-longer-needed URL mis-parse work-around
- Simplify the "fast-path" RegExp
deps: [email protected]
- Add `dotf

mend-for-github-com bot added the security fix Security fix generated by Mend label Jul 6, 2022

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x branch from b3a7da3 to 8ad7784 Compare November 20, 2022 20:40

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x branch from 8ad7784 to 7f42a52 Compare November 29, 2022 07:09

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x branch 2 times, most recently from cd373b2 to 3f6c82c Compare December 28, 2022 07:35

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x branch from 3f6c82c to c7a557e Compare March 9, 2023 04:44

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x branch from c7a557e to 63aeb7c Compare March 18, 2023 09:02

mend-for-github-com bot changed the title ~~Update dependency express to v4~~ Update dependency express to v4 - autoclosed Mar 27, 2023

mend-for-github-com bot closed this Mar 27, 2023

mend-for-github-com bot deleted the whitesource-remediate/express-4.x branch March 27, 2023 19:25

mend-for-github-com bot changed the title ~~Update dependency express to v4 - autoclosed~~ Update dependency express to v4 Mar 31, 2023

mend-for-github-com bot reopened this Mar 31, 2023

mend-for-github-com bot restored the whitesource-remediate/express-4.x branch March 31, 2023 05:49

mend-for-github-com bot changed the title ~~Update dependency express to v4~~ Update dependency express to v4 - autoclosed Jun 15, 2023

mend-for-github-com bot closed this Jun 15, 2023

mend-for-github-com bot deleted the whitesource-remediate/express-4.x branch June 15, 2023 05:21

mend-for-github-com bot changed the title ~~Update dependency express to v4 - autoclosed~~ Update dependency express to v4 Jun 18, 2023

mend-for-github-com bot reopened this Jun 18, 2023

mend-for-github-com bot restored the whitesource-remediate/express-4.x branch June 18, 2023 18:54

Update dependency express to v4

e5bfba8

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x branch from 63aeb7c to e5bfba8 Compare June 18, 2023 18:57

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency express to v4 #4

Update dependency express to v4 #4

mend-for-github-com bot commented Jul 6, 2022 •

edited

Loading

Update dependency express to v4 #4

Are you sure you want to change the base?

Update dependency express to v4 #4

Conversation

mend-for-github-com bot commented Jul 6, 2022 • edited Loading

Release Notes

What's Changed

What's Changed

What's Changed

New Contributors

mend-for-github-com bot commented Jul 6, 2022 •

edited

Loading