Update dependency express to v4.20.0 [SECURITY] #312

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-express-vulnerability

renovate bot commented Mar 30, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
express (source)	`4.9.7` → `4.20.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-29041

Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.

The main method impacted is res.location() but this is also called from within res.redirect().

Patches

expressjs/express@0867302
expressjs/express@0b74695

An initial fix went out with express@4.19.0, we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.

Workarounds

The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.

Resources

https://github.com/expressjs/express/pull/5539
https://github.com/koajs/koa/issues/1800
https://expressjs.com/en/4x/api.html#res.location

CVE-2024-43796

Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code

Patches

this issue is patched in express 4.20.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Release Notes

expressjs/express (express)

`v4.20.0`

==========

deps: serve-static@0.16.0
- Remove link renderization in html while redirecting
deps: send@0.19.0
- Remove link renderization in html while redirecting
deps: body-parser@0.6.0
- add depth option to customize the depth level in the parser
- IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
Remove link renderization in html while using res.redirect
deps: path-to-regexp@0.1.10
- Adds support for named matching groups in the routes using a regex
- Adds backtracking protection to parameters without regexes defined
deps: encodeurl@~2.0.0
- Removes encoding of \, |, and ^ to align better with URL spec
Deprecate passing options.maxAge and options.expires to res.clearCookie
- Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

`v4.19.2`

==========

Improved fix for open redirect allow list bypass

`v4.19.1`

==========

Allow passing non-strings to res.location with new encoding handling checks

`v4.19.0`

==========

Prevent open redirect allow list bypass due to encodeurl
deps: cookie@0.6.0

`v4.18.3`

==========

Fix routing requests without method
deps: body-parser@1.20.2
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: raw-body@2.5.2
deps: cookie@0.6.0
- Add partitioned option

`v4.18.2`

===================

Fix regression routing a large stack in a single route
deps: body-parser@1.20.1
- deps: qs@6.11.0
- perf: remove unnecessary object clone
deps: qs@6.11.0

`v4.18.1`

===================

Fix hanging on large stack of sync routes

`v4.18.0`

===================

Add "root" option to res.download
Allow options without filename in res.download
Deprecate string and non-integer arguments to res.status
Fix behavior of null/undefined as maxAge in res.cookie
Fix handling very large stacks of sync middleware
Ignore Object.prototype values in settings through app.set/app.get
Invoke default with same arguments as types in res.format
Support proper 205 responses using res.send
Use http-errors for res.format error
deps: body-parser@1.20.0
- Fix error message for json parse whitespace in strict
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: depd@2.0.0
- deps: http-errors@2.0.0
- deps: on-finished@2.4.1
- deps: qs@6.10.3
- deps: raw-body@2.5.1
deps: cookie@0.5.0
- Add priority option
- Fix expires option to reject invalid dates
deps: depd@2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: finalhandler@1.2.0
- Remove set content headers that break response
- deps: on-finished@2.4.1
- deps: statuses@2.0.1
deps: on-finished@2.4.1
- Prevent loss of async hooks context
deps: qs@6.10.3
deps: send@0.18.0
- Fix emitted 416 error missing headers property
- Limit the headers removed for 304 response
- deps: depd@2.0.0
- deps: destroy@1.2.0
- deps: http-errors@2.0.0
- deps: on-finished@2.4.1
- deps: statuses@2.0.1
deps: serve-static@1.15.0
- deps: send@0.18.0
deps: statuses@2.0.1
- Remove code 306
- Rename 425 Unordered Collection to standard 425 Too Early

`v4.17.3`

===================

deps: accepts@~1.3.8
- deps: mime-types@~2.1.34
- deps: negotiator@0.6.3
deps: body-parser@1.19.2
- deps: bytes@3.1.2
- deps: qs@6.9.7
- deps: raw-body@2.4.3
deps: cookie@0.4.2
deps: qs@6.9.7
- Fix handling of __proto__ keys
pref: remove unnecessary regexp for trust proxy

`v4.17.2`

===================

Fix handling of undefined in res.jsonp
Fix handling of undefined when "json escape" is enabled
Fix incorrect middleware execution with unanchored RegExps
Fix res.jsonp(obj, status) deprecation message
Fix typo in res.is JSDoc
deps: body-parser@1.19.1
- deps: bytes@3.1.1
- deps: http-errors@1.8.1
- deps: qs@6.9.6
- deps: raw-body@2.4.2
- deps: safe-buffer@5.2.1
- deps: type-is@~1.6.18
deps: content-disposition@0.5.4
- deps: safe-buffer@5.2.1
deps: cookie@0.4.1
- Fix maxAge option to reject invalid values
deps: proxy-addr@~2.0.7
- Use req.socket over deprecated req.connection
- deps: forwarded@0.2.0
- deps: ipaddr.js@1.9.1
deps: qs@6.9.6
deps: safe-buffer@5.2.1
deps: send@0.17.2
- deps: http-errors@1.8.1
- deps: ms@2.1.3
- pref: ignore empty http tokens
deps: serve-static@1.14.2
- deps: send@0.17.2
deps: setprototypeof@1.2.0

`v4.17.1`

===================

Revert "Improve error message for null/undefined to res.status"

`v4.17.0`

===================

Add express.raw to parse bodies into Buffer
Add express.text to parse bodies into string
Improve error message for non-strings to res.sendFile
Improve error message for null/undefined to res.status
Support multiple hosts in X-Forwarded-Host
deps: accepts@~1.3.7
deps: body-parser@1.19.0
- Add encoding MIK
- Add petabyte (pb) support
- Fix parsing array brackets after index
- deps: bytes@3.1.0
- deps: http-errors@1.7.2
- deps: iconv-lite@0.4.24
- deps: qs@6.7.0
- deps: raw-body@2.4.0
- deps: type-is@~1.6.17
deps: content-disposition@0.5.3
deps: cookie@0.4.0
- Add SameSite=None support
deps: finalhandler@~1.1.2
- Set stricter Content-Security-Policy header
- deps: parseurl@~1.3.3
- deps: statuses@~1.5.0
deps: parseurl@~1.3.3
deps: proxy-addr@~2.0.5
- deps: ipaddr.js@1.9.0
deps: qs@6.7.0
- Fix parsing array brackets after index
deps: range-parser@~1.2.1
deps: send@0.17.1
- Set stricter CSP header in redirect & error responses
- deps: http-errors@~1.7.2
- deps: mime@1.6.0
- deps: ms@2.1.1
- deps: range-parser@~1.2.1
- deps: statuses@~1.5.0
- perf: remove redundant path.normalize call
deps: serve-static@1.14.1
- Set stricter CSP header in redirect response
- deps: parseurl@~1.3.3
- deps: send@0.17.1
deps: setprototypeof@1.1.1
deps: statuses@~1.5.0
- Add 103 Early Hints
deps: type-is@~1.6.18
- deps: mime-types@~2.1.24
- perf: prevent internal throw on invalid type

`v4.16.4`

===================

Fix issue where "Request aborted" may be logged in res.sendfile
Fix JSDoc for Router constructor
deps: body-parser@1.18.3
- Fix deprecation warnings on Node.js 10+
- Fix stack trace for strict json parse error
- deps: depd@~1.1.2
- deps: http-errors@~1.6.3
- deps: iconv-lite@0.4.23
- deps: qs@6.5.2
- deps: raw-body@2.3.3
- deps: type-is@~1.6.16
deps: proxy-addr@~2.0.4
- deps: ipaddr.js@1.8.0
deps: qs@6.5.2
deps: safe-buffer@5.1.2

`v4.16.3`

===================

deps: accepts@~1.3.5
- deps: mime-types@~2.1.18
deps: depd@~1.1.2
- perf: remove argument reassignment
deps: encodeurl@~1.0.2
- Fix encoding % as last character
deps: finalhandler@1.1.1
- Fix 404 output for bad / missing pathnames
- deps: encodeurl@~1.0.2
- deps: statuses@~1.4.0
deps: proxy-addr@~2.0.3
- deps: ipaddr.js@1.6.0
deps: send@0.16.2
- Fix incorrect end tag in default error & redirects
- deps: depd@~1.1.2
- deps: encodeurl@~1.0.2
- deps: statuses@~1.4.0
deps: serve-static@1.13.2
- Fix incorrect end tag in redirects
- deps: encodeurl@~1.0.2
- deps: send@0.16.2
deps: statuses@~1.4.0
deps: type-is@~1.6.16
- deps: mime-types@~2.1.18

`v4.16.2`

===================

Fix TypeError in res.send when given Buffer and ETag header set
perf: skip parsing of entire X-Forwarded-Proto header

`v4.16.1`

===================

deps: send@0.16.1
deps: serve-static@1.13.1
- Fix regression when root is incorrectly set to a file
- deps: send@0.16.1

`v4.16.0`

===================

Add "json escape" setting for res.json and res.jsonp
Add express.json and express.urlencoded to parse bodies
Add options argument to res.download
Improve error message when autoloading invalid view engine
Improve error messages when non-function provided as middleware
Skip Buffer encoding when not generating ETag for small response
Use safe-buffer for improved Buffer API
deps: accepts@~1.3.4
- deps: mime-types@~2.1.16
deps: content-type@~1.0.4
- perf: remove argument reassignment
- perf: skip parameter parsing when no parameters
deps: etag@~1.8.1
- perf: replace regular expression with substring
deps: finalhandler@1.1.0
- Use res.headersSent when available
deps: parseurl@~1.3.2
- perf: reduce overhead for full URLs
- perf: unroll the "fast-path" RegExp
deps: proxy-addr@~2.0.2
- Fix trimming leading / trailing OWS in X-Forwarded-For
- deps: forwarded@~0.1.2
- deps: ipaddr.js@1.5.2
- perf: reduce overhead when no X-Forwarded-For header
deps: qs@6.5.1
- Fix parsing & compacting very deep objects
deps: send@0.16.0
- Add 70 new types for file extensions
- Add immutable option
- Fix missing </html> in default error & redirects
- Set charset as "UTF-8" for .js and .json
- Use instance methods on steam to check for listeners
- deps: mime@1.4.1
- perf: improve path validation speed
deps: serve-static@1.13.0
- Add 70 new types for file extensions
- Add immutable option
- Set charset as "UTF-8" for .js and .json
- deps: send@0.16.0
deps: setprototypeof@1.1.0
deps: utils-merge@1.0.1
deps: vary@~1.1.2
- perf: improve header token parsing speed
perf: re-use options object when generating ETags
perf: remove dead .charset set in res.jsonp

`v4.15.5`

===================

deps: debug@2.6.9
deps: finalhandler@~1.0.6
- deps: debug@2.6.9
- deps: parseurl@~1.3.2
deps: fresh@0.5.2
- Fix handling of modified headers with invalid dates
- perf: improve ETag match loop
- perf: improve If-None-Match token parsing
deps: send@0.15.6
- Fix handling of modified headers with invalid dates
- deps: debug@2.6.9
- deps: etag@~1.8.1
- deps: fresh@0.5.2
- perf: improve If-Match token parsing
deps: serve-static@1.12.6
- deps: parseurl@~1.3.2
- deps: send@0.15.6
- perf: improve slash collapsing

`v4.15.4`

===================

deps: debug@2.6.8
deps: depd@~1.1.1
- Remove unnecessary Buffer loading
deps: finalhandler@~1.0.4
- deps: debug@2.6.8
deps: proxy-addr@~1.1.5
- Fix array argument being altered
- deps: ipaddr.js@1.4.0
deps: qs@6.5.0
deps: send@0.15.4
- deps: debug@2.6.8
- deps: depd@~1.1.1
- deps: http-errors@~1.6.2
deps: serve-static@1.12.4
- deps: send@0.15.4

`v4.15.3`

===================

Fix error when res.set cannot add charset to Content-Type
deps: debug@2.6.7
- Fix DEBUG_MAX_ARRAY_LENGTH
- deps: ms@2.0.0
deps: finalhandler@~1.0.3
- Fix missing </html> in HTML document
- deps: debug@2.6.7
deps: proxy-addr@~1.1.4
- deps: ipaddr.js@1.3.0
deps: send@0.15.3
- deps: debug@2.6.7
- deps: ms@2.0.0
deps: serve-static@1.12.3
- deps: send@0.15.3
deps: type-is@~1.6.15
- deps: mime-types@~2.1.15
deps: vary@~1.1.1
- perf: hoist regular expression

`v4.15.2`

===================

deps: qs@6.4.0
- Fix regression parsing keys starting with [

`v4.15.1`

===================

deps: send@0.15.1
- Fix issue when Date.parse does not return NaN on invalid date
- Fix strict violation in broken environments
deps: serve-static@1.12.1
- Fix issue when Date.parse does not return NaN on invalid date
- deps: send@0.15.1

`v4.15.0`

===================

Add debug message when loading view engine
Add next("router") to exit from router
Fix case where router.use skipped requests routes did not
Remove usage of res._headers private field
- Improves compatibility with Node.js 8 nightly
Skip routing when req.url is not set
Use %o in path debug to tell types apart
Use Object.create to setup request & response prototypes
Use setprototypeof module to replace __proto__ setting
Use statuses instead of http module for status messages
deps: debug@2.6.1
- Allow colors in workers
- Deprecated DEBUG_FD environment variable set to 3 or higher
- Fix error when running under React Native
- Use same color for same namespace
- deps: ms@0.7.2
deps: etag@~1.8.0
- Use SHA1 instead of MD5 for ETag hashing
- Works with FIPS 140-2 OpenSSL configuration
deps: finalhandler@~1.0.0
- Fix exception when err cannot be converted to a string
- Fully URL-encode the pathname in the 404
- Only include the pathname in the 404 message
- Send complete HTML document
- Set Content-Security-Policy: default-src 'self' header
- deps: debug@2.6.1
deps: fresh@0.5.0
- Fix false detection of no-cache request directive
- Fix incorrect result when If-None-Match has both * and ETags
- Fix weak ETag matching to match spec
- perf: delay reading header values until needed
- perf: enable strict mode
- perf: hoist regular expressions
- perf: remove duplicate conditional
- perf: remove unnecessary boolean coercions
- perf: skip checking modified time if ETag check failed
- perf: skip parsing If-None-Match when no ETag header
- perf: use Date.parse instead of new Date
deps: qs@6.3.1
- Fix array parsing from skipping empty values
- Fix compacting nested arrays
deps: send@0.15.0
- Fix false detection of no-cache request directive
- Fix incorrect result when If-None-Match has both * and ETags
- Fix weak ETag matching to match spec
- Remove usage of res._headers private field
- Support If-Match and If-Unmodified-Since headers
- Use res.getHeaderNames() when available
- Use res.headersSent when available
- deps: debug@2.6.1
- deps: etag@~1.8.0
- deps: fresh@0.5.0
- deps: http-errors@~1.6.1
deps: serve-static@1.12.0
- Fix false detection of no-cache request directive
- Fix incorrect result when If-None-Match has both * and ETags
- Fix weak ETag matching to match spec
- Remove usage of res._headers private field
- Send complete HTML document in redirect response
- Set default CSP header in redirect response
- Support If-Match and If-Unmodified-Since headers
- Use res.getHeaderNames() when available
- Use res.headersSent when available
- deps: send@0.15.0
perf: add fast match path for * route
perf: improve req.ips performance

`v4.14.1`

===================

deps: content-disposition@0.5.2
deps: finalhandler@0.5.1
- Fix exception when err.headers is not an object
- deps: statuses@~1.3.1
- perf: hoist regular expressions
- perf: remove duplicate validation path
deps: proxy-addr@~1.1.3
- deps: ipaddr.js@1.2.0
deps: send@0.14.2
- deps: http-errors@~1.5.1
- deps: ms@0.7.2
- deps: statuses@~1.3.1
deps: serve-static@~1.11.2
- deps: send@0.14.2
deps: type-is@~1.6.14
- deps: mime-types@~2.1.13

`v4.14.0`

===================

Add acceptRanges option to res.sendFile/res.sendfile
Add cacheControl option to res.sendFile/res.sendfile
Add options argument to req.range
- Includes the combine option
Encode URL in res.location/res.redirect if not already encoded
Fix some redirect handling in res.sendFile/res.sendfile
Fix Windows absolute path check using forward slashes
Improve error with invalid arguments to req.get()
Improve performance for res.json/res.jsonp in most cases
Improve Range header handling in res.sendFile/res.sendfile
deps: accepts@~1.3.3
- Fix including type extensions in parameters in Accept parsing
- Fix parsing Accept parameters with quoted equals
- Fix parsing Accept parameters with quoted semicolons
- Many performance improvements
- deps: mime-types@~2.1.11
- deps: negotiator@0.6.1
deps: content-type@~1.0.2
- perf: enable strict mode
deps: cookie@0.3.1
- Add sameSite option
- Fix cookie Max-Age to never be a floating point number
- Improve error message when encode is not a function
- Improve error message when expires is not a Date
- Throw better error for invalid argument to parse
- Throw on invalid values provided to serialize
- perf: enable strict mode
- perf: hoist regular expression
- perf: use for loop in parse
- perf: use string concatenation for serialization
deps: finalhandler@0.5.0
- Change invalid or non-numeric status code to 500
- Overwrite status message to match set status code
- Prefer err.statusCode if err.status is invalid
- Set response headers from err.headers object
- Use statuses instead of http module for status messages
deps: proxy-addr@~1.1.2
- Fix accepting various invalid netmasks
- Fix IPv6-mapped IPv4 validation edge cases
- IPv4 netmasks must be contiguous
- IPv6 addresses cannot be used as a netmask
- deps: ipaddr.js@1.1.1
deps: qs@6.2.0
- Add decoder option in parse function
deps: range-parser@~1.2.0
- Add combine option to combine overlapping ranges
- Fix incorrectly returning -1 when there is at least one valid range
- perf: remove internal function
deps: send@0.14.1
- Add acceptRanges option
- Add cacheControl option
- Attempt to combine multiple ranges into single range
- Correctly inherit from Stream class
- Fix Content-Range header in 416 responses when using start/end options
- Fix Content-Range header missing from default 416 responses
- Fix redirect error when path contains raw non-URL characters
- Fix redirect when path starts with multiple forward slashes
- Ignore non-byte Range headers
- deps: http-errors@~1.5.0
- deps: range-parser@~1.2.0
- deps: statuses@~1.3.0
- perf: remove argument reassignment
deps: serve-static@~1.11.1
- Add acceptRanges option
- Add cacheControl option
- Attempt to combine multiple ranges into single range
- Fix redirect error when req.url contains raw non-URL characters
- Ignore non-byte Range headers
- Use status code 301 for redirects
- deps: send@0.14.1
deps: type-is@~1.6.13
- Fix type error when given invalid type to match against
- deps: mime-types@~2.1.11
deps: vary@~1.1.0
- Only accept valid field names in the field argument
perf: use strict equality when possible

`v4.13.4`

===================

deps: content-disposition@0.5.1
- perf: enable strict mode
deps: cookie@0.1.5
- Throw on invalid values provided to serialize
deps: depd@~1.1.0
- Support web browser loading
- perf: enable strict mode
deps: escape-html@~1.0.3
- perf: enable strict mode
- perf: optimize string replacement
- perf: use faster string coercion
deps: finalhandler@0.4.1
- deps: escape-html@~1.0.3
deps: merge-descriptors@1.0.1
- perf: enable strict mode
deps: methods@~1.1.2
- perf: enable strict mode
deps: parseurl@~1.3.1
- perf: enable strict mode
deps: proxy-addr@~1.0.10
- deps: ipaddr.js@1.0.5
- perf: enable strict mode
deps: range-parser@~1.0.3
- perf: enable strict mode
deps: send@0.13.1
- deps: depd@~1.1.0
- deps: destroy@~1.0.4
- deps: escape-html@~1.0.3
- deps: range-parser@~1.0.3
deps: serve-static@~1.10.2
- deps: escape-html@~1.0.3
- deps: parseurl@~1.3.0
- deps: send@0.13.1

`v4.13.3`

===================

Fix infinite loop condition using mergeParams: true
Fix inner numeric indices incorrectly altering parent req.params

`v4.13.2`

===================

deps: accepts@~1.2.12
- deps: mime-types@~2.1.4
deps: array-flatten@1.1.1
- perf: enable strict mode
deps: path-to-regexp@0.1.7
- Fix regression with escaped round brackets and matching groups
deps: type-is@~1.6.6
- deps: mime-types@~2.1.4

`v4.13.1`

===================

deps: accepts@~1.2.10
- deps: mime-types@~2.1.2
deps: qs@4.0.0
- Fix dropping parameters like hasOwnProperty
- Fix various parsing edge cases
deps: type-is@~1.6.4
- deps: mime-types@~2.1.2
- perf: enable strict mode
- perf: remove argument reassignment

`v4.13.0`

===================

Add settings to debug output
Fix res.format error when only default provided
Fix issue where next('route') in app.param would incorrectly skip values
Fix hiding platform issues with decodeURIComponent
- Only URIErrors are a 400
Fix using * before params in routes
Fix using capture groups before params in routes
Simplify res.cookie to call res.append
Use array-flatten module for flattening arrays
deps: accepts@~1.2.9
- deps: mime-types@~2.1.1
- perf: avoid argument reassignment & argument slice
- perf: avoid negotiator recursive construction
- perf: enable strict mode
- perf: remove unnecessary bitwise operator
deps: cookie@0.1.3
- perf: deduce the scope of try-catch deopt
- perf: remove argument reassignments
deps: escape-html@1.0.2
deps: etag@~1.7.0
- Always include entity length in ETags for hash length extensions
- Generate non-Stats ETags using MD5 only (no longer CRC32)
- Improve stat performance by removing hashing
- Improve support for JXcore
- Remove base64 padding in ETags to shorten
- Support "fake" stats objects in environments without fs
- Use MD5 instead of MD4 in weak ETags over 1KB
deps: finalhandler@0.4.0
- Fix a false-positive when unpiping in Node.js 0.8
- Support statusCode property on Error objects
- Use unpipe module for unpiping requests
- deps: escape-html@1.0.2
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove argument reassignment
deps: fresh@0.3.0
- Add weak ETag matching support
deps: on-finished@~2.3.0
- Add defined behavior for HTTP CONNECT requests
- Add defined behavior for HTTP Upgrade requests
- deps: ee-first@1.1.1
deps: path-to-regexp@0.1.6
deps: send@0.13.0
- Allow Node.js HTTP server to set Date response header
- Fix incorrectly removing Content-Location on 304 response
- Improve the default redirect response headers
- Send appropriate headers on default error response
- Use http-errors for standard emitted errors
- Use statuses instead of http module for status messages
- deps: escape-html@1.0.2
- deps: etag@~1.7.0
- deps: fresh@0.3.0
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove unnecessary array allocations
deps: serve-static@~1.10.0
- Add fallthrough option
- Fix reading options from options prototype
- Improve the default redirect response headers
- Malformed URLs now next() instead of 400
- deps: escape-html@1.0.2
- deps: send@0.13.0
- perf: enable strict mode
- perf: remove argument reassignment
deps: type-is@~1.6.3
- deps: mime-types@~2.1.1
- perf: reduce try block size
- perf: remove bitwise operations
perf: enable strict mode
perf: isolate app.render try block
perf: remove argument reassignments in application
perf: remove argument reassignments in request prototype
perf: remove argument reassignments in response prototype
perf: remove argument reassignments in routing
perf: remove argument reassignments in View
perf: skip attempting to decode zero length string
perf: use saved reference to http.STATUS_CODES

`v4.12.4`

===================

deps: accepts@~1.2.7
- deps: mime-types@~2.0.11
- deps: negotiator@0.5.3
deps: debug@~2.2.0
- deps: ms@0.7.1
deps: depd@~1.0.1
deps: etag@~1.6.0
- Improve support for JXcore
- Support "fake" stats objects in environments without fs
deps: finalhandler@0.3.6
- deps: debug@~2.2.0
- deps: on-finished@~2.2.1
deps: on-finished@~2.2.1
- Fix isFinished(req) when data buffered
deps: proxy-addr@~1.0.8
- deps: ipaddr.js@1.0.1
deps: qs@2.4.2

Fix allowing parameters like constructor

deps: send@0.12.3
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: etag@~1.6.0
- deps: ms@0.7.1
- deps: on-finished@~2.2.1
deps: serve-static@~1.9.3
- deps: send@0.12.3
deps: type-is@~1.6.2
- deps: mime-types@~2.0.11

`v4.12.3`

===================

deps: accepts@~1.2.5
- deps: mime-types@~2.0.10
deps: debug@~2.1.3
- Fix high intensity foreground color for bold
- deps: ms@0.7.0
deps: finalhandler@0.3.4
- deps: debug@~2.1.3
deps: proxy-addr@~1.0.7
- deps: ipaddr.js@0.1.9
deps: qs@2.4.1
- Fix error when parameter hasOwnProperty is present
deps: send@0.12.2
- Throw errors early for invalid extensions or index options
- deps: debug@~2.1.3
deps: serve-static@~1.9.2
- deps: send@0.12.2
deps: type-is@~1.6.1
- deps: mime-types@~2.0.10

`v4.12.2`

===================

Fix regression where "Request aborted" is logged using res.sendFile

`v4.12.1`

===================

Fix constructing application with non-configurable prototype properties
Fix ECONNRESET errors from res.sendFile usage
Fix req.host when using "trust proxy" hops count
Fix req.protocol/req.secure when using "trust proxy" hops count
Fix wrong code on aborted connections from res.sendFile
deps: merge-descriptors@1.0.0

`v4.12.0`

===================

Fix "trust proxy" setting to inherit when app is mounted
Generate ETags for all request responses
- No longer restricted to only responses for GET and HEAD requests
Use content-type to parse Content-Type headers
deps: accepts@~1.2.4
- Fix preference sorting to be stable for long acceptable lists
- deps: mime-types@~2.0.9
- deps: negotiator@0.5.1
deps: cookie-signature@1.0.6
deps: send@0.12.1
- Always read the stat size from the file
- Fix mutating passed-in options
- deps: mime@1.3.4
deps: serve-static@~1.9.1
- deps: send@0.12.1
deps: type-is@~1.6.0
- fix argument reassignment
- fix false-positives in hasBody Transfer-Encoding check
- support wildcard for both type and subtype (*/*)
- deps: mime-types@~2.0.9

`v4.11.2`

===================

Fix res.redirect double-calling res.end for HEAD requests
deps: accepts@~1.2.3
- deps: mime-types@~2.0.8
deps: proxy-addr@~1.0.6
- deps: ipaddr.js@0.1.8
deps: type-is@~1.5.6
- deps: mime-types@~2.0.8

`v4.11.1`

===================

deps: send@0.11.1
- Fix root path disclosure
deps: serve-static@~1.8.1
- Fix redirect loop in Node.js 0.11.14
- Fix root path disclosure
- deps: send@0.11.1

`v4.11.0`

===================

Add res.append(field, val) to append headers
Deprecate leading : in name for app.param(name, fn)
Deprecate req.param() -- use req.params, req.body, or req.query instead
Deprecate app.param(fn)
Fix OPTIONS responses to include the HEAD method properly
Fix res.sendFile not always detecting aborted connection
Match routes iteratively to prevent stack overflows
deps: accepts@~1.2.2
- deps: mime-types@~2.0.7
- deps: negotiator@0.5.0
deps: send@0.11.0
- deps: debug@~2.1.1
- deps: etag@~1.5.1
- deps: ms@0.7.0
- deps: on-finished@~2.2.0
deps: serve-static@~1.8.0
- deps: send@0.11.0

`v4.10.8`

===================

Fix crash from error within OPTIONS response handler
deps: proxy-addr@~1.0.5
- deps: ipaddr.js@0.1.6

`v4.10.7`

===================

Fix Allow header for OPTIONS to not contain duplicate methods
Fix incorrect "Request aborted" for res.sendFile when HEAD or 304
deps: debug@~2.1.1
deps: finalhandler@0.3.3
- deps: debug@~2.1.1
- deps: on-finished@~2.2.0
deps: methods@~1.1.1
deps: on-finished@~2.2.0
deps: serve-static@~1.7.2
- Fix potential open redirect when mounted at root
deps: type-is@~1.5.5
- deps: mime-types@~2.0.7

`v4.10.6`

===================

Fix exception in req.fresh/req.stale without response headers

`v4.10.5`

===================

Fix res.send double-calling res.end for HEAD requests
deps: accepts@~1.1.4
- deps: mime-types@~2.0.4
deps: type-is@~1.5.4
- deps: mime-types@~2.0.4

`v4.10.4`

===================

Fix res.sendfile logging standard write errors

`v4.10.3`

===================

Fix res.sendFile logging standard write errors
deps: etag@~1.5.1
deps: proxy-addr@~1.0.4
- deps: ipaddr.js@0.1.5
deps: qs@2.3.3
- Fix arrayLimit behavior

`v4.10.2`

===================

Correctly invoke async router callback asynchronously
deps: accepts@~1.1.3
- deps: mime-types@~2.0.3
deps: type-is@~1.5.3
- deps: mime-types@~2.0.3

`v4.10.1`

===================

Fix handling of URLs containing :// in the path
deps: qs@2.3.2
- Fix parsing of mixed objects and values

`v4.10.0`

===================

Add support for app.set('views', array)
- Views are looked up in sequence in array of directories
Fix res.send(status) to mention res.sendStatus(status)
Fix handling of invalid empty URLs
Use content-disposition module for res.attachment/res.download
- Sends standards-compliant Content-Disposition header
- Full Unicode support
Use path.resolve in view lookup
deps: debug@~2.1.0
- Implement DEBUG_FD env variable support
deps: depd@~1.0.0
deps: etag@~1.5.0
- Improve string performance
- Slightly improve speed for weak ETags over 1KB
deps: finalhandler@0.3.2
- Terminate in progress response only on error
- Use on-finished to determine request status
- deps: debug@~2.1.0
- deps: on-finished@~2.1.1
deps: on-finished@~2.1.1
- Fix handling of pipelined requests
deps: qs@2.3.0
- Fix parsing of mixed implicit and explicit arrays
deps: send@0.10.1
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: etag@~1.5.0
- deps: on-finished@~2.1.1
deps: serve-static@~1.7.1
- deps: send@0.10.1

`v4.9.8`

==================

Fix res.redirect body when redirect status specified
deps: accepts@~1.1.2
- Fix error when media type has invalid parameter
- deps: negotiator@0.4.9

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          Update dependency express to v4.20.0 [SECURITY]

64c8a62

renovate bot force-pushed the renovate/npm-express-vulnerability branch from 763a2ca to 64c8a62 Compare

September 22, 2024 02:56

renovate bot changed the title ~~Update dependency express to v4.19.2 [SECURITY]~~ Update dependency express to v4.20.0 [SECURITY]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet