Skip to content

Comments

Update dependency express to v4.21.0#11

Open
mend-for-github-com[bot] wants to merge 1 commit intomasterfrom
whitesource-remediate/express-4.x-lockfile
Open

Update dependency express to v4.21.0#11
mend-for-github-com[bot] wants to merge 1 commit intomasterfrom
whitesource-remediate/express-4.x-lockfile

Conversation

@mend-for-github-com
Copy link
Contributor

@mend-for-github-com mend-for-github-com bot commented Nov 6, 2023

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
express (source) 4.16.44.21.0 age adoption passing confidence

By merging this PR, the issue #10 will be automatically resolved and closed:

Severity CVSS Score Vulnerability Reachability
High High 7.5 CVE-2024-45296
High High 7.5 CVE-2024-52798
Medium Medium 6.1 CVE-2024-29041
Medium Medium 5.0 CVE-2024-43796
Medium Medium 5.0 CVE-2024-43799
Medium Medium 5.0 CVE-2024-43800

Release Notes

expressjs/express (express)

v4.21.0

Compare Source

What's Changed

New Contributors

Full Changelog: expressjs/express@4.20.0...4.21.0

v4.20.0

Compare Source

==========

  • deps: serve-static@​0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@​0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@​0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@​0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

v4.19.2

Compare Source

==========

  • Improved fix for open redirect allow list bypass

v4.19.1

Compare Source

==========

  • Allow passing non-strings to res.location with new encoding handling checks

v4.19.0

Compare Source

==========

  • Prevent open redirect allow list bypass due to encodeurl
  • deps: cookie@​0.6.0

v4.18.3

Compare Source

==========

  • Fix routing requests without method
  • deps: body-parser@​1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@​2.5.2
  • deps: cookie@​0.6.0
    • Add partitioned option

v4.18.2

Compare Source

===================

  • Fix regression routing a large stack in a single route
  • deps: body-parser@​1.20.1
    • deps: qs@​6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@​6.11.0

v4.18.1

Compare Source

===================

  • Fix hanging on large stack of sync routes

v4.18.0

Compare Source

===================

  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get
  • Invoke default with same arguments as types in res.format
  • Support proper 205 responses using res.send
  • Use http-errors for res.format error
  • deps: body-parser@​1.20.0
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: depd@​2.0.0
    • deps: http-errors@​2.0.0
    • deps: on-finished@​2.4.1
    • deps: qs@​6.10.3
    • deps: raw-body@​2.5.1
  • deps: cookie@​0.5.0
    • Add priority option
    • Fix expires option to reject invalid dates
  • deps: depd@​2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: finalhandler@​1.2.0
    • Remove set content headers that break response
    • deps: on-finished@​2.4.1
    • deps: statuses@​2.0.1
  • deps: on-finished@​2.4.1
    • Prevent loss of async hooks context
  • deps: qs@​6.10.3
  • deps: send@​0.18.0
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: depd@​2.0.0
    • deps: destroy@​1.2.0
    • deps: http-errors@​2.0.0
    • deps: on-finished@​2.4.1
    • deps: statuses@​2.0.1
  • deps: serve-static@​1.15.0
    • deps: send@​0.18.0
  • deps: statuses@​2.0.1
    • Remove code 306
    • Rename 425 Unordered Collection to standard 425 Too Early

v4.17.3

Compare Source

===================

  • deps: accepts@~1.3.8
    • deps: mime-types@~2.1.34
    • deps: negotiator@​0.6.3
  • deps: body-parser@​1.19.2
    • deps: bytes@​3.1.2
    • deps: qs@​6.9.7
    • deps: raw-body@​2.4.3
  • deps: cookie@​0.4.2
  • deps: qs@​6.9.7
    • Fix handling of __proto__ keys
  • pref: remove unnecessary regexp for trust proxy

v4.17.2

Compare Source

===================

  • Fix handling of undefined in res.jsonp
  • Fix handling of undefined when "json escape" is enabled
  • Fix incorrect middleware execution with unanchored RegExps
  • Fix res.jsonp(obj, status) deprecation message
  • Fix typo in res.is JSDoc
  • deps: body-parser@​1.19.1
    • deps: bytes@​3.1.1
    • deps: http-errors@​1.8.1
    • deps: qs@​6.9.6
    • deps: raw-body@​2.4.2
    • deps: safe-buffer@​5.2.1
    • deps: type-is@~1.6.18
  • deps: content-disposition@​0.5.4
    • deps: safe-buffer@​5.2.1
  • deps: cookie@​0.4.1
    • Fix maxAge option to reject invalid values
  • deps: proxy-addr@~2.0.7
    • Use req.socket over deprecated req.connection
    • deps: forwarded@​0.2.0
    • deps: ipaddr.js@​1.9.1
  • deps: qs@​6.9.6
  • deps: safe-buffer@​5.2.1
  • deps: send@​0.17.2
    • deps: http-errors@​1.8.1
    • deps: ms@​2.1.3
    • pref: ignore empty http tokens
  • deps: serve-static@​1.14.2
    • deps: send@​0.17.2
  • deps: setprototypeof@​1.2.0

v4.17.1

Compare Source

===================

  • Revert "Improve error message for null/undefined to res.status"

v4.17.0

Compare Source

===================

  • Add express.raw to parse bodies into Buffer
  • Add express.text to parse bodies into string
  • Improve error message for non-strings to res.sendFile
  • Improve error message for null/undefined to res.status
  • Support multiple hosts in X-Forwarded-Host
  • deps: accepts@~1.3.7
  • deps: body-parser@​1.19.0
    • Add encoding MIK
    • Add petabyte (pb) support
    • Fix parsing array brackets after index
    • deps: bytes@​3.1.0
    • deps: http-errors@​1.7.2
    • deps: iconv-lite@​0.4.24
    • deps: qs@​6.7.0
    • deps: raw-body@​2.4.0
    • deps: type-is@~1.6.17
  • deps: content-disposition@​0.5.3
  • deps: cookie@​0.4.0
    • Add SameSite=None support
  • deps: finalhandler@~1.1.2
    • Set stricter Content-Security-Policy header
    • deps: parseurl@~1.3.3
    • deps: statuses@~1.5.0
  • deps: parseurl@~1.3.3
  • deps: proxy-addr@~2.0.5
    • deps: ipaddr.js@​1.9.0
  • deps: qs@​6.7.0
    • Fix parsing array brackets after index
  • deps: range-parser@~1.2.1
  • deps: send@​0.17.1
    • Set stricter CSP header in redirect & error responses
    • deps: http-errors@~1.7.2
    • deps: mime@​1.6.0
    • deps: ms@​2.1.1
    • deps: range-parser@~1.2.1
    • deps: statuses@~1.5.0
    • perf: remove redundant path.normalize call
  • deps: serve-static@​1.14.1
    • Set stricter CSP header in redirect response
    • deps: parseurl@~1.3.3
    • deps: send@​0.17.1
  • deps: setprototypeof@​1.1.1
  • deps: statuses@~1.5.0
    • Add 103 Early Hints
  • deps: type-is@~1.6.18
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type

  • If you want to rebase/retry this PR, check this box

@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by Mend label Nov 6, 2023
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 3a15aca to 0868248 Compare November 14, 2023 00:37
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.17.0 Update dependency express to v4.18.2 Nov 14, 2023
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.18.2 Update dependency express to v4.17.0 Nov 22, 2023
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 0868248 to 8dee180 Compare November 22, 2023 00:02
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 8dee180 to 51ab17a Compare March 26, 2024 12:21
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.17.0 Update dependency express to v4.19.0 Mar 26, 2024
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.19.0 Update dependency express to v4.20.0 Sep 11, 2024
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 51ab17a to abd2a1d Compare September 11, 2024 12:29
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.20.0 Update dependency express to v4.21.2 Dec 6, 2024
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from abd2a1d to b47e478 Compare December 6, 2024 19:34
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from b47e478 to 6c66f6b Compare January 27, 2025 05:55
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.21.2 Update dependency express to v4.21.0 Feb 4, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from 11ee3da to e6de9c6 Compare February 5, 2025 02:41
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from e6de9c6 to 2b6dccf Compare February 13, 2025 11:06
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 2b6dccf to 963f170 Compare February 23, 2025 11:23
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 963f170 to bbdfcb4 Compare March 4, 2025 09:35
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.21.0 Update dependency express to v4.21.1 Mar 11, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from bbdfcb4 to c953256 Compare March 11, 2025 06:58
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from c953256 to a70a037 Compare March 22, 2025 01:25
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.21.1 Update dependency express to v4.21.2 Mar 22, 2025
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.21.2 Update dependency express to v4.21.0 Mar 24, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from a70a037 to 31f4316 Compare March 24, 2025 06:41
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.21.0 Update dependency express to v4.20.0 Mar 30, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 31f4316 to 350c0c9 Compare March 30, 2025 13:20
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 350c0c9 to 53a3b73 Compare April 30, 2025 14:53
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.20.0 Update dependency express to v4.21.1 Apr 30, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 53a3b73 to 4305554 Compare June 8, 2025 18:05
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.21.1 Update dependency express to v4.21.0 Jun 8, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 4305554 to 6c22b23 Compare September 13, 2025 17:27
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.21.0 Update dependency express to v4.21.1 Sep 13, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from bd16745 to ad7220f Compare October 1, 2025 13:13
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from ad7220f to 3009d0e Compare November 7, 2025 06:09
@mend-for-github-com mend-for-github-com bot changed the title Update dependency express to v4.21.1 Update dependency express to v4.21.0 Nov 7, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 3009d0e to 38193ac Compare December 1, 2025 11:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

security fix Security fix generated by Mend

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants