Closed dev-mend-for-github-com[bot] closed 1 year ago
This PR contains the following updates:
3.0.1 -> 3.3.1
Mend ensures you have the greatest risk reduction (highlighted in green) by removing as many vulnerabilities as possible.
By merging this PR, the number of vulnerabilities in issue #10 will be resolved in part or in full.
---

### Release Notes

expressjs/express

### [`v3.3.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#331--2013-06-27)

[Compare Source](https://togithub.com/expressjs/express/compare/3.3.0...3.3.1)

- update connect

### [`v3.3.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#330--2013-06-26)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.6...3.3.0)

- update connect
- add support for multiple X-Forwarded-Proto values. Closes [#1646](https://togithub.com/expressjs/express/issues/1646)
- change: remove charset from json responses. Closes [#1631](https://togithub.com/expressjs/express/issues/1631)
- change: return actual booleans from req.accept\* functions
- fix jsonp callback array throw

### [`v3.2.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#326--2013-06-02)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.5...3.2.6)

- update connect

### [`v3.2.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#325--2013-05-21)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.4...3.2.5)

- update connect
- update node-cookie
- add: throw a meaningful error when there is no default engine
- change generation of ETags with res.send() to GET requests only. Closes [#1619](https://togithub.com/expressjs/express/issues/1619)

### [`v3.2.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#324--2013-05-09)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.3...3.2.4)

- fix `req.subdomains` when no Host is present
- fix `req.host` when no Host is present, return undefined

### [`v3.2.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#323--2013-05-07)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.2...3.2.3)

- update connect / qs

### [`v3.2.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#322--2013-05-03)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.1...3.2.2)

- update qs

### [`v3.2.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#321--2013-04-29)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.0...3.2.1)

- add app.VERB() paths array deprecation warning
- update connect
- update qs and remove all ~ semver crap
- fix: accept number as value of Signed Cookie

### [`v3.2.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#320--2013-04-15)

[Compare Source](https://togithub.com/expressjs/express/compare/3.1.2...3.2.0)

- add "view" constructor setting to override view behaviour
- add req.acceptsEncoding(name)
- add req.acceptedEncodings
- revert cookie signature change causing session race conditions
- fix sorting of Accept values of the same quality

### [`v3.1.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#312--2013-04-12)

[Compare Source](https://togithub.com/expressjs/express/compare/3.1.1...3.1.2)

- add support for custom Accept parameters
- update cookie-signature

### [`v3.1.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#311--2013-04-01)

[Compare Source](https://togithub.com/expressjs/express/compare/3.1.0...3.1.1)

- add X-Forwarded-Host support to `req.host`
- fix relative redirects
- update mkdirp
- update buffer-crc32
- remove legacy app.configure() method from app template.

### [`v3.1.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#310--2013-01-25)

[Compare Source](https://togithub.com/expressjs/express/compare/3.0.6...3.1.0)

- add support for leading "." in "view engine" setting
- add array support to `res.set()`
- add node 0.8.x to travis.yml
- add "subdomain offset" setting for tweaking `req.subdomains`
- add `res.location(url)` implementing `res.redirect()`-like setting of Location
- use app.get() for x-powered-by setting for inheritance
- fix colons in passwords for `req.auth`

### [`v3.0.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#306--2013-01-04)

[Compare Source](https://togithub.com/expressjs/express/compare/3.0.5...3.0.6)

- add http verb methods to Router
- update connect
- fix mangling of the `res.cookie()` options object
- fix jsonp whitespace escape. Closes [#1132](https://togithub.com/expressjs/express/issues/1132)

### [`v3.0.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#305--2012-12-19)

[Compare Source](https://togithub.com/expressjs/express/compare/3.0.4...3.0.5)

- add throwing when a non-function is passed to a route
- fix: explicitly remove Transfer-Encoding header from 204 and 304 responses
- revert "add 'etag' option"

### [`v3.0.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#304--2012-12-05)

[Compare Source](https://togithub.com/expressjs/express/compare/3.0.3...3.0.4)

- add 'etag' option to disable `res.send()` Etags
- add escaping of urls in text/plain in `res.redirect()` for old browsers interpreting as html
- change crc32 module for a more liberal license
- update connect

### [`v3.0.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#303--2012-11-13)

[Compare Source](https://togithub.com/expressjs/express/compare/3.0.2...3.0.3)

- update connect
- update cookie module
- fix cookie max-age

### [`v3.0.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#302--2012-11-08)

[Compare Source](https://togithub.com/expressjs/express/compare/3.0.1...3.0.2)

- add OPTIONS to cors example. Closes [#1398](https://togithub.com/expressjs/express/issues/1398)
- fix route chaining regression. Closes [#1397](https://togithub.com/expressjs/express/issues/1397)

---

- [ ] If you want to rebase/retry this PR, check this box
Version 3.3.1

| Risk Change | Critical | High | Medium | Low |
| --- | --- | --- | --- | --- |
| -2% | 0 (--) | 2 (--) | 6 (-4) | 0 (--) |

Version 3.0.1

| Risk Change | Critical | High | Medium | Low |
| --- | --- | --- | --- | --- |
| N/A | 0 | 2 | 10 | 0 |

Version 3.21.2

| Risk Change | Critical | High | Medium | Low |
| --- | --- | --- | --- | --- |
| 1231% | 2 (+2) | 2 (--) | 4 (-6) | 2 (+2) |