Open mend-for-github-com[bot] opened 12 months ago
This PR contains the following updates:
3.0.1
4.21.1
This PR contains the following updates:
3.0.1
->4.21.1
Release Notes
expressjs/express (express)
### [`v4.21.1`](https://redirect.github.com/expressjs/express/releases/tag/4.21.1) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.21.0...4.21.1) #### What's Changed - Backport a fix for CVE-2024-47764 to the 4.x branch by [@joshbuker](https://redirect.github.com/joshbuker) in [https://github.com/expressjs/express/pull/6029](https://redirect.github.com/expressjs/express/pull/6029) - Release: 4.21.1 by [@UlisesGascon](https://redirect.github.com/UlisesGascon) in [https://github.com/expressjs/express/pull/6031](https://redirect.github.com/expressjs/express/pull/6031) **Full Changelog**: https://github.com/expressjs/express/compare/4.21.0...4.21.1 ### [`v4.21.0`](https://redirect.github.com/expressjs/express/releases/tag/4.21.0) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.20.0...4.21.0) #### What's Changed - Deprecate `"back"` magic string in redirects by [@blakeembrey](https://redirect.github.com/blakeembrey) in [https://github.com/expressjs/express/pull/5935](https://redirect.github.com/expressjs/express/pull/5935) - finalhandler@1.3.1 by [@wesleytodd](https://redirect.github.com/wesleytodd) in [https://github.com/expressjs/express/pull/5954](https://redirect.github.com/expressjs/express/pull/5954) - fix(deps): serve-static@1.16.2 by [@wesleytodd](https://redirect.github.com/wesleytodd) in [https://github.com/expressjs/express/pull/5951](https://redirect.github.com/expressjs/express/pull/5951) - Upgraded dependency qs to 6.13.0 to match qs in body-parser by [@agadzinski93](https://redirect.github.com/agadzinski93) in [https://github.com/expressjs/express/pull/5946](https://redirect.github.com/expressjs/express/pull/5946) #### New Contributors - [@agadzinski93](https://redirect.github.com/agadzinski93) made their first contribution in [https://github.com/expressjs/express/pull/5946](https://redirect.github.com/expressjs/express/pull/5946) **Full Changelog**: https://github.com/expressjs/express/compare/4.20.0...4.21.0 ### [`v4.20.0`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4200--2024-09-10) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.19.2...4.20.0) \========== - deps: serve-static@0.16.0 - Remove link renderization in html while redirecting - deps: send@0.19.0 - Remove link renderization in html while redirecting - deps: body-parser@0.6.0 - add `depth` option to customize the depth level in the parser - IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`) - Remove link renderization in html while using `res.redirect` - deps: path-to-regexp@0.1.10 - Adds support for named matching groups in the routes using a regex - Adds backtracking protection to parameters without regexes defined - deps: encodeurl@~2.0.0 - Removes encoding of `\`, `|`, and `^` to align better with URL spec - Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie` - Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie ### [`v4.19.2`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4192--2024-03-25) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.19.1...4.19.2) \========== - Improved fix for open redirect allow list bypass ### [`v4.19.1`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4191--2024-03-20) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.19.0...4.19.1) \========== - Allow passing non-strings to res.location with new encoding handling checks ### [`v4.19.0`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4190--2024-03-20) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.18.3...4.19.0) \========== - Prevent open redirect allow list bypass due to encodeurl - deps: cookie@0.6.0 ### [`v4.18.3`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4183--2024-02-29) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.18.2...4.18.3) \========== - Fix routing requests without method - deps: body-parser@1.20.2 - Fix strict json error message on Node.js 19+ - deps: content-type@~1.0.5 - deps: raw-body@2.5.2 - deps: cookie@0.6.0 - Add `partitioned` option ### [`v4.18.2`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4182--2022-10-08) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.18.1...4.18.2) \=================== - Fix regression routing a large stack in a single route - deps: body-parser@1.20.1 - deps: qs@6.11.0 - perf: remove unnecessary object clone - deps: qs@6.11.0 ### [`v4.18.1`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4181--2022-04-29) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.18.0...4.18.1) \=================== - Fix hanging on large stack of sync routes ### [`v4.18.0`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4180--2022-04-25) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.17.3...4.18.0) \=================== - Add "root" option to `res.download` - Allow `options` without `filename` in `res.download` - Deprecate string and non-integer arguments to `res.status` - Fix behavior of `null`/`undefined` as `maxAge` in `res.cookie` - Fix handling very large stacks of sync middleware - Ignore `Object.prototype` values in settings through `app.set`/`app.get` - Invoke `default` with same arguments as types in `res.format` - Support proper 205 responses using `res.send` - Use `http-errors` for `res.format` error - deps: body-parser@1.20.0 - Fix error message for json parse whitespace in `strict` - Fix internal error when inflated body exceeds limit - Prevent loss of async hooks context - Prevent hanging when request already read - deps: depd@2.0.0 - deps: http-errors@2.0.0 - deps: on-finished@2.4.1 - deps: qs@6.10.3 - deps: raw-body@2.5.1 - deps: cookie@0.5.0 - Add `priority` option - Fix `expires` option to reject invalid dates - deps: depd@2.0.0 - Replace internal `eval` usage with `Function` constructor - Use instance methods on `process` to check for listeners - deps: finalhandler@1.2.0 - Remove set content headers that break response - deps: on-finished@2.4.1 - deps: statuses@2.0.1 - deps: on-finished@2.4.1 - Prevent loss of async hooks context - deps: qs@6.10.3 - deps: send@0.18.0 - Fix emitted 416 error missing headers property - Limit the headers removed for 304 response - deps: depd@2.0.0 - deps: destroy@1.2.0 - deps: http-errors@2.0.0 - deps: on-finished@2.4.1 - deps: statuses@2.0.1 - deps: serve-static@1.15.0 - deps: send@0.18.0 - deps: statuses@2.0.1 - Remove code 306 - Rename `425 Unordered Collection` to standard `425 Too Early` ### [`v4.17.3`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4173--2022-02-16) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.17.2...4.17.3) \=================== - deps: accepts@~1.3.8 - deps: mime-types@~2.1.34 - deps: negotiator@0.6.3 - deps: body-parser@1.19.2 - deps: bytes@3.1.2 - deps: qs@6.9.7 - deps: raw-body@2.4.3 - deps: cookie@0.4.2 - deps: qs@6.9.7 - Fix handling of `__proto__` keys - pref: remove unnecessary regexp for trust proxy ### [`v4.17.2`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4172--2021-12-16) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.17.1...4.17.2) \=================== - Fix handling of `undefined` in `res.jsonp` - Fix handling of `undefined` when `"json escape"` is enabled - Fix incorrect middleware execution with unanchored `RegExp`s - Fix `res.jsonp(obj, status)` deprecation message - Fix typo in `res.is` JSDoc - deps: body-parser@1.19.1 - deps: bytes@3.1.1 - deps: http-errors@1.8.1 - deps: qs@6.9.6 - deps: raw-body@2.4.2 - deps: safe-buffer@5.2.1 - deps: type-is@~1.6.18 - deps: content-disposition@0.5.4 - deps: safe-buffer@5.2.1 - deps: cookie@0.4.1 - Fix `maxAge` option to reject invalid values - deps: proxy-addr@~2.0.7 - Use `req.socket` over deprecated `req.connection` - deps: forwarded@0.2.0 - deps: ipaddr.js@1.9.1 - deps: qs@6.9.6 - deps: safe-buffer@5.2.1 - deps: send@0.17.2 - deps: http-errors@1.8.1 - deps: ms@2.1.3 - pref: ignore empty http tokens - deps: serve-static@1.14.2 - deps: send@0.17.2 - deps: setprototypeof@1.2.0 ### [`v4.17.1`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4171--2019-05-25) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.17.0...4.17.1) \=================== - Revert "Improve error message for `null`/`undefined` to `res.status`" ### [`v4.17.0`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4170--2019-05-16) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.16.4...4.17.0) \=================== - Add `express.raw` to parse bodies into `Buffer` - Add `express.text` to parse bodies into string - Improve error message for non-strings to `res.sendFile` - Improve error message for `null`/`undefined` to `res.status` - Support multiple hosts in `X-Forwarded-Host` - deps: accepts@~1.3.7 - deps: body-parser@1.19.0 - Add encoding MIK - Add petabyte (`pb`) support - Fix parsing array brackets after index - deps: bytes@3.1.0 - deps: http-errors@1.7.2 - deps: iconv-lite@0.4.24 - deps: qs@6.7.0 - deps: raw-body@2.4.0 - deps: type-is@~1.6.17 - deps: content-disposition@0.5.3 - deps: cookie@0.4.0 - Add `SameSite=None` support - deps: finalhandler@~1.1.2 - Set stricter `Content-Security-Policy` header - deps: parseurl@~1.3.3 - deps: statuses@~1.5.0 - deps: parseurl@~1.3.3 - deps: proxy-addr@~2.0.5 - deps: ipaddr.js@1.9.0 - deps: qs@6.7.0 - Fix parsing array brackets after index - deps: range-parser@~1.2.1 - deps: send@0.17.1 - Set stricter CSP header in redirect & error responses - deps: http-errors@~1.7.2 - deps: mime@1.6.0 - deps: ms@2.1.1 - deps: range-parser@~1.2.1 - deps: statuses@~1.5.0 - perf: remove redundant `path.normalize` call - deps: serve-static@1.14.1 - Set stricter CSP header in redirect response - deps: parseurl@~1.3.3 - deps: send@0.17.1 - deps: setprototypeof@1.1.1 - deps: statuses@~1.5.0 - Add `103 Early Hints` - deps: type-is@~1.6.18 - deps: mime-types@~2.1.24 - perf: prevent internal `throw` on invalid type ### [`v4.16.4`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4164--2018-10-10) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.16.3...4.16.4) \=================== - Fix issue where `"Request aborted"` may be logged in `res.sendfile` - Fix JSDoc for `Router` constructor - deps: body-parser@1.18.3 - Fix deprecation warnings on Node.js 10+ - Fix stack trace for strict json parse error - deps: depd@~1.1.2 - deps: http-errors@~1.6.3 - deps: iconv-lite@0.4.23 - deps: qs@6.5.2 - deps: raw-body@2.3.3 - deps: type-is@~1.6.16 - deps: proxy-addr@~2.0.4 - deps: ipaddr.js@1.8.0 - deps: qs@6.5.2 - deps: safe-buffer@5.1.2 ### [`v4.16.3`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4163--2018-03-12) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.16.2...4.16.3) \=================== - deps: accepts@~1.3.5 - deps: mime-types@~2.1.18 - deps: depd@~1.1.2 - perf: remove argument reassignment - deps: encodeurl@~1.0.2 - Fix encoding `%` as last character - deps: finalhandler@1.1.1 - Fix 404 output for bad / missing pathnames - deps: encodeurl@~1.0.2 - deps: statuses@~1.4.0 - deps: proxy-addr@~2.0.3 - deps: ipaddr.js@1.6.0 - deps: send@0.16.2 - Fix incorrect end tag in default error & redirects - deps: depd@~1.1.2 - deps: encodeurl@~1.0.2 - deps: statuses@~1.4.0 - deps: serve-static@1.13.2 - Fix incorrect end tag in redirects - deps: encodeurl@~1.0.2 - deps: send@0.16.2 - deps: statuses@~1.4.0 - deps: type-is@~1.6.16 - deps: mime-types@~2.1.18 ### [`v4.16.2`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4162--2017-10-09) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.16.1...4.16.2) \=================== - Fix `TypeError` in `res.send` when given `Buffer` and `ETag` header set - perf: skip parsing of entire `X-Forwarded-Proto` header ### [`v4.16.1`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4161--2017-09-29) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.16.0...4.16.1) \=================== - deps: send@0.16.1 - deps: serve-static@1.13.1 - Fix regression when `root` is incorrectly set to a file - deps: send@0.16.1 ### [`v4.16.0`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4160--2017-09-28) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.15.5...4.16.0) \=================== - Add `"json escape"` setting for `res.json` and `res.jsonp` - Add `express.json` and `express.urlencoded` to parse bodies - Add `options` argument to `res.download` - Improve error message when autoloading invalid view engine - Improve error messages when non-function provided as middleware - Skip `Buffer` encoding when not generating ETag for small response - Use `safe-buffer` for improved Buffer API - deps: accepts@~1.3.4 - deps: mime-types@~2.1.16 - deps: content-type@~1.0.4 - perf: remove argument reassignment - perf: skip parameter parsing when no parameters - deps: etag@~1.8.1 - perf: replace regular expression with substring - deps: finalhandler@1.1.0 - Use `res.headersSent` when available - deps: parseurl@~1.3.2 - perf: reduce overhead for full URLs - perf: unroll the "fast-path" `RegExp` - deps: proxy-addr@~2.0.2 - Fix trimming leading / trailing OWS in `X-Forwarded-For` - deps: forwarded@~0.1.2 - deps: ipaddr.js@1.5.2 - perf: reduce overhead when no `X-Forwarded-For` header - deps: qs@6.5.1 - Fix parsing & compacting very deep objects - deps: send@0.16.0 - Add 70 new types for file extensions - Add `immutable` option - Fix missing `