chore(deps): update dependency express to v4.20.0 [security]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
express (source)	4.19.2 -> 4.20.0

GitHub Vulnerability Alerts

CVE-2024-43796

Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code

Patches

this issue is patched in express 4.20.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

1. The attacker MUST control the input to response.redirect()
2. express MUST NOT redirect before the template appears
3. the browser MUST NOT complete redirection before:
4. the user MUST click on the link in the template

---

Release Notes

expressjs/express (express)

### [`v4.20.0`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4200--2024-09-10) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.19.2...4.20.0) \========== - deps: serve-static@0.16.0 - Remove link renderization in html while redirecting - deps: send@0.19.0 - Remove link renderization in html while redirecting - deps: body-parser@0.6.0 - add `depth` option to customize the depth level in the parser - IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`) - Remove link renderization in html while using `res.redirect` - deps: path-to-regexp@0.1.10 - Adds support for named matching groups in the routes using a regex - Adds backtracking protection to parameters without regexes defined - deps: encodeurl@~2.0.0 - Removes encoding of `\`, `|`, and `^` to align better with URL spec - Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie` - Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[nx-cloud[bot]]

☁️ Nx Cloud Report

CI is running/has finished running commands for commit bd78c409d844d9e32a41cb86a8fc0f4cf2a8550c. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.

📂 See all runs for this CI Pipeline Execution

---

✅ Successfully ran 4 targets

- [`nx run-many --target=test --all --configuration=ci --base=remotes/origin/master --head=HEAD`](https://cloud.nx.app/runs/LkgI3dqHc0?utm_source=pull-request&utm_medium=comment) - [`nx run-many --target=lint --all --configuration=ci --base=remotes/origin/master --head=HEAD`](https://cloud.nx.app/runs/82Gkn6FByB?utm_source=pull-request&utm_medium=comment) - [`nx lint-types store`](https://cloud.nx.app/runs/rqfKHZJi0J?utm_source=pull-request&utm_medium=comment) - [`nx run-many --target=build --all`](https://cloud.nx.app/runs/RSiYl57Ss0?utm_source=pull-request&utm_medium=comment)

---

Sent with 💌 from NxCloud.

[pkg-pr-new[bot]]

Open in Stackblitz

@ngxs/devtools-plugin

``` yarn add https://pkg.pr.new/@ngxs/devtools-plugin@2220.tgz ```

@ngxs/form-plugin

``` yarn add https://pkg.pr.new/@ngxs/form-plugin@2220.tgz ```

@ngxs/hmr-plugin

``` yarn add https://pkg.pr.new/@ngxs/hmr-plugin@2220.tgz ```

@ngxs/router-plugin

``` yarn add https://pkg.pr.new/@ngxs/router-plugin@2220.tgz ```

@ngxs/storage-plugin

``` yarn add https://pkg.pr.new/@ngxs/storage-plugin@2220.tgz ```

@ngxs/store

``` yarn add https://pkg.pr.new/@ngxs/store@2220.tgz ```

@ngxs/websocket-plugin

``` yarn add https://pkg.pr.new/@ngxs/websocket-plugin@2220.tgz ```

commit: bd78c40

[bundlemon[bot]]

BundleMon

Unchanged files (6)

Status | Path | Size | Limits :------------: | ------------ | :------------: | :------------: :white_check_mark: | fesm2022/ngxs-store.mjs
| 100.32KB | 101KB / +0.5% :white_check_mark: | fesm2022/ngxs-store-internals.mjs
| 11.64KB | 13KB / +0.5% :white_check_mark: | fesm2022/ngxs-store-internals-testing.mjs
| 6.83KB | 7KB / +0.5% :white_check_mark: | fesm2022/ngxs-store-operators.mjs
| 6.22KB | 7KB / +0.5% :white_check_mark: | fesm2022/ngxs-store-plugins.mjs
| 2.04KB | 3KB / +0.5% :white_check_mark: | fesm2022/ngxs-store-experimental.mjs
| 1.4KB | 2KB / +0.5%

No change in files bundle size

Unchanged groups (2)

Status | Path | Size | Limits :------------: | ------------ | :------------: | :------------: :white_check_mark: | @ngxs/store(esm2022)[gzip]
_{./esm2022/**/*.mjs}
| 222.49KB | +1% :white_check_mark: | @ngxs/store(fesm2022)[gzip]
_{./fesm2022/*.mjs}
| 30.74KB | +1%

Final result: :white_check_mark:

View report in BundleMon website ➡️

---

Current branch size history | Target branch size history

[bundlemon[bot]]

BundleMon (NGXS Plugins)

Unchanged files (9)

Status | Path | Size | Limits :------------: | ------------ | :------------: | :------------: :white_check_mark: | Plugins(fesm2022)[gzip]
_{storage-plugin/fesm2022/ngxs-storage-plugin.m
js}
| 4.15KB | +0.5% :white_check_mark: | Plugins(fesm2022)[gzip]
_{router-plugin/fesm2022/ngxs-router-plugin.mjs}
| 3.2KB | +0.5% :white_check_mark: | Plugins(fesm2022)[gzip]
_{websocket-plugin/fesm2022/ngxs-websocket-plug
in.mjs}
| 2.64KB | +0.5% :white_check_mark: | Plugins(fesm2022)[gzip]
_{hmr-plugin/fesm2022/ngxs-hmr-plugin.mjs}
| 2.61KB | +0.5% :white_check_mark: | Plugins(fesm2022)[gzip]
_{form-plugin/fesm2022/ngxs-form-plugin.mjs}
| 2.59KB | +0.5% :white_check_mark: | Plugins(fesm2022)[gzip]
_{devtools-plugin/fesm2022/ngxs-devtools-plugin
.mjs}
| 2.23KB | +0.5% :white_check_mark: | Plugins(fesm2022)[gzip]
_{logger-plugin/fesm2022/ngxs-logger-plugin.mjs}
| 2.09KB | +0.5% :white_check_mark: | Plugins(fesm2022)[gzip]
_{storage-plugin/fesm2022/ngxs-storage-plugin-i
nternals.mjs}
| 875B | +0.5% :white_check_mark: | Plugins(fesm2022)[gzip]
_{router-plugin/fesm2022/ngxs-router-plugin-int
ernals.mjs}
| 411B | +0.5%

No change in files bundle size

Unchanged groups (1)

Status | Path | Size | Limits :------------: | ------------ | :------------: | :------------: :white_check_mark: | All Plugins(fesm2022)[gzip]
_{./*-plugin/fesm2022/*.mjs}
| 20.76KB | +0.5%

Final result: :white_check_mark:

View report in BundleMon website ➡️

---

Current branch size history | Target branch size history

[bundlemon[bot]]

BundleMon (Integration Projects)

Unchanged files (3)

Status | Path | Size | Limits :------------: | ------------ | :------------: | :------------: :white_check_mark: | Main bundles(Gzip)
_{hello-world-ng18/dist-integration/browser/mai
n-(hash).js}
| 71.84KB | +1% :white_check_mark: | Main bundles(Gzip)
_{hello-world-ng17/dist-integration/main.(hash)
.js}
| 68.73KB | +1% :white_check_mark: | Main bundles(Gzip)
_{hello-world-ng16/dist-integration/main.(hash)
.js}
| 67.76KB | +1%

No change in files bundle size

Final result: :white_check_mark:

View report in BundleMon website ➡️

---

Current branch size history | Target branch size history

[codeclimate[bot]]

Code Climate has analyzed commit 59f1b33e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 95.3% (0.0% change).

View more on Code Climate.