Closed uriel-mend-app[bot] closed 1 year ago
This PR contains the following updates:
3.0.0 -> 3.21.0
Mend ensures you have the greatest risk reduction (highlighted in green) by removing as many vulnerabilities as possible.
By merging this PR, the number of vulnerabilities in issue #16 will be resolved in part or in full.
---

### Release Notes

expressjs/express

### [`v3.21.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3210--2015-06-18)

[Compare Source](https://togithub.com/expressjs/express/compare/3.20.3...3.21.0)

- deps: basic-auth@1.0.2
- perf: enable strict mode
- perf: hoist regular expression
- perf: parse with regular expressions
- perf: remove argument reassignment
- deps: connect@2.30.0
- deps: body-parser@~1.13.1
- deps: bytes@2.1.0
- deps: compression@~1.5.0
- deps: cookie@0.1.3
- deps: cookie-parser@~1.3.5
- deps: csurf@~1.8.3
- deps: errorhandler@~1.4.0
- deps: express-session@~1.11.3
- deps: finalhandler@0.4.0
- deps: fresh@0.3.0
- deps: morgan@~1.6.0
- deps: serve-favicon@~2.3.0
- deps: serve-index@~1.7.0
- deps: serve-static@~1.10.0
- deps: type-is@~1.6.3
- deps: cookie@0.1.3
- perf: deduce the scope of try-catch deopt
- perf: remove argument reassignments
- deps: escape-html@1.0.2
- deps: etag@~1.7.0
- Always include entity length in ETags for hash length extensions
- Generate non-Stats ETags using MD5 only (no longer CRC32)
- Improve stat performance by removing hashing
- Improve support for JXcore
- Remove base64 padding in ETags to shorten
- Support "fake" stats objects in environments without fs
- Use MD5 instead of MD4 in weak ETags over 1KB
- deps: fresh@0.3.0
- Add weak `ETag` matching support
- deps: mkdirp@0.5.1
- Work in global strict mode
- deps: send@0.13.0
- Allow Node.js HTTP server to set `Date` response header
- Fix incorrectly removing `Content-Location` on 304 response
- Improve the default redirect response headers
- Send appropriate headers on default error response
- Use `http-errors` for standard emitted errors
- Use `statuses` instead of `http` module for status messages
- deps: escape-html@1.0.2
- deps: etag@~1.7.0
- deps: fresh@0.3.0
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove unnecessary array allocations

### [`v3.20.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3203--2015-05-17)

[Compare Source](https://togithub.com/expressjs/express/compare/3.20.2...3.20.3)

- deps: connect@2.29.2
- deps: body-parser@~1.12.4
- deps: compression@~1.4.4
- deps: connect-timeout@~1.6.2
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: errorhandler@~1.3.6
- deps: finalhandler@0.3.6
- deps: method-override@~2.3.3
- deps: morgan@~1.5.3
- deps: qs@2.4.2
- deps: response-time@~2.3.1
- deps: serve-favicon@~2.2.1
- deps: serve-index@~1.6.4
- deps: serve-static@~1.9.3
- deps: type-is@~1.6.2
- deps: debug@~2.2.0
- deps: ms@0.7.1
- deps: depd@~1.0.1
- deps: proxy-addr@~1.0.8
- deps: ipaddr.js@1.0.1
- deps: send@0.12.3
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: etag@~1.6.0
- deps: ms@0.7.1
- deps: on-finished@~2.2.1

### [`v3.20.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3202--2015-03-16)

[Compare Source](https://togithub.com/expressjs/express/compare/3.20.1...3.20.2)

- deps: connect@2.29.1
- deps: body-parser@~1.12.2
- deps: compression@~1.4.3
- deps: connect-timeout@~1.6.1
- deps: debug@~2.1.3
- deps: errorhandler@~1.3.5
- deps: express-session@~1.10.4
- deps: finalhandler@0.3.4
- deps: method-override@~2.3.2
- deps: morgan@~1.5.2
- deps: qs@2.4.1
- deps: serve-index@~1.6.3
- deps: serve-static@~1.9.2
- deps: type-is@~1.6.1
- deps: debug@~2.1.3
- Fix high intensity foreground color for bold
- deps: ms@0.7.0
- deps: merge-descriptors@1.0.0
- deps: proxy-addr@~1.0.7
- deps: ipaddr.js@0.1.9
- deps: send@0.12.2
- Throw errors early for invalid `extensions` or `index` options
- deps: debug@~2.1.3

### [`v3.20.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3201--2015-02-28)

[Compare Source](https://togithub.com/expressjs/express/compare/3.20.0...3.20.1)

- Fix `req.host` when using "trust proxy" hops count
- Fix `req.protocol`/`req.secure` when using "trust proxy" hops count

### [`v3.20.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3200--2015-02-18)

[Compare Source](https://togithub.com/expressjs/express/compare/3.19.2...3.20.0)

- Fix `"trust proxy"` setting to inherit when app is mounted
- Generate `ETag`s for all request responses
- No longer restricted to only responses for `GET` and `HEAD` requests
- Use `content-type` to parse `Content-Type` headers
- deps: connect@2.29.0
- Use `content-type` to parse `Content-Type` headers
- deps: body-parser@~1.12.0
- deps: compression@~1.4.1
- deps: connect-timeout@~1.6.0
- deps: cookie-parser@~1.3.4
- deps: cookie-signature@1.0.6
- deps: csurf@~1.7.0
- deps: errorhandler@~1.3.4
- deps: express-session@~1.10.3
- deps: http-errors@~1.3.1
- deps: response-time@~2.3.0
- deps: serve-index@~1.6.2
- deps: serve-static@~1.9.1
- deps: type-is@~1.6.0
- deps: cookie-signature@1.0.6
- deps: send@0.12.1
- Always read the stat size from the file
- Fix mutating passed-in `options`
- deps: mime@1.3.4

### [`v3.19.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3192--2015-02-01)

[Compare Source](https://togithub.com/expressjs/express/compare/3.19.1...3.19.2)

- deps: connect@2.28.3
- deps: compression@~1.3.1
- deps: csurf@~1.6.6
- deps: errorhandler@~1.3.3
- deps: express-session@~1.10.2
- deps: serve-index@~1.6.1
- deps: type-is@~1.5.6
- deps: proxy-addr@~1.0.6
- deps: ipaddr.js@0.1.8

### [`v3.19.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3191--2015-01-20)

[Compare Source](https://togithub.com/expressjs/express/compare/3.19.0...3.19.1)

- deps: connect@2.28.2
- deps: body-parser@~1.10.2
- deps: serve-static@~1.8.1
- deps: send@0.11.1
- Fix root path disclosure

### [`v3.19.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3190--2015-01-09)

[Compare Source](https://togithub.com/expressjs/express/compare/3.18.6...3.19.0)

- Fix `OPTIONS` responses to include the `HEAD` method property
- Use `readline` for prompt in `express(1)`
- deps: commander@2.6.0
- deps: connect@2.28.1
- deps: body-parser@~1.10.1
- deps: compression@~1.3.0
- deps: connect-timeout@~1.5.0
- deps: csurf@~1.6.4
- deps: debug@~2.1.1
- deps: errorhandler@~1.3.2
- deps: express-session@~1.10.1
- deps: finalhandler@0.3.3
- deps: method-override@~2.3.1
- deps: morgan@~1.5.1
- deps: serve-favicon@~2.2.0
- deps: serve-index@~1.6.0
- deps: serve-static@~1.8.0
- deps: type-is@~1.5.5
- deps: debug@~2.1.1
- deps: methods@~1.1.1
- deps: proxy-addr@~1.0.5
- deps: ipaddr.js@0.1.6
- deps: send@0.11.0
- deps: debug@~2.1.1
- deps: etag@~1.5.1
- deps: ms@0.7.0
- deps: on-finished@~2.2.0

### [`v3.18.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3186--2014-12-12)

[Compare Source](https://togithub.com/expressjs/express/compare/3.18.5...3.18.6)

- Fix exception in `req.fresh`/`req.stale` without response headers

### [`v3.18.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3185--2014-12-11)

[Compare Source](https://togithub.com/expressjs/express/compare/3.18.4...3.18.5)

- deps: connect@2.27.6
- deps: compression@~1.2.2
- deps: express-session@~1.9.3
- deps: http-errors@~1.2.8
- deps: serve-index@~1.5.3
- deps: type-is@~1.5.4

### [`v3.18.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3184--2014-11-23)

[Compare Source](https://togithub.com/expressjs/express/compare/3.18.3...3.18.4)

- deps: connect@2.27.4
- deps: body-parser@~1.9.3
- deps: compression@~1.2.1
- deps: errorhandler@~1.2.3
- deps: express-session@~1.9.2
- deps: qs@2.3.3
- deps: serve-favicon@~2.1.7
- deps: serve-static@~1.5.1
- deps: type-is@~1.5.3
- deps: etag@~1.5.1
- deps: proxy-addr@~1.0.4
- deps: ipaddr.js@0.1.5

### [`v3.18.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3183--2014-11-09)

[Compare Source](https://togithub.com/expressjs/express/compare/3.18.2...3.18.3)

- deps: connect@2.27.3
- Correctly invoke async callback asynchronously
- deps: csurf@~1.6.3

### [`v3.18.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3182--2014-10-28)

[Compare Source](https://togithub.com/expressjs/express/compare/3.18.1...3.18.2)

- deps: connect@2.27.2
- Fix handling of URLs containing `://` in the path
- deps: body-parser@~1.9.2
- deps: qs@2.3.2

### [`v3.18.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3181--2014-10-22)

[Compare Source](https://togithub.com/expressjs/express/compare/3.18.0...3.18.1)

- Fix internal `utils.merge` deprecation warnings
- deps: connect@2.27.1
- deps: body-parser@~1.9.1
- deps: express-session@~1.9.1
- deps: finalhandler@0.3.2
- deps: morgan@~1.4.1
- deps: qs@2.3.0
- deps: serve-static@~1.7.1
- deps: send@0.10.1
- deps: on-finished@~2.1.1

### [`v3.18.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3180--2014-10-17)

[Compare Source](https://togithub.com/expressjs/express/compare/3.17.8...3.18.0)

- Use `content-disposition` module for `res.attachment`/`res.download`
- Sends standards-compliant `Content-Disposition` header
- Full Unicode support
- Use `etag` module to generate `ETag` headers
- deps: connect@2.27.0
- Use `http-errors` module for creating errors
- Use `utils-merge` module for merging objects
- deps: body-parser@~1.9.0
- deps: compression@~1.2.0
- deps: connect-timeout@~1.4.0
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: express-session@~1.9.0
- deps: finalhandler@0.3.1
- deps: method-override@~2.3.0
- deps: morgan@~1.4.0
- deps: response-time@~2.2.0
- deps: serve-favicon@~2.1.6
- deps: serve-index@~1.5.0
- deps: serve-static@~1.7.0
- deps: debug@~2.1.0
- Implement `DEBUG_FD` env variable support
- deps: depd@~1.0.0
- deps: send@0.10.0
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: etag@~1.5.0

### [`v3.17.8`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3178--2014-10-15)

[Compare Source](https://togithub.com/expressjs/express/compare/3.17.7...3.17.8)

- deps: connect@2.26.6
- deps: compression@~1.1.2
- deps: csurf@~1.6.2
- deps: errorhandler@~1.2.2

### [`v3.17.7`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3177--2014-10-08)

[Compare Source](https://togithub.com/expressjs/express/compare/3.17.6...3.17.7)

- deps: connect@2.26.5
- Fix accepting non-object arguments to `logger`
- deps: serve-static@~1.6.4

### [`v3.17.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3176--2014-10-02)

[Compare Source](https://togithub.com/expressjs/express/compare/3.17.5...3.17.6)

- deps: connect@2.26.4
- deps: morgan@~1.3.2
- deps: type-is@~1.5.2

### [`v3.17.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3175--2014-09-24)

[Compare Source](https://togithub.com/expressjs/express/compare/3.17.4...3.17.5)

- deps: connect@2.26.3
- deps: body-parser@~1.8.4
- deps: serve-favicon@~2.1.5
- deps: serve-static@~1.6.3
- deps: proxy-addr@~1.0.3
- Use `forwarded` npm module
- deps: send@0.9.3
- deps: etag@~1.4.0

### [`v3.17.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3174--2014-09-19)

[Compare Source](https://togithub.com/expressjs/express/compare/3.17.3...3.17.4)

- deps: connect@2.26.2
- deps: body-parser@~1.8.3
- deps: qs@2.2.4

### [`v3.17.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3173--2014-09-18)

[Compare Source](https://togithub.com/expressjs/express/compare/3.17.2...3.17.3)

- deps: proxy-addr@~1.0.2
- Fix a global leak when multiple subnets are trusted
- deps: ipaddr.js@0.1.3

### [`v3.17.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3172--2014-09-15)

[Compare Source](https://togithub.com/expressjs/express/compare/3.17.1...3.17.2)

- Use `crc` instead of `buffer-crc32` for speed
- deps: connect@2.26.1
- deps: body-parser@~1.8.2
- deps: depd@0.4.5
- deps: express-session@~1.8.2
- deps: morgan@~1.3.1
- deps: serve-favicon@~2.1.3
- deps: serve-static@~1.6.2
- deps: depd@0.4.5
- deps: send@0.9.2
- deps: depd@0.4.5
- deps: etag@~1.3.1
- deps: range-parser@~1.0.2

### [`v3.17.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3171--2014-09-08)

[Compare Source](https://togithub.com/expressjs/express/compare/3.17.0...3.17.1)

- Fix error in `req.subdomains` on empty host

### [`v3.17.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3170--2014-09-08)

[Compare Source](https://togithub.com/expressjs/express/compare/3.16.10...3.17.0)

- Support `X-Forwarded-Host` in `req.subdomains`
- Support IP address host in `req.subdomains`
- deps: connect@2.26.0
- deps: body-parser@~1.8.1
- deps: compression@~1.1.0
- deps: connect-timeout@~1.3.0
- deps: cookie-parser@~1.3.3
- deps: cookie-signature@1.0.5
- deps: csurf@~1.6.1
- deps: debug@~2.0.0
- deps: errorhandler@~1.2.0
- deps: express-session@~1.8.1
- deps: finalhandler@0.2.0
- deps: fresh@0.2.4
- deps: media-typer@0.3.0
- deps: method-override@~2.2.0
- deps: morgan@~1.3.0
- deps: qs@2.2.3
- deps: serve-favicon@~2.1.3
- deps: serve-index@~1.2.1
- deps: serve-static@~1.6.1
- deps: type-is@~1.5.1
- deps: vhost@~3.0.0
- deps: cookie-signature@1.0.5
- deps: debug@~2.0.0
- deps: fresh@0.2.4
- deps: media-typer@0.3.0
- Throw error when parameter format invalid on parse
- deps: range-parser@~1.0.2
- deps: send@0.9.1
- Add `lastModified` option
- Use `etag` to generate `ETag` header
- deps: debug@~2.0.0
- deps: fresh@0.2.4
- deps: vary@~1.0.0
- Accept valid `Vary` header string as `field`

### [`v3.16.10`](https://togithub.com/expressjs/express/blob/HEAD/History.md#31610--2014-09-04)

[Compare Source](https://togithub.com/expressjs/express/compare/3.16.9...3.16.10)

- deps: connect@2.25.10
- deps: serve-static@~1.5.4
- deps: send@0.8.5
- Fix a path traversal issue when using `root`
- Fix malicious path detection for empty string path

### [`v3.16.9`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3169--2014-08-29)

[Compare Source](https://togithub.com/expressjs/express/compare/3.16.8...3.16.9)

- deps: connect@2.25.9
- deps: body-parser@~1.6.7
- deps: qs@2.2.2

### [`v3.16.8`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3168--2014-08-27)

[Compare Source](https://togithub.com/expressjs/express/compare/3.16.7...3.16.8)

- deps: connect@2.25.8
- deps: body-parser@~1.6.6
- deps: csurf@~1.4.1
- deps: qs@2.2.0

### [`v3.16.7`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3167--2014-08-18)

[Compare Source](https://togithub.com/expressjs/express/compare/3.16.6...3.16.7)

- deps: connect@2.25.7
- deps: body-parser@~1.6.5
- deps: express-session@~1.7.6
- deps: morgan@~1.2.3
- deps: serve-static@~1.5.3
- deps: send@0.8.3
- deps: destroy@1.0.3
- deps: on-finished@2.1.0

### [`v3.16.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3166--2014-08-14)

[Compare Source](https://togithub.com/expressjs/express/compare/3.16.5...3.16.6)

- deps: connect@2.25.6
- deps: body-parser@~1.6.4
- deps: qs@1.2.2
- deps: serve-static@~1.5.2
- deps: send@0.8.2
- Work around `fd` leak in Node.js 0.10 for `fs.ReadStream`

### [`v3.16.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3165--2014-08-11)

[Compare Source](https://togithub.com/expressjs/express/compare/3.16.4...3.16.5)

- deps: connect@2.25.5
- Fix backwards compatibility in `logger`

### [`v3.16.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3164--2014-08-10)

[Compare Source](https://togithub.com/expressjs/express/compare/3.16.3...3.16.4)

- Fix original URL parsing in `res.location`
- deps: connect@2.25.4
- Fix `query` middleware breaking with argument
- deps: body-parser@~1.6.3
- deps: compression@~1.0.11
- deps: connect-timeout@~1.2.2
- deps: express-session@~1.7.5
- deps: method-override@~2.1.3
- deps: on-headers@~1.0.0
- deps: parseurl@~1.3.0
- deps: qs@1.2.1
- deps: response-time@~2.0.1
- deps: serve-index@~1.1.6
- deps: serve-static@~1.5.1
- deps: parseurl@~1.3.0

### [`v3.16.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3163--2014-08-07)

[Compare Source](https://togithub.com/expressjs/express/compare/3.16.2...3.16.3)

- deps: connect@2.25.3
- deps: multiparty@3.3.2

### [`v3.16.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3162--2014-08-07)

[Compare Source](https://togithub.com/expressjs/express/compare/3.16.1...3.16.2)

- deps: connect@2.25.2
- deps: body-parser@~1.6.2
- deps: qs@1.2.0

### [`v3.16.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#31610--2014-09-04)

[Compare Source](https://togithub.com/expressjs/express/compare/3.16.0...3.16.1)

- deps: connect@2.25.10
- deps: serve-static@~1.5.4
- deps: send@0.8.5
- Fix a path traversal issue when using `root`
- Fix malicious path detection for empty string path

### [`v3.16.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3160--2014-08-05)

[Compare Source](https://togithub.com/expressjs/express/compare/3.15.3...3.16.0)

- deps: connect@2.25.0
- deps: body-parser@~1.6.0
- deps: compression@~1.0.10
- deps: csurf@~1.4.0
- deps: express-session@~1.7.4
- deps: qs@1.0.2
- deps: serve-static@~1.5.0
- deps: send@0.8.1
- Add `extensions` option

### [`v3.15.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3153--2014-08-04)

[Compare Source](https://togithub.com/expressjs/express/compare/3.15.2...3.15.3)

- fix `res.sendfile` regression for serving directory index files
- deps: connect@2.24.3
- deps: serve-index@~1.1.5
- deps: serve-static@~1.4.4
- deps: send@0.7.4
- Fix incorrect 403 on Windows and Node.js 0.11
- Fix serving index files without root dir

### [`v3.15.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3152--2014-07-27)

[Compare Source](https://togithub.com/expressjs/express/compare/3.15.1...3.15.2)

- deps: connect@2.24.2
- deps: body-parser@~1.5.2
- deps: depd@0.4.4
- deps: express-session@~1.7.2
- deps: morgan@~1.2.2
- deps: serve-static@~1.4.2
- deps: depd@0.4.4
- Work-around v8 generating empty stack traces
- deps: send@0.7.2
- deps: depd@0.4.4

### [`v3.15.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3151--2014-07-26)

[Compare Source](https://togithub.com/expressjs/express/compare/3.15.0...3.15.1)

- deps: connect@2.24.1
- deps: body-parser@~1.5.1
- deps: depd@0.4.3
- deps: express-session@~1.7.1
- deps: morgan@~1.2.1
- deps: serve-index@~1.1.4
- deps: serve-static@~1.4.1
- deps: depd@0.4.3
- Fix exception when global `Error.stackTraceLimit` is too low
- deps: send@0.7.1
- deps: depd@0.4.3

### [`v3.15.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3150--2014-07-22)

[Compare Source](https://togithub.com/expressjs/express/compare/3.14.0...3.15.0)

- Fix `req.protocol` for proxy-direct connections
- Pass options from `res.sendfile` to `send`
- deps: connect@2.24.0
- deps: body-parser@~1.5.0
- deps: compression@~1.0.9
- deps: connect-timeout@~1.2.1
- deps: debug@1.0.4
- deps: depd@0.4.2
- deps: express-session@~1.7.0
- deps: finalhandler@0.1.0
- deps: method-override@~2.1.2
- deps: morgan@~1.2.0
- deps: multiparty@3.3.1
- deps: parseurl@~1.2.0
- deps: serve-static@~1.4.0
- deps: debug@1.0.4
- deps: depd@0.4.2
- Add `TRACE_DEPRECATION` environment variable
- Remove non-standard grey color from color output
- Support `--no-deprecation` argument
- Support `--trace-deprecation` argument
- deps: parseurl@~1.2.0
- Cache URLs based on original value
- Remove no-longer-needed URL mis-parse work-around
- Simplify the "fast-path" `RegExp`
- deps: send@0.7.0
- Add `dotfiles` option
- Cap `maxAge` value to 1 year
- deps: debug@1.0.4
- deps: depd@0.4.2

### [`v3.14.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3140--2014-07-11)

[Compare Source](https://togithub.com/expressjs/express/compare/3.13.0...3.14.0)

- add explicit "Rosetta Flash JSONP abuse" protection
- previous versions are not vulnerable; this is just explicit protection
- deprecate `res.redirect(url, status)` -- use `res.redirect(status, url)` instead
- fix `res.send(status, num)` to send `num` as json (not error)
- remove unnecessary escaping when `res.jsonp` returns JSON response
- deps: basic-auth@1.0.0
- support empty password
- support empty username
- deps: connect@2.23.0
- deps: debug@1.0.3
- deps: express-session@~1.6.4
- deps: method-override@~2.1.0
- deps: parseurl@~1.1.3
- deps: serve-static@~1.3.1
- deps: debug@1.0.3
- Add support for multiple wildcards in namespaces
- deps: methods@1.1.0
- add `CONNECT`
- deps: parseurl@~1.1.3
- faster parsing of href-only URLs

### [`v3.13.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3130--2014-07-03)

[Compare Source](https://togithub.com/expressjs/express/compare/3.12.1...3.13.0)

- add deprecation message to `app.configure`
- add deprecation message to `req.auth`
- use `basic-auth` to parse `Authorization` header
- deps: connect@2.22.0
- deps: csurf@~1.3.0
- deps: express-session@~1.6.1
- deps: multiparty@3.3.0
- deps: serve-static@~1.3.0
- deps: send@0.5.0
- Accept string for `maxage` (converted by `ms`)
- Include link in default redirect response

### [`v3.12.1`](https://togithub.com/expressjs/express/compare/3.12.0...3.12.1)

[Compare Source](https://togithub.com/expressjs/express/compare/3.12.0...3.12.1)

### [`v3.12.0`](https://togithub.com/expressjs/express/compare/3.11.0...3.12.0)

[Compare Source](https://togithub.com/expressjs/express/compare/3.11.0...3.12.0)

### [`v3.11.0`](https://togithub.com/expressjs/express/compare/3.10.5...3.11.0)

[Compare Source](https://togithub.com/expressjs/express/compare/3.10.5...3.11.0)

### [`v3.10.5`](https://togithub.com/expressjs/express/compare/3.10.4...3.10.5)

[Compare Source](https://togithub.com/expressjs/express/compare/3.10.4...3.10.5)

### [`v3.10.4`](https://togithub.com/expressjs/express/compare/3.10.3...3.10.4)

[Compare Source](https://togithub.com/expressjs/express/compare/3.10.3...3.10.4)

### [`v3.10.3`](https://togithub.com/expressjs/express/compare/3.10.2...3.10.3)

[Compare Source](https://togithub.com/expressjs/express/compare/3.10.2...3.10.3)

### [`v3.10.2`](https://togithub.com/expressjs/express/compare/3.10.1...3.10.2)

[Compare Source](https://togithub.com/expressjs/express/compare/3.10.1...3.10.2)

### [`v3.10.1`](https://togithub.com/expressjs/express/compare/3.10.0...3.10.1)

[Compare Source](https://togithub.com/expressjs/express/compare/3.10.0...3.10.1)

### [`v3.10.0`](https://togithub.com/expressjs/express/compare/3.9.0...3.10.0)

[Compare Source](https://togithub.com/expressjs/express/compare/3.9.0...3.10.0)

### [`v3.9.0`](https://togithub.com/expressjs/express/compare/3.8.1...3.9.0)

[Compare Source](https://togithub.com/expressjs/express/compare/3.8.1...3.9.0)

### [`v3.8.1`](https://togithub.com/expressjs/express/compare/3.8.0...3.8.1)

[Compare Source](https://togithub.com/expressjs/express/compare/3.8.0...3.8.1)

### [`v3.8.0`](https://togithub.com/expressjs/express/compare/3.7.0...3.8.0)

[Compare Source](https://togithub.com/expressjs/express/compare/3.7.0...3.8.0)

### [`v3.7.0`](https://togithub.com/expressjs/express/compare/3.6.0...3.7.0)

[Compare Source](https://togithub.com/expressjs/express/compare/3.6.0...3.7.0)

### [`v3.6.0`](https://togithub.com/expressjs/express/compare/3.5.3...3.6.0)

[Compare Source](https://togithub.com/expressjs/express/compare/3.5.3...3.6.0)

### [`v3.5.3`](https://togithub.com/expressjs/express/compare/3.5.2...3.5.3)

[Compare Source](https://togithub.com/expressjs/express/compare/3.5.2...3.5.3)

### [`v3.5.2`](https://togithub.com/expressjs/express/compare/3.5.1...3.5.2)

[Compare Source](https://togithub.com/expressjs/express/compare/3.5.1...3.5.2)

### [`v3.5.1`](https://togithub.com/expressjs/express/compare/3.5.0...3.5.1)

[Compare Source](https://togithub.com/expressjs/express/compare/3.5.0...3.5.1)

### [`v3.5.0`](https://togithub.com/expressjs/express/compare/3.4.8...3.5.0)

[Compare Source](https://togithub.com/expressjs/express/compare/3.4.8...3.5.0)

### [`v3.4.8`](https://togithub.com/expressjs/express/compare/3.4.7...3.4.8)

[Compare Source](https://togithub.com/expressjs/express/compare/3.4.7...3.4.8)

### [`v3.4.7`](https://togithub.com/expressjs/express/compare/3.4.6...3.4.7)

[Compare Source](https://togithub.com/expressjs/express/compare/3.4.6...3.4.7)

### [`v3.4.6`](https://togithub.com/expressjs/express/compare/3.4.5...3.4.6)

[Compare Source](https://togithub.com/expressjs/express/compare/3.4.5...3.4.6)

### [`v3.4.5`](https://togithub.com/expressjs/express/compare/3.4.4...3.4.5)

[Compare Source](https://togithub.com/expressjs/express/compare/3.4.4...3.4.5)

### [`v3.4.4`](https://togithub.com/expressjs/express/compare/3.4.3...3.4.4)

[Compare Source](https://togithub.com/expressjs/express/compare/3.4.3...3.4.4)

### [`v3.4.3`](https://togithub.com/expressjs/express/compare/3.4.2...3.4.3)

[Compare Source](https://togithub.com/expressjs/express/compare/3.4.2...3.4.3)

### [`v3.4.2`](https://togithub.com/expressjs/express/compare/3.4.1...3.4.2)

[Compare Source](https://togithub.com/expressjs/express/compare/3.4.1...3.4.2)

### [`v3.4.1`](https://togithub.com/expressjs/express/compare/3.4.0...3.4.1)

[Compare Source](https://togithub.com/expressjs/express/compare/3.4.0...3.4.1)

### [`v3.4.0`](https://togithub.com/expressjs/express/compare/3.3.8...3.4.0)

[Compare Source](https://togithub.com/expressjs/express/compare/3.3.8...3.4.0)

### [`v3.3.8`](https://togithub.com/expressjs/express/compare/3.3.7...3.3.8)

[Compare Source](https://togithub.com/expressjs/express/compare/3.3.7...3.3.8)

### [`v3.3.7`](https://togithub.com/expressjs/express/compare/3.3.6...3.3.7)

[Compare Source](https://togithub.com/expressjs/express/compare/3.3.6...3.3.7)

### [`v3.3.6`](https://togithub.com/expressjs/express/compare/3.3.5...3.3.6)

[Compare Source](https://togithub.com/expressjs/express/compare/3.3.5...3.3.6)

### [`v3.3.5`](https://togithub.com/expressjs/express/compare/3.3.4...3.3.5)

[Compare Source](https://togithub.com/expressjs/express/compare/3.3.4...3.3.5)

### [`v3.3.4`](https://togithub.com/expressjs/express/compare/3.3.3...3.3.4)

[Compare Source](https://togithub.com/expressjs/express/compare/3.3.3...3.3.4)

### [`v3.3.3`](https://togithub.com/expressjs/express/compare/3.3.2...3.3.3)

[Compare Source](https://togithub.com/expressjs/express/compare/3.3.2...3.3.3)

### [`v3.3.2`](https://togithub.com/expressjs/express/compare/3.3.1...3.3.2)

[Compare Source](https://togithub.com/expressjs/express/compare/3.3.1...3.3.2)

### [`v3.3.1`](https://togithub.com/expressjs/express/compare/3.3.0...3.3.1)

[Compare Source](https://togithub.com/expressjs/express/compare/3.3.0...3.3.1)

### [`v3.3.0`](https://togithub.com/expressjs/express/compare/3.2.6...3.3.0)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.6...3.3.0)

### [`v3.2.6`](https://togithub.com/expressjs/express/compare/3.2.5...3.2.6)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.5...3.2.6)

### [`v3.2.5`](https://togithub.com/expressjs/express/compare/3.2.4...3.2.5)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.4...3.2.5)

### [`v3.2.4`](https://togithub.com/expressjs/express/compare/3.2.3...3.2.4)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.3...3.2.4)

### [`v3.2.3`](https://togithub.com/expressjs/express/compare/3.2.2...3.2.3)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.2...3.2.3)

### [`v3.2.2`](https://togithub.com/expressjs/express/compare/3.2.1...3.2.2)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.1...3.2.2)

### [`v3.2.1`](https://togithub.com/expressjs/express/compare/3.2.0...3.2.1)

[Compare Source](https://togithub.com/expressjs/express/compare/3.2.0...3.2.1)

### [`v3.2.0`](https://togithub.com/expressjs/express/compare/3.1.2...3.2.0)

[Compare Source](https://togithub.com/expressjs/express/compare/3.1.2...3.2.0)

### [`v3.1.2`](https://togithub.com/expressjs/express/compare/3.1.1...3.1.2)

[Compare Source](https://togithub.com/expressjs/express/compare/3.1.1...3.1.2)

### [`v3.1.1`](https://togithub.com/expressjs/express/compare/3.1.0...3.1.1)

[Compare Source](https://togithub.com/expressjs/express/compare/3.1.0...3.1.1)

### [`v3.1.0`](https://togithub.com/expressjs/express/compare/3.0.6...3.1.0)

[Compare Source](https://togithub.com/expressjs/express/compare/3.0.6...3.1.0)

### [`v3.0.6`](https://togithub.com/expressjs/express/compare/3.0.5...3.0.6)

[Compare Source](https://togithub.com/expressjs/express/compare/3.0.5...3.0.6)

### [`v3.0.5`](https://togithub.com/expressjs/express/compare/3.0.4...3.0.5)

[Compare Source](https://togithub.com/expressjs/express/compare/3.0.4...3.0.5)

### [`v3.0.4`](https://togithub.com/expressjs/express/compare/3.0.3...3.0.4)

[Compare Source](https://togithub.com/expressjs/express/compare/3.0.3...3.0.4)

### [`v3.0.3`](https://togithub.com/expressjs/express/compare/3.0.2...3.0.3)

[Compare Source](https://togithub.com/expressjs/express/compare/3.0.2...3.0.3)

### [`v3.0.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#302--2012-11-08)

[Compare Source](https://togithub.com/expressjs/express/compare/3.0.1...3.0.2)

- add OPTIONS to cors example. Closes [#1398](https://togithub.com/expressjs/express/issues/1398)
- fix route chaining regression. Closes [#1397](https://togithub.com/expressjs/express/issues/1397)

### [`v3.0.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#301--2012-11-01)

- update connect

---

- [ ] If you want to rebase/retry this PR, click this checkbox.
Version 3.21.0

| Risk Change | Critical | High | Medium | Low |
| --- | --- | --- | --- | --- |
| -50% | 0 (--) | 2 (-2) | 1 (-7) | 2 (+2) |

Version 3.0.0

| Risk Change | Critical | High | Medium | Low |
| --- | --- | --- | --- | --- |
| N/A | 0 | 4 | 8 | 0 |

Version 3.21.2

| Risk Change | Critical | High | Medium | Low |
| --- | --- | --- | --- | --- |
| -50% | 0 (--) | 2 (-2) | 1 (-7) | 2 (+2) |
connect@2.28.1 - deps: body-parser@~1.10.1 - deps: compression@~1.3.0 - deps: connect-timeout@~1.5.0 - deps: csurf@~1.6.4 - deps: debug@~2.1.1 - deps: errorhandler@~1.3.2 - deps: express-session@~1.10.1 - deps: finalhandler@0.3.3 - deps: method-override@~2.3.1 - deps: morgan@~1.5.1 - deps: serve-favicon@~2.2.0 - deps: serve-index@~1.6.0 - deps: serve-static@~1.8.0 - deps: type-is@~1.5.5 - deps: debug@~2.1.1 - deps: methods@~1.1.1 - deps: proxy-addr@~1.0.5 - deps: ipaddr.js@0.1.6 - deps: send@0.11.0 - deps: debug@~2.1.1 - deps: etag@~1.5.1 - deps: ms@0.7.0 - deps: on-finished@~2.2.0 ### [`v3.18.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3186--2014-12-12) [Compare Source](https://togithub.com/expressjs/express/compare/3.18.5...3.18.6) \=================== - Fix exception in `req.fresh`/`req.stale` without response headers ### [`v3.18.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3185--2014-12-11) [Compare Source](https://togithub.com/expressjs/express/compare/3.18.4...3.18.5) \=================== - deps: connect@2.27.6 - deps: compression@~1.2.2 - deps: express-session@~1.9.3 - deps: http-errors@~1.2.8 - deps: serve-index@~1.5.3 - deps: type-is@~1.5.4 ### [`v3.18.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3184--2014-11-23) [Compare Source](https://togithub.com/expressjs/express/compare/3.18.3...3.18.4) \=================== - deps: connect@2.27.4 - deps: body-parser@~1.9.3 - deps: compression@~1.2.1 - deps: errorhandler@~1.2.3 - deps: express-session@~1.9.2 - deps: qs@2.3.3 - deps: serve-favicon@~2.1.7 - deps: serve-static@~1.5.1 - deps: type-is@~1.5.3 - deps: etag@~1.5.1 - deps: proxy-addr@~1.0.4 - deps: ipaddr.js@0.1.5 ### [`v3.18.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3183--2014-11-09) [Compare Source](https://togithub.com/expressjs/express/compare/3.18.2...3.18.3) \=================== - deps: connect@2.27.3 - Correctly invoke async callback asynchronously - deps: csurf@~1.6.3 ### 
[`v3.18.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3182--2014-10-28) [Compare Source](https://togithub.com/expressjs/express/compare/3.18.1...3.18.2) \=================== - deps: connect@2.27.2 - Fix handling of URLs containing `://` in the path - deps: body-parser@~1.9.2 - deps: qs@2.3.2 ### [`v3.18.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3181--2014-10-22) [Compare Source](https://togithub.com/expressjs/express/compare/3.18.0...3.18.1) \=================== - Fix internal `utils.merge` deprecation warnings - deps: connect@2.27.1 - deps: body-parser@~1.9.1 - deps: express-session@~1.9.1 - deps: finalhandler@0.3.2 - deps: morgan@~1.4.1 - deps: qs@2.3.0 - deps: serve-static@~1.7.1 - deps: send@0.10.1 - deps: on-finished@~2.1.1 ### [`v3.18.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3180--2014-10-17) [Compare Source](https://togithub.com/expressjs/express/compare/3.17.8...3.18.0) \=================== - Use `content-disposition` module for `res.attachment`/`res.download` - Sends standards-compliant `Content-Disposition` header - Full Unicode support - Use `etag` module to generate `ETag` headers - deps: connect@2.27.0 - Use `http-errors` module for creating errors - Use `utils-merge` module for merging objects - deps: body-parser@~1.9.0 - deps: compression@~1.2.0 - deps: connect-timeout@~1.4.0 - deps: debug@~2.1.0 - deps: depd@~1.0.0 - deps: express-session@~1.9.0 - deps: finalhandler@0.3.1 - deps: method-override@~2.3.0 - deps: morgan@~1.4.0 - deps: response-time@~2.2.0 - deps: serve-favicon@~2.1.6 - deps: serve-index@~1.5.0 - deps: serve-static@~1.7.0 - deps: debug@~2.1.0 - Implement `DEBUG_FD` env variable support - deps: depd@~1.0.0 - deps: send@0.10.0 - deps: debug@~2.1.0 - deps: depd@~1.0.0 - deps: etag@~1.5.0 ### [`v3.17.8`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3178--2014-10-15) [Compare Source](https://togithub.com/expressjs/express/compare/3.17.7...3.17.8) 
\=================== - deps: connect@2.26.6 - deps: compression@~1.1.2 - deps: csurf@~1.6.2 - deps: errorhandler@~1.2.2 ### [`v3.17.7`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3177--2014-10-08) [Compare Source](https://togithub.com/expressjs/express/compare/3.17.6...3.17.7) \=================== - deps: connect@2.26.5 - Fix accepting non-object arguments to `logger` - deps: serve-static@~1.6.4 ### [`v3.17.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3176--2014-10-02) [Compare Source](https://togithub.com/expressjs/express/compare/3.17.5...3.17.6) \=================== - deps: connect@2.26.4 - deps: morgan@~1.3.2 - deps: type-is@~1.5.2 ### [`v3.17.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3175--2014-09-24) [Compare Source](https://togithub.com/expressjs/express/compare/3.17.4...3.17.5) \=================== - deps: connect@2.26.3 - deps: body-parser@~1.8.4 - deps: serve-favicon@~2.1.5 - deps: serve-static@~1.6.3 - deps: proxy-addr@~1.0.3 - Use `forwarded` npm module - deps: send@0.9.3 - deps: etag@~1.4.0 ### [`v3.17.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3174--2014-09-19) [Compare Source](https://togithub.com/expressjs/express/compare/3.17.3...3.17.4) \=================== - deps: connect@2.26.2 - deps: body-parser@~1.8.3 - deps: qs@2.2.4 ### [`v3.17.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3173--2014-09-18) [Compare Source](https://togithub.com/expressjs/express/compare/3.17.2...3.17.3) \=================== - deps: proxy-addr@~1.0.2 - Fix a global leak when multiple subnets are trusted - deps: ipaddr.js@0.1.3 ### [`v3.17.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3172--2014-09-15) [Compare Source](https://togithub.com/expressjs/express/compare/3.17.1...3.17.2) \=================== - Use `crc` instead of `buffer-crc32` for speed - deps: connect@2.26.1 - deps: body-parser@~1.8.2 - deps: depd@0.4.5 - deps: express-session@~1.8.2 - deps: 
morgan@~1.3.1 - deps: serve-favicon@~2.1.3 - deps: serve-static@~1.6.2 - deps: depd@0.4.5 - deps: send@0.9.2 - deps: depd@0.4.5 - deps: etag@~1.3.1 - deps: range-parser@~1.0.2 ### [`v3.17.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3171--2014-09-08) [Compare Source](https://togithub.com/expressjs/express/compare/3.17.0...3.17.1) \=================== - Fix error in `req.subdomains` on empty host ### [`v3.17.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3170--2014-09-08) [Compare Source](https://togithub.com/expressjs/express/compare/3.16.10...3.17.0) \=================== - Support `X-Forwarded-Host` in `req.subdomains` - Support IP address host in `req.subdomains` - deps: connect@2.26.0 - deps: body-parser@~1.8.1 - deps: compression@~1.1.0 - deps: connect-timeout@~1.3.0 - deps: cookie-parser@~1.3.3 - deps: cookie-signature@1.0.5 - deps: csurf@~1.6.1 - deps: debug@~2.0.0 - deps: errorhandler@~1.2.0 - deps: express-session@~1.8.1 - deps: finalhandler@0.2.0 - deps: fresh@0.2.4 - deps: media-typer@0.3.0 - deps: method-override@~2.2.0 - deps: morgan@~1.3.0 - deps: qs@2.2.3 - deps: serve-favicon@~2.1.3 - deps: serve-index@~1.2.1 - deps: serve-static@~1.6.1 - deps: type-is@~1.5.1 - deps: vhost@~3.0.0 - deps: cookie-signature@1.0.5 - deps: debug@~2.0.0 - deps: fresh@0.2.4 - deps: media-typer@0.3.0 - Throw error when parameter format invalid on parse - deps: range-parser@~1.0.2 - deps: send@0.9.1 - Add `lastModified` option - Use `etag` to generate `ETag` header - deps: debug@~2.0.0 - deps: fresh@0.2.4 - deps: vary@~1.0.0 - Accept valid `Vary` header string as `field` ### [`v3.16.10`](https://togithub.com/expressjs/express/blob/HEAD/History.md#31610--2014-09-04) [Compare Source](https://togithub.com/expressjs/express/compare/3.16.9...3.16.10) \==================== - deps: connect@2.25.10 - deps: serve-static@~1.5.4 - deps: send@0.8.5 - Fix a path traversal issue when using `root` - Fix malicious path detection for empty string path ### 
[`v3.16.9`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3169--2014-08-29) [Compare Source](https://togithub.com/expressjs/express/compare/3.16.8...3.16.9) \=================== - deps: connect@2.25.9 - deps: body-parser@~1.6.7 - deps: qs@2.2.2 ### [`v3.16.8`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3168--2014-08-27) [Compare Source](https://togithub.com/expressjs/express/compare/3.16.7...3.16.8) \=================== - deps: connect@2.25.8 - deps: body-parser@~1.6.6 - deps: csurf@~1.4.1 - deps: qs@2.2.0 ### [`v3.16.7`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3167--2014-08-18) [Compare Source](https://togithub.com/expressjs/express/compare/3.16.6...3.16.7) \=================== - deps: connect@2.25.7 - deps: body-parser@~1.6.5 - deps: express-session@~1.7.6 - deps: morgan@~1.2.3 - deps: serve-static@~1.5.3 - deps: send@0.8.3 - deps: destroy@1.0.3 - deps: on-finished@2.1.0 ### [`v3.16.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3166--2014-08-14) [Compare Source](https://togithub.com/expressjs/express/compare/3.16.5...3.16.6) \=================== - deps: connect@2.25.6 - deps: body-parser@~1.6.4 - deps: qs@1.2.2 - deps: serve-static@~1.5.2 - deps: send@0.8.2 - Work around `fd` leak in Node.js 0.10 for `fs.ReadStream` ### [`v3.16.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3165--2014-08-11) [Compare Source](https://togithub.com/expressjs/express/compare/3.16.4...3.16.5) \=================== - deps: connect@2.25.5 - Fix backwards compatibility in `logger` ### [`v3.16.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3164--2014-08-10) [Compare Source](https://togithub.com/expressjs/express/compare/3.16.3...3.16.4) \=================== - Fix original URL parsing in `res.location` - deps: connect@2.25.4 - Fix `query` middleware breaking with argument - deps: body-parser@~1.6.3 - deps: compression@~1.0.11 - deps: connect-timeout@~1.2.2 - deps: express-session@~1.7.5 - 
deps: method-override@~2.1.3 - deps: on-headers@~1.0.0 - deps: parseurl@~1.3.0 - deps: qs@1.2.1 - deps: response-time@~2.0.1 - deps: serve-index@~1.1.6 - deps: serve-static@~1.5.1 - deps: parseurl@~1.3.0 ### [`v3.16.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3163--2014-08-07) [Compare Source](https://togithub.com/expressjs/express/compare/3.16.2...3.16.3) \=================== - deps: connect@2.25.3 - deps: multiparty@3.3.2 ### [`v3.16.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3162--2014-08-07) [Compare Source](https://togithub.com/expressjs/express/compare/3.16.1...3.16.2) \=================== - deps: connect@2.25.2 - deps: body-parser@~1.6.2 - deps: qs@1.2.0 ### [`v3.16.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#31610--2014-09-04) [Compare Source](https://togithub.com/expressjs/express/compare/3.16.0...3.16.1) \==================== - deps: connect@2.25.10 - deps: serve-static@~1.5.4 - deps: send@0.8.5 - Fix a path traversal issue when using `root` - Fix malicious path detection for empty string path ### [`v3.16.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3160--2014-08-05) [Compare Source](https://togithub.com/expressjs/express/compare/3.15.3...3.16.0) \=================== - deps: connect@2.25.0 - deps: body-parser@~1.6.0 - deps: compression@~1.0.10 - deps: csurf@~1.4.0 - deps: express-session@~1.7.4 - deps: qs@1.0.2 - deps: serve-static@~1.5.0 - deps: send@0.8.1 - Add `extensions` option ### [`v3.15.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3153--2014-08-04) [Compare Source](https://togithub.com/expressjs/express/compare/3.15.2...3.15.3) \=================== - fix `res.sendfile` regression for serving directory index files - deps: connect@2.24.3 - deps: serve-index@~1.1.5 - deps: serve-static@~1.4.4 - deps: send@0.7.4 - Fix incorrect 403 on Windows and Node.js 0.11 - Fix serving index files without root dir ### 
[`v3.15.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3152--2014-07-27) [Compare Source](https://togithub.com/expressjs/express/compare/3.15.1...3.15.2) \=================== - deps: connect@2.24.2 - deps: body-parser@~1.5.2 - deps: depd@0.4.4 - deps: express-session@~1.7.2 - deps: morgan@~1.2.2 - deps: serve-static@~1.4.2 - deps: depd@0.4.4 - Work-around v8 generating empty stack traces - deps: send@0.7.2 - deps: depd@0.4.4 ### [`v3.15.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3151--2014-07-26) [Compare Source](https://togithub.com/expressjs/express/compare/3.15.0...3.15.1) \=================== - deps: connect@2.24.1 - deps: body-parser@~1.5.1 - deps: depd@0.4.3 - deps: express-session@~1.7.1 - deps: morgan@~1.2.1 - deps: serve-index@~1.1.4 - deps: serve-static@~1.4.1 - deps: depd@0.4.3 - Fix exception when global `Error.stackTraceLimit` is too low - deps: send@0.7.1 - deps: depd@0.4.3 ### [`v3.15.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3150--2014-07-22) [Compare Source](https://togithub.com/expressjs/express/compare/3.14.0...3.15.0) \=================== - Fix `req.protocol` for proxy-direct connections - Pass options from `res.sendfile` to `send` - deps: connect@2.24.0 - deps: body-parser@~1.5.0 - deps: compression@~1.0.9 - deps: connect-timeout@~1.2.1 - deps: debug@1.0.4 - deps: depd@0.4.2 - deps: express-session@~1.7.0 - deps: finalhandler@0.1.0 - deps: method-override@~2.1.2 - deps: morgan@~1.2.0 - deps: multiparty@3.3.1 - deps: parseurl@~1.2.0 - deps: serve-static@~1.4.0 - deps: debug@1.0.4 - deps: depd@0.4.2 - Add `TRACE_DEPRECATION` environment variable - Remove non-standard grey color from color output - Support `--no-deprecation` argument - Support `--trace-deprecation` argument - deps: parseurl@~1.2.0 - Cache URLs based on original value - Remove no-longer-needed URL mis-parse work-around - Simplify the "fast-path" `RegExp` - deps: send@0.7.0 - Add `dotfiles` option - Cap `maxAge` value to 1 
year - deps: debug@1.0.4 - deps: depd@0.4.2 ### [`v3.14.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3140--2014-07-11) [Compare Source](https://togithub.com/expressjs/express/compare/3.13.0...3.14.0) \=================== - add explicit "Rosetta Flash JSONP abuse" protection - previous versions are not vulnerable; this is just explicit protection - deprecate `res.redirect(url, status)` -- use `res.redirect(status, url)` instead - fix `res.send(status, num)` to send `num` as json (not error) - remove unnecessary escaping when `res.jsonp` returns JSON response - deps: basic-auth@1.0.0 - support empty password - support empty username - deps: connect@2.23.0 - deps: debug@1.0.3 - deps: express-session@~1.6.4 - deps: method-override@~2.1.0 - deps: parseurl@~1.1.3 - deps: serve-static@~1.3.1 - deps: debug@1.0.3 - Add support for multiple wildcards in namespaces - deps: methods@1.1.0 - add `CONNECT` - deps: parseurl@~1.1.3 - faster parsing of href-only URLs ### [`v3.13.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3130--2014-07-03) [Compare Source](https://togithub.com/expressjs/express/compare/3.12.1...3.13.0) \=================== - add deprecation message to `app.configure` - add deprecation message to `req.auth` - use `basic-auth` to parse `Authorization` header - deps: connect@2.22.0 - deps: csurf@~1.3.0 - deps: express-session@~1.6.1 - deps: multiparty@3.3.0 - deps: serve-static@~1.3.0 - deps: send@0.5.0 - Accept string for `maxage` (converted by `ms`) - Include link in default redirect response ### [`v3.12.1`](https://togithub.com/expressjs/express/compare/3.12.0...3.12.1) [Compare Source](https://togithub.com/expressjs/express/compare/3.12.0...3.12.1) ### [`v3.12.0`](https://togithub.com/expressjs/express/compare/3.11.0...3.12.0) [Compare Source](https://togithub.com/expressjs/express/compare/3.11.0...3.12.0) ### [`v3.11.0`](https://togithub.com/expressjs/express/compare/3.10.5...3.11.0) [Compare 
Source](https://togithub.com/expressjs/express/compare/3.10.5...3.11.0) ### [`v3.10.5`](https://togithub.com/expressjs/express/compare/3.10.4...3.10.5) [Compare Source](https://togithub.com/expressjs/express/compare/3.10.4...3.10.5) ### [`v3.10.4`](https://togithub.com/expressjs/express/compare/3.10.3...3.10.4) [Compare Source](https://togithub.com/expressjs/express/compare/3.10.3...3.10.4) ### [`v3.10.3`](https://togithub.com/expressjs/express/compare/3.10.2...3.10.3) [Compare Source](https://togithub.com/expressjs/express/compare/3.10.2...3.10.3) ### [`v3.10.2`](https://togithub.com/expressjs/express/compare/3.10.1...3.10.2) [Compare Source](https://togithub.com/expressjs/express/compare/3.10.1...3.10.2) ### [`v3.10.1`](https://togithub.com/expressjs/express/compare/3.10.0...3.10.1) [Compare Source](https://togithub.com/expressjs/express/compare/3.10.0...3.10.1) ### [`v3.10.0`](https://togithub.com/expressjs/express/compare/3.9.0...3.10.0) [Compare Source](https://togithub.com/expressjs/express/compare/3.9.0...3.10.0) ### [`v3.9.0`](https://togithub.com/expressjs/express/compare/3.8.1...3.9.0) [Compare Source](https://togithub.com/expressjs/express/compare/3.8.1...3.9.0) ### [`v3.8.1`](https://togithub.com/expressjs/express/compare/3.8.0...3.8.1) [Compare Source](https://togithub.com/expressjs/express/compare/3.8.0...3.8.1) ### [`v3.8.0`](https://togithub.com/expressjs/express/compare/3.7.0...3.8.0) [Compare Source](https://togithub.com/expressjs/express/compare/3.7.0...3.8.0) ### [`v3.7.0`](https://togithub.com/expressjs/express/compare/3.6.0...3.7.0) [Compare Source](https://togithub.com/expressjs/express/compare/3.6.0...3.7.0) ### [`v3.6.0`](https://togithub.com/expressjs/express/compare/3.5.3...3.6.0) [Compare Source](https://togithub.com/expressjs/express/compare/3.5.3...3.6.0) ### [`v3.5.3`](https://togithub.com/expressjs/express/compare/3.5.2...3.5.3) [Compare Source](https://togithub.com/expressjs/express/compare/3.5.2...3.5.3) ### 
[`v3.5.2`](https://togithub.com/expressjs/express/compare/3.5.1...3.5.2) [Compare Source](https://togithub.com/expressjs/express/compare/3.5.1...3.5.2) ### [`v3.5.1`](https://togithub.com/expressjs/express/compare/3.5.0...3.5.1) [Compare Source](https://togithub.com/expressjs/express/compare/3.5.0...3.5.1) ### [`v3.5.0`](https://togithub.com/expressjs/express/compare/3.4.8...3.5.0) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.8...3.5.0) ### [`v3.4.8`](https://togithub.com/expressjs/express/compare/3.4.7...3.4.8) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.7...3.4.8) ### [`v3.4.7`](https://togithub.com/expressjs/express/compare/3.4.6...3.4.7) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.6...3.4.7) ### [`v3.4.6`](https://togithub.com/expressjs/express/compare/3.4.5...3.4.6) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.5...3.4.6) ### [`v3.4.5`](https://togithub.com/expressjs/express/compare/3.4.4...3.4.5) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.4...3.4.5) ### [`v3.4.4`](https://togithub.com/expressjs/express/compare/3.4.3...3.4.4) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.3...3.4.4) ### [`v3.4.3`](https://togithub.com/expressjs/express/compare/3.4.2...3.4.3) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.2...3.4.3) ### [`v3.4.2`](https://togithub.com/expressjs/express/compare/3.4.1...3.4.2) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.1...3.4.2) ### [`v3.4.1`](https://togithub.com/expressjs/express/compare/3.4.0...3.4.1) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.0...3.4.1) ### [`v3.4.0`](https://togithub.com/expressjs/express/compare/3.3.8...3.4.0) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.8...3.4.0) ### [`v3.3.8`](https://togithub.com/expressjs/express/compare/3.3.7...3.3.8) [Compare 
Source](https://togithub.com/expressjs/express/compare/3.3.7...3.3.8) ### [`v3.3.7`](https://togithub.com/expressjs/express/compare/3.3.6...3.3.7) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.6...3.3.7) ### [`v3.3.6`](https://togithub.com/expressjs/express/compare/3.3.5...3.3.6) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.5...3.3.6) ### [`v3.3.5`](https://togithub.com/expressjs/express/compare/3.3.4...3.3.5) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.4...3.3.5) ### [`v3.3.4`](https://togithub.com/expressjs/express/compare/3.3.3...3.3.4) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.3...3.3.4) ### [`v3.3.3`](https://togithub.com/expressjs/express/compare/3.3.2...3.3.3) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.2...3.3.3) ### [`v3.3.2`](https://togithub.com/expressjs/express/compare/3.3.1...3.3.2) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.1...3.3.2) ### [`v3.3.1`](https://togithub.com/expressjs/express/compare/3.3.0...3.3.1) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.0...3.3.1) ### [`v3.3.0`](https://togithub.com/expressjs/express/compare/3.2.6...3.3.0) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.6...3.3.0) ### [`v3.2.6`](https://togithub.com/expressjs/express/compare/3.2.5...3.2.6) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.5...3.2.6) ### [`v3.2.5`](https://togithub.com/expressjs/express/compare/3.2.4...3.2.5) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.4...3.2.5) ### [`v3.2.4`](https://togithub.com/expressjs/express/compare/3.2.3...3.2.4) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.3...3.2.4) ### [`v3.2.3`](https://togithub.com/expressjs/express/compare/3.2.2...3.2.3) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.2...3.2.3) ### 
[`v3.2.2`](https://togithub.com/expressjs/express/compare/3.2.1...3.2.2) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.1...3.2.2) ### [`v3.2.1`](https://togithub.com/expressjs/express/compare/3.2.0...3.2.1) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.0...3.2.1) ### [`v3.2.0`](https://togithub.com/expressjs/express/compare/3.1.2...3.2.0) [Compare Source](https://togithub.com/expressjs/express/compare/3.1.2...3.2.0) ### [`v3.1.2`](https://togithub.com/expressjs/express/compare/3.1.1...3.1.2) [Compare Source](https://togithub.com/expressjs/express/compare/3.1.1...3.1.2) ### [`v3.1.1`](https://togithub.com/expressjs/express/compare/3.1.0...3.1.1) [Compare Source](https://togithub.com/expressjs/express/compare/3.1.0...3.1.1) ### [`v3.1.0`](https://togithub.com/expressjs/express/compare/3.0.6...3.1.0) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.6...3.1.0) ### [`v3.0.6`](https://togithub.com/expressjs/express/compare/3.0.5...3.0.6) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.5...3.0.6) ### [`v3.0.5`](https://togithub.com/expressjs/express/compare/3.0.4...3.0.5) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.4...3.0.5) ### [`v3.0.4`](https://togithub.com/expressjs/express/compare/3.0.3...3.0.4) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.3...3.0.4) ### [`v3.0.3`](https://togithub.com/expressjs/express/compare/3.0.2...3.0.3) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.2...3.0.3) ### [`v3.0.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#302--2012-11-08) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.1...3.0.2) \================== - add OPTIONS to cors example. Closes [#1398](https://togithub.com/expressjs/express/issues/1398) - fix route chaining regression. 
Closes [#1397](https://togithub.com/expressjs/express/issues/1397) ### [`v3.0.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#301--2012-11-01) \================== - update connect