Release Notes
expressjs/express
### [`v3.21.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3210--2015-06-18)
[Compare Source](https://togithub.com/expressjs/express/compare/3.20.3...3.21.0)
- deps: basic-auth@1.0.2
- perf: enable strict mode
- perf: hoist regular expression
- perf: parse with regular expressions
- perf: remove argument reassignment
- deps: connect@2.30.0
- deps: body-parser@~1.13.1
- deps: bytes@2.1.0
- deps: compression@~1.5.0
- deps: cookie@0.1.3
- deps: cookie-parser@~1.3.5
- deps: csurf@~1.8.3
- deps: errorhandler@~1.4.0
- deps: express-session@~1.11.3
- deps: finalhandler@0.4.0
- deps: fresh@0.3.0
- deps: morgan@~1.6.0
- deps: serve-favicon@~2.3.0
- deps: serve-index@~1.7.0
- deps: serve-static@~1.10.0
- deps: type-is@~1.6.3
- deps: cookie@0.1.3
- perf: deduce the scope of try-catch deopt
- perf: remove argument reassignments
- deps: escape-html@1.0.2
- deps: etag@~1.7.0
- Always include entity length in ETags for hash length extensions
- Generate non-Stats ETags using MD5 only (no longer CRC32)
- Improve stat performance by removing hashing
- Improve support for JXcore
- Remove base64 padding in ETags to shorten
- Support "fake" stats objects in environments without fs
- Use MD5 instead of MD4 in weak ETags over 1KB
- deps: fresh@0.3.0
- Add weak `ETag` matching support
- deps: mkdirp@0.5.1
- Work in global strict mode
- deps: send@0.13.0
- Allow Node.js HTTP server to set `Date` response header
- Fix incorrectly removing `Content-Location` on 304 response
- Improve the default redirect response headers
- Send appropriate headers on default error response
- Use `http-errors` for standard emitted errors
- Use `statuses` instead of `http` module for status messages
- deps: escape-html@1.0.2
- deps: etag@~1.7.0
- deps: fresh@0.3.0
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove unnecessary array allocations
### [`v3.20.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3203--2015-05-17)
[Compare Source](https://togithub.com/expressjs/express/compare/3.20.2...3.20.3)
- deps: connect@2.29.2
- deps: body-parser@~1.12.4
- deps: compression@~1.4.4
- deps: connect-timeout@~1.6.2
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: errorhandler@~1.3.6
- deps: finalhandler@0.3.6
- deps: method-override@~2.3.3
- deps: morgan@~1.5.3
- deps: qs@2.4.2
- deps: response-time@~2.3.1
- deps: serve-favicon@~2.2.1
- deps: serve-index@~1.6.4
- deps: serve-static@~1.9.3
- deps: type-is@~1.6.2
- deps: debug@~2.2.0
- deps: ms@0.7.1
- deps: depd@~1.0.1
- deps: proxy-addr@~1.0.8
- deps: ipaddr.js@1.0.1
- deps: send@0.12.3
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: etag@~1.6.0
- deps: ms@0.7.1
- deps: on-finished@~2.2.1
### [`v3.20.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3202--2015-03-16)
[Compare Source](https://togithub.com/expressjs/express/compare/3.20.1...3.20.2)
- deps: connect@2.29.1
- deps: body-parser@~1.12.2
- deps: compression@~1.4.3
- deps: connect-timeout@~1.6.1
- deps: debug@~2.1.3
- deps: errorhandler@~1.3.5
- deps: express-session@~1.10.4
- deps: finalhandler@0.3.4
- deps: method-override@~2.3.2
- deps: morgan@~1.5.2
- deps: qs@2.4.1
- deps: serve-index@~1.6.3
- deps: serve-static@~1.9.2
- deps: type-is@~1.6.1
- deps: debug@~2.1.3
- Fix high intensity foreground color for bold
- deps: ms@0.7.0
- deps: merge-descriptors@1.0.0
- deps: proxy-addr@~1.0.7
- deps: ipaddr.js@0.1.9
- deps: send@0.12.2
- Throw errors early for invalid `extensions` or `index` options
- deps: debug@~2.1.3
### [`v3.20.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3201--2015-02-28)
[Compare Source](https://togithub.com/expressjs/express/compare/3.20.0...3.20.1)
- Fix `req.host` when using "trust proxy" hops count
- Fix `req.protocol`/`req.secure` when using "trust proxy" hops count
### [`v3.20.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3200--2015-02-18)
[Compare Source](https://togithub.com/expressjs/express/compare/3.19.2...3.20.0)
- Fix `"trust proxy"` setting to inherit when app is mounted
- Generate `ETag`s for all request responses
  - No longer restricted to only responses for `GET` and `HEAD` requests
- Use `content-type` to parse `Content-Type` headers
- deps: connect@2.29.0
- Use `content-type` to parse `Content-Type` headers
- deps: body-parser@~1.12.0
- deps: compression@~1.4.1
- deps: connect-timeout@~1.6.0
- deps: cookie-parser@~1.3.4
- deps: cookie-signature@1.0.6
- deps: csurf@~1.7.0
- deps: errorhandler@~1.3.4
- deps: express-session@~1.10.3
- deps: http-errors@~1.3.1
- deps: response-time@~2.3.0
- deps: serve-index@~1.6.2
- deps: serve-static@~1.9.1
- deps: type-is@~1.6.0
- deps: cookie-signature@1.0.6
- deps: send@0.12.1
- Always read the stat size from the file
- Fix mutating passed-in `options`
- deps: mime@1.3.4
### [`v3.19.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3192--2015-02-01)
[Compare Source](https://togithub.com/expressjs/express/compare/3.19.1...3.19.2)
- deps: connect@2.28.3
- deps: compression@~1.3.1
- deps: csurf@~1.6.6
- deps: errorhandler@~1.3.3
- deps: express-session@~1.10.2
- deps: serve-index@~1.6.1
- deps: type-is@~1.5.6
- deps: proxy-addr@~1.0.6
- deps: ipaddr.js@0.1.8
### [`v3.19.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3191--2015-01-20)
[Compare Source](https://togithub.com/expressjs/express/compare/3.19.0...3.19.1)
- deps: connect@2.28.2
- deps: body-parser@~1.10.2
- deps: serve-static@~1.8.1
- deps: send@0.11.1
- Fix root path disclosure
### [`v3.19.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3190--2015-01-09)
[Compare Source](https://togithub.com/expressjs/express/compare/3.18.6...3.19.0)
- Fix `OPTIONS` responses to include the `HEAD` method property
- Use `readline` for prompt in `express(1)`
- deps: commander@2.6.0
- deps: connect@2.28.1
- deps: body-parser@~1.10.1
- deps: compression@~1.3.0
- deps: connect-timeout@~1.5.0
- deps: csurf@~1.6.4
- deps: debug@~2.1.1
- deps: errorhandler@~1.3.2
- deps: express-session@~1.10.1
- deps: finalhandler@0.3.3
- deps: method-override@~2.3.1
- deps: morgan@~1.5.1
- deps: serve-favicon@~2.2.0
- deps: serve-index@~1.6.0
- deps: serve-static@~1.8.0
- deps: type-is@~1.5.5
- deps: debug@~2.1.1
- deps: methods@~1.1.1
- deps: proxy-addr@~1.0.5
- deps: ipaddr.js@0.1.6
- deps: send@0.11.0
- deps: debug@~2.1.1
- deps: etag@~1.5.1
- deps: ms@0.7.0
- deps: on-finished@~2.2.0
### [`v3.18.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3186--2014-12-12)
[Compare Source](https://togithub.com/expressjs/express/compare/3.18.5...3.18.6)
- Fix exception in `req.fresh`/`req.stale` without response headers
### [`v3.18.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3185--2014-12-11)
[Compare Source](https://togithub.com/expressjs/express/compare/3.18.4...3.18.5)
- deps: connect@2.27.6
- deps: compression@~1.2.2
- deps: express-session@~1.9.3
- deps: http-errors@~1.2.8
- deps: serve-index@~1.5.3
- deps: type-is@~1.5.4
### [`v3.18.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3184--2014-11-23)
[Compare Source](https://togithub.com/expressjs/express/compare/3.18.3...3.18.4)
- deps: connect@2.27.4
- deps: body-parser@~1.9.3
- deps: compression@~1.2.1
- deps: errorhandler@~1.2.3
- deps: express-session@~1.9.2
- deps: qs@2.3.3
- deps: serve-favicon@~2.1.7
- deps: serve-static@~1.5.1
- deps: type-is@~1.5.3
- deps: etag@~1.5.1
- deps: proxy-addr@~1.0.4
- deps: ipaddr.js@0.1.5
### [`v3.18.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3183--2014-11-09)
[Compare Source](https://togithub.com/expressjs/express/compare/3.18.2...3.18.3)
- deps: connect@2.27.3
- Correctly invoke async callback asynchronously
- deps: csurf@~1.6.3
### [`v3.18.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3182--2014-10-28)
[Compare Source](https://togithub.com/expressjs/express/compare/3.18.1...3.18.2)
- deps: connect@2.27.2
- Fix handling of URLs containing `://` in the path
- deps: body-parser@~1.9.2
- deps: qs@2.3.2
### [`v3.18.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3181--2014-10-22)
[Compare Source](https://togithub.com/expressjs/express/compare/3.18.0...3.18.1)
- Fix internal `utils.merge` deprecation warnings
- deps: connect@2.27.1
- deps: body-parser@~1.9.1
- deps: express-session@~1.9.1
- deps: finalhandler@0.3.2
- deps: morgan@~1.4.1
- deps: qs@2.3.0
- deps: serve-static@~1.7.1
- deps: send@0.10.1
- deps: on-finished@~2.1.1
### [`v3.18.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3180--2014-10-17)
[Compare Source](https://togithub.com/expressjs/express/compare/3.17.8...3.18.0)
- Use `content-disposition` module for `res.attachment`/`res.download`
  - Sends standards-compliant `Content-Disposition` header
  - Full Unicode support
- Use `etag` module to generate `ETag` headers
- deps: connect@2.27.0
- Use `http-errors` module for creating errors
- Use `utils-merge` module for merging objects
- deps: body-parser@~1.9.0
- deps: compression@~1.2.0
- deps: connect-timeout@~1.4.0
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: express-session@~1.9.0
- deps: finalhandler@0.3.1
- deps: method-override@~2.3.0
- deps: morgan@~1.4.0
- deps: response-time@~2.2.0
- deps: serve-favicon@~2.1.6
- deps: serve-index@~1.5.0
- deps: serve-static@~1.7.0
- deps: debug@~2.1.0
- Implement `DEBUG_FD` env variable support
- deps: depd@~1.0.0
- deps: send@0.10.0
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: etag@~1.5.0
### [`v3.17.8`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3178--2014-10-15)
[Compare Source](https://togithub.com/expressjs/express/compare/3.17.7...3.17.8)
- deps: connect@2.26.6
- deps: compression@~1.1.2
- deps: csurf@~1.6.2
- deps: errorhandler@~1.2.2
### [`v3.17.7`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3177--2014-10-08)
[Compare Source](https://togithub.com/expressjs/express/compare/3.17.6...3.17.7)
- deps: connect@2.26.5
- Fix accepting non-object arguments to `logger`
- deps: serve-static@~1.6.4
### [`v3.17.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3176--2014-10-02)
[Compare Source](https://togithub.com/expressjs/express/compare/3.17.5...3.17.6)
- deps: connect@2.26.4
- deps: morgan@~1.3.2
- deps: type-is@~1.5.2
### [`v3.17.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3175--2014-09-24)
[Compare Source](https://togithub.com/expressjs/express/compare/3.17.4...3.17.5)
- deps: connect@2.26.3
- deps: body-parser@~1.8.4
- deps: serve-favicon@~2.1.5
- deps: serve-static@~1.6.3
- deps: proxy-addr@~1.0.3
- Use `forwarded` npm module
- deps: send@0.9.3
- deps: etag@~1.4.0
### [`v3.17.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3174--2014-09-19)
[Compare Source](https://togithub.com/expressjs/express/compare/3.17.3...3.17.4)
- deps: connect@2.26.2
- deps: body-parser@~1.8.3
- deps: qs@2.2.4
### [`v3.17.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3173--2014-09-18)
[Compare Source](https://togithub.com/expressjs/express/compare/3.17.2...3.17.3)
- deps: proxy-addr@~1.0.2
- Fix a global leak when multiple subnets are trusted
- deps: ipaddr.js@0.1.3
### [`v3.17.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3172--2014-09-15)
[Compare Source](https://togithub.com/expressjs/express/compare/3.17.1...3.17.2)
- Use `crc` instead of `buffer-crc32` for speed
- deps: connect@2.26.1
- deps: body-parser@~1.8.2
- deps: depd@0.4.5
- deps: express-session@~1.8.2
- deps: morgan@~1.3.1
- deps: serve-favicon@~2.1.3
- deps: serve-static@~1.6.2
- deps: depd@0.4.5
- deps: send@0.9.2
- deps: depd@0.4.5
- deps: etag@~1.3.1
- deps: range-parser@~1.0.2
### [`v3.17.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3171--2014-09-08)
[Compare Source](https://togithub.com/expressjs/express/compare/3.17.0...3.17.1)
- Fix error in `req.subdomains` on empty host
### [`v3.17.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3170--2014-09-08)
[Compare Source](https://togithub.com/expressjs/express/compare/3.16.10...3.17.0)
- Support `X-Forwarded-Host` in `req.subdomains`
- Support IP address host in `req.subdomains`
- deps: connect@2.26.0
- deps: body-parser@~1.8.1
- deps: compression@~1.1.0
- deps: connect-timeout@~1.3.0
- deps: cookie-parser@~1.3.3
- deps: cookie-signature@1.0.5
- deps: csurf@~1.6.1
- deps: debug@~2.0.0
- deps: errorhandler@~1.2.0
- deps: express-session@~1.8.1
- deps: finalhandler@0.2.0
- deps: fresh@0.2.4
- deps: media-typer@0.3.0
- deps: method-override@~2.2.0
- deps: morgan@~1.3.0
- deps: qs@2.2.3
- deps: serve-favicon@~2.1.3
- deps: serve-index@~1.2.1
- deps: serve-static@~1.6.1
- deps: type-is@~1.5.1
- deps: vhost@~3.0.0
- deps: cookie-signature@1.0.5
- deps: debug@~2.0.0
- deps: fresh@0.2.4
- deps: media-typer@0.3.0
- Throw error when parameter format invalid on parse
- deps: range-parser@~1.0.2
- deps: send@0.9.1
- Add `lastModified` option
- Use `etag` to generate `ETag` header
- deps: debug@~2.0.0
- deps: fresh@0.2.4
- deps: vary@~1.0.0
- Accept valid `Vary` header string as `field`
### [`v3.16.10`](https://togithub.com/expressjs/express/blob/HEAD/History.md#31610--2014-09-04)
[Compare Source](https://togithub.com/expressjs/express/compare/3.16.9...3.16.10)
- deps: connect@2.25.10
- deps: serve-static@~1.5.4
- deps: send@0.8.5
- Fix a path traversal issue when using `root`
- Fix malicious path detection for empty string path
### [`v3.16.9`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3169--2014-08-29)
[Compare Source](https://togithub.com/expressjs/express/compare/3.16.8...3.16.9)
- deps: connect@2.25.9
- deps: body-parser@~1.6.7
- deps: qs@2.2.2
### [`v3.16.8`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3168--2014-08-27)
[Compare Source](https://togithub.com/expressjs/express/compare/3.16.7...3.16.8)
- deps: connect@2.25.8
- deps: body-parser@~1.6.6
- deps: csurf@~1.4.1
- deps: qs@2.2.0
### [`v3.16.7`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3167--2014-08-18)
[Compare Source](https://togithub.com/expressjs/express/compare/3.16.6...3.16.7)
- deps: connect@2.25.7
- deps: body-parser@~1.6.5
- deps: express-session@~1.7.6
- deps: morgan@~1.2.3
- deps: serve-static@~1.5.3
- deps: send@0.8.3
- deps: destroy@1.0.3
- deps: on-finished@2.1.0
### [`v3.16.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3166--2014-08-14)
[Compare Source](https://togithub.com/expressjs/express/compare/3.16.5...3.16.6)
- deps: connect@2.25.6
- deps: body-parser@~1.6.4
- deps: qs@1.2.2
- deps: serve-static@~1.5.2
- deps: send@0.8.2
- Work around `fd` leak in Node.js 0.10 for `fs.ReadStream`
### [`v3.16.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3165--2014-08-11)
[Compare Source](https://togithub.com/expressjs/express/compare/3.16.4...3.16.5)
- deps: connect@2.25.5
- Fix backwards compatibility in `logger`
### [`v3.16.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3164--2014-08-10)
[Compare Source](https://togithub.com/expressjs/express/compare/3.16.3...3.16.4)
- Fix original URL parsing in `res.location`
- deps: connect@2.25.4
- Fix `query` middleware breaking with argument
- deps: body-parser@~1.6.3
- deps: compression@~1.0.11
- deps: connect-timeout@~1.2.2
- deps: express-session@~1.7.5
- deps: method-override@~2.1.3
- deps: on-headers@~1.0.0
- deps: parseurl@~1.3.0
- deps: qs@1.2.1
- deps: response-time@~2.0.1
- deps: serve-index@~1.1.6
- deps: serve-static@~1.5.1
- deps: parseurl@~1.3.0
### [`v3.16.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3163--2014-08-07)
[Compare Source](https://togithub.com/expressjs/express/compare/3.16.2...3.16.3)
- deps: connect@2.25.3
- deps: multiparty@3.3.2
### [`v3.16.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3162--2014-08-07)
[Compare Source](https://togithub.com/expressjs/express/compare/3.16.1...3.16.2)
- deps: connect@2.25.2
- deps: body-parser@~1.6.2
- deps: qs@1.2.0
### [`v3.16.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#31610--2014-09-04)
[Compare Source](https://togithub.com/expressjs/express/compare/3.16.0...3.16.1)
### [`v3.16.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3160--2014-08-05)
[Compare Source](https://togithub.com/expressjs/express/compare/3.15.3...3.16.0)
- deps: connect@2.25.0
- deps: body-parser@~1.6.0
- deps: compression@~1.0.10
- deps: csurf@~1.4.0
- deps: express-session@~1.7.4
- deps: qs@1.0.2
- deps: serve-static@~1.5.0
- deps: send@0.8.1
- Add `extensions` option
### [`v3.15.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3153--2014-08-04)
[Compare Source](https://togithub.com/expressjs/express/compare/3.15.2...3.15.3)
- fix `res.sendfile` regression for serving directory index files
- deps: connect@2.24.3
- deps: serve-index@~1.1.5
- deps: serve-static@~1.4.4
- deps: send@0.7.4
- Fix incorrect 403 on Windows and Node.js 0.11
- Fix serving index files without root dir
### [`v3.15.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3152--2014-07-27)
[Compare Source](https://togithub.com/expressjs/express/compare/3.15.1...3.15.2)
- deps: connect@2.24.2
- deps: body-parser@~1.5.2
- deps: depd@0.4.4
- deps: express-session@~1.7.2
- deps: morgan@~1.2.2
- deps: serve-static@~1.4.2
- deps: depd@0.4.4
- Work-around v8 generating empty stack traces
- deps: send@0.7.2
- deps: depd@0.4.4
### [`v3.15.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3151--2014-07-26)
[Compare Source](https://togithub.com/expressjs/express/compare/3.15.0...3.15.1)
- deps: connect@2.24.1
- deps: body-parser@~1.5.1
- deps: depd@0.4.3
- deps: express-session@~1.7.1
- deps: morgan@~1.2.1
- deps: serve-index@~1.1.4
- deps: serve-static@~1.4.1
- deps: depd@0.4.3
- Fix exception when global `Error.stackTraceLimit` is too low
- deps: send@0.7.1
- deps: depd@0.4.3
### [`v3.15.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3150--2014-07-22)
[Compare Source](https://togithub.com/expressjs/express/compare/3.14.0...3.15.0)
- Fix `req.protocol` for proxy-direct connections
- Pass options from `res.sendfile` to `send`
- deps: connect@2.24.0
- deps: body-parser@~1.5.0
- deps: compression@~1.0.9
- deps: connect-timeout@~1.2.1
- deps: debug@1.0.4
- deps: depd@0.4.2
- deps: express-session@~1.7.0
- deps: finalhandler@0.1.0
- deps: method-override@~2.1.2
- deps: morgan@~1.2.0
- deps: multiparty@3.3.1
- deps: parseurl@~1.2.0
- deps: serve-static@~1.4.0
- deps: debug@1.0.4
- deps: depd@0.4.2
- Add `TRACE_DEPRECATION` environment variable
- Remove non-standard grey color from color output
- Support `--no-deprecation` argument
- Support `--trace-deprecation` argument
- deps: parseurl@~1.2.0
- Cache URLs based on original value
- Remove no-longer-needed URL mis-parse work-around
- Simplify the "fast-path" `RegExp`
- deps: send@0.7.0
- Add `dotfiles` option
- Cap `maxAge` value to 1 year
- deps: debug@1.0.4
- deps: depd@0.4.2
### [`v3.14.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3140--2014-07-11)
[Compare Source](https://togithub.com/expressjs/express/compare/3.13.0...3.14.0)
- add explicit "Rosetta Flash JSONP abuse" protection
  - previous versions are not vulnerable; this is just explicit protection
- deprecate `res.redirect(url, status)` -- use `res.redirect(status, url)` instead
- fix `res.send(status, num)` to send `num` as json (not error)
- remove unnecessary escaping when `res.jsonp` returns JSON response
- deps: basic-auth@1.0.0
- support empty password
- support empty username
- deps: connect@2.23.0
- deps: debug@1.0.3
- deps: express-session@~1.6.4
- deps: method-override@~2.1.0
- deps: parseurl@~1.1.3
- deps: serve-static@~1.3.1
- deps: debug@1.0.3
- Add support for multiple wildcards in namespaces
- deps: methods@1.1.0
- add `CONNECT`
- deps: parseurl@~1.1.3
- faster parsing of href-only URLs
### [`v3.13.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3130--2014-07-03)
[Compare Source](https://togithub.com/expressjs/express/compare/3.12.1...3.13.0)
- add deprecation message to `app.configure`
- add deprecation message to `req.auth`
- use `basic-auth` to parse `Authorization` header
- deps: connect@2.22.0
- deps: csurf@~1.3.0
- deps: express-session@~1.6.1
- deps: multiparty@3.3.0
- deps: serve-static@~1.3.0
- deps: send@0.5.0
- Accept string for `maxage` (converted by `ms`)
- Include link in default redirect response
### [`v3.12.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3121--2014-06-26)
[Compare Source](https://togithub.com/expressjs/express/compare/3.12.0...3.12.1)
- deps: connect@2.21.1
- deps: cookie-parser@1.3.2
- deps: cookie-signature@1.0.4
- deps: express-session@~1.5.2
- deps: type-is@~1.3.2
- deps: cookie-signature@1.0.4
- fix for timing attacks
### [`v3.12.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3120--2014-06-21)
[Compare Source](https://togithub.com/expressjs/express/compare/3.11.0...3.12.0)
- use `media-typer` to alter content-type charset
- deps: connect@2.21.0
- deprecate `connect(middleware)` -- use `app.use(middleware)` instead
- deprecate `connect.createServer()` -- use `connect()` instead
- fix `res.setHeader()` patch to work with get -> append -> set pattern
- deps: compression@~1.0.8
- deps: errorhandler@~1.1.1
- deps: express-session@~1.5.0
- deps: serve-index@~1.1.3
### [`v3.11.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3110--2014-06-19)
[Compare Source](https://togithub.com/expressjs/express/compare/3.10.5...3.11.0)
- deprecate things with `depd` module
- deps: buffer-crc32@0.2.3
- deps: connect@2.20.2
- deprecate `verify` option to `json` -- use `body-parser` npm module instead
- deprecate `verify` option to `urlencoded` -- use `body-parser` npm module instead
- deprecate things with `depd` module
- use `finalhandler` for final response handling
- use `media-typer` to parse `content-type` for charset
- deps: body-parser@1.4.3
- deps: connect-timeout@1.1.1
- deps: cookie-parser@1.3.1
- deps: csurf@1.2.2
- deps: errorhandler@1.1.0
- deps: express-session@1.4.0
- deps: multiparty@3.2.9
- deps: serve-index@1.1.2
- deps: type-is@1.3.1
- deps: vhost@2.0.0
### [`v3.10.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3105--2014-06-11)
[Compare Source](https://togithub.com/expressjs/express/compare/3.10.4...3.10.5)
- deps: connect@2.19.6
- deps: body-parser@1.3.1
- deps: compression@1.0.7
- deps: debug@1.0.2
- deps: serve-index@1.1.1
- deps: serve-static@1.2.3
- deps: debug@1.0.2
- deps: send@0.4.3
- Do not throw uncatchable error on file open race condition
- Use `escape-html` for HTML escaping
- deps: debug@1.0.2
- deps: finished@1.2.2
- deps: fresh@0.2.2
### [`v3.10.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3104--2014-06-09)
[Compare Source](https://togithub.com/expressjs/express/compare/3.10.3...3.10.4)
- deps: connect@2.19.5
- fix "event emitter leak" warnings
- deps: csurf@1.2.1
- deps: debug@1.0.1
- deps: serve-static@1.2.2
- deps: type-is@1.2.1
- deps: debug@1.0.1
- deps: send@0.4.2
- fix "event emitter leak" warnings
- deps: finished@1.2.1
- deps: debug@1.0.1
### [`v3.10.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3103--2014-06-05)
[Compare Source](https://togithub.com/expressjs/express/compare/3.10.2...3.10.3)
- use `vary` module for `res.vary`
- deps: connect@2.19.4
- deps: errorhandler@1.0.2
- deps: method-override@2.0.2
- deps: serve-favicon@2.0.1
- deps: debug@1.0.0
### [`v3.10.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3102--2014-06-03)
[Compare Source](https://togithub.com/expressjs/express/compare/3.10.1...3.10.2)
- deps: connect@2.19.3
- deps: compression@1.0.6
### [`v3.10.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3101--2014-06-03)
[Compare Source](https://togithub.com/expressjs/express/compare/3.10.0...3.10.1)
- deps: connect@2.19.2
- deps: compression@1.0.4
- deps: proxy-addr@1.0.1
### [`v3.10.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3100--2014-06-02)
[Compare Source](https://togithub.com/expressjs/express/compare/3.9.0...3.10.0)
- deps: connect@2.19.1
- deprecate `methodOverride()` -- use `method-override` npm module instead
- deps: body-parser@1.3.0
- deps: method-override@2.0.1
- deps: multiparty@3.2.8
- deps: response-time@2.0.0
- deps: serve-static@1.2.1
- deps: methods@1.0.1
- deps: send@0.4.1
- Send `max-age` in `Cache-Control` in correct format
### [`v3.9.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#390--2014-05-30)
[Compare Source](https://togithub.com/expressjs/express/compare/3.8.1...3.9.0)
- custom etag control with `app.set('etag', val)`
  - `app.set('etag', function(body, encoding){ return '"etag"' })` custom etag generation
  - `app.set('etag', 'weak')` weak tag
  - `app.set('etag', 'strong')` strong etag
  - `app.set('etag', false)` turn off
  - `app.set('etag', true)` standard etag
- Include ETag in HEAD requests
- mark `res.send` ETag as weak and reduce collisions
- update connect to 2.18.0
- deps: compression@1.0.3
- deps: serve-index@1.1.0
- deps: serve-static@1.2.0
- update send to 0.4.0
- Calculate ETag with md5 for reduced collisions
- Ignore stream errors after request ends
- deps: debug@0.8.1
### [`v3.8.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#381--2014-05-27)
[Compare Source](https://togithub.com/expressjs/express/compare/3.8.0...3.8.1)
- update connect to 2.17.3
- deps: body-parser@1.2.2
- deps: express-session@1.2.1
- deps: method-override@1.0.2
### [`v3.8.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#380--2014-05-21)
[Compare Source](https://togithub.com/expressjs/express/compare/3.7.0...3.8.0)
- keep previous `Content-Type` for `res.jsonp`
- set proper `charset` in `Content-Type` for `res.send`
- update connect to 2.17.1
- fix `res.charset` appending charset when `content-type` has one
- deps: express-session@1.2.0
- deps: morgan@1.1.1
- deps: serve-index@1.0.3
### [`v3.7.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#370--2014-05-18)
[Compare Source](https://togithub.com/expressjs/express/compare/3.6.0...3.7.0)
- proper proxy trust with `app.set('trust proxy', trust)`
  - `app.set('trust proxy', 1)` trust first hop
  - `app.set('trust proxy', 'loopback')` trust loopback addresses
  - `app.set('trust proxy', '10.0.0.1')` trust single IP
  - `app.set('trust proxy', '10.0.0.1/16')` trust subnet
  - `app.set('trust proxy', '10.0.0.1, 10.0.0.2')` trust list
  - `app.set('trust proxy', false)` turn off
  - `app.set('trust proxy', true)` trust everything
- update connect to 2.16.2
- deprecate `res.headerSent` -- use `res.headersSent`
- deprecate `res.on("header")` -- use on-headers module instead
- fix edge-case in `res.appendHeader` that would append in wrong order
- json: use body-parser
- urlencoded: use body-parser
- dep: bytes@1.0.0
- dep: cookie-parser@1.1.0
- dep: csurf@1.2.0
- dep: express-session@1.1.0
- dep: method-override@1.0.1
### [`v3.6.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#360--2014-05-09)
[Compare Source](https://togithub.com/expressjs/express/compare/3.5.3...3.6.0)
- deprecate `app.del()` -- use `app.delete()` instead
- deprecate `res.json(obj, status)` -- use `res.json(status, obj)` instead
  - the edge-case `res.json(status, num)` requires `res.status(status).json(num)`
- deprecate `res.jsonp(obj, status)` -- use `res.jsonp(status, obj)` instead
  - the edge-case `res.jsonp(status, num)` requires `res.status(status).jsonp(num)`
- support PURGE method
  - add `app.purge`
  - add `router.purge`
  - include PURGE in `app.all`
- update connect to 2.15.0
- Add `res.appendHeader`
- Call error stack even when response has been sent
- Patch `res.headerSent` to return Boolean
- Patch `res.headersSent` for node.js 0.8
- Prevent default 404 handler after response sent
- dep: compression@1.0.2
- dep: connect-timeout@1.1.0
- dep: debug@^0.8.0
- dep: errorhandler@1.0.1
- dep: express-session@1.0.4
- dep: morgan@1.0.1
- dep: serve-favicon@2.0.0
- dep: serve-index@1.0.2
- update debug to 0.8.0
- add `enable()` method
- change from stderr to stdout
- update methods to 1.0.0
- add PURGE
- update mkdirp to 0.5.0
### [`v3.5.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#353--2014-05-08)
[Compare Source](https://togithub.com/expressjs/express/compare/3.5.2...3.5.3)
- fix `req.host` for IPv6 literals
- fix `res.jsonp` error if callback param is object
### [`v3.5.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#352--2014-04-24)
[Compare Source](https://togithub.com/expressjs/express/compare/3.5.1...3.5.2)
- update connect to 2.14.5
- update cookie to 0.1.2
- update mkdirp to 0.4.0
- update send to 0.3.0
### [`v3.5.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#351--2014-03-25)
[Compare Source](https://togithub.com/expressjs/express/compare/3.5.0...3.5.1)
- pin less-middleware in generated app
### [`v3.5.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#350--2014-03-06)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.8...3.5.0)
- bump deps
### [`v3.4.8`](https://togithub.com/expressjs/express/blob/HEAD/History.md#348--2014-01-13)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.7...3.4.8)
- prevent incorrect automatic OPTIONS responses [#1868](https://togithub.com/expressjs/express/issues/1868) [@dpatti](https://togithub.com/dpatti)
- update binary and examples for jade 1.0 [#1876](https://togithub.com/expressjs/express/issues/1876) [@yossi](https://togithub.com/yossi), [#1877](https://togithub.com/expressjs/express/issues/1877) [@reqshark](https://togithub.com/reqshark), [#1892](https://togithub.com/expressjs/express/issues/1892) [@matheusazzi](https://togithub.com/matheusazzi)
- throw 400 in case of malformed paths [@rlidwka](https://togithub.com/rlidwka)
### [`v3.4.7`](https://togithub.com/expressjs/express/blob/HEAD/History.md#347--2013-12-10)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.6...3.4.7)
- update connect
### [`v3.4.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#346--2013-12-01)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.5...3.4.6)
- update connect (raw-body)
### [`v3.4.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#345--2013-11-27)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.4...3.4.5)
- update connect
- res.location: remove leading ./ [#1802](https://togithub.com/expressjs/express/issues/1802) [@kapouer](https://togithub.com/kapouer)
- res.redirect: fix `res.redirect('toString')` [#1829](https://togithub.com/expressjs/express/issues/1829) [@michaelficarra](https://togithub.com/michaelficarra)
- res.send: always send ETag when content-length > 0
- router: add Router.all() method
### [`v3.4.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#344--2013-10-29)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.3...3.4.4)
- update connect
- update supertest
- update methods
- express(1): replace bodyParser() with urlencoded() and json() [#1795](https://togithub.com/expressjs/express/issues/1795) [@chirag04](https://togithub.com/chirag04)
### [`v3.4.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#343--2013-10-23)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.2...3.4.3)
- update connect
### [`v3.4.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#342--2013-10-18)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.1...3.4.2)
- update connect
- downgrade commander
### [`v3.4.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#341--2013-10-15)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.0...3.4.1)
- update connect
- update commander
- jsonp: check if callback is a function
- router: wrap encodeURIComponent in a try/catch [#1735](https://togithub.com/expressjs/express/issues/1735) ([@lxe](https://togithub.com/lxe))
- res.format: now includes charset [@1747](https://togithub.com/1747) ([@sorribas](https://togithub.com/sorribas))
- res.links: allow multiple calls [@1746](https://togithub.com/1746) ([@sorribas](https://togithub.com/sorribas))
### [`v3.4.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#340--2013-09-07)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.8...3.4.0)
- add res.vary(). Closes [#1682](https://togithub.com/expressjs/express/issues/1682)
- update connect
### [`v3.3.8`](https://togithub.com/expressjs/express/blob/HEAD/History.md#338--2013-09-02)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.7...3.3.8)
- update connect
### [`v3.3.7`](https://togithub.com/expressjs/express/blob/HEAD/History.md#337--2013-08-28)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.6...3.3.7)
- update connect
### [`v3.3.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#336--2013-08-27)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.5...3.3.6)
- Revert "remove charset from json responses. Closes [#1631](https://togithub.com/expressjs/express/issues/1631)" (causes issues in some clients)
- add: req.accepts take an argument list
### [`v3.3.5`](https://togithub.com/expressjs/express/compare/3.3.4...3.3.5)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.4...3.3.5)
### [`v3.3.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#334--2013-07-08)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.3...3.3.4)
- update send and connect
### [`v3.3.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#333--2013-07-04)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.2...3.3.3)
- update connect
### [`v3.3.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#332--2013-07-03)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.1...3.3.2)
- update connect
- update send
- remove .version export
### [`v3.3.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#331--2013-06-27)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.0...3.3.1)
- update connect
### [`v3.3.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#330--2013-06-26)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.6...3.3.0)
- update connect
- add support for multiple X-Forwarded-Proto values. Closes [#1646](https://togithub.com/expressjs/express/issues/1646)
- change: remove charset from json responses. Closes [#1631](https://togithub.com/expressjs/express/issues/1631)
- change: return actual booleans from req.accept\* functions
- fix jsonp callback array throw
### [`v3.2.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#326--2013-06-02)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.5...3.2.6)
- update connect
### [`v3.2.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#325--2013-05-21)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.4...3.2.5)
- update connect
- update node-cookie
- add: throw a meaningful error when there is no default engine
- change generation of ETags with res.send() to GET requests only. Closes [#1619](https://togithub.com/expressjs/express/issues/1619)
### [`v3.2.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#324--2013-05-09)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.3...3.2.4)
- fix `req.subdomains` when no Host is present
- fix `req.host` when no Host is present, return undefined
### [`v3.2.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#323--2013-05-07)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.2...3.2.3)
- update connect / qs
### [`v3.2.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#322--2013-05-03)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.1...3.2.2)
- update qs
### [`v3.2.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#321--2013-04-29)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.0...3.2.1)
- add app.VERB() paths array deprecation warning
- update connect
- update qs and remove all ~ semver crap
- fix: accept number as value of Signed Cookie
### [`v3.2.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#320--2013-04-15)
[Compare Source](https://togithub.com/expressjs/express/compare/3.1.2...3.2.0)
- add "view" constructor setting to override view behaviour
- add req.acceptsEncoding(name)
- add req.acceptedEncodings
- revert cookie signature change causing session race conditions
- fix sorting of Accept values of the same quality
### [`v3.1.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#312--2013-04-12)
[Compare Source](https://togithub.com/expressjs/express/compare/3.1.1...3.1.2)
- add support for custom Accept parameters
- update cookie-signature
### [`v3.1.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#311--2013-04-01)
[Compare Source](https://togithub.com/expressjs/express/compare/3.1.0...3.1.1)
- add X-Forwarded-Host support to `req.host`
- fix relative redirects
- update mkdirp
- update buffer-crc32
- remove legacy app.configure() method from app template.
### [`v3.1.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#310--2013-01-25)
[Compare Source](https://togithub.com/expressjs/express/compare/3.0.6...3.1.0)
- add support for leading "." in "view engine" setting
- add array support to `res.set()`
- add node 0.8.x to travis.yml
- add "subdomain offset" setting for tweaking `req.subdomains`
- add `res.location(url)` implementing `res.redirect()`-like setting of Location
- use app.get() for x-powered-by setting for inheritance
- fix colons in passwords for `req.auth`
### [`v3.0.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#306--2013-01-04)
[Compare Source](https://togithub.com/expressjs/express/compare/3.0.5...3.0.6)
- add http verb methods to Router
- update connect
- fix mangling of the `res.cookie()` options object
- fix jsonp whitespace escape. Closes [#1132](https://togithub.com/expressjs/express/issues/1132)
### [`v3.0.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#305--2012-12-19)
[Compare Source](https://togithub.com/expressjs/express/compare/3.0.4...3.0.5)
- add throwing when a non-function is passed to a route
- fix: explicitly remove Transfer-Encoding header from 204 and 304 responses
- revert "add 'etag' option"
### [`v3.0.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#304--2012-12-05)
[Compare Source](https://togithub.com/expressjs/express/compare/3.0.3...3.0.4)
- add 'etag' option to disable `res.send()` Etags
- add escaping of urls in text/plain in `res.redirect()` for old browsers interpreting as html
- change crc32 module for a more liberal license
- update connect
### [`v3.0.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#303--2012-11-13)
[Compare Source](https://togithub.com/expressjs/express/compare/3.0.2...3.0.3)
- update connect
- update cookie module
- fix cookie max-age
### [`v3.0.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#302--2012-11-08)
[Compare Source](https://togithub.com/expressjs/express/compare/3.0.1...3.0.2)
- add OPTIONS to cors example. Closes [#1398](https://togithub.com/expressjs/express/issues/1398)
- fix route chaining regression. Closes [#1397](https://togithub.com/expressjs/express/issues/1397)
### [`v3.0.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#301--2012-11-01)
- update connect
This PR contains the following updates: 3.0.0 -> 3.21.0
This PR resolves the vulnerability described in Issue #16
Version 3.0.0

| Risk Change | Critical | High | Medium | Low |
| --- | --- | --- | --- | --- |
| N/A | 0 | 4 | 8 | 0 |

Version 3.21.0

| Risk Change | Critical | High | Medium | Low |
| --- | --- | --- | --- | --- |
| -50% | 0 (--) | 2 (-2) | 1 (-7) | 2 (+2) |

Version 3.21.2

| Risk Change | Critical | High | Medium | Low |
| --- | --- | --- | --- | --- |
| -50% | 0 (--) | 2 (-2) | 1 (-7) | 2 (+2) |

Mend ensures you have the greatest risk reduction ("Recommended Fix"-highlighted in green) by removing as many vulnerabilities as possible. Click to see how we calculate risk reduction.
Source](https://togithub.com/expressjs/express/compare/3.8.1...3.9.0) \================== - custom etag control with `app.set('etag', val)` - `app.set('etag', function(body, encoding){ return '"etag"' })` custom etag generation - `app.set('etag', 'weak')` weak tag - `app.set('etag', 'strong')` strong etag - `app.set('etag', false)` turn off - `app.set('etag', true)` standard etag - Include ETag in HEAD requests - mark `res.send` ETag as weak and reduce collisions - update connect to 2.18.0 - deps: compression@1.0.3 - deps: serve-index@1.1.0 - deps: serve-static@1.2.0 - update send to 0.4.0 - Calculate ETag with md5 for reduced collisions - Ignore stream errors after request ends - deps: debug@0.8.1 ### [`v3.8.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#381--2014-05-27) [Compare Source](https://togithub.com/expressjs/express/compare/3.8.0...3.8.1) \================== - update connect to 2.17.3 - deps: body-parser@1.2.2 - deps: express-session@1.2.1 - deps: method-override@1.0.2 ### [`v3.8.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#380--2014-05-21) [Compare Source](https://togithub.com/expressjs/express/compare/3.7.0...3.8.0) \================== - keep previous `Content-Type` for `res.jsonp` - set proper `charset` in `Content-Type` for `res.send` - update connect to 2.17.1 - fix `res.charset` appending charset when `content-type` has one - deps: express-session@1.2.0 - deps: morgan@1.1.1 - deps: serve-index@1.0.3 ### [`v3.7.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#370--2014-05-18) [Compare Source](https://togithub.com/expressjs/express/compare/3.6.0...3.7.0) \================== - proper proxy trust with `app.set('trust proxy', trust)` - `app.set('trust proxy', 1)` trust first hop - `app.set('trust proxy', 'loopback')` trust loopback addresses - `app.set('trust proxy', '10.0.0.1')` trust single IP - `app.set('trust proxy', '10.0.0.1/16')` trust subnet - `app.set('trust proxy', '10.0.0.1, 10.0.0.2')` trust 
list - `app.set('trust proxy', false)` turn off - `app.set('trust proxy', true)` trust everything - update connect to 2.16.2 - deprecate `res.headerSent` -- use `res.headersSent` - deprecate `res.on("header")` -- use on-headers module instead - fix edge-case in `res.appendHeader` that would append in wrong order - json: use body-parser - urlencoded: use body-parser - dep: bytes@1.0.0 - dep: cookie-parser@1.1.0 - dep: csurf@1.2.0 - dep: express-session@1.1.0 - dep: method-override@1.0.1 ### [`v3.6.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#360--2014-05-09) [Compare Source](https://togithub.com/expressjs/express/compare/3.5.3...3.6.0) \================== - deprecate `app.del()` -- use `app.delete()` instead - deprecate `res.json(obj, status)` -- use `res.json(status, obj)` instead - the edge-case `res.json(status, num)` requires `res.status(status).json(num)` - deprecate `res.jsonp(obj, status)` -- use `res.jsonp(status, obj)` instead - the edge-case `res.jsonp(status, num)` requires `res.status(status).jsonp(num)` - support PURGE method - add `app.purge` - add `router.purge` - include PURGE in `app.all` - update connect to 2.15.0 - Add `res.appendHeader` - Call error stack even when response has been sent - Patch `res.headerSent` to return Boolean - Patch `res.headersSent` for node.js 0.8 - Prevent default 404 handler after response sent - dep: compression@1.0.2 - dep: connect-timeout@1.1.0 - dep: debug@^0.8.0 - dep: errorhandler@1.0.1 - dep: express-session@1.0.4 - dep: morgan@1.0.1 - dep: serve-favicon@2.0.0 - dep: serve-index@1.0.2 - update debug to 0.8.0 - add `enable()` method - change from stderr to stdout - update methods to 1.0.0 - add PURGE - update mkdirp to 0.5.0 ### [`v3.5.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#353--2014-05-08) [Compare Source](https://togithub.com/expressjs/express/compare/3.5.2...3.5.3) \================== - fix `req.host` for IPv6 literals - fix `res.jsonp` error if callback param is 
object ### [`v3.5.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#352--2014-04-24) [Compare Source](https://togithub.com/expressjs/express/compare/3.5.1...3.5.2) \================== - update connect to 2.14.5 - update cookie to 0.1.2 - update mkdirp to 0.4.0 - update send to 0.3.0 ### [`v3.5.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#351--2014-03-25) [Compare Source](https://togithub.com/expressjs/express/compare/3.5.0...3.5.1) \================== - pin less-middleware in generated app ### [`v3.5.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#350--2014-03-06) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.8...3.5.0) \================== - bump deps ### [`v3.4.8`](https://togithub.com/expressjs/express/blob/HEAD/History.md#348--2014-01-13) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.7...3.4.8) \================== - prevent incorrect automatic OPTIONS responses [#1868](https://togithub.com/expressjs/express/issues/1868) [@dpatti](https://togithub.com/dpatti) - update binary and examples for jade 1.0 [#1876](https://togithub.com/expressjs/express/issues/1876) [@yossi](https://togithub.com/yossi), [#1877](https://togithub.com/expressjs/express/issues/1877) [@reqshark](https://togithub.com/reqshark), [#1892](https://togithub.com/expressjs/express/issues/1892) [@matheusazzi](https://togithub.com/matheusazzi) - throw 400 in case of malformed paths [@rlidwka](https://togithub.com/rlidwka) ### [`v3.4.7`](https://togithub.com/expressjs/express/blob/HEAD/History.md#347--2013-12-10) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.6...3.4.7) \================== - update connect ### [`v3.4.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#346--2013-12-01) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.5...3.4.6) \================== - update connect (raw-body) ### 
[`v3.4.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#345--2013-11-27) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.4...3.4.5) \================== - update connect - res.location: remove leading ./ [#1802](https://togithub.com/expressjs/express/issues/1802) [@kapouer](https://togithub.com/kapouer) - res.redirect: fix \`res.redirect('toString') [#1829](https://togithub.com/expressjs/express/issues/1829) [@michaelficarra](https://togithub.com/michaelficarra) - res.send: always send ETag when content-length > 0 - router: add Router.all() method ### [`v3.4.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#344--2013-10-29) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.3...3.4.4) \================== - update connect - update supertest - update methods - express(1): replace bodyParser() with urlencoded() and json() [#1795](https://togithub.com/expressjs/express/issues/1795) [@chirag04](https://togithub.com/chirag04) ### [`v3.4.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#343--2013-10-23) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.2...3.4.3) \================== - update connect ### [`v3.4.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#342--2013-10-18) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.1...3.4.2) \================== - update connect - downgrade commander ### [`v3.4.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#341--2013-10-15) [Compare Source](https://togithub.com/expressjs/express/compare/3.4.0...3.4.1) \================== - update connect - update commander - jsonp: check if callback is a function - router: wrap encodeURIComponent in a try/catch [#1735](https://togithub.com/expressjs/express/issues/1735) ([@lxe](https://togithub.com/lxe)) - res.format: now includes charset [@1747](https://togithub.com/1747) ([@sorribas](https://togithub.com/sorribas)) - res.links: allow multiple calls 
[@1746](https://togithub.com/1746) ([@sorribas](https://togithub.com/sorribas)) ### [`v3.4.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#340--2013-09-07) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.8...3.4.0) \================== - add res.vary(). Closes [#1682](https://togithub.com/expressjs/express/issues/1682) - update connect ### [`v3.3.8`](https://togithub.com/expressjs/express/blob/HEAD/History.md#338--2013-09-02) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.7...3.3.8) \================== - update connect ### [`v3.3.7`](https://togithub.com/expressjs/express/blob/HEAD/History.md#337--2013-08-28) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.6...3.3.7) \================== - update connect ### [`v3.3.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#336--2013-08-27) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.5...3.3.6) \================== - Revert "remove charset from json responses. 
Closes [#1631](https://togithub.com/expressjs/express/issues/1631)" (causes issues in some clients) - add: req.accepts take an argument list ### [`v3.3.5`](https://togithub.com/expressjs/express/compare/3.3.4...3.3.5) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.4...3.3.5) ### [`v3.3.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#334--2013-07-08) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.3...3.3.4) \================== - update send and connect ### [`v3.3.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#333--2013-07-04) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.2...3.3.3) \================== - update connect ### [`v3.3.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#332--2013-07-03) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.1...3.3.2) \================== - update connect - update send - remove .version export ### [`v3.3.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#331--2013-06-27) [Compare Source](https://togithub.com/expressjs/express/compare/3.3.0...3.3.1) \================== - update connect ### [`v3.3.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#330--2013-06-26) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.6...3.3.0) \================== - update connect - add support for multiple X-Forwarded-Proto values. Closes [#1646](https://togithub.com/expressjs/express/issues/1646) - change: remove charset from json responses. 
Closes [#1631](https://togithub.com/expressjs/express/issues/1631) - change: return actual booleans from req.accept\* functions - fix jsonp callback array throw ### [`v3.2.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#326--2013-06-02) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.5...3.2.6) \================== - update connect ### [`v3.2.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#325--2013-05-21) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.4...3.2.5) \================== - update connect - update node-cookie - add: throw a meaningful error when there is no default engine - change generation of ETags with res.send() to GET requests only. Closes [#1619](https://togithub.com/expressjs/express/issues/1619) ### [`v3.2.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#324--2013-05-09) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.3...3.2.4) \================== - fix `req.subdomains` when no Host is present - fix `req.host` when no Host is present, return undefined ### [`v3.2.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#323--2013-05-07) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.2...3.2.3) \================== - update connect / qs ### [`v3.2.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#322--2013-05-03) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.1...3.2.2) \================== - update qs ### [`v3.2.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#321--2013-04-29) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.0...3.2.1) \================== - add app.VERB() paths array deprecation warning - update connect - update qs and remove all ~ semver crap - fix: accept number as value of Signed Cookie ### [`v3.2.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#320--2013-04-15) [Compare 
Source](https://togithub.com/expressjs/express/compare/3.1.2...3.2.0) \================== - add "view" constructor setting to override view behaviour - add req.acceptsEncoding(name) - add req.acceptedEncodings - revert cookie signature change causing session race conditions - fix sorting of Accept values of the same quality ### [`v3.1.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#312--2013-04-12) [Compare Source](https://togithub.com/expressjs/express/compare/3.1.1...3.1.2) \================== - add support for custom Accept parameters - update cookie-signature ### [`v3.1.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#311--2013-04-01) [Compare Source](https://togithub.com/expressjs/express/compare/3.1.0...3.1.1) \================== - add X-Forwarded-Host support to `req.host` - fix relative redirects - update mkdirp - update buffer-crc32 - remove legacy app.configure() method from app template. ### [`v3.1.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#310--2013-01-25) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.6...3.1.0) \================== - add support for leading "." in "view engine" setting - add array support to `res.set()` - add node 0.8.x to travis.yml - add "subdomain offset" setting for tweaking `req.subdomains` - add `res.location(url)` implementing `res.redirect()`-like setting of Location - use app.get() for x-powered-by setting for inheritance - fix colons in passwords for `req.auth` ### [`v3.0.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#306--2013-01-04) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.5...3.0.6) \================== - add http verb methods to Router - update connect - fix mangling of the `res.cookie()` options object - fix jsonp whitespace escape. 
Closes [#1132](https://togithub.com/expressjs/express/issues/1132) ### [`v3.0.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#305--2012-12-19) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.4...3.0.5) \================== - add throwing when a non-function is passed to a route - fix: explicitly remove Transfer-Encoding header from 204 and 304 responses - revert "add 'etag' option" ### [`v3.0.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#304--2012-12-05) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.3...3.0.4) \================== - add 'etag' option to disable `res.send()` Etags - add escaping of urls in text/plain in `res.redirect()` for old browsers interpreting as html - change crc32 module for a more liberal license - update connect ### [`v3.0.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#303--2012-11-13) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.2...3.0.3) \================== - update connect - update cookie module - fix cookie max-age ### [`v3.0.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#302--2012-11-08) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.1...3.0.2) \================== - add OPTIONS to cors example. Closes [#1398](https://togithub.com/expressjs/express/issues/1398) - fix route chaining regression. Closes [#1397](https://togithub.com/expressjs/express/issues/1397) ### [`v3.0.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#301--2012-11-01) \================== - update connect