Vulnerable versions of express do not specify a charset field in the Content-Type header when displaying 400-level response messages. Because the user's browser is not forced to use the correct charset, an attacker could leverage this to perform a cross-site scripting attack using non-standard encodings such as UTF-7.
Recommendation
For express 3.x, update express to version 3.11 or later.
For express 4.x, update express to version 4.5 or later.
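An audit check for the condition described above, added here as an example and not part of the original PR or of express itself: it flags 4xx responses whose Content-Type omits a charset and applies the recommendation's upgrade thresholds to a version string. The function names and the sample responses are constructed for illustration.

```javascript
// Added example: helper names and SAMPLE_RESPONSES are constructed, not express APIs.

// Parse a Content-Type header value into { type, charset } (both lowercased).
function parseContentType(header) {
  if (typeof header !== 'string' || header.trim() === '') {
    return { type: null, charset: null };
  }
  const [rawType, ...params] = header.split(';');
  let charset = null;
  for (const p of params) {
    const eq = p.indexOf('=');
    if (eq === -1) continue;
    const name = p.slice(0, eq).trim().toLowerCase();
    // Parameter values may be quoted: charset="UTF-8"
    const value = p.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'charset' && value !== '') charset = value.toLowerCase();
  }
  return { type: rawType.trim().toLowerCase(), charset };
}

// Return the 4xx responses that leave the encoding for the browser to decide:
// a textual (or missing) Content-Type with no charset parameter.
function findCharsetlessErrors(responses) {
  const findings = [];
  for (const r of responses) {
    if (r.status < 400 || r.status > 499) continue;
    // Header names are case-insensitive, so look the key up accordingly.
    const key = Object.keys(r.headers).find(
      (k) => k.toLowerCase() === 'content-type'
    );
    const { type, charset } = parseContentType(key ? r.headers[key] : undefined);
    const textual = type === null || type.startsWith('text/');
    if (textual && charset === null) {
      findings.push({ url: r.url, status: r.status, contentType: type });
    }
  }
  return findings;
}

// Apply the recommendation: 3.x needs 3.11 or later, 4.x needs 4.5 or later.
// Returns null for release lines the recommendation does not mention.
function expressNeedsUpgrade(version) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(version).trim());
  if (!m) throw new TypeError('not a version string: ' + version);
  const major = Number(m[1]);
  const minor = Number(m[2]);
  if (major === 3) return minor < 11;
  if (major === 4) return minor < 5;
  return null;
}

// Constructed sample data: status and headers as captured from error pages.
const SAMPLE_RESPONSES = [
  { url: '/missing', status: 404, headers: { 'Content-Type': 'text/html' } },
  { url: '/bad', status: 400, headers: { 'content-type': 'text/html; charset=utf-8' } },
  { url: '/api', status: 404, headers: { 'Content-Type': 'application/json' } },
  { url: '/ok', status: 200, headers: { 'Content-Type': 'text/html' } },
  { url: '/nohdr', status: 403, headers: {} },
];

for (const f of findCharsetlessErrors(SAMPLE_RESPONSES)) {
  console.log(`${f.status} ${f.url}: no charset (type: ${f.contentType})`);
}
console.log('express 3.0.0 needs upgrade:', expressNeedsUpgrade('3.0.0'));
```

Feed `findCharsetlessErrors` the status and headers recorded from an application's own error pages; any finding on a patched express version points at a custom error handler that sets Content-Type without a charset.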
Release Notes
expressjs/express (express)
### [`v3.11.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3110--2014-06-19)
[Compare Source](https://togithub.com/expressjs/express/compare/3.10.5...3.11.0)
- deprecate things with `depd` module
- deps: buffer-crc32@0.2.3
- deps: connect@2.20.2
- deprecate `verify` option to `json` -- use `body-parser` npm module instead
- deprecate `verify` option to `urlencoded` -- use `body-parser` npm module instead
- deprecate things with `depd` module
- use `finalhandler` for final response handling
- use `media-typer` to parse `content-type` for charset
- deps: body-parser@1.4.3
- deps: connect-timeout@1.1.1
- deps: cookie-parser@1.3.1
- deps: csurf@1.2.2
- deps: errorhandler@1.1.0
- deps: express-session@1.4.0
- deps: multiparty@3.2.9
- deps: serve-index@1.1.2
- deps: type-is@1.3.1
- deps: vhost@2.0.0
### [`v3.10.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3105--2014-06-11)
[Compare Source](https://togithub.com/expressjs/express/compare/3.10.4...3.10.5)
- deps: connect@2.19.6
- deps: body-parser@1.3.1
- deps: compression@1.0.7
- deps: debug@1.0.2
- deps: serve-index@1.1.1
- deps: serve-static@1.2.3
- deps: debug@1.0.2
- deps: send@0.4.3
- Do not throw uncatchable error on file open race condition
- Use `escape-html` for HTML escaping
- deps: debug@1.0.2
- deps: finished@1.2.2
- deps: fresh@0.2.2
### [`v3.10.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3104--2014-06-09)
[Compare Source](https://togithub.com/expressjs/express/compare/3.10.3...3.10.4)
- deps: connect@2.19.5
- fix "event emitter leak" warnings
- deps: csurf@1.2.1
- deps: debug@1.0.1
- deps: serve-static@1.2.2
- deps: type-is@1.2.1
- deps: debug@1.0.1
- deps: send@0.4.2
- fix "event emitter leak" warnings
- deps: finished@1.2.1
- deps: debug@1.0.1
### [`v3.10.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3103--2014-06-05)
[Compare Source](https://togithub.com/expressjs/express/compare/3.10.2...3.10.3)
- use `vary` module for `res.vary`
- deps: connect@2.19.4
- deps: errorhandler@1.0.2
- deps: method-override@2.0.2
- deps: serve-favicon@2.0.1
- deps: debug@1.0.0
### [`v3.10.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3102--2014-06-03)
[Compare Source](https://togithub.com/expressjs/express/compare/3.10.1...3.10.2)
- deps: connect@2.19.3
- deps: compression@1.0.6
### [`v3.10.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3101--2014-06-03)
[Compare Source](https://togithub.com/expressjs/express/compare/3.10.0...3.10.1)
- deps: connect@2.19.2
- deps: compression@1.0.4
- deps: proxy-addr@1.0.1
### [`v3.10.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#3100--2014-06-02)
[Compare Source](https://togithub.com/expressjs/express/compare/3.9.0...3.10.0)
- deps: connect@2.19.1
- deprecate `methodOverride()` -- use `method-override` npm module instead
- deps: body-parser@1.3.0
- deps: method-override@2.0.1
- deps: multiparty@3.2.8
- deps: response-time@2.0.0
- deps: serve-static@1.2.1
- deps: methods@1.0.1
- deps: send@0.4.1
- Send `max-age` in `Cache-Control` in correct format
### [`v3.9.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#390--2014-05-30)
[Compare Source](https://togithub.com/expressjs/express/compare/3.8.1...3.9.0)
- custom etag control with `app.set('etag', val)`
- `app.set('etag', function(body, encoding){ return '"etag"' })` custom etag generation
- `app.set('etag', 'weak')` weak tag
- `app.set('etag', 'strong')` strong etag
- `app.set('etag', false)` turn off
- `app.set('etag', true)` standard etag
- Include ETag in HEAD requests
- mark `res.send` ETag as weak and reduce collisions
- update connect to 2.18.0
- deps: compression@1.0.3
- deps: serve-index@1.1.0
- deps: serve-static@1.2.0
- update send to 0.4.0
- Calculate ETag with md5 for reduced collisions
- Ignore stream errors after request ends
- deps: debug@0.8.1
### [`v3.8.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#381--2014-05-27)
[Compare Source](https://togithub.com/expressjs/express/compare/3.8.0...3.8.1)
- update connect to 2.17.3
- deps: body-parser@1.2.2
- deps: express-session@1.2.1
- deps: method-override@1.0.2
### [`v3.8.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#380--2014-05-21)
[Compare Source](https://togithub.com/expressjs/express/compare/3.7.0...3.8.0)
- keep previous `Content-Type` for `res.jsonp`
- set proper `charset` in `Content-Type` for `res.send`
- update connect to 2.17.1
- fix `res.charset` appending charset when `content-type` has one
- deps: express-session@1.2.0
- deps: morgan@1.1.1
- deps: serve-index@1.0.3
### [`v3.7.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#370--2014-05-18)
[Compare Source](https://togithub.com/expressjs/express/compare/3.6.0...3.7.0)
- proper proxy trust with `app.set('trust proxy', trust)`
- `app.set('trust proxy', 1)` trust first hop
- `app.set('trust proxy', 'loopback')` trust loopback addresses
- `app.set('trust proxy', '10.0.0.1')` trust single IP
- `app.set('trust proxy', '10.0.0.1/16')` trust subnet
- `app.set('trust proxy', '10.0.0.1, 10.0.0.2')` trust list
- `app.set('trust proxy', false)` turn off
- `app.set('trust proxy', true)` trust everything
- update connect to 2.16.2
- deprecate `res.headerSent` -- use `res.headersSent`
- deprecate `res.on("header")` -- use on-headers module instead
- fix edge-case in `res.appendHeader` that would append in wrong order
- json: use body-parser
- urlencoded: use body-parser
- dep: bytes@1.0.0
- dep: cookie-parser@1.1.0
- dep: csurf@1.2.0
- dep: express-session@1.1.0
- dep: method-override@1.0.1
### [`v3.6.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#360--2014-05-09)
[Compare Source](https://togithub.com/expressjs/express/compare/3.5.3...3.6.0)
- deprecate `app.del()` -- use `app.delete()` instead
- deprecate `res.json(obj, status)` -- use `res.json(status, obj)` instead
- the edge-case `res.json(status, num)` requires `res.status(status).json(num)`
- deprecate `res.jsonp(obj, status)` -- use `res.jsonp(status, obj)` instead
- the edge-case `res.jsonp(status, num)` requires `res.status(status).jsonp(num)`
- support PURGE method
- add `app.purge`
- add `router.purge`
- include PURGE in `app.all`
- update connect to 2.15.0
- Add `res.appendHeader`
- Call error stack even when response has been sent
- Patch `res.headerSent` to return Boolean
- Patch `res.headersSent` for node.js 0.8
- Prevent default 404 handler after response sent
- dep: compression@1.0.2
- dep: connect-timeout@1.1.0
- dep: debug@^0.8.0
- dep: errorhandler@1.0.1
- dep: express-session@1.0.4
- dep: morgan@1.0.1
- dep: serve-favicon@2.0.0
- dep: serve-index@1.0.2
- update debug to 0.8.0
- add `enable()` method
- change from stderr to stdout
- update methods to 1.0.0
- add PURGE
- update mkdirp to 0.5.0
### [`v3.5.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#353--2014-05-08)
[Compare Source](https://togithub.com/expressjs/express/compare/3.5.2...3.5.3)
- fix `req.host` for IPv6 literals
- fix `res.jsonp` error if callback param is object
### [`v3.5.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#352--2014-04-24)
[Compare Source](https://togithub.com/expressjs/express/compare/3.5.1...3.5.2)
- update connect to 2.14.5
- update cookie to 0.1.2
- update mkdirp to 0.4.0
- update send to 0.3.0
### [`v3.5.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#351--2014-03-25)
[Compare Source](https://togithub.com/expressjs/express/compare/3.5.0...3.5.1)
- pin less-middleware in generated app
### [`v3.5.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#350--2014-03-06)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.8...3.5.0)
- bump deps
### [`v3.4.8`](https://togithub.com/expressjs/express/blob/HEAD/History.md#348--2014-01-13)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.7...3.4.8)
- prevent incorrect automatic OPTIONS responses [#1868](https://togithub.com/expressjs/express/issues/1868) [@dpatti](https://togithub.com/dpatti)
- update binary and examples for jade 1.0 [#1876](https://togithub.com/expressjs/express/issues/1876) [@yossi](https://togithub.com/yossi), [#1877](https://togithub.com/expressjs/express/issues/1877) [@reqshark](https://togithub.com/reqshark), [#1892](https://togithub.com/expressjs/express/issues/1892) [@matheusazzi](https://togithub.com/matheusazzi)
- throw 400 in case of malformed paths [@rlidwka](https://togithub.com/rlidwka)
### [`v3.4.7`](https://togithub.com/expressjs/express/blob/HEAD/History.md#347--2013-12-10)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.6...3.4.7)
- update connect
### [`v3.4.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#346--2013-12-01)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.5...3.4.6)
- update connect (raw-body)
### [`v3.4.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#345--2013-11-27)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.4...3.4.5)
- update connect
- res.location: remove leading ./ [#1802](https://togithub.com/expressjs/express/issues/1802) [@kapouer](https://togithub.com/kapouer)
- res.redirect: fix `res.redirect('toString')` [#1829](https://togithub.com/expressjs/express/issues/1829) [@michaelficarra](https://togithub.com/michaelficarra)
- res.send: always send ETag when content-length > 0
- router: add Router.all() method
### [`v3.4.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#344--2013-10-29)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.3...3.4.4)
- update connect
- update supertest
- update methods
- express(1): replace bodyParser() with urlencoded() and json() [#1795](https://togithub.com/expressjs/express/issues/1795) [@chirag04](https://togithub.com/chirag04)
### [`v3.4.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#343--2013-10-23)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.2...3.4.3)
- update connect
### [`v3.4.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#342--2013-10-18)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.1...3.4.2)
- update connect
- downgrade commander
### [`v3.4.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#341--2013-10-15)
[Compare Source](https://togithub.com/expressjs/express/compare/3.4.0...3.4.1)
- update connect
- update commander
- jsonp: check if callback is a function
- router: wrap encodeURIComponent in a try/catch [#1735](https://togithub.com/expressjs/express/issues/1735) ([@lxe](https://togithub.com/lxe))
- res.format: now includes charset [@1747](https://togithub.com/1747) ([@sorribas](https://togithub.com/sorribas))
- res.links: allow multiple calls [@1746](https://togithub.com/1746) ([@sorribas](https://togithub.com/sorribas))
### [`v3.4.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#340--2013-09-07)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.8...3.4.0)
- add res.vary(). Closes [#1682](https://togithub.com/expressjs/express/issues/1682)
- update connect
### [`v3.3.8`](https://togithub.com/expressjs/express/blob/HEAD/History.md#338--2013-09-02)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.7...3.3.8)
- update connect
### [`v3.3.7`](https://togithub.com/expressjs/express/blob/HEAD/History.md#337--2013-08-28)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.6...3.3.7)
- update connect
### [`v3.3.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#336--2013-08-27)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.5...3.3.6)
- Revert "remove charset from json responses. Closes [#1631](https://togithub.com/expressjs/express/issues/1631)" (causes issues in some clients)
- add: req.accepts take an argument list
### [`v3.3.5`](https://togithub.com/expressjs/express/compare/3.3.4...3.3.5)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.4...3.3.5)
### [`v3.3.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#334--2013-07-08)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.3...3.3.4)
- update send and connect
### [`v3.3.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#333--2013-07-04)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.2...3.3.3)
- update connect
### [`v3.3.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#332--2013-07-03)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.1...3.3.2)
- update connect
- update send
- remove .version export
### [`v3.3.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#331--2013-06-27)
[Compare Source](https://togithub.com/expressjs/express/compare/3.3.0...3.3.1)
- update connect
### [`v3.3.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#330--2013-06-26)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.6...3.3.0)
- update connect
- add support for multiple X-Forwarded-Proto values. Closes [#1646](https://togithub.com/expressjs/express/issues/1646)
- change: remove charset from json responses. Closes [#1631](https://togithub.com/expressjs/express/issues/1631)
- change: return actual booleans from req.accept\* functions
- fix jsonp callback array throw
### [`v3.2.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#326--2013-06-02)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.5...3.2.6)
- update connect
### [`v3.2.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#325--2013-05-21)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.4...3.2.5)
- update connect
- update node-cookie
- add: throw a meaningful error when there is no default engine
- change generation of ETags with res.send() to GET requests only. Closes [#1619](https://togithub.com/expressjs/express/issues/1619)
### [`v3.2.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#324--2013-05-09)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.3...3.2.4)
- fix `req.subdomains` when no Host is present
- fix `req.host` when no Host is present, return undefined
### [`v3.2.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#323--2013-05-07)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.2...3.2.3)
- update connect / qs
### [`v3.2.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#322--2013-05-03)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.1...3.2.2)
- update qs
### [`v3.2.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#321--2013-04-29)
[Compare Source](https://togithub.com/expressjs/express/compare/3.2.0...3.2.1)
- add app.VERB() paths array deprecation warning
- update connect
- update qs and remove all ~ semver crap
- fix: accept number as value of Signed Cookie
### [`v3.2.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#320--2013-04-15)
[Compare Source](https://togithub.com/expressjs/express/compare/3.1.2...3.2.0)
- add "view" constructor setting to override view behaviour
- add req.acceptsEncoding(name)
- add req.acceptedEncodings
- revert cookie signature change causing session race conditions
- fix sorting of Accept values of the same quality
### [`v3.1.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#312--2013-04-12)
[Compare Source](https://togithub.com/expressjs/express/compare/3.1.1...3.1.2)
- add support for custom Accept parameters
- update cookie-signature
### [`v3.1.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#311--2013-04-01)
[Compare Source](https://togithub.com/expressjs/express/compare/3.1.0...3.1.1)
- add X-Forwarded-Host support to `req.host`
- fix relative redirects
- update mkdirp
- update buffer-crc32
- remove legacy app.configure() method from app template.
### [`v3.1.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#310--2013-01-25)
[Compare Source](https://togithub.com/expressjs/express/compare/3.0.6...3.1.0)
- add support for leading "." in "view engine" setting
- add array support to `res.set()`
- add node 0.8.x to travis.yml
- add "subdomain offset" setting for tweaking `req.subdomains`
- add `res.location(url)` implementing `res.redirect()`-like setting of Location
- use app.get() for x-powered-by setting for inheritance
- fix colons in passwords for `req.auth`
### [`v3.0.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#306--2013-01-04)
[Compare Source](https://togithub.com/expressjs/express/compare/3.0.5...3.0.6)
- add http verb methods to Router
- update connect
- fix mangling of the `res.cookie()` options object
- fix jsonp whitespace escape. Closes [#1132](https://togithub.com/expressjs/express/issues/1132)
### [`v3.0.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#305--2012-12-19)
[Compare Source](https://togithub.com/expressjs/express/compare/3.0.4...3.0.5)
- add throwing when a non-function is passed to a route
- fix: explicitly remove Transfer-Encoding header from 204 and 304 responses
- revert "add 'etag' option"
### [`v3.0.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#304--2012-12-05)
[Compare Source](https://togithub.com/expressjs/express/compare/3.0.3...3.0.4)
- add 'etag' option to disable `res.send()` Etags
- add escaping of urls in text/plain in `res.redirect()` for old browsers interpreting as html
- change crc32 module for a more liberal license
- update connect
### [`v3.0.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#303--2012-11-13)
[Compare Source](https://togithub.com/expressjs/express/compare/3.0.2...3.0.3)
- update connect
- update cookie module
- fix cookie max-age
### [`v3.0.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#302--2012-11-08)
[Compare Source](https://togithub.com/expressjs/express/compare/3.0.1...3.0.2)
- add OPTIONS to cors example. Closes [#1398](https://togithub.com/expressjs/express/issues/1398)
- fix route chaining regression. Closes [#1397](https://togithub.com/expressjs/express/issues/1397)
### [`v3.0.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#301--2012-11-01)
- update connect
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
This PR contains the following updates:
3.0.0 -> 3.11.0
GitHub Vulnerability Alerts
CVE-2014-6393
Closes [#1619](https://togithub.com/expressjs/express/issues/1619) ### [`v3.2.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#324--2013-05-09) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.3...3.2.4) \================== - fix `req.subdomains` when no Host is present - fix `req.host` when no Host is present, return undefined ### [`v3.2.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#323--2013-05-07) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.2...3.2.3) \================== - update connect / qs ### [`v3.2.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#322--2013-05-03) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.1...3.2.2) \================== - update qs ### [`v3.2.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#321--2013-04-29) [Compare Source](https://togithub.com/expressjs/express/compare/3.2.0...3.2.1) \================== - add app.VERB() paths array deprecation warning - update connect - update qs and remove all ~ semver crap - fix: accept number as value of Signed Cookie ### [`v3.2.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#320--2013-04-15) [Compare Source](https://togithub.com/expressjs/express/compare/3.1.2...3.2.0) \================== - add "view" constructor setting to override view behaviour - add req.acceptsEncoding(name) - add req.acceptedEncodings - revert cookie signature change causing session race conditions - fix sorting of Accept values of the same quality ### [`v3.1.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#312--2013-04-12) [Compare Source](https://togithub.com/expressjs/express/compare/3.1.1...3.1.2) \================== - add support for custom Accept parameters - update cookie-signature ### [`v3.1.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#311--2013-04-01) [Compare Source](https://togithub.com/expressjs/express/compare/3.1.0...3.1.1) 
\================== - add X-Forwarded-Host support to `req.host` - fix relative redirects - update mkdirp - update buffer-crc32 - remove legacy app.configure() method from app template. ### [`v3.1.0`](https://togithub.com/expressjs/express/blob/HEAD/History.md#310--2013-01-25) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.6...3.1.0) \================== - add support for leading "." in "view engine" setting - add array support to `res.set()` - add node 0.8.x to travis.yml - add "subdomain offset" setting for tweaking `req.subdomains` - add `res.location(url)` implementing `res.redirect()`-like setting of Location - use app.get() for x-powered-by setting for inheritance - fix colons in passwords for `req.auth` ### [`v3.0.6`](https://togithub.com/expressjs/express/blob/HEAD/History.md#306--2013-01-04) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.5...3.0.6) \================== - add http verb methods to Router - update connect - fix mangling of the `res.cookie()` options object - fix jsonp whitespace escape. 
Closes [#1132](https://togithub.com/expressjs/express/issues/1132) ### [`v3.0.5`](https://togithub.com/expressjs/express/blob/HEAD/History.md#305--2012-12-19) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.4...3.0.5) \================== - add throwing when a non-function is passed to a route - fix: explicitly remove Transfer-Encoding header from 204 and 304 responses - revert "add 'etag' option" ### [`v3.0.4`](https://togithub.com/expressjs/express/blob/HEAD/History.md#304--2012-12-05) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.3...3.0.4) \================== - add 'etag' option to disable `res.send()` Etags - add escaping of urls in text/plain in `res.redirect()` for old browsers interpreting as html - change crc32 module for a more liberal license - update connect ### [`v3.0.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#303--2012-11-13) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.2...3.0.3) \================== - update connect - update cookie module - fix cookie max-age ### [`v3.0.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#302--2012-11-08) [Compare Source](https://togithub.com/expressjs/express/compare/3.0.1...3.0.2) \================== - add OPTIONS to cors example. Closes [#1398](https://togithub.com/expressjs/express/issues/1398) - fix route chaining regression. Closes [#1397](https://togithub.com/expressjs/express/issues/1397) ### [`v3.0.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#301--2012-11-01) \================== - update connectConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.