Update dependency express to v4.20.0 #5

mend-for-github-com · 2022-11-29T01:26:52Z

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	`4.16.3` -> `4.20.0`

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity	CVSS Score	CVE
High	7.5	CVE-2022-24999
Medium	6.1	CVE-2024-29041
Medium	5.0	CVE-2024-43796

Release Notes

expressjs/express (express)

`v4.20.0`

Compare Source

==========

deps: [email protected]
- Remove link renderization in html while redirecting
deps: [email protected]
- Remove link renderization in html while redirecting
deps: [email protected]
- add depth option to customize the depth level in the parser
- IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
Remove link renderization in html while using res.redirect
deps: [email protected]
- Adds support for named matching groups in the routes using a regex
- Adds backtracking protection to parameters without regexes defined
deps: encodeurl@~2.0.0
- Removes encoding of \, |, and ^ to align better with URL spec
Deprecate passing options.maxAge and options.expires to res.clearCookie
- Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

`v4.19.2`

Compare Source

==========

Improved fix for open redirect allow list bypass

`v4.19.1`

Compare Source

==========

Allow passing non-strings to res.location with new encoding handling checks

`v4.19.0`

Compare Source

==========

Prevent open redirect allow list bypass due to encodeurl
deps: [email protected]

`v4.18.3`

Compare Source

==========

Fix routing requests without method
deps: [email protected]
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: [email protected]
deps: [email protected]
- Add partitioned option

`v4.18.2`

Compare Source

===================

Fix regression routing a large stack in a single route
deps: [email protected]
- deps: [email protected]
- perf: remove unnecessary object clone
deps: [email protected]

`v4.18.1`

Compare Source

===================

Fix hanging on large stack of sync routes

`v4.18.0`

Compare Source

===================

Add "root" option to res.download
Allow options without filename in res.download
Deprecate string and non-integer arguments to res.status
Fix behavior of null/undefined as maxAge in res.cookie
Fix handling very large stacks of sync middleware
Ignore Object.prototype values in settings through app.set/app.get
Invoke default with same arguments as types in res.format
Support proper 205 responses using res.send
Use http-errors for res.format error
deps: [email protected]
- Fix error message for json parse whitespace in strict
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Add priority option
- Fix expires option to reject invalid dates
deps: [email protected]
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: [email protected]
- Remove set content headers that break response
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Prevent loss of async hooks context
deps: [email protected]
deps: [email protected]
- Fix emitted 416 error missing headers property
- Limit the headers removed for 304 response
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Remove code 306
- Rename 425 Unordered Collection to standard 425 Too Early

`v4.17.3`

Compare Source

===================

deps: accepts@~1.3.8
- deps: mime-types@~2.1.34
- deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
deps: [email protected]
- Fix handling of __proto__ keys
pref: remove unnecessary regexp for trust proxy

`v4.17.2`

Compare Source

===================

Fix handling of undefined in res.jsonp
Fix handling of undefined when "json escape" is enabled
Fix incorrect middleware execution with unanchored RegExps
Fix res.jsonp(obj, status) deprecation message
Fix typo in res.is JSDoc
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.18
deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Fix maxAge option to reject invalid values
deps: proxy-addr@~2.0.7
- Use req.socket over deprecated req.connection
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- pref: ignore empty http tokens
deps: [email protected]
- deps: [email protected]
deps: [email protected]

`v4.17.1`

Compare Source

===================

Revert "Improve error message for null/undefined to res.status"

`v4.17.0`

Compare Source

===================

Add express.raw to parse bodies into Buffer
Add express.text to parse bodies into string
Improve error message for non-strings to res.sendFile
Improve error message for null/undefined to res.status
Support multiple hosts in X-Forwarded-Host
deps: accepts@~1.3.7
deps: [email protected]
- Add encoding MIK
- Add petabyte (pb) support
- Fix parsing array brackets after index
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.17
deps: [email protected]
deps: [email protected]
- Add SameSite=None support
deps: finalhandler@~1.1.2
- Set stricter Content-Security-Policy header
- deps: parseurl@~1.3.3
- deps: statuses@~1.5.0
deps: parseurl@~1.3.3
deps: proxy-addr@~2.0.5
- deps: [email protected]
deps: [email protected]
- Fix parsing array brackets after index
deps: range-parser@~1.2.1
deps: [email protected]
- Set stricter CSP header in redirect & error responses
- deps: http-errors@~1.7.2
- deps: [email protected]
- deps: [email protected]
- deps: range-parser@~1.2.1
- deps: statuses@~1.5.0
- perf: remove redundant path.normalize call
deps: [email protected]
- Set stricter CSP header in redirect response
- deps: parseurl@~1.3.3
- deps: [email protected]
deps: [email protected]
deps: statuses@~1.5.0
- Add 103 Early Hints
deps: type-is@~1.6.18
- deps: mime-types@~2.1.24
- perf: prevent internal throw on invalid type

`v4.16.4`

Compare Source

===================

Fix issue where "Request aborted" may be logged in res.sendfile
Fix JSDoc for Router constructor
deps: [email protected]
- Fix deprecation warnings on Node.js 10+
- Fix stack trace for strict json parse error
- deps: depd@~1.1.2
- deps: http-errors@~1.6.3
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.16
deps: proxy-addr@~2.0.4
- deps: [email protected]
deps: [email protected]
deps: [email protected]

If you want to rebase/retry this PR, check this box

mend-for-github-com bot added the security fix Security fix generated by Mend label Nov 29, 2022

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.0~~ Update dependency express to v4.17.0 - autoclosed Mar 27, 2023

mend-for-github-com bot closed this Mar 27, 2023

mend-for-github-com bot deleted the whitesource-remediate/express-4.x-lockfile branch March 27, 2023 19:23

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.0 - autoclosed~~ Update dependency express to v4.17.0 Mar 31, 2023

mend-for-github-com bot reopened this Mar 31, 2023

mend-for-github-com bot restored the whitesource-remediate/express-4.x-lockfile branch March 31, 2023 05:47

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.0~~ Update dependency express to v4.17.0 - autoclosed Jun 16, 2023

mend-for-github-com bot closed this Jun 16, 2023

mend-for-github-com bot deleted the whitesource-remediate/express-4.x-lockfile branch June 16, 2023 04:14

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.0 - autoclosed~~ Update dependency express to v4.17.0 Jun 18, 2023

mend-for-github-com bot reopened this Jun 18, 2023

mend-for-github-com bot restored the whitesource-remediate/express-4.x-lockfile branch June 18, 2023 12:02

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from de25478 to 6ad4fde Compare June 18, 2023 12:02

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.0~~ Update dependency express to v4.17.0 - autoclosed Oct 9, 2023

mend-for-github-com bot closed this Oct 9, 2023

mend-for-github-com bot deleted the whitesource-remediate/express-4.x-lockfile branch October 9, 2023 04:30

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.0 - autoclosed~~ Update dependency express to v4.17.0 Oct 10, 2023

mend-for-github-com bot reopened this Oct 10, 2023

mend-for-github-com bot restored the whitesource-remediate/express-4.x-lockfile branch October 10, 2023 04:56

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 6ad4fde to edd0cd6 Compare October 10, 2023 04:56

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.0~~ Update dependency express to v4.19.0 Apr 9, 2024

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from edd0cd6 to aaa399e Compare April 9, 2024 00:17

Update dependency express to v4.20.0

349a4c4

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from aaa399e to 349a4c4 Compare September 30, 2024 12:06

mend-for-github-com bot changed the title ~~Update dependency express to v4.19.0~~ Update dependency express to v4.20.0 Sep 30, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency express to v4.20.0 #5

Update dependency express to v4.20.0 #5

mend-for-github-com bot commented Nov 29, 2022 •

edited

Loading

Update dependency express to v4.20.0 #5

Are you sure you want to change the base?

Update dependency express to v4.20.0 #5

Conversation

mend-for-github-com bot commented Nov 29, 2022 • edited Loading

Release Notes

mend-for-github-com bot commented Nov 29, 2022 •

edited

Loading