Update dependency express to v4.21.1 #43

mend-for-github-com · 2022-11-29T07:04:34Z

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	`4.17.1` -> `4.21.1`
express (source)	dependencies	minor	`4.17.1` -> `4.19.0`
express (source)	dependencies	patch	`4.17.1` -> `4.17.2`

By merging this PR, the issue #42 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability
High	7.5	CVE-2024-45296
High	7.5	CVE-2024-52798
Medium	5.3	CVE-2024-47764

By merging this PR, the issue #42 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability
Medium	6.1	CVE-2024-29041

By merging this PR, the issue #42 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability
High	7.5	CVE-2022-24999

Release Notes

expressjs/express (express)

==========

deps: serve-static@0.16.0
- Remove link renderization in html while redirecting
deps: send@0.19.0
- Remove link renderization in html while redirecting
deps: body-parser@0.6.0
- add depth option to customize the depth level in the parser
- IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
Remove link renderization in html while using res.redirect
deps: path-to-regexp@0.1.10
- Adds support for named matching groups in the routes using a regex
- Adds backtracking protection to parameters without regexes defined
deps: encodeurl@~2.0.0
- Removes encoding of \, |, and ^ to align better with URL spec
Deprecate passing options.maxAge and options.expires to res.clearCookie
- Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

`v4.19.2`

Compare Source

==========

Improved fix for open redirect allow list bypass

`v4.19.1`

Compare Source

==========

Allow passing non-strings to res.location with new encoding handling checks

`v4.19.0`

Compare Source

==========

Prevent open redirect allow list bypass due to encodeurl
deps: cookie@0.6.0

`v4.18.3`

Compare Source

==========

Fix routing requests without method
deps: body-parser@1.20.2
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: raw-body@2.5.2
deps: cookie@0.6.0
- Add partitioned option

`v4.18.2`

Compare Source

===================

Fix regression routing a large stack in a single route
deps: body-parser@1.20.1
- deps: qs@6.11.0
- perf: remove unnecessary object clone
deps: qs@6.11.0

`v4.18.1`

Compare Source

===================

Fix hanging on large stack of sync routes

`v4.18.0`

Compare Source

===================

Add "root" option to res.download
Allow options without filename in res.download
Deprecate string and non-integer arguments to res.status
Fix behavior of null/undefined as maxAge in res.cookie
Fix handling very large stacks of sync middleware
Ignore Object.prototype values in settings through app.set/app.get
Invoke default with same arguments as types in res.format
Support proper 205 responses using res.send
Use http-errors for res.format error
deps: body-parser@1.20.0
- Fix error message for json parse whitespace in strict
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: depd@2.0.0
- deps: http-errors@2.0.0
- deps: on-finished@2.4.1
- deps: qs@6.10.3
- deps: raw-body@2.5.1
deps: cookie@0.5.0
- Add priority option
- Fix expires option to reject invalid dates
deps: depd@2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: finalhandler@1.2.0
- Remove set content headers that break response
- deps: on-finished@2.4.1
- deps: statuses@2.0.1
deps: on-finished@2.4.1
- Prevent loss of async hooks context
deps: qs@6.10.3
deps: send@0.18.0
- Fix emitted 416 error missing headers property
- Limit the headers removed for 304 response
- deps: depd@2.0.0
- deps: destroy@1.2.0
- deps: http-errors@2.0.0
- deps: on-finished@2.4.1
- deps: statuses@2.0.1
deps: serve-static@1.15.0
- deps: send@0.18.0
deps: statuses@2.0.1
- Remove code 306
- Rename 425 Unordered Collection to standard 425 Too Early

`v4.17.3`

Compare Source

===================

deps: accepts@~1.3.8
- deps: mime-types@~2.1.34
- deps: negotiator@0.6.3
deps: body-parser@1.19.2
- deps: bytes@3.1.2
- deps: qs@6.9.7
- deps: raw-body@2.4.3
deps: cookie@0.4.2
deps: qs@6.9.7
- Fix handling of __proto__ keys
pref: remove unnecessary regexp for trust proxy

`v4.17.2`

Compare Source

===================

Fix handling of undefined in res.jsonp
Fix handling of undefined when "json escape" is enabled
Fix incorrect middleware execution with unanchored RegExps
Fix res.jsonp(obj, status) deprecation message
Fix typo in res.is JSDoc
deps: body-parser@1.19.1
- deps: bytes@3.1.1
- deps: http-errors@1.8.1
- deps: qs@6.9.6
- deps: raw-body@2.4.2
- deps: safe-buffer@5.2.1
- deps: type-is@~1.6.18
deps: content-disposition@0.5.4
- deps: safe-buffer@5.2.1
deps: cookie@0.4.1
- Fix maxAge option to reject invalid values
deps: proxy-addr@~2.0.7
- Use req.socket over deprecated req.connection
- deps: forwarded@0.2.0
- deps: ipaddr.js@1.9.1
deps: qs@6.9.6
deps: safe-buffer@5.2.1
deps: send@0.17.2
- deps: http-errors@1.8.1
- deps: ms@2.1.3
- pref: ignore empty http tokens
deps: serve-static@1.14.2
- deps: send@0.17.2
deps: setprototypeof@1.2.0

If you want to rebase/retry this PR, check this box

mend-for-github-com bot added the security fix Security fix generated by Mend label Nov 29, 2022

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2~~ Update dependency express to v4.17.2 - autoclosed Mar 27, 2023

mend-for-github-com bot closed this Mar 27, 2023

mend-for-github-com bot deleted the whitesource-remediate/express-4.x-lockfile branch March 27, 2023 01:42

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2 - autoclosed~~ Update dependency express to v4.17.2 Mar 30, 2023

mend-for-github-com bot reopened this Mar 30, 2023

mend-for-github-com bot restored the whitesource-remediate/express-4.x-lockfile branch March 30, 2023 10:26

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2~~ Update dependency express to v4.17.2 - autoclosed Jun 16, 2023

mend-for-github-com bot closed this Jun 16, 2023

mend-for-github-com bot deleted the whitesource-remediate/express-4.x-lockfile branch June 16, 2023 04:14

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2 - autoclosed~~ Update dependency express to v4.17.2 Jun 19, 2023

mend-for-github-com bot reopened this Jun 19, 2023

mend-for-github-com bot restored the whitesource-remediate/express-4.x-lockfile branch June 19, 2023 20:36

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 216a3e5 to 923969b Compare June 19, 2023 20:36

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 923969b to 1b03e35 Compare July 17, 2023 16:50

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 1b03e35 to 3db5dbe Compare August 29, 2023 04:57

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 3db5dbe to 34db2ce Compare November 29, 2023 06:14

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 34db2ce to c4244af Compare January 2, 2024 05:10

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from c4244af to f63726a Compare April 8, 2024 18:41

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2~~ Update dependency express to v4.19.0 Apr 8, 2024

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from f63726a to fa18eba Compare October 28, 2024 07:00

mend-for-github-com bot changed the title ~~Update dependency express to v4.19.0~~ Update dependency express to v4.21.2 Dec 6, 2024

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 5 times, most recently from 00b6502 to 887d4c9 Compare January 30, 2025 00:10

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 3 times, most recently from f898393 to 6794928 Compare February 8, 2025 08:23

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 3 times, most recently from 9872944 to 7fc7f48 Compare February 16, 2025 10:11

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 4 times, most recently from bb633e8 to b51f843 Compare February 28, 2025 18:18

mend-for-github-com bot changed the title ~~Update dependency express to v4.21.2~~ Update dependency express to v4.21.1 Feb 28, 2025

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 3 times, most recently from 267abe5 to 2babf01 Compare March 7, 2025 11:50

mend-for-github-com bot changed the title ~~Update dependency express to v4.21.1~~ Update dependency express to v4.17.2 Mar 31, 2025

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 2babf01 to 2ccce39 Compare March 31, 2025 10:37

Update dependency express to v4.21.1

2d87370

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2~~ Update dependency express to v4.21.1 Apr 30, 2025

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 2ccce39 to 2d87370 Compare April 30, 2025 10:51

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency express to v4.21.1 #43

Update dependency express to v4.21.1 #43

Update dependency express to v4.21.1 #43

Are you sure you want to change the base?

Update dependency express to v4.21.1 #43

Conversation

Release Notes

What's Changed

What's Changed

New Contributors