Update dependency express to v3.21.0

[uriel-mend-app]

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	3.0.0 -> 3.21.0

This PR resolves the vulnerability described in Issue #16

---

Version 3.0.0

Risk Change	Critical	High	Medium	Low
N/A	0	4	8	0

Version 3.21.0

Risk Change	Critical	High	Medium	Low
-50%	0 (--)	2 (-2 )	1 (-7 )	2 (+2)

Version 3.21.2

Risk Change	Critical	High	Medium	Low
-50%	0 (--)	2 (-2 )	1 (-7 )	2 (+2)

Mend ensures you have the greatest risk reduction ("Recommended Fix"-highlighted in green) by removing as many vulnerabilities as possible. Click to see how we calculate risk reduction.

---

Release Notes

expressjs/express

v3.21.0

Compare Source

===================

• deps: basic-auth@1.0.2
  • perf: enable strict mode
  • perf: hoist regular expression
  • perf: parse with regular expressions
  • perf: remove argument reassignment
• deps: connect@2.30.0
  • deps: body-parser@~1.13.1
  • deps: bytes@2.1.0
  • deps: compression@~1.5.0
  • deps: cookie@0.1.3
  • deps: cookie-parser@~1.3.5
  • deps: csurf@~1.8.3
  • deps: errorhandler@~1.4.0
  • deps: express-session@~1.11.3
  • deps: finalhandler@0.4.0
  • deps: fresh@0.3.0
  • deps: morgan@~1.6.0
  • deps: serve-favicon@~2.3.0
  • deps: serve-index@~1.7.0
  • deps: serve-static@~1.10.0
  • deps: type-is@~1.6.3
• deps: cookie@0.1.3
  • perf: deduce the scope of try-catch deopt
  • perf: remove argument reassignments
• deps: escape-html@1.0.2
• deps: etag@~1.7.0
  • Always include entity length in ETags for hash length extensions
  • Generate non-Stats ETags using MD5 only (no longer CRC32)
  • Improve stat performance by removing hashing
  • Improve support for JXcore
  • Remove base64 padding in ETags to shorten
  • Support "fake" stats objects in environments without fs
  • Use MD5 instead of MD4 in weak ETags over 1KB
• deps: fresh@0.3.0
  • Add weak ETag matching support
• deps: mkdirp@0.5.1
  • Work in global strict mode
• deps: send@0.13.0
  • Allow Node.js HTTP server to set Date response header
  • Fix incorrectly removing Content-Location on 304 response
  • Improve the default redirect response headers
  • Send appropriate headers on default error response
  • Use http-errors for standard emitted errors
  • Use statuses instead of http module for status messages
  • deps: escape-html@1.0.2
  • deps: etag@~1.7.0
  • deps: fresh@0.3.0
  • deps: on-finished@~2.3.0
  • perf: enable strict mode
  • perf: remove unnecessary array allocations

v3.20.3

Compare Source

===================

• deps: connect@2.29.2
  • deps: body-parser@~1.12.4
  • deps: compression@~1.4.4
  • deps: connect-timeout@~1.6.2
  • deps: debug@~2.2.0
  • deps: depd@~1.0.1
  • deps: errorhandler@~1.3.6
  • deps: finalhandler@0.3.6
  • deps: method-override@~2.3.3
  • deps: morgan@~1.5.3
  • deps: qs@2.4.2
  • deps: response-time@~2.3.1
  • deps: serve-favicon@~2.2.1
  • deps: serve-index@~1.6.4
  • deps: serve-static@~1.9.3
  • deps: type-is@~1.6.2
• deps: debug@~2.2.0
  • deps: ms@0.7.1
• deps: depd@~1.0.1
• deps: proxy-addr@~1.0.8
  • deps: ipaddr.js@1.0.1
• deps: send@0.12.3
  • deps: debug@~2.2.0
  • deps: depd@~1.0.1
  • deps: etag@~1.6.0
  • deps: ms@0.7.1
  • deps: on-finished@~2.2.1

v3.20.2

Compare Source

===================

• deps: connect@2.29.1
  • deps: body-parser@~1.12.2
  • deps: compression@~1.4.3
  • deps: connect-timeout@~1.6.1
  • deps: debug@~2.1.3
  • deps: errorhandler@~1.3.5
  • deps: express-session@~1.10.4
  • deps: finalhandler@0.3.4
  • deps: method-override@~2.3.2
  • deps: morgan@~1.5.2
  • deps: qs@2.4.1
  • deps: serve-index@~1.6.3
  • deps: serve-static@~1.9.2
  • deps: type-is@~1.6.1
• deps: debug@~2.1.3
  • Fix high intensity foreground color for bold
  • deps: ms@0.7.0
• deps: merge-descriptors@1.0.0
• deps: proxy-addr@~1.0.7
  • deps: ipaddr.js@0.1.9
• deps: send@0.12.2
  • Throw errors early for invalid extensions or index options
  • deps: debug@~2.1.3

v3.20.1

Compare Source

===================

• Fix req.host when using "trust proxy" hops count
• Fix req.protocol/req.secure when using "trust proxy" hops count

v3.20.0

Compare Source

===================

• Fix "trust proxy" setting to inherit when app is mounted
• Generate ETags for all request responses
  • No longer restricted to only responses for GET and HEAD requests
• Use content-type to parse Content-Type headers
• deps: connect@2.29.0
  • Use content-type to parse Content-Type headers
  • deps: body-parser@~1.12.0
  • deps: compression@~1.4.1
  • deps: connect-timeout@~1.6.0
  • deps: cookie-parser@~1.3.4
  • deps: cookie-signature@1.0.6
  • deps: csurf@~1.7.0
  • deps: errorhandler@~1.3.4
  • deps: express-session@~1.10.3
  • deps: http-errors@~1.3.1
  • deps: response-time@~2.3.0
  • deps: serve-index@~1.6.2
  • deps: serve-static@~1.9.1
  • deps: type-is@~1.6.0
• deps: cookie-signature@1.0.6
• deps: send@0.12.1
  • Always read the stat size from the file
  • Fix mutating passed-in options
  • deps: mime@1.3.4

v3.19.2

Compare Source

===================

• deps: connect@2.28.3
  • deps: compression@~1.3.1
  • deps: csurf@~1.6.6
  • deps: errorhandler@~1.3.3
  • deps: express-session@~1.10.2
  • deps: serve-index@~1.6.1
  • deps: type-is@~1.5.6
• deps: proxy-addr@~1.0.6
  • deps: ipaddr.js@0.1.8

v3.19.1

Compare Source

===================

• deps: connect@2.28.2
  • deps: body-parser@~1.10.2
  • deps: serve-static@~1.8.1
• deps: send@0.11.1
  • Fix root path disclosure

v3.19.0

Compare Source

===================

• Fix OPTIONS responses to include the HEAD method property
• Use readline for prompt in express(1)
• deps: commander@2.6.0
• deps: connect@2.28.1
  • deps: body-parser@~1.10.1
  • deps: compression@~1.3.0
  • deps: connect-timeout@~1.5.0
  • deps: csurf@~1.6.4
  • deps: debug@~2.1.1
  • deps: errorhandler@~1.3.2
  • deps: express-session@~1.10.1
  • deps: finalhandler@0.3.3
  • deps: method-override@~2.3.1
  • deps: morgan@~1.5.1
  • deps: serve-favicon@~2.2.0
  • deps: serve-index@~1.6.0
  • deps: serve-static@~1.8.0
  • deps: type-is@~1.5.5
• deps: debug@~2.1.1
• deps: methods@~1.1.1
• deps: proxy-addr@~1.0.5
  • deps: ipaddr.js@0.1.6
• deps: send@0.11.0
  • deps: debug@~2.1.1
  • deps: etag@~1.5.1
  • deps: ms@0.7.0
  • deps: on-finished@~2.2.0

v3.18.6

Compare Source

===================

• Fix exception in req.fresh/req.stale without response headers

v3.18.5

Compare Source

===================

• deps: connect@2.27.6
  • deps: compression@~1.2.2
  • deps: express-session@~1.9.3
  • deps: http-errors@~1.2.8
  • deps: serve-index@~1.5.3
  • deps: type-is@~1.5.4

v3.18.4

Compare Source

===================

• deps: connect@2.27.4
  • deps: body-parser@~1.9.3
  • deps: compression@~1.2.1
  • deps: errorhandler@~1.2.3
  • deps: express-session@~1.9.2
  • deps: qs@2.3.3
  • deps: serve-favicon@~2.1.7
  • deps: serve-static@~1.5.1
  • deps: type-is@~1.5.3
• deps: etag@~1.5.1
• deps: proxy-addr@~1.0.4
  • deps: ipaddr.js@0.1.5

v3.18.3

Compare Source

===================

• deps: connect@2.27.3
  • Correctly invoke async callback asynchronously
  • deps: csurf@~1.6.3

v3.18.2

Compare Source

===================

• deps: connect@2.27.2
  • Fix handling of URLs containing :// in the path
  • deps: body-parser@~1.9.2
  • deps: qs@2.3.2

v3.18.1

Compare Source

===================

• Fix internal utils.merge deprecation warnings
• deps: connect@2.27.1
  • deps: body-parser@~1.9.1
  • deps: express-session@~1.9.1
  • deps: finalhandler@0.3.2
  • deps: morgan@~1.4.1
  • deps: qs@2.3.0
  • deps: serve-static@~1.7.1
• deps: send@0.10.1
  • deps: on-finished@~2.1.1

v3.18.0

Compare Source

===================

• Use content-disposition module for res.attachment/res.download
  • Sends standards-compliant Content-Disposition header
  • Full Unicode support
• Use etag module to generate ETag headers
• deps: connect@2.27.0
  • Use http-errors module for creating errors
  • Use utils-merge module for merging objects
  • deps: body-parser@~1.9.0
  • deps: compression@~1.2.0
  • deps: connect-timeout@~1.4.0
  • deps: debug@~2.1.0
  • deps: depd@~1.0.0
  • deps: express-session@~1.9.0
  • deps: finalhandler@0.3.1
  • deps: method-override@~2.3.0
  • deps: morgan@~1.4.0
  • deps: response-time@~2.2.0
  • deps: serve-favicon@~2.1.6
  • deps: serve-index@~1.5.0
  • deps: serve-static@~1.7.0
• deps: debug@~2.1.0
  • Implement DEBUG_FD env variable support
• deps: depd@~1.0.0
• deps: send@0.10.0
  • deps: debug@~2.1.0
  • deps: depd@~1.0.0
  • deps: etag@~1.5.0

v3.17.8

Compare Source

===================

• deps: connect@2.26.6
  • deps: compression@~1.1.2
  • deps: csurf@~1.6.2
  • deps: errorhandler@~1.2.2

v3.17.7

Compare Source

===================

• deps: connect@2.26.5
  • Fix accepting non-object arguments to logger
  • deps: serve-static@~1.6.4

v3.17.6

Compare Source

===================

• deps: connect@2.26.4
  • deps: morgan@~1.3.2
  • deps: type-is@~1.5.2

v3.17.5

Compare Source

===================

• deps: connect@2.26.3
  • deps: body-parser@~1.8.4
  • deps: serve-favicon@~2.1.5
  • deps: serve-static@~1.6.3
• deps: proxy-addr@~1.0.3
  • Use forwarded npm module
• deps: send@0.9.3
  • deps: etag@~1.4.0

v3.17.4

Compare Source

===================

• deps: connect@2.26.2
  • deps: body-parser@~1.8.3
  • deps: qs@2.2.4

v3.17.3

Compare Source

===================

• deps: proxy-addr@~1.0.2
  • Fix a global leak when multiple subnets are trusted
  • deps: ipaddr.js@0.1.3

v3.17.2

Compare Source

===================

• Use crc instead of buffer-crc32 for speed
• deps: connect@2.26.1
  • deps: body-parser@~1.8.2
  • deps: depd@0.4.5
  • deps: express-session@~1.8.2
  • deps: morgan@~1.3.1
  • deps: serve-favicon@~2.1.3
  • deps: serve-static@~1.6.2
• deps: depd@0.4.5
• deps: send@0.9.2
  • deps: depd@0.4.5
  • deps: etag@~1.3.1
  • deps: range-parser@~1.0.2

v3.17.1

Compare Source

===================

• Fix error in req.subdomains on empty host

v3.17.0

Compare Source

===================

• Support X-Forwarded-Host in req.subdomains
• Support IP address host in req.subdomains
• deps: connect@2.26.0
  • deps: body-parser@~1.8.1
  • deps: compression@~1.1.0
  • deps: connect-timeout@~1.3.0
  • deps: cookie-parser@~1.3.3
  • deps: cookie-signature@1.0.5
  • deps: csurf@~1.6.1
  • deps: debug@~2.0.0
  • deps: errorhandler@~1.2.0
  • deps: express-session@~1.8.1
  • deps: finalhandler@0.2.0
  • deps: fresh@0.2.4
  • deps: media-typer@0.3.0
  • deps: method-override@~2.2.0
  • deps: morgan@~1.3.0
  • deps: qs@2.2.3
  • deps: serve-favicon@~2.1.3
  • deps: serve-index@~1.2.1
  • deps: serve-static@~1.6.1
  • deps: type-is@~1.5.1
  • deps: vhost@~3.0.0
• deps: cookie-signature@1.0.5
• deps: debug@~2.0.0
• deps: fresh@0.2.4
• deps: media-typer@0.3.0
  • Throw error when parameter format invalid on parse
• deps: range-parser@~1.0.2
• deps: send@0.9.1
  • Add lastModified option
  • Use etag to generate ETag header
  • deps: debug@~2.0.0
  • deps: fresh@0.2.4
• deps: vary@~1.0.0
  • Accept valid Vary header string as field

v3.16.10

Compare Source

====================

• deps: connect@2.25.10
  • deps: serve-static@~1.5.4
• deps: send@0.8.5
  • Fix a path traversal issue when using root
  • Fix malicious path detection for empty string path

v3.16.9

Compare Source

===================

• deps: connect@2.25.9
  • deps: body-parser@~1.6.7
  • deps: qs@2.2.2

v3.16.8

Compare Source

===================

• deps: connect@2.25.8
  • deps: body-parser@~1.6.6
  • deps: csurf@~1.4.1
  • deps: qs@2.2.0

v3.16.7

Compare Source

===================

• deps: connect@2.25.7
  • deps: body-parser@~1.6.5
  • deps: express-session@~1.7.6
  • deps: morgan@~1.2.3
  • deps: serve-static@~1.5.3
• deps: send@0.8.3
  • deps: destroy@1.0.3
  • deps: on-finished@2.1.0

v3.16.6

Compare Source

===================

• deps: connect@2.25.6
  • deps: body-parser@~1.6.4
  • deps: qs@1.2.2
  • deps: serve-static@~1.5.2
• deps: send@0.8.2
  • Work around fd leak in Node.js 0.10 for fs.ReadStream

v3.16.5

Compare Source

===================

• deps: connect@2.25.5
  • Fix backwards compatibility in logger

v3.16.4

Compare Source

===================

• Fix original URL parsing in res.location
• deps: connect@2.25.4
  • Fix query middleware breaking with argument
  • deps: body-parser@~1.6.3
  • deps: compression@~1.0.11
  • deps: connect-timeout@~1.2.2
  • deps: express-session@~1.7.5
  • deps: method-override@~2.1.3
  • deps: on-headers@~1.0.0
  • deps: parseurl@~1.3.0
  • deps: qs@1.2.1
  • deps: response-time@~2.0.1
  • deps: serve-index@~1.1.6
  • deps: serve-static@~1.5.1
• deps: parseurl@~1.3.0

v3.16.3

Compare Source

===================

• deps: connect@2.25.3
  • deps: multiparty@3.3.2

v3.16.2

Compare Source

===================

• deps: connect@2.25.2
  • deps: body-parser@~1.6.2
  • deps: qs@1.2.0

v3.16.1

Compare Source

====================

• deps: connect@2.25.10
  • deps: serve-static@~1.5.4
• deps: send@0.8.5
  • Fix a path traversal issue when using root
  • Fix malicious path detection for empty string path

v3.16.0

Compare Source

===================

• deps: connect@2.25.0
  • deps: body-parser@~1.6.0
  • deps: compression@~1.0.10
  • deps: csurf@~1.4.0
  • deps: express-session@~1.7.4
  • deps: qs@1.0.2
  • deps: serve-static@~1.5.0
• deps: send@0.8.1
  • Add extensions option

v3.15.3

Compare Source

===================

• fix res.sendfile regression for serving directory index files
• deps: connect@2.24.3
  • deps: serve-index@~1.1.5
  • deps: serve-static@~1.4.4
• deps: send@0.7.4
  • Fix incorrect 403 on Windows and Node.js 0.11
  • Fix serving index files without root dir

v3.15.2

Compare Source

===================

• deps: connect@2.24.2
  • deps: body-parser@~1.5.2
  • deps: depd@0.4.4
  • deps: express-session@~1.7.2
  • deps: morgan@~1.2.2
  • deps: serve-static@~1.4.2
• deps: depd@0.4.4
  • Work-around v8 generating empty stack traces
• deps: send@0.7.2
  • deps: depd@0.4.4

v3.15.1

Compare Source

===================

• deps: connect@2.24.1
  • deps: body-parser@~1.5.1
  • deps: depd@0.4.3
  • deps: express-session@~1.7.1
  • deps: morgan@~1.2.1
  • deps: serve-index@~1.1.4
  • deps: serve-static@~1.4.1
• deps: depd@0.4.3
  • Fix exception when global Error.stackTraceLimit is too low
• deps: send@0.7.1
  • deps: depd@0.4.3

v3.15.0

Compare Source

===================

• Fix req.protocol for proxy-direct connections
• Pass options from res.sendfile to send
• deps: connect@2.24.0
  • deps: body-parser@~1.5.0
  • deps: compression@~1.0.9
  • deps: connect-timeout@~1.2.1
  • deps: debug@1.0.4
  • deps: depd@0.4.2
  • deps: express-session@~1.7.0
  • deps: finalhandler@0.1.0
  • deps: method-override@~2.1.2
  • deps: morgan@~1.2.0
  • deps: multiparty@3.3.1
  • deps: parseurl@~1.2.0
  • deps: serve-static@~1.4.0
• deps: debug@1.0.4
• deps: depd@0.4.2
  • Add TRACE_DEPRECATION environment variable
  • Remove non-standard grey color from color output
  • Support --no-deprecation argument
  • Support --trace-deprecation argument
• deps: parseurl@~1.2.0
  • Cache URLs based on original value
  • Remove no-longer-needed URL mis-parse work-around
  • Simplify the "fast-path" RegExp
• deps: send@0.7.0
  • Add dotfiles option
  • Cap maxAge value to 1 year
  • deps: debug@1.0.4
  • deps: depd@0.4.2

v3.14.0

Compare Source

===================

• add explicit "Rosetta Flash JSONP abuse" protection
  • previous versions are not vulnerable; this is just explicit protection
• deprecate res.redirect(url, status) -- use res.redirect(status, url) instead
• fix res.send(status, num) to send num as json (not error)
• remove unnecessary escaping when res.jsonp returns JSON response
• deps: basic-auth@1.0.0
  • support empty password
  • support empty username
• deps: connect@2.23.0
  • deps: debug@1.0.3
  • deps: express-session@~1.6.4
  • deps: method-override@~2.1.0
  • deps: parseurl@~1.1.3
  • deps: serve-static@~1.3.1
• deps: debug@1.0.3
  • Add support for multiple wildcards in namespaces
• deps: methods@1.1.0
  • add CONNECT
• deps: parseurl@~1.1.3
  • faster parsing of href-only URLs

v3.13.0

Compare Source

===================

• add deprecation message to app.configure
• add deprecation message to req.auth
• use basic-auth to parse Authorization header
• deps: connect@2.22.0
  • deps: csurf@~1.3.0
  • deps: express-session@~1.6.1
  • deps: multiparty@3.3.0
  • deps: serve-static@~1.3.0
• deps: send@0.5.0
  • Accept string for maxage (converted by ms)
  • Include link in default redirect response

v3.12.1

Compare Source

===================

• deps: connect@2.21.1
  • deps: cookie-parser@1.3.2
  • deps: cookie-signature@1.0.4
  • deps: express-session@~1.5.2
  • deps: type-is@~1.3.2
• deps: cookie-signature@1.0.4
  • fix for timing attacks

v3.12.0

Compare Source

===================

• use media-typer to alter content-type charset
• deps: connect@2.21.0
  • deprecate connect(middleware) -- use app.use(middleware) instead
  • deprecate connect.createServer() -- use connect() instead
  • fix res.setHeader() patch to work with get -> append -> set pattern
  • deps: compression@~1.0.8
  • deps: errorhandler@~1.1.1
  • deps: express-session@~1.5.0
  • deps: serve-index@~1.1.3

v3.11.0

Compare Source

===================

• deprecate things with depd module
• deps: buffer-crc32@​0.2.3
• deps: connect@2.20.2
  • deprecate verify option to json -- use body-parser npm module instead
  • deprecate verify option to urlencoded -- use body-parser npm module instead
  • deprecate things with depd module
  • use finalhandler for final response handling
  • use media-typer to parse content-type for charset
  • deps: body-parser@1.4.3
  • deps: connect-timeout@1.1.1
  • deps: cookie-parser@1.3.1
  • deps: csurf@1.2.2
  • deps: errorhandler@1.1.0
  • deps: express-session@1.4.0
  • deps: multiparty@3.2.9
  • deps: serve-index@1.1.2
  • deps: type-is@1.3.1
  • deps: vhost@2.0.0

v3.10.5

Compare Source

===================

• deps: connect@2.19.6
  • deps: body-parser@1.3.1
  • deps: compression@1.0.7
  • deps: debug@1.0.2
  • deps: serve-index@1.1.1
  • deps: serve-static@1.2.3
• deps: debug@1.0.2
• deps: send@0.4.3
  • Do not throw uncatchable error on file open race condition
  • Use escape-html for HTML escaping
  • deps: debug@1.0.2
  • deps: finished@1.2.2
  • deps: fresh@0.2.2

v3.10.4

Compare Source

===================

• deps: connect@2.19.5
  • fix "event emitter leak" warnings
  • deps: csurf@1.2.1
  • deps: debug@1.0.1
  • deps: serve-static@1.2.2
  • deps: type-is@1.2.1
• deps: debug@1.0.1
• deps: send@0.4.2
  • fix "event emitter leak" warnings
  • deps: finished@1.2.1
  • deps: debug@1.0.1

v3.10.3

Compare Source

===================

• use vary module for res.vary
• deps: connect@2.19.4
  • deps: errorhandler@1.0.2
  • deps: method-override@2.0.2
  • deps: serve-favicon@2.0.1
• deps: debug@1.0.0

v3.10.2

Compare Source

===================

• deps: connect@2.19.3
  • deps: compression@1.0.6

v3.10.1

Compare Source

===================

• deps: connect@2.19.2
  • deps: compression@1.0.4
• deps: proxy-addr@1.0.1

v3.10.0

Compare Source

===================

• deps: connect@2.19.1
  • deprecate methodOverride() -- use method-override npm module instead
  • deps: body-parser@1.3.0
  • deps: method-override@2.0.1
  • deps: multiparty@3.2.8
  • deps: response-time@2.0.0
  • deps: serve-static@1.2.1
• deps: methods@1.0.1
• deps: send@0.4.1
  • Send max-age in Cache-Control in correct format

v3.9.0

Compare Source

==================

• custom etag control with app.set('etag', val)
  • app.set('etag', function(body, encoding){ return '"etag"' }) custom etag generation
  • app.set('etag', 'weak') weak tag
  • app.set('etag', 'strong') strong etag
  • app.set('etag', false) turn off
  • app.set('etag', true) standard etag
• Include ETag in HEAD requests
• mark res.send ETag as weak and reduce collisions
• update connect to 2.18.0
  • deps: compression@1.0.3
  • deps: serve-index@1.1.0
  • deps: serve-static@1.2.0
• update send to 0.4.0
  • Calculate ETag with md5 for reduced collisions
  • Ignore stream errors after request ends
  • deps: debug@0.8.1

v3.8.1

Compare Source

==================

• update connect to 2.17.3
  • deps: body-parser@1.2.2
  • deps: express-session@1.2.1
  • deps: method-override@1.0.2

v3.8.0

Compare Source

==================

• keep previous Content-Type for res.jsonp
• set proper charset in Content-Type for res.send
• update connect to 2.17.1
  • fix res.charset appending charset when content-type has one
  • deps: express-session@1.2.0
  • deps: morgan@1.1.1
  • deps: serve-index@1.0.3

v3.7.0

Compare Source

==================

• proper proxy trust with app.set('trust proxy', trust)
  • app.set('trust proxy', 1) trust first hop
  • app.set('trust proxy', 'loopback') trust loopback addresses
  • app.set('trust proxy', '10.0.0.1') trust single IP
  • app.set('trust proxy', '10.0.0.1/16') trust subnet
  • app.set('trust proxy', '10.0.0.1, 10.0.0.2') trust list
  • app.set('trust proxy', false) turn off
  • app.set('trust proxy', true) trust everything
• update connect to 2.16.2
  • deprecate res.headerSent -- use res.headersSent
  • deprecate res.on("header") -- use on-headers module instead
  • fix edge-case in res.appendHeader that would append in wrong order
  • json: use body-parser
  • urlencoded: use body-parser
  • dep: bytes@1.0.0
  • dep: cookie-parser@1.1.0
  • dep: csurf@1.2.0
  • dep: express-session@1.1.0
  • dep: method-override@1.0.1

v3.6.0

Compare Source

==================

• deprecate app.del() -- use app.delete() instead
• deprecate res.json(obj, status) -- use res.json(status, obj) instead
  • the edge-case res.json(status, num) requires res.status(status).json(num)
• deprecate res.jsonp(obj, status) -- use res.jsonp(status, obj) instead
  • the edge-case res.jsonp(status, num) requires res.status(status).jsonp(num)
• support PURGE method
  • add app.purge
  • add router.purge
  • include PURGE in app.all
• update connect to 2.15.0
  • Add res.appendHeader
  • Call error stack even when response has been sent
  • Patch res.headerSent to return Boolean
  • Patch res.headersSent for node.js 0.8
  • Prevent default 404 handler after response sent
  • dep: compression@1.0.2
  • dep: connect-timeout@1.1.0
  • dep: debug@^0.8.0
  • dep: errorhandler@1.0.1
  • dep: express-session@1.0.4
  • dep: morgan@1.0.1
  • dep: serve-favicon@2.0.0
  • dep: serve-index@1.0.2
• update debug to 0.8.0
  • add enable() method
  • change from stderr to stdout
• update methods to 1.0.0
  • add PURGE
• update mkdirp to 0.5.0

v3.5.3

Compare Source

==================

• fix req.host for IPv6 literals
• fix res.jsonp error if callback param is object

v3.5.2

Compare Source

==================

• update connect to 2.14.5
• update cookie to 0.1.2
• update mkdirp to 0.4.0
• update send to 0.3.0

v3.5.1

Compare Source

==================

• pin less-middleware in generated app

v3.5.0

Compare Source

==================

• bump deps

v3.4.8

Compare Source

==================

• prevent incorrect automatic OPTIONS responses #​1868 @​dpatti
• update binary and examples for jade 1.0 #​1876 @​yossi, #​1877 @​reqshark, #​1892 @​matheusazzi
• throw 400 in case of malformed paths @​rlidwka

v3.4.7

Compare Source

==================

• update connect

v3.4.6

Compare Source

==================

• update connect (raw-body)

v3.4.5

Compare Source

==================

• update connect
• res.location: remove leading ./ #​1802 @​kapouer
• res.redirect: fix `res.redirect('toString') #​1829 @​michaelficarra
• res.send: always send ETag when content-length > 0
• router: add Router.all() method

v3.4.4

Compare Source

==================

• update connect
• update supertest
• update methods
• express(1): replace bodyParser() with urlencoded() and json() #​1795 @​chirag04

v3.4.3

Compare Source

==================

• update connect

v3.4.2

Compare Source

==================

• update connect
• downgrade commander

v3.4.1

Compare Source

==================

• update connect
• update commander
• jsonp: check if callback is a function
• router: wrap encodeURIComponent in a try/catch #​1735 (@​lxe)
• res.format: now includes charset @​1747 (@​sorribas)
• res.links: allow multiple calls @​1746 (@​sorribas)

v3.4.0

Compare Source

==================

• add res.vary(). Closes #​1682
• update connect

v3.3.8

Compare Source

==================

• update connect

v3.3.7

Compare Source

==================

• update connect

v3.3.6

Compare Source

==================

• Revert "remove charset from json responses. Closes #​1631" (causes issues in some clients)
• add: req.accepts take an argument list

v3.3.5

Compare Source

v3.3.4

Compare Source

==================

• update send and connect

v3.3.3

Compare Source

==================

• update connect

v3.3.2

Compare Source

==================

• update connect
• update send
• remove .version export

v3.3.1

Compare Source

==================

• update connect

v3.3.0

Compare Source

==================

• update connect
• add support for multiple X-Forwarded-Proto values. Closes #​1646
• change: remove charset from json responses. Closes #​1631
• change: return actual booleans from req.accept* functions
• fix jsonp callback array throw

v3.2.6

Compare Source

==================

• update connect

v3.2.5

Compare Source

==================

• update connect
• update node-cookie
• add: throw a meaningful error when there is no default engine
• change generation of ETags with res.send() to GET requests only. Closes #​1619

v3.2.4

Compare Source

==================

• fix req.subdomains when no Host is present
• fix req.host when no Host is present, return undefined

v3.2.3

Compare Source

==================

• update connect / qs

v3.2.2

Compare Source

==================

• update qs

v3.2.1

Compare Source

==================

• add app.VERB() paths array deprecation warning
• update connect
• update qs and remove all ~ semver crap
• fix: accept number as value of Signed Cookie

v3.2.0

Compare Source

==================

• add "view" constructor setting to override view behaviour
• add req.acceptsEncoding(name)
• add req.acceptedEncodings
• revert cookie signature change causing session race conditions
• fix sorting of Accept values of the same quality

v3.1.2

Compare Source

==================

• add support for custom Accept parameters
• update cookie-signature

v3.1.1

Compare Source

==================

• add X-Forwarded-Host support to req.host
• fix relative redirects
• update mkdirp
• update buffer-crc32
• remove legacy app.configure() method from app template.

v3.1.0

Compare Source

==================

• add support for leading "." in "view engine" setting
• add array support to res.set()
• add node 0.8.x to travis.yml
• add "subdomain offset" setting for tweaking req.subdomains
• add res.location(url) implementing res.redirect()-like setting of Location
• use app.get() for x-powered-by setting for inheritance
• fix colons in passwords for req.auth

v3.0.6

Compare Source

==================

• add http verb methods to Router
• update connect
• fix mangling of the res.cookie() options object
• fix jsonp whitespace escape. Closes #​1132

v3.0.5

Compare Source

==================

• add throwing when a non-function is passed to a route
• fix: explicitly remove Transfer-Encoding header from 204 and 304 responses
• revert "add 'etag' option"

v3.0.4

Compare Source

==================

• add 'etag' option to disable res.send() Etags
• add escaping of urls in text/plain in res.redirect()
  for old browsers interpreting as html
• change crc32 module for a more liberal license
• update connect

v3.0.3

Compare Source

==================

• update connect
• update cookie module
• fix cookie max-age

v3.0.2

Compare Source

==================

• add OPTIONS to cors example. Closes #​1398
• fix route chaining regression. Closes #​1397

v3.0.1

==================

• update connect

---

• If you want to rebase/retry this PR, click this checkbox.