Update dependency express to v3.21.0 #53

Merged
merged 1 commit into from
Jul 23, 2023

@uriel-mend-app uriel-mend-app bot commented Mar 22, 2023

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| express (source) | dependencies | minor | 3.0.0 -> 3.21.0 |

This PR resolves the vulnerability described in Issue #16


| Version | Risk Change | Critical | High | Medium | Low |
|---|---|---|---|---|---|
| 3.0.0 | N/A | 0 | 4 | 8 | 0 |
| 3.21.0 | -50% | 0 (--) | 2 (-2) | 1 (-7) | 2 (+2) |
| 3.21.2 | -50% | 0 (--) | 2 (-2) | 1 (-7) | 2 (+2) |

Mend ensures you have the greatest risk reduction ("Recommended Fix"-highlighted in green) by removing as many vulnerabilities as possible.


Release Notes

expressjs/express

v3.21.0

Compare Source

===================

  • deps: basic-auth@1.0.2
    • perf: enable strict mode
    • perf: hoist regular expression
    • perf: parse with regular expressions
    • perf: remove argument reassignment
  • deps: connect@2.30.0
    • deps: body-parser@~1.13.1
    • deps: bytes@2.1.0
    • deps: compression@~1.5.0
    • deps: cookie@0.1.3
    • deps: cookie-parser@~1.3.5
    • deps: csurf@~1.8.3
    • deps: errorhandler@~1.4.0
    • deps: express-session@~1.11.3
    • deps: finalhandler@0.4.0
    • deps: fresh@0.3.0
    • deps: morgan@~1.6.0
    • deps: serve-favicon@~2.3.0
    • deps: serve-index@~1.7.0
    • deps: serve-static@~1.10.0
    • deps: type-is@~1.6.3
  • deps: cookie@0.1.3
    • perf: deduce the scope of try-catch deopt
    • perf: remove argument reassignments
  • deps: escape-html@1.0.2
  • deps: etag@~1.7.0
    • Always include entity length in ETags for hash length extensions
    • Generate non-Stats ETags using MD5 only (no longer CRC32)
    • Improve stat performance by removing hashing
    • Improve support for JXcore
    • Remove base64 padding in ETags to shorten
    • Support "fake" stats objects in environments without fs
    • Use MD5 instead of MD4 in weak ETags over 1KB
  • deps: fresh@0.3.0
    • Add weak ETag matching support
  • deps: mkdirp@0.5.1
    • Work in global strict mode
  • deps: send@0.13.0
    • Allow Node.js HTTP server to set Date response header
    • Fix incorrectly removing Content-Location on 304 response
    • Improve the default redirect response headers
    • Send appropriate headers on default error response
    • Use http-errors for standard emitted errors
    • Use statuses instead of http module for status messages
    • deps: escape-html@1.0.2
    • deps: etag@~1.7.0
    • deps: fresh@0.3.0
    • deps: on-finished@~2.3.0
    • perf: enable strict mode
    • perf: remove unnecessary array allocations

v3.20.3

Compare Source

===================

  • deps: connect@2.29.2
    • deps: body-parser@~1.12.4
    • deps: compression@~1.4.4
    • deps: connect-timeout@~1.6.2
    • deps: debug@~2.2.0
    • deps: depd@~1.0.1
    • deps: errorhandler@~1.3.6
    • deps: finalhandler@0.3.6
    • deps: method-override@~2.3.3
    • deps: morgan@~1.5.3
    • deps: qs@2.4.2
    • deps: response-time@~2.3.1
    • deps: serve-favicon@~2.2.1
    • deps: serve-index@~1.6.4
    • deps: serve-static@~1.9.3
    • deps: type-is@~1.6.2
  • deps: debug@~2.2.0
    • deps: ms@0.7.1
  • deps: depd@~1.0.1
  • deps: proxy-addr@~1.0.8
    • deps: ipaddr.js@1.0.1
  • deps: send@0.12.3
    • deps: debug@~2.2.0
    • deps: depd@~1.0.1
    • deps: etag@~1.6.0
    • deps: ms@0.7.1
    • deps: on-finished@~2.2.1

v3.20.2

Compare Source

===================

  • deps: connect@2.29.1
    • deps: body-parser@~1.12.2
    • deps: compression@~1.4.3
    • deps: connect-timeout@~1.6.1
    • deps: debug@~2.1.3
    • deps: errorhandler@~1.3.5
    • deps: express-session@~1.10.4
    • deps: finalhandler@0.3.4
    • deps: method-override@~2.3.2
    • deps: morgan@~1.5.2
    • deps: qs@2.4.1
    • deps: serve-index@~1.6.3
    • deps: serve-static@~1.9.2
    • deps: type-is@~1.6.1
  • deps: debug@~2.1.3
    • Fix high intensity foreground color for bold
    • deps: ms@0.7.0
  • deps: merge-descriptors@1.0.0
  • deps: proxy-addr@~1.0.7
    • deps: ipaddr.js@0.1.9
  • deps: send@0.12.2
    • Throw errors early for invalid extensions or index options
    • deps: debug@~2.1.3

v3.20.1

Compare Source

===================

  • Fix req.host when using "trust proxy" hops count
  • Fix req.protocol/req.secure when using "trust proxy" hops count

v3.20.0

Compare Source

===================

  • Fix "trust proxy" setting to inherit when app is mounted
  • Generate ETags for all request responses
    • No longer restricted to only responses for GET and HEAD requests
  • Use content-type to parse Content-Type headers
  • deps: connect@2.29.0
    • Use content-type to parse Content-Type headers
    • deps: body-parser@~1.12.0
    • deps: compression@~1.4.1
    • deps: connect-timeout@~1.6.0
    • deps: cookie-parser@~1.3.4
    • deps: cookie-signature@1.0.6
    • deps: csurf@~1.7.0
    • deps: errorhandler@~1.3.4
    • deps: express-session@~1.10.3
    • deps: http-errors@~1.3.1
    • deps: response-time@~2.3.0
    • deps: serve-index@~1.6.2
    • deps: serve-static@~1.9.1
    • deps: type-is@~1.6.0
  • deps: cookie-signature@1.0.6
  • deps: send@0.12.1
    • Always read the stat size from the file
    • Fix mutating passed-in options
    • deps: mime@1.3.4

v3.19.2

Compare Source

===================

  • deps: connect@2.28.3
    • deps: compression@~1.3.1
    • deps: csurf@~1.6.6
    • deps: errorhandler@~1.3.3
    • deps: express-session@~1.10.2
    • deps: serve-index@~1.6.1
    • deps: type-is@~1.5.6
  • deps: proxy-addr@~1.0.6
    • deps: ipaddr.js@0.1.8

v3.19.1

Compare Source

===================

  • deps: connect@2.28.2
    • deps: body-parser@~1.10.2
    • deps: serve-static@~1.8.1
  • deps: send@0.11.1
    • Fix root path disclosure

v3.19.0

Compare Source

===================

  • Fix OPTIONS responses to include the HEAD method property
  • Use readline for prompt in express(1)
  • deps: commander@2.6.0
  • deps: connect@2.28.1
    • deps: body-parser@~1.10.1
    • deps: compression@~1.3.0
    • deps: connect-timeout@~1.5.0
    • deps: csurf@~1.6.4
    • deps: debug@~2.1.1
    • deps: errorhandler@~1.3.2
    • deps: express-session@~1.10.1
    • deps: finalhandler@0.3.3
    • deps: method-override@~2.3.1
    • deps: morgan@~1.5.1
    • deps: serve-favicon@~2.2.0
    • deps: serve-index@~1.6.0
    • deps: serve-static@~1.8.0
    • deps: type-is@~1.5.5
  • deps: debug@~2.1.1
  • deps: methods@~1.1.1
  • deps: proxy-addr@~1.0.5
    • deps: ipaddr.js@0.1.6
  • deps: send@0.11.0
    • deps: debug@~2.1.1
    • deps: etag@~1.5.1
    • deps: ms@0.7.0
    • deps: on-finished@~2.2.0

v3.18.6

Compare Source

===================

  • Fix exception in req.fresh/req.stale without response headers

v3.18.5

Compare Source

===================

  • deps: connect@2.27.6
    • deps: compression@~1.2.2
    • deps: express-session@~1.9.3
    • deps: http-errors@~1.2.8
    • deps: serve-index@~1.5.3
    • deps: type-is@~1.5.4

v3.18.4

Compare Source

===================

  • deps: connect@2.27.4
    • deps: body-parser@~1.9.3
    • deps: compression@~1.2.1
    • deps: errorhandler@~1.2.3
    • deps: express-session@~1.9.2
    • deps: qs@2.3.3
    • deps: serve-favicon@~2.1.7
    • deps: serve-static@~1.5.1
    • deps: type-is@~1.5.3
  • deps: etag@~1.5.1
  • deps: proxy-addr@~1.0.4
    • deps: ipaddr.js@0.1.5

v3.18.3

Compare Source

===================

  • deps: connect@2.27.3
    • Correctly invoke async callback asynchronously
    • deps: csurf@~1.6.3

v3.18.2

Compare Source

===================

  • deps: connect@2.27.2
    • Fix handling of URLs containing :// in the path
    • deps: body-parser@~1.9.2
    • deps: qs@2.3.2

v3.18.1

Compare Source

===================

  • Fix internal utils.merge deprecation warnings
  • deps: connect@2.27.1
    • deps: body-parser@~1.9.1
    • deps: express-session@~1.9.1
    • deps: finalhandler@0.3.2
    • deps: morgan@~1.4.1
    • deps: qs@2.3.0
    • deps: serve-static@~1.7.1
  • deps: send@0.10.1
    • deps: on-finished@~2.1.1

v3.18.0

Compare Source

===================

  • Use content-disposition module for res.attachment/res.download
    • Sends standards-compliant Content-Disposition header
    • Full Unicode support
  • Use etag module to generate ETag headers
  • deps: connect@2.27.0
    • Use http-errors module for creating errors
    • Use utils-merge module for merging objects
    • deps: body-parser@~1.9.0
    • deps: compression@~1.2.0
    • deps: connect-timeout@~1.4.0
    • deps: debug@~2.1.0
    • deps: depd@~1.0.0
    • deps: express-session@~1.9.0
    • deps: finalhandler@0.3.1
    • deps: method-override@~2.3.0
    • deps: morgan@~1.4.0
    • deps: response-time@~2.2.0
    • deps: serve-favicon@~2.1.6
    • deps: serve-index@~1.5.0
    • deps: serve-static@~1.7.0
  • deps: debug@~2.1.0
    • Implement DEBUG_FD env variable support
  • deps: depd@~1.0.0
  • deps: send@0.10.0
    • deps: debug@~2.1.0
    • deps: depd@~1.0.0
    • deps: etag@~1.5.0

v3.17.8

Compare Source

===================

  • deps: connect@2.26.6
    • deps: compression@~1.1.2
    • deps: csurf@~1.6.2
    • deps: errorhandler@~1.2.2

v3.17.7

Compare Source

===================

  • deps: connect@2.26.5
    • Fix accepting non-object arguments to logger
    • deps: serve-static@~1.6.4

v3.17.6

Compare Source

===================

  • deps: connect@2.26.4
    • deps: morgan@~1.3.2
    • deps: type-is@~1.5.2

v3.17.5

Compare Source

===================

  • deps: connect@2.26.3
    • deps: body-parser@~1.8.4
    • deps: serve-favicon@~2.1.5
    • deps: serve-static@~1.6.3
  • deps: proxy-addr@~1.0.3
    • Use forwarded npm module
  • deps: send@0.9.3
    • deps: etag@~1.4.0

v3.17.4

Compare Source

===================

  • deps: connect@2.26.2
    • deps: body-parser@~1.8.3
    • deps: qs@2.2.4

v3.17.3

Compare Source

===================

  • deps: proxy-addr@~1.0.2
    • Fix a global leak when multiple subnets are trusted
    • deps: ipaddr.js@0.1.3

v3.17.2

Compare Source

===================

  • Use crc instead of buffer-crc32 for speed
  • deps: connect@2.26.1
    • deps: body-parser@~1.8.2
    • deps: depd@0.4.5
    • deps: express-session@~1.8.2
    • deps: morgan@~1.3.1
    • deps: serve-favicon@~2.1.3
    • deps: serve-static@~1.6.2
  • deps: depd@0.4.5
  • deps: send@0.9.2
    • deps: depd@0.4.5
    • deps: etag@~1.3.1
    • deps: range-parser@~1.0.2

v3.17.1

Compare Source

===================

  • Fix error in req.subdomains on empty host

v3.17.0

Compare Source

===================

  • Support X-Forwarded-Host in req.subdomains
  • Support IP address host in req.subdomains
  • deps: connect@2.26.0
    • deps: body-parser@~1.8.1
    • deps: compression@~1.1.0
    • deps: connect-timeout@~1.3.0
    • deps: cookie-parser@~1.3.3
    • deps: cookie-signature@1.0.5
    • deps: csurf@~1.6.1
    • deps: debug@~2.0.0
    • deps: errorhandler@~1.2.0
    • deps: express-session@~1.8.1
    • deps: finalhandler@0.2.0
    • deps: fresh@0.2.4
    • deps: media-typer@0.3.0
    • deps: method-override@~2.2.0
    • deps: morgan@~1.3.0
    • deps: qs@2.2.3
    • deps: serve-favicon@~2.1.3
    • deps: serve-index@~1.2.1
    • deps: serve-static@~1.6.1
    • deps: type-is@~1.5.1
    • deps: vhost@~3.0.0
  • deps: cookie-signature@1.0.5
  • deps: debug@~2.0.0
  • deps: fresh@0.2.4
  • deps: media-typer@0.3.0
    • Throw error when parameter format invalid on parse
  • deps: range-parser@~1.0.2
  • deps: send@0.9.1
    • Add lastModified option
    • Use etag to generate ETag header
    • deps: debug@~2.0.0
    • deps: fresh@0.2.4
  • deps: vary@~1.0.0
    • Accept valid Vary header string as field

v3.16.10

Compare Source

====================

  • deps: connect@2.25.10
    • deps: serve-static@~1.5.4
  • deps: send@0.8.5
    • Fix a path traversal issue when using root
    • Fix malicious path detection for empty string path

v3.16.9

Compare Source

===================

  • deps: connect@2.25.9
    • deps: body-parser@~1.6.7
    • deps: qs@2.2.2

v3.16.8

Compare Source

===================

  • deps: connect@2.25.8
    • deps: body-parser@~1.6.6
    • deps: csurf@~1.4.1
    • deps: qs@2.2.0

v3.16.7

Compare Source

===================

  • deps: connect@2.25.7
    • deps: body-parser@~1.6.5
    • deps: express-session@~1.7.6
    • deps: morgan@~1.2.3
    • deps: serve-static@~1.5.3
  • deps: send@0.8.3
    • deps: destroy@1.0.3
    • deps: on-finished@2.1.0

v3.16.6

Compare Source

===================

  • deps: connect@2.25.6
    • deps: body-parser@~1.6.4
    • deps: qs@1.2.2
    • deps: serve-static@~1.5.2
  • deps: send@0.8.2
    • Work around fd leak in Node.js 0.10 for fs.ReadStream

v3.16.5

Compare Source

===================

  • deps: connect@2.25.5
    • Fix backwards compatibility in logger

v3.16.4

Compare Source

===================

  • Fix original URL parsing in res.location
  • deps: connect@2.25.4
    • Fix query middleware breaking with argument
    • deps: body-parser@~1.6.3
    • deps: compression@~1.0.11
    • deps: connect-timeout@~1.2.2
    • deps: express-session@~1.7.5
    • deps: method-override@~2.1.3
    • deps: on-headers@~1.0.0
    • deps: parseurl@~1.3.0
    • deps: qs@1.2.1
    • deps: response-time@~2.0.1
    • deps: serve-index@~1.1.6
    • deps: serve-static@~1.5.1
  • deps: parseurl@~1.3.0

v3.16.3

Compare Source

===================

  • deps: connect@2.25.3
    • deps: multiparty@3.3.2

v3.16.2

Compare Source

===================

  • deps: connect@2.25.2
    • deps: body-parser@~1.6.2
    • deps: qs@1.2.0

v3.16.1

Compare Source

====================

  • deps: connect@2.25.10
    • deps: serve-static@~1.5.4
  • deps: send@0.8.5
    • Fix a path traversal issue when using root
    • Fix malicious path detection for empty string path

v3.16.0

Compare Source

===================

  • deps: connect@2.25.0
    • deps: body-parser@~1.6.0
    • deps: compression@~1.0.10
    • deps: csurf@~1.4.0
    • deps: express-session@~1.7.4
    • deps: qs@1.0.2
    • deps: serve-static@~1.5.0
  • deps: send@0.8.1
    • Add extensions option

v3.15.3

Compare Source

===================

  • fix res.sendfile regression for serving directory index files
  • deps: connect@2.24.3
    • deps: serve-index@~1.1.5
    • deps: serve-static@~1.4.4
  • deps: send@0.7.4
    • Fix incorrect 403 on Windows and Node.js 0.11
    • Fix serving index files without root dir

v3.15.2

Compare Source

===================

  • deps: connect@2.24.2
    • deps: body-parser@~1.5.2
    • deps: depd@0.4.4
    • deps: express-session@~1.7.2
    • deps: morgan@~1.2.2
    • deps: serve-static@~1.4.2
  • deps: depd@0.4.4
    • Work-around v8 generating empty stack traces
  • deps: send@0.7.2
    • deps: depd@0.4.4

v3.15.1

Compare Source

===================

  • deps: connect@2.24.1
    • deps: body-parser@~1.5.1
    • deps: depd@0.4.3
    • deps: express-session@~1.7.1
    • deps: morgan@~1.2.1
    • deps: serve-index@~1.1.4
    • deps: serve-static@~1.4.1
  • deps: depd@0.4.3
    • Fix exception when global Error.stackTraceLimit is too low
  • deps: send@0.7.1
    • deps: depd@0.4.3

v3.15.0

Compare Source

===================

  • Fix req.protocol for proxy-direct connections
  • Pass options from res.sendfile to send
  • deps: connect@2.24.0
    • deps: body-parser@~1.5.0
    • deps: compression@~1.0.9
    • deps: connect-timeout@~1.2.1
    • deps: debug@1.0.4
    • deps: depd@0.4.2
    • deps: express-session@~1.7.0
    • deps: finalhandler@0.1.0
    • deps: method-override@~2.1.2
    • deps: morgan@~1.2.0
    • deps: multiparty@3.3.1
    • deps: parseurl@~1.2.0
    • deps: serve-static@~1.4.0
  • deps: debug@1.0.4
  • deps: depd@0.4.2
    • Add TRACE_DEPRECATION environment variable
    • Remove non-standard grey color from color output
    • Support --no-deprecation argument
    • Support --trace-deprecation argument
  • deps: parseurl@~1.2.0
    • Cache URLs based on original value
    • Remove no-longer-needed URL mis-parse work-around
    • Simplify the "fast-path" RegExp
  • deps: send@0.7.0
    • Add dotfiles option
    • Cap maxAge value to 1 year
    • deps: debug@1.0.4
    • deps: depd@0.4.2

v3.14.0

Compare Source

===================

  • add explicit "Rosetta Flash JSONP abuse" protection
    • previous versions are not vulnerable; this is just explicit protection
  • deprecate res.redirect(url, status) -- use res.redirect(status, url) instead
  • fix res.send(status, num) to send num as json (not error)
  • remove unnecessary escaping when res.jsonp returns JSON response
  • deps: basic-auth@1.0.0
    • support empty password
    • support empty username
  • deps: connect@2.23.0
    • deps: debug@1.0.3
    • deps: express-session@~1.6.4
    • deps: method-override@~2.1.0
    • deps: parseurl@~1.1.3
    • deps: serve-static@~1.3.1
  • deps: debug@1.0.3
    • Add support for multiple wildcards in namespaces
  • deps: methods@1.1.0
    • add CONNECT
  • deps: parseurl@~1.1.3
    • faster parsing of href-only URLs

v3.13.0

Compare Source

===================

  • add deprecation message to app.configure
  • add deprecation message to req.auth
  • use basic-auth to parse Authorization header
  • deps: connect@2.22.0
    • deps: csurf@~1.3.0
    • deps: express-session@~1.6.1
    • deps: multiparty@3.3.0
    • deps: serve-static@~1.3.0
  • deps: send@0.5.0
    • Accept string for maxage (converted by ms)
    • Include link in default redirect response

v3.12.1

Compare Source

===================

  • deps: connect@2.21.1
    • deps: cookie-parser@1.3.2
    • deps: cookie-signature@1.0.4
    • deps: express-session@~1.5.2
    • deps: type-is@~1.3.2
  • deps: cookie-signature@1.0.4
    • fix for timing attacks

v3.12.0

Compare Source

===================

  • use media-typer to alter content-type charset
  • deps: connect@2.21.0
    • deprecate connect(middleware) -- use app.use(middleware) instead
    • deprecate connect.createServer() -- use connect() instead
    • fix res.setHeader() patch to work with get -> append -> set pattern
    • deps: compression@~1.0.8
    • deps: errorhandler@~1.1.1
    • deps: express-session@~1.5.0
    • deps: serve-index@~1.1.3

v3.11.0

Compare Source

===================

  • deprecate things with depd module
  • deps: buffer-crc32@0.2.3
  • deps: connect@2.20.2
    • deprecate verify option to json -- use body-parser npm module instead
    • deprecate verify option to urlencoded -- use body-parser npm module instead
    • deprecate things with depd module
    • use finalhandler for final response handling
    • use media-typer to parse content-type for charset
    • deps: body-parser@1.4.3
    • deps: connect-timeout@1.1.1
    • deps: cookie-parser@1.3.1
    • deps: csurf@1.2.2
    • deps: errorhandler@1.1.0
    • deps: express-session@1.4.0
    • deps: multiparty@3.2.9
    • deps: serve-index@1.1.2
    • deps: type-is@1.3.1
    • deps: vhost@2.0.0

v3.10.5

Compare Source

===================

  • deps: connect@2.19.6
    • deps: body-parser@1.3.1
    • deps: compression@1.0.7
    • deps: debug@1.0.2
    • deps: serve-index@1.1.1
    • deps: serve-static@1.2.3
  • deps: debug@1.0.2
  • deps: send@0.4.3
    • Do not throw uncatchable error on file open race condition
    • Use escape-html for HTML escaping
    • deps: debug@1.0.2
    • deps: finished@1.2.2
    • deps: fresh@0.2.2

v3.10.4

Compare Source

===================

  • deps: connect@2.19.5
    • fix "event emitter leak" warnings
    • deps: csurf@1.2.1
    • deps: debug@1.0.1
    • deps: serve-static@1.2.2
    • deps: type-is@1.2.1
  • deps: debug@1.0.1
  • deps: send@0.4.2
    • fix "event emitter leak" warnings
    • deps: finished@1.2.1
    • deps: debug@1.0.1

v3.10.3

Compare Source

===================

  • use vary module for res.vary
  • deps: connect@2.19.4
    • deps: errorhandler@1.0.2
    • deps: method-override@2.0.2
    • deps: serve-favicon@2.0.1
  • deps: debug@1.0.0

v3.10.2

Compare Source

===================

  • deps: connect@2.19.3
    • deps: compression@1.0.6

v3.10.1

Compare Source

===================

  • deps: connect@2.19.2
    • deps: compression@1.0.4
  • deps: proxy-addr@1.0.1

v3.10.0

Compare Source

===================

  • deps: connect@2.19.1
    • deprecate methodOverride() -- use method-override npm module instead
    • deps: body-parser@1.3.0
    • deps: method-override@2.0.1
    • deps: multiparty@3.2.8
    • deps: response-time@2.0.0
    • deps: serve-static@1.2.1
  • deps: methods@1.0.1
  • deps: send@0.4.1
    • Send max-age in Cache-Control in correct format

v3.9.0

Compare Source

==================

  • custom etag control with app.set('etag', val)
    • app.set('etag', function(body, encoding){ return '"etag"' }) custom etag generation
    • app.set('etag', 'weak') weak tag
    • app.set('etag', 'strong') strong etag
    • app.set('etag', false) turn off
    • app.set('etag', true) standard etag
  • Include ETag in HEAD requests
  • mark res.send ETag as weak and reduce collisions
  • update connect to 2.18.0
    • deps: compression@1.0.3
    • deps: serve-index@1.1.0
    • deps: serve-static@1.2.0
  • update send to 0.4.0
    • Calculate ETag with md5 for reduced collisions
    • Ignore stream errors after request ends
    • deps: debug@0.8.1

v3.8.1

Compare Source

==================

  • update connect to 2.17.3
    • deps: body-parser@1.2.2
    • deps: express-session@1.2.1
    • deps: method-override@1.0.2

v3.8.0

Compare Source

==================

  • keep previous Content-Type for res.jsonp
  • set proper charset in Content-Type for res.send
  • update connect to 2.17.1
    • fix res.charset appending charset when content-type has one
    • deps: express-session@1.2.0
    • deps: morgan@1.1.1
    • deps: serve-index@1.0.3

v3.7.0

Compare Source

==================

  • proper proxy trust with app.set('trust proxy', trust)
    • app.set('trust proxy', 1) trust first hop
    • app.set('trust proxy', 'loopback') trust loopback addresses
    • app.set('trust proxy', '10.0.0.1') trust single IP
    • app.set('trust proxy', '10.0.0.1/16') trust subnet
    • app.set('trust proxy', '10.0.0.1, 10.0.0.2') trust list
    • app.set('trust proxy', false) turn off
    • app.set('trust proxy', true) trust everything
  • update connect to 2.16.2
    • deprecate res.headerSent -- use res.headersSent
    • deprecate res.on("header") -- use on-headers module instead
    • fix edge-case in res.appendHeader that would append in wrong order
    • json: use body-parser
    • urlencoded: use body-parser
    • dep: bytes@1.0.0
    • dep: cookie-parser@1.1.0
    • dep: csurf@1.2.0
    • dep: express-session@1.1.0
    • dep: method-override@1.0.1

v3.6.0

Compare Source

==================

  • deprecate app.del() -- use app.delete() instead
  • deprecate res.json(obj, status) -- use res.json(status, obj) instead
    • the edge-case res.json(status, num) requires res.status(status).json(num)
  • deprecate res.jsonp(obj, status) -- use res.jsonp(status, obj) instead
    • the edge-case res.jsonp(status, num) requires res.status(status).jsonp(num)
  • support PURGE method
    • add app.purge
    • add router.purge
    • include PURGE in app.all
  • update connect to 2.15.0
    • Add res.appendHeader
    • Call error stack even when response has been sent
    • Patch res.headerSent to return Boolean
    • Patch res.headersSent for node.js 0.8
    • Prevent default 404 handler after response sent
    • dep: compression@1.0.2
    • dep: connect-timeout@1.1.0
    • dep: debug@^0.8.0
    • dep: errorhandler@1.0.1
    • dep: express-session@1.0.4
    • dep: morgan@1.0.1
    • dep: serve-favicon@2.0.0
    • dep: serve-index@1.0.2
  • update debug to 0.8.0
    • add enable() method
    • change from stderr to stdout
  • update methods to 1.0.0
    • add PURGE
  • update mkdirp to 0.5.0

v3.5.3

Compare Source

==================

  • fix req.host for IPv6 literals
  • fix res.jsonp error if callback param is object

v3.5.2

Compare Source

==================

  • update connect to 2.14.5
  • update cookie to 0.1.2
  • update mkdirp to 0.4.0
  • update send to 0.3.0

v3.5.1

Compare Source

==================

  • pin less-middleware in generated app

v3.5.0

Compare Source

==================

  • bump deps

v3.4.8

Compare Source

==================

v3.4.7

Compare Source

==================

  • update connect

v3.4.6

Compare Source

==================

  • update connect (raw-body)

v3.4.5

Compare Source

==================

v3.4.4

Compare Source

==================

  • update connect
  • update supertest
  • update methods
  • express(1): replace bodyParser() with urlencoded() and json() #1795 @chirag04

v3.4.3

Compare Source

==================

  • update connect

v3.4.2

Compare Source

==================

  • update connect
  • downgrade commander

v3.4.1

Compare Source

==================

v3.4.0

Compare Source

==================

  • add res.vary(). Closes #1682
  • update connect

v3.3.8

Compare Source

==================

  • update connect

v3.3.7

Compare Source

==================

  • update connect

v3.3.6

Compare Source

==================

  • Revert "remove charset from json responses. Closes #1631" (causes issues in some clients)
  • add: req.accepts take an argument list

v3.3.5

Compare Source

v3.3.4

Compare Source

==================

  • update send and connect

v3.3.3

Compare Source

==================

  • update connect

v3.3.2

Compare Source

==================

  • update connect
  • update send
  • remove .version export

v3.3.1

Compare Source

==================

  • update connect

v3.3.0

Compare Source

==================

  • update connect
  • add support for multiple X-Forwarded-Proto values. Closes #1646
  • change: remove charset from json responses. Closes #1631
  • change: return actual booleans from req.accept* functions
  • fix jsonp callback array throw

v3.2.6

Compare Source

==================

  • update connect

v3.2.5

Compare Source

==================

  • update connect
  • update node-cookie
  • add: throw a meaningful error when there is no default engine
  • change generation of ETags with res.send() to GET requests only. Closes #1619

v3.2.4

Compare Source

==================

  • fix req.subdomains when no Host is present
  • fix req.host when no Host is present, return undefined

v3.2.3

Compare Source

==================

  • update connect / qs

v3.2.2

Compare Source

==================

  • update qs

v3.2.1

Compare Source

==================

  • add app.VERB() paths array deprecation warning
  • update connect
  • update qs and remove all ~ semver crap
  • fix: accept number as value of Signed Cookie

v3.2.0

Compare Source

==================

  • add "view" constructor setting to override view behaviour
  • add req.acceptsEncoding(name)
  • add req.acceptedEncodings
  • revert cookie signature change causing session race conditions
  • fix sorting of Accept values of the same quality

v3.1.2

Compare Source

==================

  • add support for custom Accept parameters
  • update cookie-signature

v3.1.1

Compare Source

==================

  • add X-Forwarded-Host support to req.host
  • fix relative redirects
  • update mkdirp
  • update buffer-crc32
  • remove legacy app.configure() method from app template.

v3.1.0

Compare Source

==================

  • add support for leading "." in "view engine" setting
  • add array support to res.set()
  • add node 0.8.x to travis.yml
  • add "subdomain offset" setting for tweaking req.subdomains
  • add res.location(url) implementing res.redirect()-like setting of Location
  • use app.get() for x-powered-by setting for inheritance
  • fix colons in passwords for req.auth

v3.0.6

Compare Source

==================

  • add http verb methods to Router
  • update connect
  • fix mangling of the res.cookie() options object
  • fix jsonp whitespace escape. Closes #1132

v3.0.5

Compare Source

==================

  • add throwing when a non-function is passed to a route
  • fix: explicitly remove Transfer-Encoding header from 204 and 304 responses
  • revert "add 'etag' option"

v3.0.4

Compare Source

==================

  • add 'etag' option to disable res.send() Etags
  • add escaping of urls in text/plain in res.redirect()
    for old browsers interpreting as html
  • change crc32 module for a more liberal license
  • update connect

v3.0.3

Compare Source

==================

  • update connect
  • update cookie module
  • fix cookie max-age

v3.0.2

Compare Source

==================

  • add OPTIONS to cors example. Closes #1398
  • fix route chaining regression. Closes #1397

v3.0.1

==================

  • update connect


@uriel-mend-app uriel-mend-app bot added the security fix Security fix generated by Mend label Mar 22, 2023
@uriel-mend-app uriel-mend-app bot changed the title from "Update dependency express to v3.21.0" to "Update dependency express to v3.21.0 - autoclosed" Apr 3, 2023
@uriel-mend-app uriel-mend-app bot closed this Apr 3, 2023
@uriel-mend-app uriel-mend-app bot deleted the whitesource-remediate/express-3.x branch April 3, 2023 10:33
@uriel-mend-app uriel-mend-app bot changed the title from "Update dependency express to v3.21.0 - autoclosed" to "Update dependency express to v3.21.0" Apr 3, 2023
@uriel-mend-app uriel-mend-app bot restored the whitesource-remediate/express-3.x branch April 3, 2023 10:37
@uriel-mend-app uriel-mend-app bot reopened this Apr 3, 2023
@uriel-naor uriel-naor merged commit c17f76c into main Jul 23, 2023