Update dependency express to ^4.19.0 (main)

Open mend-for-github-com[bot] opened this issue 1 year ago • 0 comments

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	`^4.14.1` -> `^4.19.0`

By merging this PR, the issue #57 will be automatically resolved and closed:

Severity	CVSS Score	CVE	Reachability
Medium	6.1	CVE-2024-29041

Release Notes

expressjs/express (express)

`v4.19.0`

Compare Source

==========

Prevent open redirect allow list bypass due to encodeurl
deps: [email protected]

`v4.18.3`

Compare Source

==========

Fix routing requests without method
deps: [email protected]
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: [email protected]
deps: [email protected]
- Add partitioned option

`v4.18.2`

Compare Source

===================

Fix regression routing a large stack in a single route
deps: [email protected]
- deps: [email protected]
- perf: remove unnecessary object clone
deps: [email protected]

`v4.18.1`

Compare Source

===================

Fix hanging on large stack of sync routes

`v4.18.0`

Compare Source

===================

Add "root" option to res.download
Allow options without filename in res.download
Deprecate string and non-integer arguments to res.status
Fix behavior of null/undefined as maxAge in res.cookie
Fix handling very large stacks of sync middleware
Ignore Object.prototype values in settings through app.set/app.get
Invoke default with same arguments as types in res.format
Support proper 205 responses using res.send
Use http-errors for res.format error
deps: [email protected]
- Fix error message for json parse whitespace in strict
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Add priority option
- Fix expires option to reject invalid dates
deps: [email protected]
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: [email protected]
- Remove set content headers that break response
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Prevent loss of async hooks context
deps: [email protected]
deps: [email protected]
- Fix emitted 416 error missing headers property
- Limit the headers removed for 304 response
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Remove code 306
- Rename 425 Unordered Collection to standard 425 Too Early

`v4.17.3`

Compare Source

===================

deps: accepts@~1.3.8
- deps: mime-types@~2.1.34
- deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
deps: [email protected]
- Fix handling of __proto__ keys
pref: remove unnecessary regexp for trust proxy

`v4.17.2`

Compare Source

===================

Fix handling of undefined in res.jsonp
Fix handling of undefined when "json escape" is enabled
Fix incorrect middleware execution with unanchored RegExps
Fix res.jsonp(obj, status) deprecation message
Fix typo in res.is JSDoc
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.18
deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Fix maxAge option to reject invalid values
deps: proxy-addr@~2.0.7
- Use req.socket over deprecated req.connection
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- pref: ignore empty http tokens
deps: [email protected]
- deps: [email protected]
deps: [email protected]

`v4.17.1`

Compare Source

===================

Revert "Improve error message for null/undefined to res.status"

`v4.17.0`

Compare Source

===================

Add express.raw to parse bodies into Buffer
Add express.text to parse bodies into string
Improve error message for non-strings to res.sendFile
Improve error message for null/undefined to res.status
Support multiple hosts in X-Forwarded-Host
deps: accepts@~1.3.7
deps: [email protected]
- Add encoding MIK
- Add petabyte (pb) support
- Fix parsing array brackets after index
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.17
deps: [email protected]
deps: [email protected]
- Add SameSite=None support
deps: finalhandler@~1.1.2
- Set stricter Content-Security-Policy header
- deps: parseurl@~1.3.3
- deps: statuses@~1.5.0
deps: parseurl@~1.3.3
deps: proxy-addr@~2.0.5
- deps: [email protected]
deps: [email protected]
- Fix parsing array brackets after index
deps: range-parser@~1.2.1
deps: [email protected]
- Set stricter CSP header in redirect & error responses
- deps: http-errors@~1.7.2
- deps: [email protected]
- deps: [email protected]
- deps: range-parser@~1.2.1
- deps: statuses@~1.5.0
- perf: remove redundant path.normalize call
deps: [email protected]
- Set stricter CSP header in redirect response
- deps: parseurl@~1.3.3
- deps: [email protected]
deps: [email protected]
deps: statuses@~1.5.0
- Add 103 Early Hints
deps: type-is@~1.6.18
- deps: mime-types@~2.1.24
- perf: prevent internal throw on invalid type

`v4.16.4`

Compare Source

===================

Fix issue where "Request aborted" may be logged in res.sendfile
Fix JSDoc for Router constructor
deps: [email protected]
- Fix deprecation warnings on Node.js 10+
- Fix stack trace for strict json parse error
- deps: depd@~1.1.2
- deps: http-errors@~1.6.3
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.16
deps: proxy-addr@~2.0.4
- deps: [email protected]
deps: [email protected]
deps: [email protected]

`v4.16.3`

Compare Source

===================

deps: accepts@~1.3.5
- deps: mime-types@~2.1.18
deps: depd@~1.1.2
- perf: remove argument reassignment
deps: encodeurl@~1.0.2
- Fix encoding % as last character
deps: [email protected]
- Fix 404 output for bad / missing pathnames
- deps: encodeurl@~1.0.2
- deps: statuses@~1.4.0
deps: proxy-addr@~2.0.3
- deps: [email protected]
deps: [email protected]
- Fix incorrect end tag in default error & redirects
- deps: depd@~1.1.2
- deps: encodeurl@~1.0.2
- deps: statuses@~1.4.0
deps: [email protected]
- Fix incorrect end tag in redirects
- deps: encodeurl@~1.0.2
- deps: [email protected]
deps: statuses@~1.4.0
deps: type-is@~1.6.16
- deps: mime-types@~2.1.18

`v4.16.2`

Compare Source

===================

Fix TypeError in res.send when given Buffer and ETag header set
perf: skip parsing of entire X-Forwarded-Proto header

`v4.16.1`

Compare Source

===================

deps: [email protected]
deps: [email protected]
- Fix regression when root is incorrectly set to a file
- deps: [email protected]

`v4.16.0`

Compare Source

===================

Add "json escape" setting for res.json and res.jsonp
Add express.json and express.urlencoded to parse bodies
Add options argument to res.download
Improve error message when autoloading invalid view engine
Improve error messages when non-function provided as middleware
Skip Buffer encoding when not generating ETag for small response
Use safe-buffer for improved Buffer API
deps: accepts@~1.3.4
- deps: mime-types@~2.1.16
deps: content-type@~1.0.4
- perf: remove argument reassignment
- perf: skip parameter parsing when no parameters
deps: etag@~1.8.1
- perf: replace regular expression with substring
deps: [email protected]
- Use res.headersSent when available
deps: parseurl@~1.3.2
- perf: reduce overhead for full URLs
- perf: unroll the "fast-path" RegExp
deps: proxy-addr@~2.0.2
- Fix trimming leading / trailing OWS in X-Forwarded-For
- deps: forwarded@~0.1.2
- deps: [email protected]
- perf: reduce overhead when no X-Forwarded-For header
deps: [email protected]
- Fix parsing & compacting very deep objects
deps: [email protected]
- Add 70 new types for file extensions
- Add immutable option
- Fix missing </html> in default error & redirects
- Set charset as "UTF-8" for .js and .json
- Use instance methods on steam to check for listeners
- deps: [email protected]
- perf: improve path validation speed
deps: [email protected]
- Add 70 new types for file extensions
- Add immutable option
- Set charset as "UTF-8" for .js and .json
- deps: [email protected]
deps: [email protected]
deps: [email protected]
deps: vary@~1.1.2
- perf: improve header token parsing speed
perf: re-use options object when generating ETags
perf: remove dead .charset set in res.jsonp

`v4.15.5`

Compare Source

===================

deps: [email protected]
deps: finalhandler@~1.0.6
- deps: [email protected]
- deps: parseurl@~1.3.2
deps: [email protected]
- Fix handling of modified headers with invalid dates
- perf: improve ETag match loop
- perf: improve If-None-Match token parsing
deps: [email protected]
- Fix handling of modified headers with invalid dates
- deps: [email protected]
- deps: etag@~1.8.1
- deps: [email protected]
- perf: improve If-Match token parsing
deps: [email protected]
- deps: parseurl@~1.3.2
- deps: [email protected]
- perf: improve slash collapsing

`v4.15.4`

Compare Source

===================

deps: [email protected]
deps: depd@~1.1.1
- Remove unnecessary Buffer loading
deps: finalhandler@~1.0.4
- deps: [email protected]
deps: proxy-addr@~1.1.5
- Fix array argument being altered
- deps: [email protected]
deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: depd@~1.1.1
- deps: http-errors@~1.6.2
deps: [email protected]
- deps: [email protected]

`v4.15.3`

Compare Source

===================

Fix error when res.set cannot add charset to Content-Type
deps: [email protected]
- Fix DEBUG_MAX_ARRAY_LENGTH
- deps: [email protected]
deps: finalhandler@~1.0.3
- Fix missing </html> in HTML document
- deps: [email protected]
deps: proxy-addr@~1.1.4
- deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- deps: [email protected]
deps: type-is@~1.6.15
- deps: mime-types@~2.1.15
deps: vary@~1.1.1
- perf: hoist regular expression

`v4.15.2`

Compare Source

===================

deps: [email protected]
- Fix regression parsing keys starting with [

`v4.15.1`

Compare Source

===================

deps: [email protected]
- Fix issue when Date.parse does not return NaN on invalid date
- Fix strict violation in broken environments
deps: [email protected]
- Fix issue when Date.parse does not return NaN on invalid date
- deps: [email protected]

`v4.15.0`

Compare Source

===================

Add debug message when loading view engine
Add next("router") to exit from router
Fix case where router.use skipped requests routes did not
Remove usage of res._headers private field
- Improves compatibility with Node.js 8 nightly
Skip routing when req.url is not set
Use %o in path debug to tell types apart
Use Object.create to setup request & response prototypes
Use setprototypeof module to replace __proto__ setting
Use statuses instead of http module for status messages
deps: [email protected]
- Allow colors in workers
- Deprecated DEBUG_FD environment variable set to 3 or higher
- Fix error when running under React Native
- Use same color for same namespace
- deps: [email protected]
deps: etag@~1.8.0
- Use SHA1 instead of MD5 for ETag hashing
- Works with FIPS 140-2 OpenSSL configuration
deps: finalhandler@~1.0.0
- Fix exception when err cannot be converted to a string
- Fully URL-encode the pathname in the 404
- Only include the pathname in the 404 message
- Send complete HTML document
- Set Content-Security-Policy: default-src 'self' header
- deps: [email protected]
deps: [email protected]
- Fix false detection of no-cache request directive
- Fix incorrect result when If-None-Match has both * and ETags
- Fix weak ETag matching to match spec
- perf: delay reading header values until needed
- perf: enable strict mode
- perf: hoist regular expressions
- perf: remove duplicate conditional
- perf: remove unnecessary boolean coercions
- perf: skip checking modified time if ETag check failed
- perf: skip parsing If-None-Match when no ETag header
- perf: use Date.parse instead of new Date
deps: [email protected]
- Fix array parsing from skipping empty values
- Fix compacting nested arrays
deps: [email protected]
- Fix false detection of no-cache request directive
- Fix incorrect result when If-None-Match has both * and ETags
- Fix weak ETag matching to match spec
- Remove usage of res._headers private field
- Support If-Match and If-Unmodified-Since headers
- Use res.getHeaderNames() when available
- Use res.headersSent when available
- deps: [email protected]
- deps: etag@~1.8.0
- deps: [email protected]
- deps: http-errors@~1.6.1
deps: [email protected]
- Fix false detection of no-cache request directive
- Fix incorrect result when If-None-Match has both * and ETags
- Fix weak ETag matching to match spec
- Remove usage of res._headers private field
- Send complete HTML document in redirect response
- Set default CSP header in redirect response
- Support If-Match and If-Unmodified-Since headers
- Use res.getHeaderNames() when available
- Use res.headersSent when available
- deps: [email protected]
perf: add fast match path for * route
perf: improve req.ips performance

[ ] If you want to rebase/retry this PR, check this box

Apr 30 '24 04:04 mend-for-github-com[bot]