Update dependency express to ^4.21.1 (main)

[mend-for-github-com[bot]]

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	^4.14.1 -> ^4.21.1

By merging this PR, the issue #57 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability	Reachability
High	7.5	CVE-2024-45296
High	7.5	CVE-2024-52798
Medium	6.1	CVE-2024-29041
Medium	5.3	CVE-2024-47764
Medium	5.0	CVE-2024-43796

---

Release Notes

expressjs/express (express)

v4.21.1

Compare Source

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in #​6029
• Release: 4.21.1 by @​UlisesGascon in #​6031

Full Changelog: https://github.com/expressjs/express/compare/4.21.0...4.21.1

v4.21.0

Compare Source

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in #​5935
• finalhandler@​1.3.1 by @​wesleytodd in #​5954
• fix(deps): serve-static@​1.16.2 by @​wesleytodd in #​5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in #​5946

New Contributors

• @​agadzinski93 made their first contribution in #​5946

Full Changelog: https://github.com/expressjs/express/compare/4.20.0...4.21.0

v4.20.0

Compare Source

==========

• deps: serve-static@​0.16.0
  • Remove link renderization in html while redirecting
• deps: send@​0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@​0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@​0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

v4.19.2

Compare Source

==========

• Improved fix for open redirect allow list bypass

v4.19.1

Compare Source

==========

• Allow passing non-strings to res.location with new encoding handling checks

v4.19.0

Compare Source

==========

• Prevent open redirect allow list bypass due to encodeurl
• deps: cookie@​0.6.0

v4.18.3

Compare Source

==========

• Fix routing requests without method
• deps: body-parser@​1.20.2
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: raw-body@​2.5.2
• deps: cookie@​0.6.0
  • Add partitioned option

v4.18.2

Compare Source

===================

• Fix regression routing a large stack in a single route
• deps: body-parser@​1.20.1
  • deps: qs@​6.11.0
  • perf: remove unnecessary object clone
• deps: qs@​6.11.0

v4.18.1

Compare Source

===================

• Fix hanging on large stack of sync routes

v4.18.0

Compare Source

===================

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get
• Invoke default with same arguments as types in res.format
• Support proper 205 responses using res.send
• Use http-errors for res.format error
• deps: body-parser@​1.20.0
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@​2.0.0
  • deps: http-errors@​2.0.0
  • deps: on-finished@​2.4.1
  • deps: qs@​6.10.3
  • deps: raw-body@​2.5.1
• deps: cookie@​0.5.0
  • Add priority option
  • Fix expires option to reject invalid dates
• deps: depd@​2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: finalhandler@​1.2.0
  • Remove set content headers that break response
  • deps: on-finished@​2.4.1
  • deps: statuses@​2.0.1
• deps: on-finished@​2.4.1
  • Prevent loss of async hooks context
• deps: qs@​6.10.3
• deps: send@​0.18.0
  • Fix emitted 416 error missing headers property
  • Limit the headers removed for 304 response
  • deps: depd@​2.0.0
  • deps: destroy@​1.2.0
  • deps: http-errors@​2.0.0
  • deps: on-finished@​2.4.1
  • deps: statuses@​2.0.1
• deps: serve-static@​1.15.0
  • deps: send@​0.18.0
• deps: statuses@​2.0.1
  • Remove code 306
  • Rename 425 Unordered Collection to standard 425 Too Early

v4.17.3

Compare Source

===================

• deps: accepts@~1.3.8
  • deps: mime-types@~2.1.34
  • deps: negotiator@​0.6.3
• deps: body-parser@​1.19.2
  • deps: bytes@​3.1.2
  • deps: qs@​6.9.7
  • deps: raw-body@​2.4.3
• deps: cookie@​0.4.2
• deps: qs@​6.9.7
  • Fix handling of __proto__ keys
• pref: remove unnecessary regexp for trust proxy

v4.17.2

Compare Source

===================

• Fix handling of undefined in res.jsonp
• Fix handling of undefined when "json escape" is enabled
• Fix incorrect middleware execution with unanchored RegExps
• Fix res.jsonp(obj, status) deprecation message
• Fix typo in res.is JSDoc
• deps: body-parser@​1.19.1
  • deps: bytes@​3.1.1
  • deps: http-errors@​1.8.1
  • deps: qs@​6.9.6
  • deps: raw-body@​2.4.2
  • deps: safe-buffer@​5.2.1
  • deps: type-is@~1.6.18
• deps: content-disposition@​0.5.4
  • deps: safe-buffer@​5.2.1
• deps: cookie@​0.4.1
  • Fix maxAge option to reject invalid values
• deps: proxy-addr@~2.0.7
  • Use req.socket over deprecated req.connection
  • deps: forwarded@​0.2.0
  • deps: ipaddr.js@​1.9.1
• deps: qs@​6.9.6
• deps: safe-buffer@​5.2.1
• deps: send@​0.17.2
  • deps: http-errors@​1.8.1
  • deps: ms@​2.1.3
  • pref: ignore empty http tokens
• deps: serve-static@​1.14.2
  • deps: send@​0.17.2
• deps: setprototypeof@​1.2.0

v4.17.1

Compare Source

===================

• Revert "Improve error message for null/undefined to res.status"

v4.17.0

Compare Source

===================

• Add express.raw to parse bodies into Buffer
• Add express.text to parse bodies into string
• Improve error message for non-strings to res.sendFile
• Improve error message for null/undefined to res.status
• Support multiple hosts in X-Forwarded-Host
• deps: accepts@~1.3.7
• deps: body-parser@​1.19.0
  • Add encoding MIK
  • Add petabyte (pb) support
  • Fix parsing array brackets after index
  • deps: bytes@​3.1.0
  • deps: http-errors@​1.7.2
  • deps: iconv-lite@​0.4.24
  • deps: qs@​6.7.0
  • deps: raw-body@​2.4.0
  • deps: type-is@~1.6.17
• deps: content-disposition@​0.5.3
• deps: cookie@​0.4.0
  • Add SameSite=None support
• deps: finalhandler@~1.1.2
  • Set stricter Content-Security-Policy header
  • deps: parseurl@~1.3.3
  • deps: statuses@~1.5.0
• deps: parseurl@~1.3.3
• deps: proxy-addr@~2.0.5
  • deps: ipaddr.js@​1.9.0
• deps: qs@​6.7.0
  • Fix parsing array brackets after index
• deps: range-parser@~1.2.1
• deps: send@​0.17.1
  • Set stricter CSP header in redirect & error responses
  • deps: http-errors@~1.7.2
  • deps: mime@​1.6.0
  • deps: ms@​2.1.1
  • deps: range-parser@~1.2.1
  • deps: statuses@~1.5.0
  • perf: remove redundant path.normalize call
• deps: serve-static@​1.14.1
  • Set stricter CSP header in redirect response
  • deps: parseurl@~1.3.3
  • deps: send@​0.17.1
• deps: setprototypeof@​1.1.1
• deps: statuses@~1.5.0
  • Add 103 Early Hints
• deps: type-is@~1.6.18
  • deps: mime-types@~2.1.24
  • perf: prevent internal throw on invalid type

v4.16.4

Compare Source

===================

• Fix issue where "Request aborted" may be logged in res.sendfile
• Fix JSDoc for Router constructor
• deps: body-parser@​1.18.3
  • Fix deprecation warnings on Node.js 10+
  • Fix stack trace for strict json parse error
  • deps: depd@~1.1.2
  • deps: http-errors@~1.6.3
  • deps: iconv-lite@​0.4.23
  • deps: qs@​6.5.2
  • deps: raw-body@​2.3.3
  • deps: type-is@~1.6.16
• deps: proxy-addr@~2.0.4
  • deps: ipaddr.js@​1.8.0
• deps: qs@​6.5.2
• deps: safe-buffer@​5.1.2

v4.16.3

Compare Source

===================

• deps: accepts@~1.3.5
  • deps: mime-types@~2.1.18
• deps: depd@~1.1.2
  • perf: remove argument reassignment
• deps: encodeurl@~1.0.2
  • Fix encoding % as last character
• deps: finalhandler@​1.1.1
  • Fix 404 output for bad / missing pathnames
  • deps: encodeurl@~1.0.2
  • deps: statuses@~1.4.0
• deps: proxy-addr@~2.0.3
  • deps: ipaddr.js@​1.6.0
• deps: send@​0.16.2
  • Fix incorrect end tag in default error & redirects
  • deps: depd@~1.1.2
  • deps: encodeurl@~1.0.2
  • deps: statuses@~1.4.0
• deps: serve-static@​1.13.2
  • Fix incorrect end tag in redirects
  • deps: encodeurl@~1.0.2
  • deps: send@​0.16.2
• deps: statuses@~1.4.0
• deps: type-is@~1.6.16
  • deps: mime-types@~2.1.18

v4.16.2

Compare Source

===================

• Fix TypeError in res.send when given Buffer and ETag header set
• perf: skip parsing of entire X-Forwarded-Proto header

v4.16.1

Compare Source

===================

• deps: send@​0.16.1
• deps: serve-static@​1.13.1
  • Fix regression when root is incorrectly set to a file
  • deps: send@​0.16.1

v4.16.0

Compare Source

===================

• Add "json escape" setting for res.json and res.jsonp
• Add express.json and express.urlencoded to parse bodies
• Add options argument to res.download
• Improve error message when autoloading invalid view engine
• Improve error messages when non-function provided as middleware
• Skip Buffer encoding when not generating ETag for small response
• Use safe-buffer for improved Buffer API
• deps: accepts@~1.3.4
  • deps: mime-types@~2.1.16
• deps: content-type@~1.0.4
  • perf: remove argument reassignment
  • perf: skip parameter parsing when no parameters
• deps: etag@~1.8.1
  • perf: replace regular expression with substring
• deps: finalhandler@​1.1.0
  • Use res.headersSent when available
• deps: parseurl@~1.3.2
  • perf: reduce overhead for full URLs
  • perf: unroll the "fast-path" RegExp
• deps: proxy-addr@~2.0.2
  • Fix trimming leading / trailing OWS in X-Forwarded-For
  • deps: forwarded@~0.1.2
  • deps: ipaddr.js@​1.5.2
  • perf: reduce overhead when no X-Forwarded-For header
• deps: qs@​6.5.1
  • Fix parsing & compacting very deep objects
• deps: send@​0.16.0
  • Add 70 new types for file extensions
  • Add immutable option
  • Fix missing </html> in default error & redirects
  • Set charset as "UTF-8" for .js and .json
  • Use instance methods on steam to check for listeners
  • deps: mime@​1.4.1
  • perf: improve path validation speed
• deps: serve-static@​1.13.0
  • Add 70 new types for file extensions
  • Add immutable option
  • Set charset as "UTF-8" for .js and .json
  • deps: send@​0.16.0
• deps: setprototypeof@​1.1.0
• deps: utils-merge@​1.0.1
• deps: vary@~1.1.2
  • perf: improve header token parsing speed
• perf: re-use options object when generating ETags
• perf: remove dead .charset set in res.jsonp

v4.15.5

Compare Source

===================

• deps: debug@​2.6.9
• deps: finalhandler@~1.0.6
  • deps: debug@​2.6.9
  • deps: parseurl@~1.3.2
• deps: fresh@​0.5.2
  • Fix handling of modified headers with invalid dates
  • perf: improve ETag match loop
  • perf: improve If-None-Match token parsing
• deps: send@​0.15.6
  • Fix handling of modified headers with invalid dates
  • deps: debug@​2.6.9
  • deps: etag@~1.8.1
  • deps: fresh@​0.5.2
  • perf: improve If-Match token parsing
• deps: serve-static@​1.12.6
  • deps: parseurl@~1.3.2
  • deps: send@​0.15.6
  • perf: improve slash collapsing

v4.15.4

Compare Source

===================

• deps: debug@​2.6.8
• deps: depd@~1.1.1
  • Remove unnecessary Buffer loading
• deps: finalhandler@~1.0.4
  • deps: debug@​2.6.8
• deps: proxy-addr@~1.1.5
  • Fix array argument being altered
  • deps: ipaddr.js@​1.4.0
• deps: qs@​6.5.0
• deps: send@​0.15.4
  • deps: debug@​2.6.8
  • deps: depd@~1.1.1
  • deps: http-errors@~1.6.2
• deps: serve-static@​1.12.4
  • deps: send@​0.15.4

v4.15.3

Compare Source

===================

• Fix error when res.set cannot add charset to Content-Type
• deps: debug@​2.6.7
  • Fix DEBUG_MAX_ARRAY_LENGTH
  • deps: ms@​2.0.0
• deps: finalhandler@~1.0.3
  • Fix missing </html> in HTML document
  • deps: debug@​2.6.7
• deps: proxy-addr@~1.1.4
  • deps: ipaddr.js@​1.3.0
• deps: send@​0.15.3
  • deps: debug@​2.6.7
  • deps: ms@​2.0.0
• deps: serve-static@​1.12.3
  • deps: send@​0.15.3
• deps: type-is@~1.6.15
  • deps: mime-types@~2.1.15
• deps: vary@~1.1.1
  • perf: hoist regular expression

v4.15.2

Compare Source

===================

• deps: qs@​6.4.0
  • Fix regression parsing keys starting with [

v4.15.1

Compare Source

===================

• deps: send@​0.15.1
  • Fix issue when Date.parse does not return NaN on invalid date
  • Fix strict violation in broken environments
• deps: serve-static@​1.12.1
  • Fix issue when Date.parse does not return NaN on invalid date
  • deps: send@​0.15.1

v4.15.0

Compare Source

===================

• Add debug message when loading view engine
• Add next("router") to exit from router
• Fix case where router.use skipped requests routes did not
• Remove usage of res._headers private field
  • Improves compatibility with Node.js 8 nightly
• Skip routing when req.url is not set
• Use %o in path debug to tell types apart
• Use Object.create to setup request & response prototypes
• Use setprototypeof module to replace __proto__ setting
• Use statuses instead of http module for status messages
• deps: debug@​2.6.1
  • Allow colors in workers
  • Deprecated DEBUG_FD environment variable set to 3 or higher
  • Fix error when running under React Native
  • Use same color for same namespace
  • deps: ms@​0.7.2
• deps: etag@~1.8.0
  • Use SHA1 instead of MD5 for ETag hashing
  • Works with FIPS 140-2 OpenSSL configuration
• deps: finalhandler@~1.0.0
  • Fix exception when err cannot be converted to a string
  • Fully URL-encode the pathname in the 404
  • Only include the pathname in the 404 message
  • Send complete HTML document
  • Set Content-Security-Policy: default-src 'self' header
  • deps: debug@​2.6.1
• deps: fresh@​0.5.0
  • Fix false detection of no-cache request directive
  • Fix incorrect result when If-None-Match has both * and ETags
  • Fix weak ETag matching to match spec
  • perf: delay reading header values until needed
  • perf: enable strict mode
  • perf: hoist regular expressions
  • perf: remove duplicate conditional
  • perf: remove unnecessary boolean coercions
  • perf: skip checking modified time if ETag check failed
  • perf: skip parsing If-None-Match when no ETag header
  • perf: use Date.parse instead of new Date
• deps: qs@​6.3.1
  • Fix array parsing from skipping empty values
  • Fix compacting nested arrays
• deps: send@​0.15.0
  • Fix false detection of no-cache request directive
  • Fix incorrect result when If-None-Match has both * and ETags
  • Fix weak ETag matching to match spec
  • Remove usage of res._headers private field
  • Support If-Match and If-Unmodified-Since headers
  • Use res.getHeaderNames() when available
  • Use res.headersSent when available
  • deps: debug@​2.6.1
  • deps: etag@~1.8.0
  • deps: fresh@​0.5.0
  • deps: http-errors@~1.6.1
• deps: serve-static@​1.12.0
  • Fix false detection of no-cache request directive
  • Fix incorrect result when If-None-Match has both * and ETags
  • Fix weak ETag matching to match spec
  • Remove usage of res._headers private field
  • Send complete HTML document in redirect response
  • Set default CSP header in redirect response
  • Support If-Match and If-Unmodified-Since headers
  • Use res.getHeaderNames() when available
  • Use res.headersSent when available
  • deps: send@​0.15.0
• perf: add fast match path for * route
• perf: improve req.ips performance

---

• [ ] If you want to rebase/retry this PR, check this box