[Snyk(Unlimited)] Upgrade express from 4.12.4 to 4.17.1 #237

Open: wants to merge 1 commit into base: master

@snyk-bot snyk-bot commented Dec 3, 2019

Snyk has created this PR to upgrade express from 4.12.4 to 4.17.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
  • The recommended version is 20 versions ahead of your current version.
  • The recommended version was released 6 months ago, on 2019-05-26.

The recommended version fixes:

| Severity | Issue | Exploit Maturity |
|---|---|---|
| | Regular Expression Denial of Service (ReDoS) (npm:fresh:20170908) | No Known Exploit |

Release notes
Package name: express
  • 4.17.1 - 2019-05-26
    • Revert "Improve error message for null/undefined to res.status"
  • 4.17.0 - 2019-05-17
    • Add express.raw to parse bodies into Buffer
    • Add express.text to parse bodies into string
    • Improve error message for non-strings to res.sendFile
    • Improve error message for null/undefined to res.status
    • Support multiple hosts in X-Forwarded-Host
    • deps: accepts@~1.3.7
    • deps: body-parser@1.19.0
      • Add encoding MIK
      • Add petabyte (pb) support
      • Fix parsing array brackets after index
      • deps: bytes@3.1.0
      • deps: http-errors@1.7.2
      • deps: iconv-lite@0.4.24
      • deps: qs@6.7.0
      • deps: raw-body@2.4.0
      • deps: type-is@~1.6.17
    • deps: content-disposition@0.5.3
    • deps: cookie@0.4.0
      • Add SameSite=None support
    • deps: finalhandler@~1.1.2
      • Set stricter Content-Security-Policy header
      • deps: parseurl@~1.3.3
      • deps: statuses@~1.5.0
    • deps: parseurl@~1.3.3
    • deps: proxy-addr@~2.0.5
      • deps: ipaddr.js@1.9.0
    • deps: qs@6.7.0
      • Fix parsing array brackets after index
    • deps: range-parser@~1.2.1
    • deps: send@0.17.1
      • Set stricter CSP header in redirect & error responses
      • deps: http-errors@~1.7.2
      • deps: mime@1.6.0
      • deps: ms@2.1.1
      • deps: range-parser@~1.2.1
      • deps: statuses@~1.5.0
      • perf: remove redundant path.normalize call
    • deps: serve-static@1.14.1
      • Set stricter CSP header in redirect response
      • deps: parseurl@~1.3.3
      • deps: send@0.17.1
    • deps: setprototypeof@1.1.1
    • deps: statuses@~1.5.0
      • Add 103 Early Hints
    • deps: type-is@~1.6.18
      • deps: mime-types@~2.1.24
      • perf: prevent internal throw on invalid type
  • 4.16.4 - 2018-10-11
    • Fix issue where "Request aborted" may be logged in res.sendfile
    • Fix JSDoc for Router constructor
    • deps: body-parser@1.18.3
      • Fix deprecation warnings on Node.js 10+
      • Fix stack trace for strict json parse error
      • deps: depd@~1.1.2
      • deps: http-errors@~1.6.3
      • deps: iconv-lite@0.4.23
      • deps: qs@6.5.2
      • deps: raw-body@2.3.3
      • deps: type-is@~1.6.16
    • deps: proxy-addr@~2.0.4
      • deps: ipaddr.js@1.8.0
    • deps: qs@6.5.2
    • deps: safe-buffer@5.1.2
  • 4.16.3 - 2018-03-12
    • deps: accepts@~1.3.5
      • deps: mime-types@~2.1.18
    • deps: depd@~1.1.2
      • perf: remove argument reassignment
    • deps: encodeurl@~1.0.2
      • Fix encoding % as last character
    • deps: finalhandler@1.1.1
      • Fix 404 output for bad / missing pathnames
      • deps: encodeurl@~1.0.2
      • deps: statuses@~1.4.0
    • deps: proxy-addr@~2.0.3
      • deps: ipaddr.js@1.6.0
    • deps: send@0.16.2
      • Fix incorrect end tag in default error & redirects
      • deps: depd@~1.1.2
      • deps: encodeurl@~1.0.2
      • deps: statuses@~1.4.0
    • deps: serve-static@1.13.2
      • Fix incorrect end tag in redirects
      • deps: encodeurl@~1.0.2
      • deps: send@0.16.2
    • deps: statuses@~1.4.0
    • deps: type-is@~1.6.16
      • deps: mime-types@~2.1.18
  • 4.16.2 - 2017-10-10
    • Fix TypeError in res.send when given Buffer and ETag header set
    • perf: skip parsing of entire X-Forwarded-Proto header
  • 4.16.1 - 2017-09-29
    • deps: send@0.16.1
    • deps: serve-static@1.13.1
      • Fix regression when root is incorrectly set to a file
      • deps: send@0.16.1
  • 4.16.0 - 2017-09-28
    • Add "json escape" setting for res.json and res.jsonp
    • Add express.json and express.urlencoded to parse bodies
    • Add options argument to res.download
    • Improve error message when autoloading invalid view engine
    • Improve error messages when non-function provided as middleware
    • Skip Buffer encoding when not generating ETag for small response
    • Use safe-buffer for improved Buffer API
    • deps: accepts@~1.3.4
      • deps: mime-types@~2.1.16
    • deps: content-type@~1.0.4
      • perf: remove argument reassignment
      • perf: skip parameter parsing when no parameters
    • deps: etag@~1.8.1
      • perf: replace regular expression with substring
    • deps: finalhandler@1.1.0
      • Use res.headersSent when available
    • deps: parseurl@~1.3.2
      • perf: reduce overhead for full URLs
      • perf: unroll the "fast-path" RegExp
    • deps: proxy-addr@~2.0.2
      • Fix trimming leading / trailing OWS in X-Forwarded-For
      • deps: forwarded@~0.1.2
      • deps: ipaddr.js@1.5.2
      • perf: reduce overhead when no X-Forwarded-For header
    • deps: qs@6.5.1
      • Fix parsing & compacting very deep objects
    • deps: send@0.16.0
      • Add 70 new types for file extensions
      • Add immutable option
      • Fix missing </html> in default error & redirects
      • Set charset as "UTF-8" for .js and .json
      • Use instance methods on steam to check for listeners
      • deps: mime@1.4.1
      • perf: improve path validation speed
    • deps: serve-static@1.13.0
      • Add 70 new types for file extensions
      • Add immutable option
      • Set charset as "UTF-8" for .js and .json
      • deps: send@0.16.0
    • deps: setprototypeof@1.1.0
    • deps: utils-merge@1.0.1
    • deps: vary@~1.1.2
      • perf: improve header token parsing speed
    • perf: re-use options object when generating ETags
    • perf: remove dead .charset set in res.jsonp
  • 4.15.5 - 2017-09-25
    • deps: debug@2.6.9
    • deps: finalhandler@~1.0.6
      • deps: debug@2.6.9
      • deps: parseurl@~1.3.2
    • deps: fresh@0.5.2
      • Fix handling of modified headers with invalid dates
      • perf: improve ETag match loop
      • perf: improve If-None-Match token parsing
    • deps: send@0.15.6
      • Fix handling of modified headers with invalid dates
      • deps: debug@2.6.9
      • deps: etag@~1.8.1
      • deps: fresh@0.5.2
      • perf: improve If-Match token parsing
    • deps: serve-static@1.12.6
      • deps: parseurl@~1.3.2
      • deps: send@0.15.6
      • perf: improve slash collapsing
  • 4.15.4 - 2017-08-07
  • 4.15.3 - 2017-05-17
  • 4.15.2 - 2017-03-06
  • 4.15.1 - 2017-03-06
  • 4.15.0 - 2017-03-01
  • 4.14.1 - 2017-01-28
  • 4.14.0 - 2016-06-16
  • 4.13.4 - 2016-01-22
  • 4.13.3 - 2015-08-03
  • 4.13.2 - 2015-07-31
  • 4.13.1 - 2015-07-06
  • 4.13.0 - 2015-06-21
  • 4.12.4 - 2015-05-18
from express GitHub release notes (https://github.com/expressjs/express/releases)

Commit messages
Package name: express
  • fefd729 Add debug message when loading view engine
  • bbed802 build: support Node.js 7.x
  • c63424a deps: debug@2.6.1
  • 906164b deps: qs@6.3.1
  • 485b6f8 perf: improve req.ips performance
  • 92c859d deps: finalhandler@~1.0.0
  • f2bbd10 deps: update example dependencies
  • 9f4dbae deps: etag@~1.8.0
  • cd7d241 build: test against Node.js 8.x nightly
  • f87abb3 Remove usage of res._headers private field
  • a9f15aa deps: fresh@0.5.0
  • 034165c Use statuses instead of http module for status messages
  • 8de1230 lint: remove unreachable code
  • 7bc5f1a lint: consolidate layer match failure path
  • 668f545 Skip routing when req.url is not set
  • 12ff56e Use Object.create to setup request & response prototypes
  • 6022567 Use setprototypeof module to replace __proto__ setting
  • 1b43166 deps: send@0.15.0
  • acc4a61 deps: serve-static@1.12.0
  • 1f71fae tests: add lone "*" route tests
  • 081b811 perf: add fast match path for "*" route
  • 8b6dc6c Use "%o" in path debug to tell types apart
  • 51f5290 Fix case where router.use skipped requests routes did not
  • 9722202 Add next("router") to exit from router
  • 146a13e build: Node.js@4.8
  • 7247554 build: Node.js@6.10
  • f59de6a build: Node.js@7.7
  • 7f96896 deps: update example dependencies
  • 504a51c 4.15.0
  • 6d9b127 build: Node.js@7.6
  • 4012846 examples: use static assets in search example
  • b4550fb Use ejs instead of jade within engine jsdoc
  • 7027b37 lint: remove unused err argument
  • dc8acc8 tests: use supertest expect for simple assertions
  • c0089d9 deps: send@0.15.1
  • 67168fe deps: serve-static@1.12.1
  • 8eb95ae examples: use path.join instead of concatenation
  • eece385 tests: use path.join instead of concatenation
  • 57d3dfd examples: merge the jade example into ejs
  • d32ed68 4.15.1
  • 85c96fd deps: qs@6.4.0
  • 05fd1e4 deps: update example dependencies
  • d43b074 4.15.2
  • 64dd446 docs: remove dead link to translated readme
  • f44368f examples: replace jade with ejs in view-locals
  • a1fffda build: should@11.2.1
  • 1b6ad08 deps: debug@2.6.3
  • 245fa89 examples: replace jade with ejs in route-separation
  • 2189ff1 lint: remove trailing new lines from docs
  • efd7032 build: Add .editorconfig
  • dbf092d deps: vary@~1.1.1
  • 8acaa9a deps: finalhandler@~1.0.1
  • 3763d73 examples: replace jade with hbs in mvc example
  • aabf780 docs: fix the security issues heading format
  • 347d4db deps: proxy-addr@~1.1.4
  • c087a45 Fix typo in variable name setPrototypeOf
  • df4f271 deps: type-is@~1.6.15
  • 2d1dade deps: serve-static@1.12.2
  • 1b6e700 deps: send@0.15.2
  • a13938e tests: add tests for res.location('back')
  • de41c0b Fix res.cookie jsdoc comment
  • 5ea2a8f build: Node.js@7.9
  • ae0b630 Fix error when res.set cannot add charset to Content-Type
  • 1ba9a9a deps: update example dependencies
  • ad4456c deps: send@0.15.3
  • 58cfc99 deps: serve-static@1.12.3
  • bc2986f deps: finalhandler@~1.0.3
  • 6549469 build: mocha@3.4.1
  • 5cf473d deps: debug@2.6.7
  • 6da454c 4.15.3
  • fde8f64 examples: fix route in params example
  • 60f87f8 examples: fix posts link in route-separation example
  • cf37240 examples: fix reference error in view-constructor
  • 9f019c8 examples: add comment about Redis install in examples
  • 9467a39 build: Node.js@7.10
  • 48777dc build: mocha@3.4.2
  • deffce5 deps: qs@6.5.0
  • bd5951e deps: debug@2.6.8
  • 1adee79 deps: update example dependencies
  • 04beebb build: Node.js@6.11
  • 43dff4c docs: fix GitHub capitalization
  • 5e16f40 examples: use 1-based visitor count in cookie-sessions
  • 582381b deps: proxy-addr@~1.1.5
  • 3eb16c2 deps: depd@~1.1.1
  • b2af101 build: ejs@2.5.7
  • daf66be examples: fix path join in ejs example
  • 85770a7 deps: finalhandler@~1.0.4
  • e0aa8bf build: mocha@3.5.0
  • 713d2ae tests: fix incorrect should usage
  • 56e90e3 lint: add eslint rules that cover editorconfig
  • 1dbaae5 deps: update example dependencies
  • 44881fa docs: update collaborator guide for lint script
  • e006622 lint: remove all unused varaibles
  • e2d725e deps: send@0.15.4
  • a50f109 deps: serve-static@1.12.4
  • a4bd437 4.15.4
  • 48817a7 build: remove minor pin for nightly
  • 78e5510 build: mocha@3.5.3
  • b208b24 build: should@13.0.1
  • de5fb62 deps: update example dependencies
  • 9e067ad deps: fresh@0.5.2
  • 9e0fa7f deps: send@0.15.5
  • 961dbff deps: serve-static@1.12.5
  • d7da225 build: should@13.1.0
  • 19a2eeb tests: check render error without engine-specific message
  • 9395db4 deps: debug@2.6.9
  • bd1672f deps: finalhandler@~1.0.6
  • 7137bf5 deps: send@0.15.6
  • 40435ec deps: serve-static@1.12.6
  • ea3d605 4.15.5
  • 94fdb67 build: support Node.js 8.x
  • c3fb7e5 build: test against Node.js 9.x nightly
  • 80f1ea9 Improve error message when autoloading invalid view engine
  • 48940e6 Skip Buffer encoding when not generating ETag for small response
  • 550043c deps: setprototypeof@1.1.0
  • 9a99c15 deps: accepts@~1.3.4
  • 70589c3 deps: content-type@~1.0.4
  • e62bb8b deps: etag@~1.8.1
  • ad7d96d deps: qs@6.5.1
  • 5cc761c deps: parseurl@~1.3.2
  • 673d51f deps: utils-merge@1.0.1
  • c2f4fb5 deps: finalhandler@1.1.0
  • 02a9d5f deps: proxy-addr@~2.0.2
  • d9d09b8 perf: re-use options object when generating ETags
  • fa272ed docs: fix typo in jsdoc comment
  • 12c3712 Use safe-buffer for improved Buffer API
  • 2df1ad2 Improve error messages when non-function provided as middleware
  • 44591fe deps: vary@~1.1.2
  • 95fb5cc perf: remove dead .charset set in res.jsonp
  • a24fd0c Add options to res.download
  • 628438d deps: update example dependencies
  • 7154014 Add "escape json" setting for res.json and res.jsonp
  • ddeb713 tests: add maxAge option tests for res.sendFile
  • 4196458 deps: send@0.16.0
  • 86f5df0 deps: serve-static@1.13.0
  • c0136d8 Add express.json and express.urlencoded to parse bodies
  • 8d4ceb6 docs: add more information to installation
  • f974d22 4.16.0
  • 6d9b13c deps: send@0.16.1
  • 6f823e4 deps: serve-static@1.13.1
  • e3f7f51 4.16.1
  • de129c2 tests: run mocha with --no-exit to detect hangs
  • 48aba21 docs: add missing history for res.download change
  • b7817ab Fix TypeError in res.send when given Buffer and ETag header set
  • b97faff perf: skip parsing of entire "X-Forwarded-Proto" header
  • 351396f 4.16.2
  • 53bee25 examples: use https github url
  • 950f442 tests: separate res.send() chain test
  • 187d1f5 docs: remove gratipay badges
  • a743d5b build: marked@0.3.9
  • b49af6a build: should@13.2.0
  • 1780ed1 build: Node.js@6.12
  • fe0bc40 build: Node.js@8.9
  • b4020ec build: should@13.2.1
  • 086e56f build: marked@0.3.12
  • 68e824c build: remove Node.js 8 nightly build
  • f448a96 deps: depd@~1.1.2
  • 3235726 deps: encodeurl@~1.0.2
  • c6f12a8 deps: statuses@~1.4.0
  • f8fba68 tests: use supertest expect to test body
  • 94a6cbf tests: remove unnecessary functions for supertest
  • 276a808 deps: send@0.16.2
  • cbaa046 deps: serve-static@1.13.2
  • 98b0b66 build: use yaml eslint configuration
  • 80e6469 examples: add full urls to web-service example
  • 972ada9 tests: remove duplicate block in router test
  • 40e04ec lint: remove usages of "=="
  • f3c5f7e build: test against Node.js 10.x nightly
  • 0083372 deps: proxy-addr@~2.0.3
  • e69a29d deps: type-is@~1.6.16
  • 0e88dce deps: accepts@~1.3.5
  • d3bdc3b build: marked@0.3.17
  • 76bf96e deps: finalhandler@1.1.1
  • 3ed5090 4.16.3
  • 02c7535 build: Node.js@4.9
  • 3d8ca8a build: Node.js@6.14
  • ac89f6f build: Node.js@8.11
  • f95dbc2 build: should@13.2.3
  • c39d7d9 build: Node.js@8.12
  • d5b33cf build: update example dependencies
  • ede24da examples: fix typo in multi-router example
  • f3fa758 Fix JSDoc for Router constructor
  • 431f653 lint: move removed middlewares list to a variable
  • b4eb1f5 deps: qs@6.5.2
  • b8fb6a7 deps: body-parser@1.18.3
  • 4480fb9 deps: proxy-addr@~2.0.4
  • 5de1a08 build: supertest@2.0.0
  • 5e9de5d deps: safe-buffer@5.1.2
  • 3d10279 Fix issue where "Request aborted" may be logged in res.sendfile
  • 09d5654 build: restructure CI build steps
  • f07f368 build: mocha@5.2.0
  • 451ee5d build: supertest@3.3.0
  • 62a59b6 build: update example dependencies
  • dc538f6 4.16.4
  • d0421ac tests: use supertest to perform assertions
  • a6b119d build: coveralls@2.12.0
  • 6295b45 build: test against Node.js 11.x nightly
  • 003459b build: support Node.js 9.x
  • 44e539e build: support Node.js 10.x
  • 6bcdfef Improve error message for non-strings to res.sendFile
  • 8da5110 Improve error message for null/undefined to res.status
  • b93ffd4 Support multiple hosts in X-Forwarded-Host
  • 95c31f7 docs: fix typo in contributing
  • 0ae10bb docs: fix typos in history
  • 02f3933 examples: minor fixes to some examples
  • 186a206 docs: add listening address to example
  • 6f12eee docs: fix typo in jsdoc comment
  • b9b1b19 tests: fix typos in descriptions
  • 6eda52a docs: use const in readme example
  • 8a97346 tests: assert calls order in middleware basic tests
  • 9e5d1a3 build: test against Node.js 12.x nightly
  • cf5c813 build: hbs@4.0.4
  • 4218d04 build: marked@0.6.2
  • 952484f deps: content-disposition@0.5.3
  • 50eb5e4 deps: proxy-addr@~2.0.5
  • 0334120 deps: parseurl@~1.3.3
  • b02d3a1 docs: add link to contributing guide
  • 7eacdce deps: setprototypeof@1.1.1
  • 9afa1cf deps: statuses@~1.5.0
  • 40dbfa2 deps: accepts@~1.3.7
  • 6d9dd2d deps: type-is@~1.6.18
  • 32f5293 deps: qs@6.7.0
  • 2f782d8 deps: body-parser@1.19.0
  • 955f2a5 tests: add express.json test suite
  • 8b71f39 tests: add express.urlencoded test suite
  • 6f7a830 tests: add express.static test suite
  • 70a1947 deps: send@0.17.0
  • 60aacac deps: serve-static@1.14.0
  • 0bcdd88 Add express.raw to parse bodies into Buffer
  • 11192bd tests: add express.raw test suite
  • 7f4e37f Add express.text to parse bodies into string
  • bb5211f tests: add express.text test suite
  • 7b076bd build: Node.js@6.17
  • e917028 build: Node.js@8.16
  • c754c8a build: support Node.js 11.x
  • bc07a41 deps: finalhandler@~1.1.2
  • 8267c4b deps: send@0.17.1
  • 88f9733 deps: serve-static@1.14.1
  • da6f701 deps: range-parser@~1.2.1
  • e502dde build: Node.js@10.15
  • 5266f3a build: test against Node.js 13.x nightly
  • b9ecb9a build: support Node.js 12.x
  • efcb17d deps: cookie@0.4.0
  • 94e48a1 build: update example dependencies
  • b8e5056 tests: ignore unreachable line
  • 9dadca2 docs: remove Gratipay links
  • 10c7756 4.17.0
  • eed05a1 build: Node.js@12.3
  • 0a48e18 Revert "Improve error message for null/undefined to res.status"
  • e1b45eb 4.17.1

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
