Update dependency express to v3.21.0 - autoclosed #4

uriel-mend-app · 2023-02-26T08:47:36Z

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	`3.0.0` -> `3.21.0`

Mend ensures you have the greatest risk reduction (highlighted in green) by removing as many vulnerabilities as possible. Click to see how we calculate risk reduction.

Version 3.21.0

Risk Change	Critical	High	Medium	Low
-50%	0 (--)	2 (-2 )	1 (-7 )	2 (+2)

Version 3.0.0

Risk Change	Critical	High	Medium	Low
N/A	0	4	8	0

Version 3.21.2

Risk Change	Critical	High	Medium	Low
-50%	0 (--)	2 (-2 )	1 (-7 )	2 (+2)

By merging this PR, the number of vulnerabilities in issue #16 will be resolved in part or in full.

Release Notes

expressjs/express

`v3.21.0`

Compare Source

===================

deps: [email protected]
- perf: enable strict mode
- perf: hoist regular expression
- perf: parse with regular expressions
- perf: remove argument reassignment
deps: [email protected]
- deps: body-parser@~1.13.1
- deps: [email protected]
- deps: compression@~1.5.0
- deps: [email protected]
- deps: cookie-parser@~1.3.5
- deps: csurf@~1.8.3
- deps: errorhandler@~1.4.0
- deps: express-session@~1.11.3
- deps: [email protected]
- deps: [email protected]
- deps: morgan@~1.6.0
- deps: serve-favicon@~2.3.0
- deps: serve-index@~1.7.0
- deps: serve-static@~1.10.0
- deps: type-is@~1.6.3
deps: [email protected]
- perf: deduce the scope of try-catch deopt
- perf: remove argument reassignments
deps: [email protected]
deps: etag@~1.7.0
- Always include entity length in ETags for hash length extensions
- Generate non-Stats ETags using MD5 only (no longer CRC32)
- Improve stat performance by removing hashing
- Improve support for JXcore
- Remove base64 padding in ETags to shorten
- Support "fake" stats objects in environments without fs
- Use MD5 instead of MD4 in weak ETags over 1KB
deps: [email protected]
- Add weak ETag matching support
deps: [email protected]
- Work in global strict mode
deps: [email protected]
- Allow Node.js HTTP server to set Date response header
- Fix incorrectly removing Content-Location on 304 response
- Improve the default redirect response headers
- Send appropriate headers on default error response
- Use http-errors for standard emitted errors
- Use statuses instead of http module for status messages
- deps: [email protected]
- deps: etag@~1.7.0
- deps: [email protected]
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove unnecessary array allocations

`v3.20.3`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.12.4
- deps: compression@~1.4.4
- deps: connect-timeout@~1.6.2
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: errorhandler@~1.3.6
- deps: [email protected]
- deps: method-override@~2.3.3
- deps: morgan@~1.5.3
- deps: [email protected]
- deps: response-time@~2.3.1
- deps: serve-favicon@~2.2.1
- deps: serve-index@~1.6.4
- deps: serve-static@~1.9.3
- deps: type-is@~1.6.2
deps: debug@~2.2.0
- deps: [email protected]
deps: depd@~1.0.1
deps: proxy-addr@~1.0.8
- deps: [email protected]
deps: [email protected]
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: etag@~1.6.0
- deps: [email protected]
- deps: on-finished@~2.2.1

`v3.20.2`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.12.2
- deps: compression@~1.4.3
- deps: connect-timeout@~1.6.1
- deps: debug@~2.1.3
- deps: errorhandler@~1.3.5
- deps: express-session@~1.10.4
- deps: [email protected]
- deps: method-override@~2.3.2
- deps: morgan@~1.5.2
- deps: [email protected]
- deps: serve-index@~1.6.3
- deps: serve-static@~1.9.2
- deps: type-is@~1.6.1
deps: debug@~2.1.3
- Fix high intensity foreground color for bold
- deps: [email protected]
deps: [email protected]
deps: proxy-addr@~1.0.7
- deps: [email protected]
deps: [email protected]
- Throw errors early for invalid extensions or index options
- deps: debug@~2.1.3

`v3.20.1`

Compare Source

===================

Fix req.host when using "trust proxy" hops count
Fix req.protocol/req.secure when using "trust proxy" hops count

`v3.20.0`

Compare Source

===================

Fix "trust proxy" setting to inherit when app is mounted
Generate ETags for all request responses
- No longer restricted to only responses for GET and HEAD requests
Use content-type to parse Content-Type headers
deps: [email protected]
- Use content-type to parse Content-Type headers
- deps: body-parser@~1.12.0
- deps: compression@~1.4.1
- deps: connect-timeout@~1.6.0
- deps: cookie-parser@~1.3.4
- deps: [email protected]
- deps: csurf@~1.7.0
- deps: errorhandler@~1.3.4
- deps: express-session@~1.10.3
- deps: http-errors@~1.3.1
- deps: response-time@~2.3.0
- deps: serve-index@~1.6.2
- deps: serve-static@~1.9.1
- deps: type-is@~1.6.0
deps: [email protected]
deps: [email protected]
- Always read the stat size from the file
- Fix mutating passed-in options
- deps: [email protected]

`v3.19.2`

Compare Source

===================

deps: [email protected]
- deps: compression@~1.3.1
- deps: csurf@~1.6.6
- deps: errorhandler@~1.3.3
- deps: express-session@~1.10.2
- deps: serve-index@~1.6.1
- deps: type-is@~1.5.6
deps: proxy-addr@~1.0.6
- deps: [email protected]

`v3.19.1`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.10.2
- deps: serve-static@~1.8.1
deps: [email protected]
- Fix root path disclosure

`v3.19.0`

Compare Source

===================

Fix OPTIONS responses to include the HEAD method property
Use readline for prompt in express(1)
deps: [email protected]
deps: [email protected]
- deps: body-parser@~1.10.1
- deps: compression@~1.3.0
- deps: connect-timeout@~1.5.0
- deps: csurf@~1.6.4
- deps: debug@~2.1.1
- deps: errorhandler@~1.3.2
- deps: express-session@~1.10.1
- deps: [email protected]
- deps: method-override@~2.3.1
- deps: morgan@~1.5.1
- deps: serve-favicon@~2.2.0
- deps: serve-index@~1.6.0
- deps: serve-static@~1.8.0
- deps: type-is@~1.5.5
deps: debug@~2.1.1
deps: methods@~1.1.1
deps: proxy-addr@~1.0.5
- deps: [email protected]
deps: [email protected]
- deps: debug@~2.1.1
- deps: etag@~1.5.1
- deps: [email protected]
- deps: on-finished@~2.2.0

`v3.18.6`

Compare Source

===================

Fix exception in req.fresh/req.stale without response headers

`v3.18.5`

Compare Source

===================

deps: [email protected]
- deps: compression@~1.2.2
- deps: express-session@~1.9.3
- deps: http-errors@~1.2.8
- deps: serve-index@~1.5.3
- deps: type-is@~1.5.4

`v3.18.4`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.9.3
- deps: compression@~1.2.1
- deps: errorhandler@~1.2.3
- deps: express-session@~1.9.2
- deps: [email protected]
- deps: serve-favicon@~2.1.7
- deps: serve-static@~1.5.1
- deps: type-is@~1.5.3
deps: etag@~1.5.1
deps: proxy-addr@~1.0.4
- deps: [email protected]

`v3.18.3`

Compare Source

===================

deps: [email protected]
- Correctly invoke async callback asynchronously
- deps: csurf@~1.6.3

`v3.18.2`

Compare Source

===================

deps: [email protected]
- Fix handling of URLs containing :// in the path
- deps: body-parser@~1.9.2
- deps: [email protected]

`v3.18.1`

Compare Source

===================

Fix internal utils.merge deprecation warnings
deps: [email protected]
- deps: body-parser@~1.9.1
- deps: express-session@~1.9.1
- deps: [email protected]
- deps: morgan@~1.4.1
- deps: [email protected]
- deps: serve-static@~1.7.1
deps: [email protected]
- deps: on-finished@~2.1.1

`v3.18.0`

Compare Source

===================

Use content-disposition module for res.attachment/res.download
- Sends standards-compliant Content-Disposition header
- Full Unicode support
Use etag module to generate ETag headers
deps: [email protected]
- Use http-errors module for creating errors
- Use utils-merge module for merging objects
- deps: body-parser@~1.9.0
- deps: compression@~1.2.0
- deps: connect-timeout@~1.4.0
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: express-session@~1.9.0
- deps: [email protected]
- deps: method-override@~2.3.0
- deps: morgan@~1.4.0
- deps: response-time@~2.2.0
- deps: serve-favicon@~2.1.6
- deps: serve-index@~1.5.0
- deps: serve-static@~1.7.0
deps: debug@~2.1.0
- Implement DEBUG_FD env variable support
deps: depd@~1.0.0
deps: [email protected]
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: etag@~1.5.0

`v3.17.8`

Compare Source

===================

deps: [email protected]
- deps: compression@~1.1.2
- deps: csurf@~1.6.2
- deps: errorhandler@~1.2.2

`v3.17.7`

Compare Source

===================

deps: [email protected]
- Fix accepting non-object arguments to logger
- deps: serve-static@~1.6.4

`v3.17.6`

Compare Source

===================

deps: [email protected]
- deps: morgan@~1.3.2
- deps: type-is@~1.5.2

`v3.17.5`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.8.4
- deps: serve-favicon@~2.1.5
- deps: serve-static@~1.6.3
deps: proxy-addr@~1.0.3
- Use forwarded npm module
deps: [email protected]
- deps: etag@~1.4.0

`v3.17.4`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.8.3
- deps: [email protected]

`v3.17.3`

Compare Source

===================

deps: proxy-addr@~1.0.2
- Fix a global leak when multiple subnets are trusted
- deps: [email protected]

`v3.17.2`

Compare Source

===================

Use crc instead of buffer-crc32 for speed
deps: [email protected]
- deps: body-parser@~1.8.2
- deps: [email protected]
- deps: express-session@~1.8.2
- deps: morgan@~1.3.1
- deps: serve-favicon@~2.1.3
- deps: serve-static@~1.6.2
deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: etag@~1.3.1
- deps: range-parser@~1.0.2

`v3.17.1`

Compare Source

===================

Fix error in req.subdomains on empty host

`v3.17.0`

Compare Source

===================

Support X-Forwarded-Host in req.subdomains
Support IP address host in req.subdomains
deps: [email protected]
- deps: body-parser@~1.8.1
- deps: compression@~1.1.0
- deps: connect-timeout@~1.3.0
- deps: cookie-parser@~1.3.3
- deps: [email protected]
- deps: csurf@~1.6.1
- deps: debug@~2.0.0
- deps: errorhandler@~1.2.0
- deps: express-session@~1.8.1
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: method-override@~2.2.0
- deps: morgan@~1.3.0
- deps: [email protected]
- deps: serve-favicon@~2.1.3
- deps: serve-index@~1.2.1
- deps: serve-static@~1.6.1
- deps: type-is@~1.5.1
- deps: vhost@~3.0.0
deps: [email protected]
deps: debug@~2.0.0
deps: [email protected]
deps: [email protected]
- Throw error when parameter format invalid on parse
deps: range-parser@~1.0.2
deps: [email protected]
- Add lastModified option
- Use etag to generate ETag header
- deps: debug@~2.0.0
- deps: [email protected]
deps: vary@~1.0.0
- Accept valid Vary header string as field

`v3.16.10`

Compare Source

====================

deps: [email protected]
- deps: serve-static@~1.5.4
deps: [email protected]
- Fix a path traversal issue when using root
- Fix malicious path detection for empty string path

`v3.16.9`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.6.7
- deps: [email protected]

`v3.16.8`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.6.6
- deps: csurf@~1.4.1
- deps: [email protected]

`v3.16.7`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.6.5
- deps: express-session@~1.7.6
- deps: morgan@~1.2.3
- deps: serve-static@~1.5.3
deps: [email protected]
- deps: [email protected]
- deps: [email protected]

`v3.16.6`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.6.4
- deps: [email protected]
- deps: serve-static@~1.5.2
deps: [email protected]
- Work around fd leak in Node.js 0.10 for fs.ReadStream

`v3.16.5`

Compare Source

===================

deps: [email protected]
- Fix backwards compatibility in logger

`v3.16.4`

Compare Source

===================

Fix original URL parsing in res.location
deps: [email protected]
- Fix query middleware breaking with argument
- deps: body-parser@~1.6.3
- deps: compression@~1.0.11
- deps: connect-timeout@~1.2.2
- deps: express-session@~1.7.5
- deps: method-override@~2.1.3
- deps: on-headers@~1.0.0
- deps: parseurl@~1.3.0
- deps: [email protected]
- deps: response-time@~2.0.1
- deps: serve-index@~1.1.6
- deps: serve-static@~1.5.1
deps: parseurl@~1.3.0

`v3.16.3`

Compare Source

===================

deps: [email protected]
- deps: [email protected]

`v3.16.2`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.6.2
- deps: [email protected]

`v3.16.1`

Compare Source

====================

deps: [email protected]
- deps: serve-static@~1.5.4
deps: [email protected]
- Fix a path traversal issue when using root
- Fix malicious path detection for empty string path

`v3.16.0`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.6.0
- deps: compression@~1.0.10
- deps: csurf@~1.4.0
- deps: express-session@~1.7.4
- deps: [email protected]
- deps: serve-static@~1.5.0
deps: [email protected]
- Add extensions option

`v3.15.3`

Compare Source

===================

fix res.sendfile regression for serving directory index files
deps: [email protected]
- deps: serve-index@~1.1.5
- deps: serve-static@~1.4.4
deps: [email protected]
- Fix incorrect 403 on Windows and Node.js 0.11
- Fix serving index files without root dir

`v3.15.2`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.5.2
- deps: [email protected]
- deps: express-session@~1.7.2
- deps: morgan@~1.2.2
- deps: serve-static@~1.4.2
deps: [email protected]
- Work-around v8 generating empty stack traces
deps: [email protected]
- deps: [email protected]

`v3.15.1`

Compare Source

===================

deps: [email protected]
- deps: body-parser@~1.5.1
- deps: [email protected]
- deps: express-session@~1.7.1
- deps: morgan@~1.2.1
- deps: serve-index@~1.1.4
- deps: serve-static@~1.4.1
deps: [email protected]
- Fix exception when global Error.stackTraceLimit is too low
deps: [email protected]
- deps: [email protected]

`v3.15.0`

Compare Source

===================

Fix req.protocol for proxy-direct connections
Pass options from res.sendfile to send
deps: [email protected]
- deps: body-parser@~1.5.0
- deps: compression@~1.0.9
- deps: connect-timeout@~1.2.1
- deps: [email protected]
- deps: [email protected]
- deps: express-session@~1.7.0
- deps: [email protected]
- deps: method-override@~2.1.2
- deps: morgan@~1.2.0
- deps: [email protected]
- deps: parseurl@~1.2.0
- deps: serve-static@~1.4.0
deps: [email protected]
deps: [email protected]
- Add TRACE_DEPRECATION environment variable
- Remove non-standard grey color from color output
- Support --no-deprecation argument
- Support --trace-deprecation argument
deps: parseurl@~1.2.0
- Cache URLs based on original value
- Remove no-longer-needed URL mis-parse work-around
- Simplify the "fast-path" RegExp
deps: [email protected]
- Add dotfiles option
- Cap maxAge value to 1 year
- deps: [email protected]
- deps: [email protected]

`v3.14.0`

Compare Source

===================

add explicit "Rosetta Flash JSONP abuse" protection
- previous versions are not vulnerable; this is just explicit protection
deprecate res.redirect(url, status) -- use res.redirect(status, url) instead
fix res.send(status, num) to send num as json (not error)
remove unnecessary escaping when res.jsonp returns JSON response
deps: [email protected]
- support empty password
- support empty username
deps: [email protected]
- deps: [email protected]
- deps: express-session@~1.6.4
- deps: method-override@~2.1.0
- deps: parseurl@~1.1.3
- deps: serve-static@~1.3.1
deps: [email protected]
- Add support for multiple wildcards in namespaces
deps: [email protected]
- add CONNECT
deps: parseurl@~1.1.3
- faster parsing of href-only URLs

`v3.13.0`

Compare Source

===================

add deprecation message to app.configure
add deprecation message to req.auth
use basic-auth to parse Authorization header
deps: [email protected]
- deps: csurf@~1.3.0
- deps: express-session@~1.6.1
- deps: [email protected]
- deps: serve-static@~1.3.0
deps: [email protected]
- Accept string for maxage (converted by ms)
- Include link in default redirect response

==================

add OPTIONS to cors example. Closes #1398
fix route chaining regression. Closes #1397

`v3.0.1`

==================

update connect

If you want to rebase/retry this PR, click this checkbox.

uriel-mend-app bot added the security fix Security fix generated by Mend label Feb 26, 2023

uriel-mend-app bot force-pushed the whitesource-remediate/express-3.x branch from eea044e to 7e7b4fb Compare February 26, 2023 08:50

uriel-mend-app bot changed the title ~~Update dependency express to v3.12.1~~ Update dependency express to v3.21.0 Feb 26, 2023

uriel-mend-app bot changed the title ~~Update dependency express to v3.21.0~~ Update dependency express to v3.21.0 - autoclosed Feb 26, 2023

uriel-mend-app bot closed this Feb 26, 2023

uriel-mend-app bot deleted the whitesource-remediate/express-3.x branch February 26, 2023 16:08

uriel-mend-app bot changed the title ~~Update dependency express to v3.21.0 - autoclosed~~ Update dependency express to v3.21.0 Feb 28, 2023

uriel-mend-app bot restored the whitesource-remediate/express-3.x branch February 28, 2023 11:08

uriel-mend-app bot reopened this Feb 28, 2023

uriel-mend-app bot changed the title ~~Update dependency express to v3.21.0~~ Update dependency express to v3.21.0 - autoclosed Feb 28, 2023

uriel-mend-app bot closed this Feb 28, 2023

uriel-mend-app bot deleted the whitesource-remediate/express-3.x branch February 28, 2023 12:05

uriel-mend-app bot restored the whitesource-remediate/express-3.x branch February 28, 2023 12:44

uriel-mend-app bot deleted the whitesource-remediate/express-3.x branch February 28, 2023 12:51

uriel-mend-app bot changed the title ~~Update dependency express to v3.21.0 - autoclosed~~ Update dependency express to v3.21.0 Feb 28, 2023

uriel-mend-app bot restored the whitesource-remediate/express-3.x branch February 28, 2023 13:10

uriel-mend-app bot reopened this Feb 28, 2023

uriel-mend-app bot force-pushed the whitesource-remediate/express-3.x branch from 7e7b4fb to b702be0 Compare February 28, 2023 13:20

uriel-mend-app bot changed the title ~~Update dependency express to v3.21.0~~ Update dependency express to v3.21.0 - autoclosed Feb 28, 2023

uriel-mend-app bot closed this Feb 28, 2023

uriel-mend-app bot deleted the whitesource-remediate/express-3.x branch February 28, 2023 14:10

uriel-mend-app bot changed the title ~~Update dependency express to v3.21.0 - autoclosed~~ Update dependency express to v3.21.0 Feb 28, 2023

uriel-mend-app bot restored the whitesource-remediate/express-3.x branch February 28, 2023 14:28

uriel-mend-app bot reopened this Feb 28, 2023

uriel-mend-app bot force-pushed the whitesource-remediate/express-3.x branch from b702be0 to 37103c8 Compare February 28, 2023 14:31

uriel-mend-app bot changed the title ~~Update dependency express to v3.21.0~~ Update dependency express to v3.19.1 Feb 28, 2023

Update dependency express to v3.21.0

53e8297

uriel-mend-app bot force-pushed the whitesource-remediate/express-3.x branch from 37103c8 to 53e8297 Compare February 28, 2023 14:48

uriel-mend-app bot changed the title ~~Update dependency express to v3.19.1~~ Update dependency express to v3.21.0 Feb 28, 2023

uriel-mend-app bot changed the title ~~Update dependency express to v3.21.0~~ Update dependency express to v3.21.0 - autoclosed Mar 2, 2023

uriel-mend-app bot closed this Mar 2, 2023

uriel-mend-app bot deleted the whitesource-remediate/express-3.x branch March 2, 2023 07:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency express to v3.21.0 - autoclosed #4

Update dependency express to v3.21.0 - autoclosed #4

uriel-mend-app bot commented Feb 26, 2023 •

edited

Loading

Update dependency express to v3.21.0 - autoclosed #4

Update dependency express to v3.21.0 - autoclosed #4

Conversation

uriel-mend-app bot commented Feb 26, 2023 • edited Loading

Release Notes

uriel-mend-app bot commented Feb 26, 2023 •

edited

Loading