Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Upgrade express from 4.13.4 to 4.17.2 #2

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Upgrade express from 4.13.4 to 4.17.2 #2

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link

@snyk-bot snyk-bot commented Mar 3, 2022

Snyk has created this PR to upgrade express from 4.13.4 to 4.17.2.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 16 versions ahead of your current version.
  • The recommended version was released 2 months ago, on 2021-12-17.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Prototype Override Protection Bypass
npm:qs:20170213		 589/1000
Why? Has a fix available, CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
npm:negotiator:20160616		 589/1000
Why? Has a fix available, CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
npm:fresh:20170908		 589/1000
Why? Has a fix available, CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
npm:ms:20170412		 589/1000
Why? Has a fix available, CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
npm:mime:20170907		 589/1000
Why? Has a fix available, CVSS 7.5		 No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: express
  • 4.17.2 - 2021-12-17
    • Fix handling of undefined in res.jsonp
    • Fix handling of undefined when "json escape" is enabled
    • Fix incorrect middleware execution with unanchored RegExps
    • Fix res.jsonp(obj, status) deprecation message
    • Fix typo in res.is JSDoc
    • deps: body-parser@1.19.1
      • deps: bytes@3.1.1
      • deps: http-errors@1.8.1
      • deps: qs@6.9.6
      • deps: raw-body@2.4.2
      • deps: safe-buffer@5.2.1
      • deps: type-is@~1.6.18
    • deps: content-disposition@0.5.4
      • deps: safe-buffer@5.2.1
    • deps: cookie@0.4.1
      • Fix maxAge option to reject invalid values
    • deps: proxy-addr@~2.0.7
      • Use req.socket over deprecated req.connection
      • deps: forwarded@0.2.0
      • deps: ipaddr.js@1.9.1
    • deps: qs@6.9.6
    • deps: safe-buffer@5.2.1
    • deps: send@0.17.2
      • deps: http-errors@1.8.1
      • deps: ms@2.1.3
      • pref: ignore empty http tokens
    • deps: serve-static@1.14.2
      • deps: send@0.17.2
    • deps: setprototypeof@1.2.0
  • 4.17.1 - 2019-05-26
    • Revert "Improve error message for null/undefined to res.status"
  • 4.17.0 - 2019-05-17
    • Add express.raw to parse bodies into Buffer
    • Add express.text to parse bodies into string
    • Improve error message for non-strings to res.sendFile
    • Improve error message for null/undefined to res.status
    • Support multiple hosts in X-Forwarded-Host
    • deps: accepts@~1.3.7
    • deps: body-parser@1.19.0
      • Add encoding MIK
      • Add petabyte (pb) support
      • Fix parsing array brackets after index
      • deps: bytes@3.1.0
      • deps: http-errors@1.7.2
      • deps: iconv-lite@0.4.24
      • deps: qs@6.7.0
      • deps: raw-body@2.4.0
      • deps: type-is@~1.6.17
    • deps: content-disposition@0.5.3
    • deps: cookie@0.4.0
      • Add SameSite=None support
    • deps: finalhandler@~1.1.2
      • Set stricter Content-Security-Policy header
      • deps: parseurl@~1.3.3
      • deps: statuses@~1.5.0
    • deps: parseurl@~1.3.3
    • deps: proxy-addr@~2.0.5
      • deps: ipaddr.js@1.9.0
    • deps: qs@6.7.0
      • Fix parsing array brackets after index
    • deps: range-parser@~1.2.1
    • deps: send@0.17.1
      • Set stricter CSP header in redirect & error responses
      • deps: http-errors@~1.7.2
      • deps: mime@1.6.0
      • deps: ms@2.1.1
      • deps: range-parser@~1.2.1
      • deps: statuses@~1.5.0
      • perf: remove redundant path.normalize call
    • deps: serve-static@1.14.1
      • Set stricter CSP header in redirect response
      • deps: parseurl@~1.3.3
      • deps: send@0.17.1
    • deps: setprototypeof@1.1.1
    • deps: statuses@~1.5.0
      • Add 103 Early Hints
    • deps: type-is@~1.6.18
      • deps: mime-types@~2.1.24
      • perf: prevent internal throw on invalid type
  • 4.16.4 - 2018-10-11
    • Fix issue where "Request aborted" may be logged in res.sendfile
    • Fix JSDoc for Router constructor
    • deps: body-parser@1.18.3
      • Fix deprecation warnings on Node.js 10+
      • Fix stack trace for strict json parse error
      • deps: depd@~1.1.2
      • deps: http-errors@~1.6.3
      • deps: iconv-lite@0.4.23
      • deps: qs@6.5.2
      • deps: raw-body@2.3.3
      • deps: type-is@~1.6.16
    • deps: proxy-addr@~2.0.4
      • deps: ipaddr.js@1.8.0
    • deps: qs@6.5.2
    • deps: safe-buffer@5.1.2
  • 4.16.3 - 2018-03-12
    • deps: accepts@~1.3.5
      • deps: mime-types@~2.1.18
    • deps: depd@~1.1.2
      • perf: remove argument reassignment
    • deps: encodeurl@~1.0.2
      • Fix encoding % as last character
    • deps: finalhandler@1.1.1
      • Fix 404 output for bad / missing pathnames
      • deps: encodeurl@~1.0.2
      • deps: statuses@~1.4.0
    • deps: proxy-addr@~2.0.3
      • deps: ipaddr.js@1.6.0
    • deps: send@0.16.2
      • Fix incorrect end tag in default error & redirects
      • deps: depd@~1.1.2
      • deps: encodeurl@~1.0.2
      • deps: statuses@~1.4.0
    • deps: serve-static@1.13.2
      • Fix incorrect end tag in redirects
      • deps: encodeurl@~1.0.2
      • deps: send@0.16.2
    • deps: statuses@~1.4.0
    • deps: type-is@~1.6.16
      • deps: mime-types@~2.1.18
  • 4.16.2 - 2017-10-10
    • Fix TypeError in res.send when given Buffer and ETag header set
    • perf: skip parsing of entire X-Forwarded-Proto header
  • 4.16.1 - 2017-09-29
    • deps: send@0.16.1
    • deps: serve-static@1.13.1
      • Fix regression when root is incorrectly set to a file
      • deps: send@0.16.1
  • 4.16.0 - 2017-09-28
    • Add "json escape" setting for res.json and res.jsonp
    • Add express.json and express.urlencoded to parse bodies
    • Add options argument to res.download
    • Improve error message when autoloading invalid view engine
    • Improve error messages when non-function provided as middleware
    • Skip Buffer encoding when not generating ETag for small response
    • Use safe-buffer for improved Buffer API
    • deps: accepts@~1.3.4
      • deps: mime-types@~2.1.16
    • deps: content-type@~1.0.4
      • perf: remove argument reassignment
      • perf: skip parameter parsing when no parameters
    • deps: etag@~1.8.1
      • perf: replace regular expression with substring
    • deps: finalhandler@1.1.0
      • Use res.headersSent when available
    • deps: parseurl@~1.3.2
      • perf: reduce overhead for full URLs
      • perf: unroll the "fast-path" RegExp
    • deps: proxy-addr@~2.0.2
      • Fix trimming leading / trailing OWS in X-Forwarded-For
      • deps: forwarded@~0.1.2
      • deps: ipaddr.js@1.5.2
      • perf: reduce overhead when no X-Forwarded-For header
    • deps: qs@6.5.1
      • Fix parsing & compacting very deep objects
    • deps: send@0.16.0
      • Add 70 new types for file extensions
      • Add immutable option
      • Fix missing </html> in default error & redirects
      • Set charset as "UTF-8" for .js and .json
      • Use instance methods on steam to check for listeners
      • deps: mime@1.4.1
      • perf: improve path validation speed
    • deps: serve-static@1.13.0
      • Add 70 new types for file extensions
      • Add immutable option
      • Set charset as "UTF-8" for .js and .json
      • deps: send@0.16.0
    • deps: setprototypeof@1.1.0
    • deps: utils-merge@1.0.1
    • deps: vary@~1.1.2
      • perf: improve header token parsing speed
    • perf: re-use options object when generating ETags
    • perf: remove dead .charset set in res.jsonp
  • 4.15.5 - 2017-09-25
  • 4.15.4 - 2017-08-07
  • 4.15.3 - 2017-05-17
  • 4.15.2 - 2017-03-06
  • 4.15.1 - 2017-03-06
  • 4.15.0 - 2017-03-01
  • 4.14.1 - 2017-01-28
  • 4.14.0 - 2016-06-16
  • 4.13.4 - 2016-01-22
from express GitHub release notes
Commit messages
Package name: express
  • ea537d9 4.17.2
  • eee93a2 build: update example dependencies
  • b35773c build: eslint@7.32.0
  • c8a4200 build: mocha@9.1.3
  • 21cf522 examples: improve 404 message wording
  • a24f27a deps: serve-static@1.14.2
  • a33266a build: support Node.js 14.x
  • 6fe271e build: support Node.js 13.x
  • cbe25d6 deps: setprototypeof@1.2.0
  • 3bb6d96 examples: demonstrate sub directory download
  • 6660649 deps: qs@6.9.6
  • a75e470 docs: add note about security report location
  • db05a74 deps: send@0.17.2
  • c2e23ec deps: body-parser@1.19.1
  • 96850e8 deps: content-disposition@0.5.4
  • b8d59d5 deps: safe-buffer@5.2.1
  • 59d695c build: update example dependencies
  • e242796 tests: fix test in app.head
  • aaa9690 deps: proxy-addr@~2.0.7
  • f275e87 Fix handling of undefined when "json escape" is enabled
  • 9dd0e7a Fix handling of undefined in res.jsonp
  • 1b2f3a0 tests: fix up primitive tests for res.jsonp
  • 519126d deps: cookie@0.4.1
  • 99a369f Fix incorrect middleware execution with unanchored RegExps

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@snyk-bot