Update dependency express to ~4.15.5 #3

mend-for-github-com · 2022-12-04T13:30:13Z

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	`~4.10.1` -> `~4.15.5`

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity	CVSS Score	CVE
High	7.5	CVE-2017-16119

Release Notes

expressjs/express

`v4.15.5`

Compare Source

===================

deps: debug@2.6.9
deps: finalhandler@~1.0.6
- deps: debug@2.6.9
- deps: parseurl@~1.3.2
deps: fresh@0.5.2
- Fix handling of modified headers with invalid dates
- perf: improve ETag match loop
- perf: improve If-None-Match token parsing
deps: send@0.15.6
- Fix handling of modified headers with invalid dates
- deps: debug@2.6.9
- deps: etag@~1.8.1
- deps: fresh@0.5.2
- perf: improve If-Match token parsing
deps: serve-static@1.12.6
- deps: parseurl@~1.3.2
- deps: send@0.15.6
- perf: improve slash collapsing

`v4.15.4`

Compare Source

===================

deps: debug@2.6.8
deps: depd@~1.1.1
- Remove unnecessary Buffer loading
deps: finalhandler@~1.0.4
- deps: debug@2.6.8
deps: proxy-addr@~1.1.5
- Fix array argument being altered
- deps: ipaddr.js@1.4.0
deps: qs@6.5.0
deps: send@0.15.4
- deps: debug@2.6.8
- deps: depd@~1.1.1
- deps: http-errors@~1.6.2
deps: serve-static@1.12.4
- deps: send@0.15.4

`v4.15.3`

Compare Source

===================

Fix error when res.set cannot add charset to Content-Type
deps: debug@2.6.7
- Fix DEBUG_MAX_ARRAY_LENGTH
- deps: ms@2.0.0
deps: finalhandler@~1.0.3
- Fix missing </html> in HTML document
- deps: debug@2.6.7
deps: proxy-addr@~1.1.4
- deps: ipaddr.js@1.3.0
deps: send@0.15.3
- deps: debug@2.6.7
- deps: ms@2.0.0
deps: serve-static@1.12.3
- deps: send@0.15.3
deps: type-is@~1.6.15
- deps: mime-types@~2.1.15
deps: vary@~1.1.1
- perf: hoist regular expression

`v4.15.2`

Compare Source

===================

deps: qs@6.4.0
- Fix regression parsing keys starting with [

`v4.15.1`

Compare Source

===================

deps: send@0.15.1
- Fix issue when Date.parse does not return NaN on invalid date
- Fix strict violation in broken environments
deps: serve-static@1.12.1
- Fix issue when Date.parse does not return NaN on invalid date
- deps: send@0.15.1

`v4.15.0`

Compare Source

===================

Add debug message when loading view engine
Add next("router") to exit from router
Fix case where router.use skipped requests routes did not
Remove usage of res._headers private field
- Improves compatibility with Node.js 8 nightly
Skip routing when req.url is not set
Use %o in path debug to tell types apart
Use Object.create to setup request & response prototypes
Use setprototypeof module to replace __proto__ setting
Use statuses instead of http module for status messages
deps: debug@2.6.1
- Allow colors in workers
- Deprecated DEBUG_FD environment variable set to 3 or higher
- Fix error when running under React Native
- Use same color for same namespace
- deps: ms@0.7.2
deps: etag@~1.8.0
- Use SHA1 instead of MD5 for ETag hashing
- Works with FIPS 140-2 OpenSSL configuration
deps: finalhandler@~1.0.0
- Fix exception when err cannot be converted to a string
- Fully URL-encode the pathname in the 404
- Only include the pathname in the 404 message
- Send complete HTML document
- Set Content-Security-Policy: default-src 'self' header
- deps: debug@2.6.1
deps: fresh@0.5.0
- Fix false detection of no-cache request directive
- Fix incorrect result when If-None-Match has both * and ETags
- Fix weak ETag matching to match spec
- perf: delay reading header values until needed
- perf: enable strict mode
- perf: hoist regular expressions
- perf: remove duplicate conditional
- perf: remove unnecessary boolean coercions
- perf: skip checking modified time if ETag check failed
- perf: skip parsing If-None-Match when no ETag header
- perf: use Date.parse instead of new Date
deps: qs@6.3.1
- Fix array parsing from skipping empty values
- Fix compacting nested arrays
deps: send@0.15.0
- Fix false detection of no-cache request directive
- Fix incorrect result when If-None-Match has both * and ETags
- Fix weak ETag matching to match spec
- Remove usage of res._headers private field
- Support If-Match and If-Unmodified-Since headers
- Use res.getHeaderNames() when available
- Use res.headersSent when available
- deps: debug@2.6.1
- deps: etag@~1.8.0
- deps: fresh@0.5.0
- deps: http-errors@~1.6.1
deps: serve-static@1.12.0
- Fix false detection of no-cache request directive
- Fix incorrect result when If-None-Match has both * and ETags
- Fix weak ETag matching to match spec
- Remove usage of res._headers private field
- Send complete HTML document in redirect response
- Set default CSP header in redirect response
- Support If-Match and If-Unmodified-Since headers
- Use res.getHeaderNames() when available
- Use res.headersSent when available
- deps: send@0.15.0
perf: add fast match path for * route
perf: improve req.ips performance

`v4.14.1`

Compare Source

===================

deps: content-disposition@0.5.2
deps: finalhandler@0.5.1
- Fix exception when err.headers is not an object
- deps: statuses@~1.3.1
- perf: hoist regular expressions
- perf: remove duplicate validation path
deps: proxy-addr@~1.1.3
- deps: ipaddr.js@1.2.0
deps: send@0.14.2
- deps: http-errors@~1.5.1
- deps: ms@0.7.2
- deps: statuses@~1.3.1
deps: serve-static@~1.11.2
- deps: send@0.14.2
deps: type-is@~1.6.14
- deps: mime-types@~2.1.13

`v4.14.0`

Compare Source

===================

Add acceptRanges option to res.sendFile/res.sendfile
Add cacheControl option to res.sendFile/res.sendfile
Add options argument to req.range
- Includes the combine option
Encode URL in res.location/res.redirect if not already encoded
Fix some redirect handling in res.sendFile/res.sendfile
Fix Windows absolute path check using forward slashes
Improve error with invalid arguments to req.get()
Improve performance for res.json/res.jsonp in most cases
Improve Range header handling in res.sendFile/res.sendfile
deps: accepts@~1.3.3
- Fix including type extensions in parameters in Accept parsing
- Fix parsing Accept parameters with quoted equals
- Fix parsing Accept parameters with quoted semicolons
- Many performance improvements
- deps: mime-types@~2.1.11
- deps: negotiator@0.6.1
deps: content-type@~1.0.2
- perf: enable strict mode
deps: cookie@0.3.1
- Add sameSite option
- Fix cookie Max-Age to never be a floating point number
- Improve error message when encode is not a function
- Improve error message when expires is not a Date
- Throw better error for invalid argument to parse
- Throw on invalid values provided to serialize
- perf: enable strict mode
- perf: hoist regular expression
- perf: use for loop in parse
- perf: use string concatenation for serialization
deps: finalhandler@0.5.0
- Change invalid or non-numeric status code to 500
- Overwrite status message to match set status code
- Prefer err.statusCode if err.status is invalid
- Set response headers from err.headers object
- Use statuses instead of http module for status messages
deps: proxy-addr@~1.1.2
- Fix accepting various invalid netmasks
- Fix IPv6-mapped IPv4 validation edge cases
- IPv4 netmasks must be contiguous
- IPv6 addresses cannot be used as a netmask
- deps: ipaddr.js@1.1.1
deps: qs@6.2.0
- Add decoder option in parse function
deps: range-parser@~1.2.0
- Add combine option to combine overlapping ranges
- Fix incorrectly returning -1 when there is at least one valid range
- perf: remove internal function
deps: send@0.14.1
- Add acceptRanges option
- Add cacheControl option
- Attempt to combine multiple ranges into single range
- Correctly inherit from Stream class
- Fix Content-Range header in 416 responses when using start/end options
- Fix Content-Range header missing from default 416 responses
- Fix redirect error when path contains raw non-URL characters
- Fix redirect when path starts with multiple forward slashes
- Ignore non-byte Range headers
- deps: http-errors@~1.5.0
- deps: range-parser@~1.2.0
- deps: statuses@~1.3.0
- perf: remove argument reassignment
deps: serve-static@~1.11.1
- Add acceptRanges option
- Add cacheControl option
- Attempt to combine multiple ranges into single range
- Fix redirect error when req.url contains raw non-URL characters
- Ignore non-byte Range headers
- Use status code 301 for redirects
- deps: send@0.14.1
deps: type-is@~1.6.13
- Fix type error when given invalid type to match against
- deps: mime-types@~2.1.11
deps: vary@~1.1.0
- Only accept valid field names in the field argument
perf: use strict equality when possible

`v4.13.4`

Compare Source

===================

deps: content-disposition@0.5.1
- perf: enable strict mode
deps: cookie@0.1.5
- Throw on invalid values provided to serialize
deps: depd@~1.1.0
- Support web browser loading
- perf: enable strict mode
deps: escape-html@~1.0.3
- perf: enable strict mode
- perf: optimize string replacement
- perf: use faster string coercion
deps: finalhandler@0.4.1
- deps: escape-html@~1.0.3
deps: merge-descriptors@1.0.1
- perf: enable strict mode
deps: methods@~1.1.2
- perf: enable strict mode
deps: parseurl@~1.3.1
- perf: enable strict mode
deps: proxy-addr@~1.0.10
- deps: ipaddr.js@1.0.5
- perf: enable strict mode
deps: range-parser@~1.0.3
- perf: enable strict mode
deps: send@0.13.1
- deps: depd@~1.1.0
- deps: destroy@~1.0.4
- deps: escape-html@~1.0.3
- deps: range-parser@~1.0.3
deps: serve-static@~1.10.2
- deps: escape-html@~1.0.3
- deps: parseurl@~1.3.0
- deps: send@0.13.1

`v4.13.3`

Compare Source

===================

Fix infinite loop condition using mergeParams: true
Fix inner numeric indices incorrectly altering parent req.params

`v4.13.2`

Compare Source

===================

deps: accepts@~1.2.12
- deps: mime-types@~2.1.4
deps: array-flatten@1.1.1
- perf: enable strict mode
deps: path-to-regexp@0.1.7
- Fix regression with escaped round brackets and matching groups
deps: type-is@~1.6.6
- deps: mime-types@~2.1.4

`v4.13.1`

Compare Source

===================

deps: accepts@~1.2.10
- deps: mime-types@~2.1.2
deps: qs@4.0.0
- Fix dropping parameters like hasOwnProperty
- Fix various parsing edge cases
deps: type-is@~1.6.4
- deps: mime-types@~2.1.2
- perf: enable strict mode
- perf: remove argument reassignment

`v4.13.0`

Compare Source

===================

Add settings to debug output
Fix res.format error when only default provided
Fix issue where next('route') in app.param would incorrectly skip values
Fix hiding platform issues with decodeURIComponent
- Only URIErrors are a 400
Fix using * before params in routes
Fix using capture groups before params in routes
Simplify res.cookie to call res.append
Use array-flatten module for flattening arrays
deps: accepts@~1.2.9
- deps: mime-types@~2.1.1
- perf: avoid argument reassignment & argument slice
- perf: avoid negotiator recursive construction
- perf: enable strict mode
- perf: remove unnecessary bitwise operator
deps: cookie@0.1.3
- perf: deduce the scope of try-catch deopt
- perf: remove argument reassignments
deps: escape-html@1.0.2
deps: etag@~1.7.0
- Always include entity length in ETags for hash length extensions
- Generate non-Stats ETags using MD5 only (no longer CRC32)
- Improve stat performance by removing hashing
- Improve support for JXcore
- Remove base64 padding in ETags to shorten
- Support "fake" stats objects in environments without fs
- Use MD5 instead of MD4 in weak ETags over 1KB
deps: finalhandler@0.4.0
- Fix a false-positive when unpiping in Node.js 0.8
- Support statusCode property on Error objects
- Use unpipe module for unpiping requests
- deps: escape-html@1.0.2
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove argument reassignment
deps: fresh@0.3.0
- Add weak ETag matching support
deps: on-finished@~2.3.0
- Add defined behavior for HTTP CONNECT requests
- Add defined behavior for HTTP Upgrade requests
- deps: ee-first@1.1.1
deps: path-to-regexp@0.1.6
deps: send@0.13.0
- Allow Node.js HTTP server to set Date response header
- Fix incorrectly removing Content-Location on 304 response
- Improve the default redirect response headers
- Send appropriate headers on default error response
- Use http-errors for standard emitted errors
- Use statuses instead of http module for status messages
- deps: escape-html@1.0.2
- deps: etag@~1.7.0
- deps: fresh@0.3.0
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove unnecessary array allocations
deps: serve-static@~1.10.0
- Add fallthrough option
- Fix reading options from options prototype
- Improve the default redirect response headers
- Malformed URLs now next() instead of 400
- deps: escape-html@1.0.2
- deps: send@0.13.0
- perf: enable strict mode
- perf: remove argument reassignment
deps: type-is@~1.6.3
- deps: mime-types@~2.1.1
- perf: reduce try block size
- perf: remove bitwise operations
perf: enable strict mode
perf: isolate app.render try block
perf: remove argument reassignments in application
perf: remove argument reassignments in request prototype
perf: remove argument reassignments in response prototype
perf: remove argument reassignments in routing
perf: remove argument reassignments in View
perf: skip attempting to decode zero length string
perf: use saved reference to http.STATUS_CODES

`v4.12.4`

Compare Source

===================

deps: accepts@~1.2.7
- deps: mime-types@~2.0.11
- deps: negotiator@0.5.3
deps: debug@~2.2.0
- deps: ms@0.7.1
deps: depd@~1.0.1
deps: etag@~1.6.0
- Improve support for JXcore
- Support "fake" stats objects in environments without fs
deps: finalhandler@0.3.6
- deps: debug@~2.2.0
- deps: on-finished@~2.2.1
deps: on-finished@~2.2.1
- Fix isFinished(req) when data buffered
deps: proxy-addr@~1.0.8
- deps: ipaddr.js@1.0.1
deps: qs@2.4.2

Fix allowing parameters like constructor

deps: send@0.12.3
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: etag@~1.6.0
- deps: ms@0.7.1
- deps: on-finished@~2.2.1
deps: serve-static@~1.9.3
- deps: send@0.12.3
deps: type-is@~1.6.2
- deps: mime-types@~2.0.11

`v4.12.3`

Compare Source

===================

deps: accepts@~1.2.5
- deps: mime-types@~2.0.10
deps: debug@~2.1.3
- Fix high intensity foreground color for bold
- deps: ms@0.7.0
deps: finalhandler@0.3.4
- deps: debug@~2.1.3
deps: proxy-addr@~1.0.7
- deps: ipaddr.js@0.1.9
deps: qs@2.4.1
- Fix error when parameter hasOwnProperty is present
deps: send@0.12.2
- Throw errors early for invalid extensions or index options
- deps: debug@~2.1.3
deps: serve-static@~1.9.2
- deps: send@0.12.2
deps: type-is@~1.6.1
- deps: mime-types@~2.0.10

`v4.12.2`

Compare Source

===================

Fix regression where "Request aborted" is logged using res.sendFile

`v4.12.1`

Compare Source

===================

Fix constructing application with non-configurable prototype properties
Fix ECONNRESET errors from res.sendFile usage
Fix req.host when using "trust proxy" hops count
Fix req.protocol/req.secure when using "trust proxy" hops count
Fix wrong code on aborted connections from res.sendFile
deps: merge-descriptors@1.0.0

`v4.12.0`

Compare Source

===================

Fix "trust proxy" setting to inherit when app is mounted
Generate ETags for all request responses
- No longer restricted to only responses for GET and HEAD requests
Use content-type to parse Content-Type headers
deps: accepts@~1.2.4
- Fix preference sorting to be stable for long acceptable lists
- deps: mime-types@~2.0.9
- deps: negotiator@0.5.1
deps: cookie-signature@1.0.6
deps: send@0.12.1
- Always read the stat size from the file
- Fix mutating passed-in options
- deps: mime@1.3.4
deps: serve-static@~1.9.1
- deps: send@0.12.1
deps: type-is@~1.6.0
- fix argument reassignment
- fix false-positives in hasBody Transfer-Encoding check
- support wildcard for both type and subtype (*/*)
- deps: mime-types@~2.0.9

`v4.11.2`

Compare Source

===================

Fix res.redirect double-calling res.end for HEAD requests
deps: accepts@~1.2.3
- deps: mime-types@~2.0.8
deps: proxy-addr@~1.0.6
- deps: ipaddr.js@0.1.8
deps: type-is@~1.5.6
- deps: mime-types@~2.0.8

`v4.11.1`

Compare Source

===================

deps: send@0.11.1
- Fix root path disclosure
deps: serve-static@~1.8.1
- Fix redirect loop in Node.js 0.11.14
- Fix root path disclosure
- deps: send@0.11.1

`v4.11.0`

Compare Source

===================

Add res.append(field, val) to append headers
Deprecate leading : in name for app.param(name, fn)
Deprecate req.param() -- use req.params, req.body, or req.query instead
Deprecate app.param(fn)
Fix OPTIONS responses to include the HEAD method properly
Fix res.sendFile not always detecting aborted connection
Match routes iteratively to prevent stack overflows
deps: accepts@~1.2.2
- deps: mime-types@~2.0.7
- deps: negotiator@0.5.0
deps: send@0.11.0
- deps: debug@~2.1.1
- deps: etag@~1.5.1
- deps: ms@0.7.0
- deps: on-finished@~2.2.0
deps: serve-static@~1.8.0
- deps: send@0.11.0