[Snyk(Unlimited)] Upgrade express from 4.12.4 to 4.19.1

[snyk-matt]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade express from 4.12.4 to 4.19.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 28 versions ahead of your current version.
• The recommended version was released 25 days ago, on 2024-03-20.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Improper Input Validation SNYK-JS-FOLLOWREDIRECTS-6141137	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-HANDLEBARS-173692	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-HANDLEBARS-174183	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Denial of Service (DoS) SNYK-JS-DICER-2311764	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Mature
	Prototype Pollution SNYK-JS-HANDLEBARS-469063	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-Y18N-1021887	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Information Exposure SNYK-JS-MONGODB-5871303	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-HANDLEBARS-534988	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-HANDLEBARS-567742	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: express

• 4.19.1 - 2024-03-20
  

  What's Changed

  • Fix ci after location patch by @ wesleytodd in #5552
  • fixed un-edited version in history.md for 4.19.0 by @ wesleytodd in #5556

  Full Changelog: 4.19.0...4.19.1

• 4.19.0 - 2024-03-20
  

  What's Changed

  • fix typo in release date by @ UlisesGascon in #5527
  • docs: nominating @ wesleytodd to be project captian by @ wesleytodd in #5511
  • docs: loosen TC activity rules by @ wesleytodd in #5510
  • Add note on how to update docs for new release by @ crandmck in #5541
  • Prevent open redirect allow list bypass due to encodeurl
  • Release 4.19.0 by @ wesleytodd in #5551

  New Contributors

  • @ crandmck made their first contribution in #5541

  Full Changelog: 4.18.3...4.19.0

• 4.18.3 - 2024-02-29
  

  Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

  Other Changes

  • Use https: protocol instead of deprecated git: protocol by @ vcsjones in #5032
  • build: Node.js@16.18 and Node.js@18.12 by @ abenhamdine in #5034
  • ci: update actions/checkout to v3 by @ armujahid in #5027
  • test: remove unused function arguments in params by @ raksbisht in #5124
  • Remove unused originalIndex from acceptParams by @ raksbisht in #5119
  • Fixed typos by @ raksbisht in #5117
  • examples: remove unused params by @ raksbisht in #5113
  • fix: parameter str is not described in JSDoc by @ raksbisht in #5130
  • fix: typos in History.md by @ raksbisht in #5131
  • build : add Node.js@19.7 by @ abenhamdine in #5028
  • test: remove unused function arguments in params by @ raksbisht in #5137
  • use random port in test so it won't fail on already listening by @ rluvaton in #5162
  • tests: use cb() instead of done() by @ kristof-low in #5233
  • examples: remove multipart example by @ riddlew in #5195
  • Update support Node.js@18 in the CI by @ UlisesGascon in #5490
  • Fix favicon-related bug in cookie-sessions example by @ DmytroKondrashov in #5414
  • Release 4.18.3 by @ UlisesGascon in #5505

  New Contributors

  • @ vcsjones made their first contribution in #5032
  • @ abenhamdine made their first contribution in #5034
  • @ armujahid made their first contribution in #5027
  • @ raksbisht made their first contribution in #5124
  • @ rluvaton made their first contribution in #5162
  • @ kristof-low made their first contribution in #5233
  • @ riddlew made their first contribution in #5195
  • @ DmytroKondrashov made their first contribution in #5414

  Full Changelog: 4.18.2...4.18.3

• 4.18.2 - 2022-10-08
  
  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@6.11.0
• 4.18.1 - 2022-04-29
  
  • Fix hanging on large stack of sync routes
• 4.18.0 - 2022-04-25
  Read more
• 4.17.3 - 2022-02-17
  
  • deps: accepts@~1.3.8
    • deps: mime-types@~2.1.34
    • deps: negotiator@0.6.3
  • deps: body-parser@1.19.2
    • deps: bytes@3.1.2
    • deps: qs@6.9.7
    • deps: raw-body@2.4.3
  • deps: cookie@0.4.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • pref: remove unnecessary regexp for trust proxy
• 4.17.2 - 2021-12-17
• 4.17.1 - 2019-05-26
• 4.17.0 - 2019-05-17
• 4.16.4 - 2018-10-11
• 4.16.3 - 2018-03-12
• 4.16.2 - 2017-10-10
• 4.16.1 - 2017-09-29
• 4.16.0 - 2017-09-28
• 4.15.5 - 2017-09-25
• 4.15.4 - 2017-08-07
• 4.15.3 - 2017-05-17
• 4.15.2 - 2017-03-06
• 4.15.1 - 2017-03-06
• 4.15.0 - 2017-03-01
• 4.14.1 - 2017-01-28
• 4.14.0 - 2016-06-16
• 4.13.4 - 2016-01-22
• 4.13.3 - 2015-08-03
• 4.13.2 - 2015-07-31
• 4.13.1 - 2015-07-06
• 4.13.0 - 2015-06-21
• 4.12.4 - 2015-05-18

from express GitHub release notes

Commit messages

Package name: express

• 4f0f6cc 4.19.1
• a003cfa Allow passing non-strings to res.location with new encoding handling checks fixes [Snyk(Unlimited)] Upgrade body-parser from 1.9.0 to 1.19.0 #5554 [Snyk(Unlimited)] Upgrade moment from 2.15.1 to 2.29.1 #5555
• a1fa90f fixed un-edited version in history.md for 4.19.0
• 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
• 084e365 4.19.0
• 0867302 Prevent open redirect allow list bypass due to encodeurl
• 567c9c6 Add note on how to update docs for new release ([Snyk(Unlimited)] Upgrade consolidate from 0.14.5 to 0.16.0 #5541)
• 69a4cf2 deps: cookie@0.6.0
• 4ee853e docs: loosen TC activity rules
• 414854b docs: nominating @ wesleytodd to be project captian
• 06c6b88 docs: update release date
• 1b51eda 4.18.3
• b625132 build: pin Node 21.x to minor
• e3eca80 build: pin Node 21.x to minor
• 23b44b3 build: support Node.js 21.6.2
• b9fea12 build: support Node.js 21.x in appveyor
• c259c34 build: support Node.js 21.x
• fdeb1d3 build: support Node.js 20.x in appveyor
• 734b281 build: support Node.js 20.x
• 0e3ab6e examples: improve view count in cookie-sessions
• 59af63a build: Node.js@18.19
• e720c5a docs: add documentation for benchmarks
• 3abea7f examples: remove multipart example
• 2a89eb5 tests: fix handling multiple callbacks

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs