Update dependency express to v4.19.0 - autoclosed #831

mend-for-github-com · 2022-11-30T06:17:05Z

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	`4.17.1` -> `4.19.0`

By merging this PR, the issue #828 will be automatically resolved and closed:

Severity	CVSS Score	CVE	Reachability
High	7.5	CVE-2022-24999
Medium	6.1	CVE-2024-29041

Release Notes

expressjs/express (express)

`v4.19.0`

Compare Source

==========

Prevent open redirect allow list bypass due to encodeurl
deps: cookie@0.6.0

`v4.18.3`

Compare Source

==========

Fix routing requests without method
deps: body-parser@1.20.2
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: raw-body@2.5.2
deps: cookie@0.6.0
- Add partitioned option

`v4.18.2`

Compare Source

===================

Fix regression routing a large stack in a single route
deps: body-parser@1.20.1
- deps: qs@6.11.0
- perf: remove unnecessary object clone
deps: qs@6.11.0

`v4.18.1`

Compare Source

===================

Fix hanging on large stack of sync routes

`v4.18.0`

Compare Source

===================

Add "root" option to res.download
Allow options without filename in res.download
Deprecate string and non-integer arguments to res.status
Fix behavior of null/undefined as maxAge in res.cookie
Fix handling very large stacks of sync middleware
Ignore Object.prototype values in settings through app.set/app.get
Invoke default with same arguments as types in res.format
Support proper 205 responses using res.send
Use http-errors for res.format error
deps: body-parser@1.20.0
- Fix error message for json parse whitespace in strict
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: depd@2.0.0
- deps: http-errors@2.0.0
- deps: on-finished@2.4.1
- deps: qs@6.10.3
- deps: raw-body@2.5.1
deps: cookie@0.5.0
- Add priority option
- Fix expires option to reject invalid dates
deps: depd@2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: finalhandler@1.2.0
- Remove set content headers that break response
- deps: on-finished@2.4.1
- deps: statuses@2.0.1
deps: on-finished@2.4.1
- Prevent loss of async hooks context
deps: qs@6.10.3
deps: send@0.18.0
- Fix emitted 416 error missing headers property
- Limit the headers removed for 304 response
- deps: depd@2.0.0
- deps: destroy@1.2.0
- deps: http-errors@2.0.0
- deps: on-finished@2.4.1
- deps: statuses@2.0.1
deps: serve-static@1.15.0
- deps: send@0.18.0
deps: statuses@2.0.1
- Remove code 306
- Rename 425 Unordered Collection to standard 425 Too Early

`v4.17.3`

Compare Source

===================

deps: accepts@~1.3.8
- deps: mime-types@~2.1.34
- deps: negotiator@0.6.3
deps: body-parser@1.19.2
- deps: bytes@3.1.2
- deps: qs@6.9.7
- deps: raw-body@2.4.3
deps: cookie@0.4.2
deps: qs@6.9.7
- Fix handling of __proto__ keys
pref: remove unnecessary regexp for trust proxy

`v4.17.2`

Compare Source

===================

Fix handling of undefined in res.jsonp
Fix handling of undefined when "json escape" is enabled
Fix incorrect middleware execution with unanchored RegExps
Fix res.jsonp(obj, status) deprecation message
Fix typo in res.is JSDoc
deps: body-parser@1.19.1
- deps: bytes@3.1.1
- deps: http-errors@1.8.1
- deps: qs@6.9.6
- deps: raw-body@2.4.2
- deps: safe-buffer@5.2.1
- deps: type-is@~1.6.18
deps: content-disposition@0.5.4
- deps: safe-buffer@5.2.1
deps: cookie@0.4.1
- Fix maxAge option to reject invalid values
deps: proxy-addr@~2.0.7
- Use req.socket over deprecated req.connection
- deps: forwarded@0.2.0
- deps: ipaddr.js@1.9.1
deps: qs@6.9.6
deps: safe-buffer@5.2.1
deps: send@0.17.2
- deps: http-errors@1.8.1
- deps: ms@2.1.3
- pref: ignore empty http tokens
deps: serve-static@1.14.2
- deps: send@0.17.2
deps: setprototypeof@1.2.0

If you want to rebase/retry this PR, check this box

mend-for-github-com bot added the security fix Security fix generated by Mend label Nov 30, 2022

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2~~ Update dependency express to v4.17.2 - autoclosed Nov 30, 2022

mend-for-github-com bot closed this Nov 30, 2022

mend-for-github-com bot deleted the whitesource-remediate/express-4.x-lockfile branch November 30, 2022 13:47

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2 - autoclosed~~ Update dependency express to v4.17.2 Dec 2, 2022

mend-for-github-com bot reopened this Dec 2, 2022

mend-for-github-com bot restored the whitesource-remediate/express-4.x-lockfile branch December 2, 2022 06:07

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2~~ Update dependency express to v4.17.2 - autoclosed Dec 23, 2022

mend-for-github-com bot closed this Dec 23, 2022

mend-for-github-com bot deleted the whitesource-remediate/express-4.x-lockfile branch December 23, 2022 01:22

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2 - autoclosed~~ Update dependency express to v4.17.2 Dec 25, 2022

mend-for-github-com bot reopened this Dec 25, 2022

mend-for-github-com bot restored the whitesource-remediate/express-4.x-lockfile branch December 25, 2022 02:07

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2~~ Update dependency express to v4.17.2 - autoclosed Dec 27, 2022

mend-for-github-com bot closed this Dec 27, 2022

mend-for-github-com bot deleted the whitesource-remediate/express-4.x-lockfile branch December 27, 2022 01:17

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2 - autoclosed~~ Update dependency express to v4.17.2 Dec 28, 2022

mend-for-github-com bot reopened this Dec 28, 2022

mend-for-github-com bot restored the whitesource-remediate/express-4.x-lockfile branch December 28, 2022 06:24

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2~~ Update dependency express to v4.17.2 - autoclosed Feb 21, 2023

mend-for-github-com bot closed this Feb 21, 2023

mend-for-github-com bot deleted the whitesource-remediate/express-4.x-lockfile branch February 21, 2023 14:43

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2 - autoclosed~~ Update dependency express to v4.17.2 Feb 23, 2023

mend-for-github-com bot reopened this Feb 23, 2023

mend-for-github-com bot restored the whitesource-remediate/express-4.x-lockfile branch February 23, 2023 04:54

Update dependency express to v4.19.0

b555edb

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 14a1bb2 to b555edb Compare April 16, 2024 04:52

mend-for-github-com bot changed the title ~~Update dependency express to v4.17.2~~ Update dependency express to v4.19.0 Apr 16, 2024

mend-for-github-com bot changed the title ~~Update dependency express to v4.19.0~~ Update dependency express to v4.19.0 - autoclosed Apr 30, 2024

mend-for-github-com bot closed this Apr 30, 2024

mend-for-github-com bot deleted the whitesource-remediate/express-4.x-lockfile branch April 30, 2024 04:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency express to v4.19.0 - autoclosed #831

Update dependency express to v4.19.0 - autoclosed #831

mend-for-github-com bot commented Nov 30, 2022 •

edited

Loading

Update dependency express to v4.19.0 - autoclosed #831

Update dependency express to v4.19.0 - autoclosed #831

Conversation

mend-for-github-com bot commented Nov 30, 2022 • edited Loading

Release Notes

v4.19.0

v4.18.3

v4.18.2

v4.18.1

v4.18.0

v4.17.3

v4.17.2

mend-for-github-com bot commented Nov 30, 2022 •

edited

Loading

`v4.19.0`

`v4.18.3`

`v4.18.2`

`v4.18.1`

`v4.18.0`

`v4.17.3`

`v4.17.2`