Update dependency express to v3 [SECURITY]#14

Closed

renovate[bot] wants to merge 1 commit intomasterfrom

renovate/npm-express-vulnerability

Contributor

renovate bot commented May 5, 2019

This PR contains the following updates:

Package	Type	Update	Change	References
express	dependencies	major	`~2.5.9` -> `~3.21.0`	homepage, source

GitHub Vulnerability Alerts

CVE-2014-6393

The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.

Release Notes

expressjs/express

`v3.21.2`

===================

deps: connect@2.30.2
- deps: body-parser@~1.13.3
- deps: compression@~1.5.2
- deps: errorhandler@~1.4.2
- deps: method-override@~2.3.5
- deps: serve-index@~1.7.2
- deps: type-is@~1.6.6
- deps: vhost@~3.0.1
deps: vary@~1.0.1
- Fix setting empty header from empty field
- perf: enable strict mode
- perf: remove argument reassignments

`v3.21.1`

===================

deps: basic-auth@~1.0.3
deps: connect@2.30.1
- deps: body-parser@~1.13.2
- deps: compression@~1.5.1
- deps: errorhandler@~1.4.1
- deps: morgan@~1.6.1
- deps: pause@0.1.0
- deps: qs@4.0.0
- deps: serve-index@~1.7.1
- deps: type-is@~1.6.4

`v3.21.0`

===================

deps: basic-auth@1.0.2
- perf: enable strict mode
- perf: hoist regular expression
- perf: parse with regular expressions
- perf: remove argument reassignment
deps: connect@2.30.0
- deps: body-parser@~1.13.1
- deps: bytes@2.1.0
- deps: compression@~1.5.0
- deps: cookie@0.1.3
- deps: cookie-parser@~1.3.5
- deps: csurf@~1.8.3
- deps: errorhandler@~1.4.0
- deps: express-session@~1.11.3
- deps: finalhandler@0.4.0
- deps: fresh@0.3.0
- deps: morgan@~1.6.0
- deps: serve-favicon@~2.3.0
- deps: serve-index@~1.7.0
- deps: serve-static@~1.10.0
- deps: type-is@~1.6.3
deps: cookie@0.1.3
- perf: deduce the scope of try-catch deopt
- perf: remove argument reassignments
deps: escape-html@1.0.2
deps: etag@~1.7.0
- Always include entity length in ETags for hash length extensions
- Generate non-Stats ETags using MD5 only (no longer CRC32)
- Improve stat performance by removing hashing
- Improve support for JXcore
- Remove base64 padding in ETags to shorten
- Support "fake" stats objects in environments without fs
- Use MD5 instead of MD4 in weak ETags over 1KB
deps: fresh@0.3.0
- Add weak ETag matching support
deps: mkdirp@0.5.1
- Work in global strict mode
deps: send@0.13.0
- Allow Node.js HTTP server to set Date response header
- Fix incorrectly removing Content-Location on 304 response
- Improve the default redirect response headers
- Send appropriate headers on default error response
- Use http-errors for standard emitted errors
- Use statuses instead of http module for status messages
- deps: escape-html@1.0.2
- deps: etag@~1.7.0
- deps: fresh@0.3.0
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove unnecessary array allocations

`v3.20.3`

===================

deps: connect@2.29.2
- deps: body-parser@~1.12.4
- deps: compression@~1.4.4
- deps: connect-timeout@~1.6.2
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: errorhandler@~1.3.6
- deps: finalhandler@0.3.6
- deps: method-override@~2.3.3
- deps: morgan@~1.5.3
- deps: qs@2.4.2
- deps: response-time@~2.3.1
- deps: serve-favicon@~2.2.1
- deps: serve-index@~1.6.4
- deps: serve-static@~1.9.3
- deps: type-is@~1.6.2
deps: debug@~2.2.0
- deps: ms@0.7.1
deps: depd@~1.0.1
deps: proxy-addr@~1.0.8
- deps: ipaddr.js@1.0.1
deps: send@0.12.3
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: etag@~1.6.0
- deps: ms@0.7.1
- deps: on-finished@~2.2.1

`v3.20.2`

===================

deps: connect@2.29.1
- deps: body-parser@~1.12.2
- deps: compression@~1.4.3
- deps: connect-timeout@~1.6.1
- deps: debug@~2.1.3
- deps: errorhandler@~1.3.5
- deps: express-session@~1.10.4
- deps: finalhandler@0.3.4
- deps: method-override@~2.3.2
- deps: morgan@~1.5.2
- deps: qs@2.4.1
- deps: serve-index@~1.6.3
- deps: serve-static@~1.9.2
- deps: type-is@~1.6.1
deps: debug@~2.1.3
- Fix high intensity foreground color for bold
- deps: ms@0.7.0
deps: merge-descriptors@1.0.0
deps: proxy-addr@~1.0.7
- deps: ipaddr.js@0.1.9
deps: send@0.12.2
- Throw errors early for invalid extensions or index options
- deps: debug@~2.1.3

`v3.20.1`

===================

Fix req.host when using "trust proxy" hops count
Fix req.protocol/req.secure when using "trust proxy" hops count

`v3.20.0`

===================

Fix "trust proxy" setting to inherit when app is mounted
Generate ETags for all request responses
- No longer restricted to only responses for GET and HEAD requests
Use content-type to parse Content-Type headers
deps: connect@2.29.0
- Use content-type to parse Content-Type headers
- deps: body-parser@~1.12.0
- deps: compression@~1.4.1
- deps: connect-timeout@~1.6.0
- deps: cookie-parser@~1.3.4
- deps: cookie-signature@1.0.6
- deps: csurf@~1.7.0
- deps: errorhandler@~1.3.4
- deps: express-session@~1.10.3
- deps: http-errors@~1.3.1
- deps: response-time@~2.3.0
- deps: serve-index@~1.6.2
- deps: serve-static@~1.9.1
- deps: type-is@~1.6.0
deps: cookie-signature@1.0.6
deps: send@0.12.1
- Always read the stat size from the file
- Fix mutating passed-in options
- deps: mime@1.3.4

`v3.19.2`

===================

deps: connect@2.28.3
- deps: compression@~1.3.1
- deps: csurf@~1.6.6
- deps: errorhandler@~1.3.3
- deps: express-session@~1.10.2
- deps: serve-index@~1.6.1
- deps: type-is@~1.5.6
deps: proxy-addr@~1.0.6
- deps: ipaddr.js@0.1.8

`v3.19.1`

===================

deps: connect@2.28.2
- deps: body-parser@~1.10.2
- deps: serve-static@~1.8.1
deps: send@0.11.1
- Fix root path disclosure

`v3.19.0`

===================

Fix OPTIONS responses to include the HEAD method property
Use readline for prompt in express(1)
deps: commander@2.6.0
deps: connect@2.28.1
- deps: body-parser@~1.10.1
- deps: compression@~1.3.0
- deps: connect-timeout@~1.5.0
- deps: csurf@~1.6.4
- deps: debug@~2.1.1
- deps: errorhandler@~1.3.2
- deps: express-session@~1.10.1
- deps: finalhandler@0.3.3
- deps: method-override@~2.3.1
- deps: morgan@~1.5.1
- deps: serve-favicon@~2.2.0
- deps: serve-index@~1.6.0
- deps: serve-static@~1.8.0
- deps: type-is@~1.5.5
deps: debug@~2.1.1
deps: methods@~1.1.1
deps: proxy-addr@~1.0.5
- deps: ipaddr.js@0.1.6
deps: send@0.11.0
- deps: debug@~2.1.1
- deps: etag@~1.5.1
- deps: ms@0.7.0
- deps: on-finished@~2.2.0

`v3.18.6`

===================

Fix exception in req.fresh/req.stale without response headers

`v3.18.5`

===================

deps: connect@2.27.6
- deps: compression@~1.2.2
- deps: express-session@~1.9.3
- deps: http-errors@~1.2.8
- deps: serve-index@~1.5.3
- deps: type-is@~1.5.4

`v3.18.4`

===================

deps: connect@2.27.4
- deps: body-parser@~1.9.3
- deps: compression@~1.2.1
- deps: errorhandler@~1.2.3
- deps: express-session@~1.9.2
- deps: qs@2.3.3
- deps: serve-favicon@~2.1.7
- deps: serve-static@~1.5.1
- deps: type-is@~1.5.3
deps: etag@~1.5.1
deps: proxy-addr@~1.0.4
- deps: ipaddr.js@0.1.5

`v3.18.3`

===================

deps: connect@2.27.3
- Correctly invoke async callback asynchronously
- deps: csurf@~1.6.3

`v3.18.2`

===================

deps: connect@2.27.2
- Fix handling of URLs containing :// in the path
- deps: body-parser@~1.9.2
- deps: qs@2.3.2

`v3.18.1`

===================

Fix internal utils.merge deprecation warnings
deps: connect@2.27.1
- deps: body-parser@~1.9.1
- deps: express-session@~1.9.1
- deps: finalhandler@0.3.2
- deps: morgan@~1.4.1
- deps: qs@2.3.0
- deps: serve-static@~1.7.1
deps: send@0.10.1
- deps: on-finished@~2.1.1

`v3.18.0`

===================

Use content-disposition module for res.attachment/res.download
- Sends standards-compliant Content-Disposition header
- Full Unicode support
Use etag module to generate ETag headers
deps: connect@2.27.0
- Use http-errors module for creating errors
- Use utils-merge module for merging objects
- deps: body-parser@~1.9.0
- deps: compression@~1.2.0
- deps: connect-timeout@~1.4.0
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: express-session@~1.9.0
- deps: finalhandler@0.3.1
- deps: method-override@~2.3.0
- deps: morgan@~1.4.0
- deps: response-time@~2.2.0
- deps: serve-favicon@~2.1.6
- deps: serve-index@~1.5.0
- deps: serve-static@~1.7.0
deps: debug@~2.1.0
- Implement DEBUG_FD env variable support
deps: depd@~1.0.0
deps: send@0.10.0
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: etag@~1.5.0

`v3.17.8`

===================

deps: connect@2.26.6
- deps: compression@~1.1.2
- deps: csurf@~1.6.2
- deps: errorhandler@~1.2.2

`v3.17.7`

===================

deps: connect@2.26.5
- Fix accepting non-object arguments to logger
- deps: serve-static@~1.6.4

`v3.17.6`

===================

deps: connect@2.26.4
- deps: morgan@~1.3.2
- deps: type-is@~1.5.2

`v3.17.5`

===================

deps: connect@2.26.3
- deps: body-parser@~1.8.4
- deps: serve-favicon@~2.1.5
- deps: serve-static@~1.6.3
deps: proxy-addr@~1.0.3
- Use forwarded npm module
deps: send@0.9.3
- deps: etag@~1.4.0

`v3.17.4`

===================

deps: connect@2.26.2
- deps: body-parser@~1.8.3
- deps: qs@2.2.4

`v3.17.3`

===================

deps: proxy-addr@~1.0.2
- Fix a global leak when multiple subnets are trusted
- deps: ipaddr.js@0.1.3

`v3.17.2`

===================

Use crc instead of buffer-crc32 for speed
deps: connect@2.26.1
- deps: body-parser@~1.8.2
- deps: depd@0.4.5
- deps: express-session@~1.8.2
- deps: morgan@~1.3.1
- deps: serve-favicon@~2.1.3
- deps: serve-static@~1.6.2
deps: depd@0.4.5
deps: send@0.9.2
- deps: depd@0.4.5
- deps: etag@~1.3.1
- deps: range-parser@~1.0.2

`v3.17.1`

===================

Fix error in req.subdomains on empty host

`v3.17.0`

===================

Support X-Forwarded-Host in req.subdomains
Support IP address host in req.subdomains
deps: connect@2.26.0
- deps: body-parser@~1.8.1
- deps: compression@~1.1.0
- deps: connect-timeout@~1.3.0
- deps: cookie-parser@~1.3.3
- deps: cookie-signature@1.0.5
- deps: csurf@~1.6.1
- deps: debug@~2.0.0
- deps: errorhandler@~1.2.0
- deps: express-session@~1.8.1
- deps: finalhandler@0.2.0
- deps: fresh@0.2.4
- deps: media-typer@0.3.0
- deps: method-override@~2.2.0
- deps: morgan@~1.3.0
- deps: qs@2.2.3
- deps: serve-favicon@~2.1.3
- deps: serve-index@~1.2.1
- deps: serve-static@~1.6.1
- deps: type-is@~1.5.1
- deps: vhost@~3.0.0
deps: cookie-signature@1.0.5
deps: debug@~2.0.0
deps: fresh@0.2.4
deps: media-typer@0.3.0
- Throw error when parameter format invalid on parse
deps: range-parser@~1.0.2
deps: send@0.9.1
- Add lastModified option
- Use etag to generate ETag header
- deps: debug@~2.0.0
- deps: fresh@0.2.4
deps: vary@~1.0.0
- Accept valid Vary header string as field

`v3.16.10`

====================

deps: connect@2.25.10
- deps: serve-static@~1.5.4
deps: send@0.8.5
- Fix a path traversal issue when using root
- Fix malicious path detection for empty string path

`v3.16.9`

===================

deps: connect@2.25.9
- deps: body-parser@~1.6.7
- deps: qs@2.2.2

`v3.16.8`

===================

deps: connect@2.25.8
- deps: body-parser@~1.6.6
- deps: csurf@~1.4.1
- deps: qs@2.2.0

`v3.16.7`

===================

deps: connect@2.25.7
- deps: body-parser@~1.6.5
- deps: express-session@~1.7.6
- deps: morgan@~1.2.3
- deps: serve-static@~1.5.3
deps: send@0.8.3
- deps: destroy@1.0.3
- deps: on-finished@2.1.0

`v3.16.6`

===================

deps: connect@2.25.6
- deps: body-parser@~1.6.4
- deps: qs@1.2.2
- deps: serve-static@~1.5.2
deps: send@0.8.2
- Work around fd leak in Node.js 0.10 for fs.ReadStream

`v3.16.5`

===================

deps: connect@2.25.5
- Fix backwards compatibility in logger

`v3.16.4`

===================

Fix original URL parsing in res.location
deps: connect@2.25.4
- Fix query middleware breaking with argument
- deps: body-parser@~1.6.3
- deps: compression@~1.0.11
- deps: connect-timeout@~1.2.2
- deps: express-session@~1.7.5
- deps: method-override@~2.1.3
- deps: on-headers@~1.0.0
- deps: parseurl@~1.3.0
- deps: qs@1.2.1
- deps: response-time@~2.0.1
- deps: serve-index@~1.1.6
- deps: serve-static@~1.5.1
deps: parseurl@~1.3.0

`v3.16.3`

===================

deps: connect@2.25.3
- deps: multiparty@3.3.2

`v3.16.2`

===================

deps: connect@2.25.2
- deps: body-parser@~1.6.2
- deps: qs@1.2.0

`v3.16.1`

====================

deps: connect@2.25.10
- deps: serve-static@~1.5.4
deps: send@0.8.5
- Fix a path traversal issue when using root
- Fix malicious path detection for empty string path

`v3.16.0`

===================

deps: connect@2.25.0
- deps: body-parser@~1.6.0
- deps: compression@~1.0.10
- deps: csurf@~1.4.0
- deps: express-session@~1.7.4
- deps: qs@1.0.2
- deps: serve-static@~1.5.0
deps: send@0.8.1
- Add extensions option

`v3.15.3`

===================

fix res.sendfile regression for serving directory index files
deps: connect@2.24.3
- deps: serve-index@~1.1.5
- deps: serve-static@~1.4.4
deps: send@0.7.4
- Fix incorrect 403 on Windows and Node.js 0.11
- Fix serving index files without root dir

`v3.15.2`

===================

deps: connect@2.24.2
- deps: body-parser@~1.5.2
- deps: depd@0.4.4
- deps: express-session@~1.7.2
- deps: morgan@~1.2.2
- deps: serve-static@~1.4.2
deps: depd@0.4.4
- Work-around v8 generating empty stack traces
deps: send@0.7.2
- deps: depd@0.4.4

`v3.15.1`

===================

deps: connect@2.24.1
- deps: body-parser@~1.5.1
- deps: depd@0.4.3
- deps: express-session@~1.7.1
- deps: morgan@~1.2.1
- deps: serve-index@~1.1.4
- deps: serve-static@~1.4.1
deps: depd@0.4.3
- Fix exception when global Error.stackTraceLimit is too low
deps: send@0.7.1
- deps: depd@0.4.3

`v3.15.0`

===================

Fix req.protocol for proxy-direct connections
Pass options from res.sendfile to send
deps: connect@2.24.0
- deps: body-parser@~1.5.0
- deps: compression@~1.0.9
- deps: connect-timeout@~1.2.1
- deps: debug@1.0.4
- deps: depd@0.4.2
- deps: express-session@~1.7.0
- deps: finalhandler@0.1.0
- deps: method-override@~2.1.2
- deps: morgan@~1.2.0
- deps: multiparty@3.3.1
- deps: parseurl@~1.2.0
- deps: serve-static@~1.4.0
deps: debug@1.0.4
deps: depd@0.4.2
- Add TRACE_DEPRECATION environment variable
- Remove non-standard grey color from color output
- Support --no-deprecation argument
- Support --trace-deprecation argument
deps: parseurl@~1.2.0
- Cache URLs based on original value
- Remove no-longer-needed URL mis-parse work-around
- Simplify the "fast-path" RegExp
deps: send@0.7.0
- Add dotfiles option
- Cap maxAge value to 1 year
- deps: debug@1.0.4
- deps: depd@0.4.2

`v3.14.0`

===================

add explicit "Rosetta Flash JSONP abuse" protection
- previous versions are not vulnerable; this is just explicit protection
deprecate res.redirect(url, status) -- use res.redirect(status, url) instead
fix res.send(status, num) to send num as json (not error)
remove unnecessary escaping when res.jsonp returns JSON response
deps: basic-auth@1.0.0
- support empty password
- support empty username
deps: connect@2.23.0
- deps: debug@1.0.3
- deps: express-session@~1.6.4
- deps: method-override@~2.1.0
- deps: parseurl@~1.1.3
- deps: serve-static@~1.3.1
deps: debug@1.0.3
- Add support for multiple wildcards in namespaces
deps: methods@1.1.0
- add CONNECT
deps: parseurl@~1.1.3
- faster parsing of href-only URLs

`v3.13.0`

===================

add deprecation message to app.configure
add deprecation message to req.auth
use basic-auth to parse Authorization header
deps: connect@2.22.0
- deps: csurf@~1.3.0
- deps: express-session@~1.6.1
- deps: multiparty@3.3.0
- deps: serve-static@~1.3.0
deps: send@0.5.0
- Accept string for maxage (converted by ms)
- Include link in default redirect response

`v3.12.1`

===================

deps: connect@2.21.1
- deps: cookie-parser@1.3.2
- deps: cookie-signature@1.0.4
- deps: express-session@~1.5.2
- deps: type-is@~1.3.2
deps: cookie-signature@1.0.4
- fix for timing attacks

`v3.12.0`

===================

use media-typer to alter content-type charset
deps: connect@2.21.0
- deprecate connect(middleware) -- use app.use(middleware) instead
- deprecate connect.createServer() -- use connect() instead
- fix res.setHeader() patch to work with with get -> append -> set pattern
- deps: compression@~1.0.8
- deps: errorhandler@~1.1.1
- deps: express-session@~1.5.0
- deps: serve-index@~1.1.3

`v3.11.0`

===================

deprecate things with depd module
deps: buffer-crc32@0.2.3
deps: connect@2.20.2
- deprecate verify option to json -- use body-parser npm module instead
- deprecate verify option to urlencoded -- use body-parser npm module instead
- deprecate things with depd module
- use finalhandler for final response handling
- use media-typer to parse content-type for charset
- deps: body-parser@1.4.3
- deps: connect-timeout@1.1.1
- deps: cookie-parser@1.3.1
- deps: csurf@1.2.2
- deps: errorhandler@1.1.0
- deps: express-session@1.4.0
- deps: multiparty@3.2.9
- deps: serve-index@1.1.2
- deps: type-is@1.3.1
- deps: vhost@2.0.0

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot. View repository job log here.

renovate bot force-pushed the renovate/npm-express-vulnerability branch from 28cdfdb to af6def7 Compare

May 6, 2019 06:35


          Update dependency express to v3 [SECURITY]

166ae76

renovate bot force-pushed the renovate/npm-express-vulnerability branch from af6def7 to 166ae76 Compare

May 6, 2019 06:49

zce closed this

Contributor Author

renovate bot commented May 8, 2019 •

edited

Loading

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 3.x releases. But if you manually upgrade to 3.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

renovate bot deleted the renovate/npm-express-vulnerability branch

May 8, 2019 07:16

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet