Update dependency express to v4.20.0 #40

mend-for-github-com · 2024-03-28T18:10:18Z

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	`4.16.4` -> `4.20.0`

By merging this PR, the issue #39 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability
Medium	6.1	CVE-2024-29041
Medium	5.0	CVE-2024-43796

Release Notes

expressjs/express (express)

`v4.20.0`

Compare Source

==========

deps: serve-static@0.16.0
- Remove link renderization in html while redirecting
deps: send@0.19.0
- Remove link renderization in html while redirecting
deps: body-parser@0.6.0
- add depth option to customize the depth level in the parser
- IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
Remove link renderization in html while using res.redirect
deps: path-to-regexp@0.1.10
- Adds support for named matching groups in the routes using a regex
- Adds backtracking protection to parameters without regexes defined
deps: encodeurl@~2.0.0
- Removes encoding of \, |, and ^ to align better with URL spec
Deprecate passing options.maxAge and options.expires to res.clearCookie
- Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

`v4.19.2`

Compare Source

==========

Improved fix for open redirect allow list bypass

`v4.19.1`

Compare Source

==========

Allow passing non-strings to res.location with new encoding handling checks

`v4.19.0`

Compare Source

==========

Prevent open redirect allow list bypass due to encodeurl
deps: cookie@0.6.0

`v4.18.3`

Compare Source

==========

Fix routing requests without method
deps: body-parser@1.20.2
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: raw-body@2.5.2
deps: cookie@0.6.0
- Add partitioned option

`v4.18.2`

Compare Source

===================

Fix regression routing a large stack in a single route
deps: body-parser@1.20.1
- deps: qs@6.11.0
- perf: remove unnecessary object clone
deps: qs@6.11.0

`v4.18.1`

Compare Source

===================

Fix hanging on large stack of sync routes

`v4.18.0`

Compare Source

===================

Add "root" option to res.download
Allow options without filename in res.download
Deprecate string and non-integer arguments to res.status
Fix behavior of null/undefined as maxAge in res.cookie
Fix handling very large stacks of sync middleware
Ignore Object.prototype values in settings through app.set/app.get
Invoke default with same arguments as types in res.format
Support proper 205 responses using res.send
Use http-errors for res.format error
deps: body-parser@1.20.0
- Fix error message for json parse whitespace in strict
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: depd@2.0.0
- deps: http-errors@2.0.0
- deps: on-finished@2.4.1
- deps: qs@6.10.3
- deps: raw-body@2.5.1
deps: cookie@0.5.0
- Add priority option
- Fix expires option to reject invalid dates
deps: depd@2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: finalhandler@1.2.0
- Remove set content headers that break response
- deps: on-finished@2.4.1
- deps: statuses@2.0.1
deps: on-finished@2.4.1
- Prevent loss of async hooks context
deps: qs@6.10.3
deps: send@0.18.0
- Fix emitted 416 error missing headers property
- Limit the headers removed for 304 response
- deps: depd@2.0.0
- deps: destroy@1.2.0
- deps: http-errors@2.0.0
- deps: on-finished@2.4.1
- deps: statuses@2.0.1
deps: serve-static@1.15.0
- deps: send@0.18.0
deps: statuses@2.0.1
- Remove code 306
- Rename 425 Unordered Collection to standard 425 Too Early

`v4.17.3`

Compare Source

===================

deps: accepts@~1.3.8
- deps: mime-types@~2.1.34
- deps: negotiator@0.6.3
deps: body-parser@1.19.2
- deps: bytes@3.1.2
- deps: qs@6.9.7
- deps: raw-body@2.4.3
deps: cookie@0.4.2
deps: qs@6.9.7
- Fix handling of __proto__ keys
pref: remove unnecessary regexp for trust proxy

`v4.17.2`

Compare Source

===================

Fix handling of undefined in res.jsonp
Fix handling of undefined when "json escape" is enabled
Fix incorrect middleware execution with unanchored RegExps
Fix res.jsonp(obj, status) deprecation message
Fix typo in res.is JSDoc
deps: body-parser@1.19.1
- deps: bytes@3.1.1
- deps: http-errors@1.8.1
- deps: qs@6.9.6
- deps: raw-body@2.4.2
- deps: safe-buffer@5.2.1
- deps: type-is@~1.6.18
deps: content-disposition@0.5.4
- deps: safe-buffer@5.2.1
deps: cookie@0.4.1
- Fix maxAge option to reject invalid values
deps: proxy-addr@~2.0.7
- Use req.socket over deprecated req.connection
- deps: forwarded@0.2.0
- deps: ipaddr.js@1.9.1
deps: qs@6.9.6
deps: safe-buffer@5.2.1
deps: send@0.17.2
- deps: http-errors@1.8.1
- deps: ms@2.1.3
- pref: ignore empty http tokens
deps: serve-static@1.14.2
- deps: send@0.17.2
deps: setprototypeof@1.2.0

`v4.17.1`

Compare Source

===================

Revert "Improve error message for null/undefined to res.status"

`v4.17.0`

Compare Source

===================

Add express.raw to parse bodies into Buffer
Add express.text to parse bodies into string
Improve error message for non-strings to res.sendFile
Improve error message for null/undefined to res.status
Support multiple hosts in X-Forwarded-Host
deps: accepts@~1.3.7
deps: body-parser@1.19.0
- Add encoding MIK
- Add petabyte (pb) support
- Fix parsing array brackets after index
- deps: bytes@3.1.0
- deps: http-errors@1.7.2
- deps: iconv-lite@0.4.24
- deps: qs@6.7.0
- deps: raw-body@2.4.0
- deps: type-is@~1.6.17
deps: content-disposition@0.5.3
deps: cookie@0.4.0
- Add SameSite=None support
deps: finalhandler@~1.1.2
- Set stricter Content-Security-Policy header
- deps: parseurl@~1.3.3
- deps: statuses@~1.5.0
deps: parseurl@~1.3.3
deps: proxy-addr@~2.0.5
- deps: ipaddr.js@1.9.0
deps: qs@6.7.0
- Fix parsing array brackets after index
deps: range-parser@~1.2.1
deps: send@0.17.1
- Set stricter CSP header in redirect & error responses
- deps: http-errors@~1.7.2
- deps: mime@1.6.0
- deps: ms@2.1.1
- deps: range-parser@~1.2.1
- deps: statuses@~1.5.0
- perf: remove redundant path.normalize call
deps: serve-static@1.14.1
- Set stricter CSP header in redirect response
- deps: parseurl@~1.3.3
- deps: send@0.17.1
deps: setprototypeof@1.1.1
deps: statuses@~1.5.0
- Add 103 Early Hints
deps: type-is@~1.6.18
- deps: mime-types@~2.1.24
- perf: prevent internal throw on invalid type

If you want to rebase/retry this PR, check this box

sonarqubecloud · 2024-03-28T18:10:43Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

sonarqubecloud · 2024-06-22T06:56:05Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

sonarqubecloud · 2024-09-10T18:11:58Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

sonarqubecloud · 2025-04-29T19:00:12Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud · 2025-06-29T11:46:39Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud · 2025-11-25T18:31:08Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud · 2025-12-29T00:02:45Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

mend-for-github-com bot added the security fix Security fix generated by Mend label Mar 28, 2024

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 8cf50ba to 8f9c2e0 Compare May 16, 2024 06:37

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 8f9c2e0 to 5a025f4 Compare June 22, 2024 06:53

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 5a025f4 to 4711a91 Compare August 27, 2024 08:27

mend-for-github-com bot had a problem deploying to frogbot August 27, 2024 08:27 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 4711a91 to b120f4e Compare August 28, 2024 08:53

mend-for-github-com bot had a problem deploying to frogbot August 28, 2024 08:53 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from b120f4e to 4a19ed1 Compare September 10, 2024 18:11

mend-for-github-com bot changed the title ~~Update dependency express to v4.19.0~~ Update dependency express to v4.20.0 Sep 10, 2024

mend-for-github-com bot had a problem deploying to frogbot September 10, 2024 18:11 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 4a19ed1 to 0bf0ffd Compare November 9, 2024 12:07

mend-for-github-com bot had a problem deploying to frogbot November 9, 2024 12:07 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 0bf0ffd to 55d1601 Compare November 30, 2024 08:27

mend-for-github-com bot had a problem deploying to frogbot November 30, 2024 08:27 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 55d1601 to bb07034 Compare December 2, 2024 06:00

mend-for-github-com bot had a problem deploying to frogbot December 2, 2024 06:00 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from bb07034 to d199bb9 Compare December 3, 2024 07:38

mend-for-github-com bot had a problem deploying to frogbot December 3, 2024 07:38 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from d199bb9 to d930ad9 Compare December 5, 2024 08:04

mend-for-github-com bot had a problem deploying to frogbot December 5, 2024 08:04 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from d930ad9 to d1b10cc Compare December 6, 2024 06:43

mend-for-github-com bot had a problem deploying to frogbot December 6, 2024 06:43 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from d1b10cc to d3644f5 Compare December 6, 2024 18:06

mend-for-github-com bot changed the title ~~Update dependency express to v4.20.0~~ Update dependency express to v4.21.2 Dec 6, 2024

mend-for-github-com bot had a problem deploying to frogbot December 6, 2024 18:06 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from d3644f5 to 55c53ad Compare December 7, 2024 08:24

mend-for-github-com bot had a problem deploying to frogbot December 7, 2024 08:24 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from 769f6c0 to a3cc1b3 Compare March 30, 2025 14:12

mend-for-github-com bot changed the title ~~Update dependency express to v4.21.0~~ Update dependency express to v4.20.0 Mar 30, 2025

mend-for-github-com bot had a problem deploying to frogbot March 30, 2025 14:12 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from a3cc1b3 to dac1785 Compare April 29, 2025 18:59

mend-for-github-com bot changed the title ~~Update dependency express to v4.20.0~~ Update dependency express to v4.21.1 Apr 29, 2025

mend-for-github-com bot had a problem deploying to frogbot April 29, 2025 18:59 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from dac1785 to a7ee480 Compare June 10, 2025 12:16

mend-for-github-com bot changed the title ~~Update dependency express to v4.21.1~~ Update dependency express to v4.21.0 Jun 10, 2025

mend-for-github-com bot had a problem deploying to frogbot June 10, 2025 12:16 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from a7ee480 to 776dc0a Compare June 29, 2025 11:46

mend-for-github-com bot had a problem deploying to frogbot June 29, 2025 11:46 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 776dc0a to be3a628 Compare September 26, 2025 13:45

mend-for-github-com bot had a problem deploying to frogbot September 26, 2025 13:45 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from be3a628 to 7ce926f Compare September 30, 2025 12:37

mend-for-github-com bot had a problem deploying to frogbot September 30, 2025 12:37 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 7ce926f to b427574 Compare October 1, 2025 14:01

mend-for-github-com bot had a problem deploying to frogbot October 1, 2025 14:01 Failure

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from b427574 to 7cddff3 Compare November 20, 2025 23:51

mend-for-github-com bot had a problem deploying to frogbot November 20, 2025 23:51 Failure

mend-for-github-com bot changed the title ~~Update dependency express to v4.21.0~~ Update dependency express to v4.20.0 Nov 25, 2025

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 7cddff3 to b635b1b Compare November 25, 2025 18:30

mend-for-github-com bot had a problem deploying to frogbot November 25, 2025 18:30 Failure

Update dependency express to v4.20.0

e1c6b9d

mend-for-github-com bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from b635b1b to e1c6b9d Compare December 29, 2025 00:02

mend-for-github-com bot had a problem deploying to frogbot December 29, 2025 00:02 Failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update dependency express to v4.20.0 #40

Update dependency express to v4.20.0 #40

Uh oh!

mend-for-github-com bot commented Mar 28, 2024 •

edited

Loading

Uh oh!

sonarqubecloud bot commented Mar 28, 2024

Uh oh!

sonarqubecloud bot commented Jun 22, 2024

Uh oh!

sonarqubecloud bot commented Sep 10, 2024

Uh oh!

sonarqubecloud bot commented Apr 29, 2025

Uh oh!

sonarqubecloud bot commented Jun 29, 2025

Uh oh!

sonarqubecloud bot commented Nov 25, 2025

Uh oh!

sonarqubecloud bot commented Dec 29, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Update dependency express to v4.20.0 #40

Are you sure you want to change the base?

Update dependency express to v4.20.0 #40

Uh oh!

Conversation

mend-for-github-com bot commented Mar 28, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Uh oh!

sonarqubecloud bot commented Mar 28, 2024

Quality Gate passed

Uh oh!

sonarqubecloud bot commented Jun 22, 2024

Quality Gate passed

Uh oh!

sonarqubecloud bot commented Sep 10, 2024

Quality Gate passed

Uh oh!

sonarqubecloud bot commented Apr 29, 2025

Quality Gate passed

Uh oh!

sonarqubecloud bot commented Jun 29, 2025

Quality Gate passed

Uh oh!

sonarqubecloud bot commented Nov 25, 2025

Quality Gate passed

Uh oh!

sonarqubecloud bot commented Dec 29, 2025

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

mend-for-github-com bot commented Mar 28, 2024 •

edited

Loading