Update dependency express to v4.22.0 by mend-for-github-com[bot] · Pull Request #2 · amaybaum-prod/DamnVulnerableCryptoApp

mend-for-github-com · 2024-08-12T11:02:15Z

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	`4.18.1` → `4.22.0`

By merging this PR, the issue #8 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability	Reachability
Medium	5.0	CVE-2024-43799

By merging this PR, the issue #8 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability	Reachability
High	7.5	CVE-2024-45296	Unreachable
High	7.5	CVE-2024-52798	Unreachable
Medium	5.3	CVE-2024-47764	Unreachable
Medium	5.0	CVE-2024-43800	Unreachable
Low	3.7	CVE-2025-15284	Unreachable
Low	3.7	CVE-2026-2391	Unreachable

Release Notes

expressjs/express (express)

`v4.22.0`

Compare Source

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

Refactor: improve readability by @sazk07 in #6190
ci: add support for Node.js@23.0 by @UlisesGascon in #6080
Method functions with no path should error by @wesleytodd in #5957
ci: updated github actions ci workflow by @Phillip9587 in #6323
ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in #6336
Backport: ci: add node.js 24 to test matrix by @Phillip9587 in #6506
chore(4.x): wider range for query test skip by @jonchurch in #6513
use tilde notation for certain dependencies by @UlisesGascon in #6905
deps: qs@6.14.0 by @UlisesGascon in #6909
deps: use tilde notation for qs by @Phillip9587 in #6919
Release: 4.22.0 by @UlisesGascon in #6921

Full Changelog: expressjs/express@4.21.2...4.22.0

`v4.21.2`

Compare Source

What's Changed

Add funding field (v4) by @bjohansebas in #6065
deps: path-to-regexp@0.1.11 by @blakeembrey in #5956
deps: bump path-to-regexp@0.1.12 by @jonchurch in #6209
Release: 4.21.2 by @UlisesGascon in #6094

Full Changelog: expressjs/express@4.21.1...4.21.2

`v4.21.1`

Compare Source

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in #6029
Release: 4.21.1 by @UlisesGascon in #6031

Full Changelog: expressjs/express@4.21.0...4.21.1

`v4.21.0`

Compare Source

What's Changed

Deprecate "back" magic string in redirects by @blakeembrey in #5935
finalhandler@1.3.1 by @wesleytodd in #5954
fix(deps): serve-static@1.16.2 by @wesleytodd in #5951
Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in #5946

New Contributors

@agadzinski93 made their first contribution in #5946

Full Changelog: expressjs/express@4.20.0...4.21.0

`v4.20.0`

Compare Source

==========

deps: serve-static@0.16.0
- Remove link renderization in html while redirecting
deps: send@0.19.0
- Remove link renderization in html while redirecting
deps: body-parser@0.6.0
- add depth option to customize the depth level in the parser
- IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
Remove link renderization in html while using res.redirect
deps: path-to-regexp@0.1.10
- Adds support for named matching groups in the routes using a regex
- Adds backtracking protection to parameters without regexes defined
deps: encodeurl@~2.0.0
- Removes encoding of \, |, and ^ to align better with URL spec
Deprecate passing options.maxAge and options.expires to res.clearCookie
- Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

`v4.19.2`

Compare Source

==========

Improved fix for open redirect allow list bypass

`v4.19.1`

Compare Source

==========

Allow passing non-strings to res.location with new encoding handling checks

`v4.19.0`

Compare Source

==========

Prevent open redirect allow list bypass due to encodeurl
deps: cookie@0.6.0

`v4.18.3`

Compare Source

==========

Fix routing requests without method
deps: body-parser@1.20.2
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: raw-body@2.5.2
deps: cookie@0.6.0
- Add partitioned option

`v4.18.2`

Compare Source

===================

Fix regression routing a large stack in a single route
deps: body-parser@1.20.1
- deps: qs@6.11.0
- perf: remove unnecessary object clone
deps: qs@6.11.0

If you want to rebase/retry this PR, check this box

mend-for-github-com Bot added the security fix Security fix generated by Mend label Aug 12, 2024

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 0dc2ce1 to 67119e8 Compare August 12, 2024 17:33

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 5 times, most recently from 1cb5768 to 6d1bac8 Compare August 28, 2024 06:19

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from 69056df to 5beb21b Compare September 3, 2024 06:20

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 3 times, most recently from 5e69e10 to ef73728 Compare September 12, 2024 21:18

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from 1ff8fd6 to c4b0169 Compare September 17, 2024 07:37

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from c4b0169 to 7d22c9d Compare September 25, 2024 05:24

mend-for-github-com Bot changed the title ~~Update dependency express to v4.19.0~~ Update dependency express to v4.20.0 Sep 30, 2024

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 3 times, most recently from 955efe5 to 551a6c2 Compare October 6, 2024 00:53

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from c67fce9 to 598490b Compare October 10, 2024 06:05

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 3 times, most recently from 20d140c to 7c7b8fe Compare October 23, 2024 05:47

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 3 times, most recently from af96be7 to b20e940 Compare October 31, 2024 11:21

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from b20e940 to b928aa8 Compare November 9, 2024 08:37

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from b928aa8 to 65d3177 Compare November 19, 2024 13:31

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 65d3177 to 67e5d02 Compare November 30, 2024 06:10

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from b7bb1cf to 32aee10 Compare February 13, 2025 09:36

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from e99c71e to 7d648fa Compare February 18, 2025 19:05

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 3 times, most recently from 4eebff5 to 095eb39 Compare February 26, 2025 09:44

mend-for-github-com Bot changed the title ~~Update dependency express to v4.21.2~~ Update dependency express to v4.21.1 Mar 3, 2025

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from 542a5b0 to 6970dad Compare March 6, 2025 12:51

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 4 times, most recently from 961b936 to 428693f Compare March 16, 2025 08:08

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 428693f to 8761c03 Compare March 20, 2025 17:59

mend-for-github-com Bot changed the title ~~Update dependency express to v4.21.1~~ Update dependency express to v4.21.1 - autoclosed Mar 21, 2025

mend-for-github-com Bot closed this Mar 21, 2025

mend-for-github-com Bot deleted the whitesource-remediate/express-4.x-lockfile branch March 21, 2025 05:42

mend-for-github-com Bot changed the title ~~Update dependency express to v4.21.1 - autoclosed~~ Update dependency express to v4.21.1 Mar 24, 2025

mend-for-github-com Bot reopened this Mar 24, 2025

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from 8761c03 to e71eba5 Compare March 31, 2025 12:53

mend-for-github-com Bot changed the title ~~Update dependency express to v4.21.1~~ Update dependency express to v4.20.0 Mar 31, 2025

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from e71eba5 to 4f7192e Compare April 1, 2025 13:53

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from 675b290 to 51fded3 Compare April 12, 2025 12:09

mend-for-github-com Bot changed the title ~~Update dependency express to v4.20.0~~ Update dependency express to v4.21.1 Apr 12, 2025

mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from 0451bbe to 1603bed Compare April 13, 2025 08:25

Update dependency express to v4.22.0

0cfbd29

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency express to v4.22.0#2

Update dependency express to v4.22.0#2
mend-for-github-com[bot] wants to merge 1 commit into
masterfrom
whitesource-remediate/express-4.x-lockfile

mend-for-github-com Bot commented Aug 12, 2024 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

mend-for-github-com Bot commented Aug 12, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Important: Security

What's Changed

What's Changed

What's Changed

What's Changed

New Contributors

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

mend-for-github-com Bot commented Aug 12, 2024 •

edited

Loading