From 77ada906dba57fd6e308f0d750e01653dbeaddfc Mon Sep 17 00:00:00 2001
From: Blake Embrey
Date: Wed, 11 Sep 2024 12:24:22 -0700
Subject: [PATCH 01/11] Deprecate `"back"` magic string in redirects (#5935)
---
 History.md | 5 +++++
 lib/response.js | 1 +
 2 files changed, 6 insertions(+)
diff --git a/History.md b/History.md
index 887a38f182d..4de61a4ba0c 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+ * Deprecate `res.location("back")` and `res.redirect("back")` magic string
+
 4.20.0 / 2024-09-10
 ==========
 * deps: serve-static@0.16.0
diff --git a/lib/response.js b/lib/response.js
index 76b6b54a3b8..2b654f4c662 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -916,6 +916,7 @@ res.location = function location(url) {
 // "back" is an alias for the referrer
 if (url === 'back') {
+ deprecate('res.location("back"): use res.location(req.get("Referrer") || "/") and refer to https://dub.sh/security-redirect for best practices');
 loc = this.req.get('Referrer') || '/';
 } else {
 loc = String(url);
From 40d2d8f2c882712a0f2e4603c38d166c79676b2b Mon Sep 17 00:00:00 2001
From: Wes Todd
Date: Wed, 11 Sep 2024 14:53:23 -0500
Subject: [PATCH 02/11] fix(deps): finalhandler@1.3.1
---
 History.md | 1 +
 package.json | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/History.md b/History.md
index 4de61a4ba0c..77810b039d7 100644
--- a/History.md
+++ b/History.md
@@ -2,6 +2,7 @@ unreleased
 ==========
 * Deprecate `res.location("back")` and `res.redirect("back")` magic string
+ * deps: finalhandler@1.3.1
 4.20.0 / 2024-09-10
 ==========
diff --git a/package.json b/package.json
index bffa70a6f1c..b451f74ac77 100644
--- a/package.json
+++ b/package.json
@@ -40,7 +40,7 @@
 "encodeurl": "~2.0.0",
 "escape-html": "~1.0.3",
 "etag": "~1.8.1",
- "finalhandler": "1.2.0",
+ "finalhandler": "1.3.1",
 "fresh": "0.5.2",
 "http-errors": "2.0.0",
 "merge-descriptors": "1.0.3",
From 7d364775688be98aaa973302e066d0da9f438997 Mon Sep 17 00:00:00 2001
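Review bot: The deprecated branch still sends the browser to whatever the client put in `Referrer`, so while the alias survives the comment above the `if` should say why it is being retired rather than only what it does, e.g. `// "back" is an alias for the client-supplied Referrer header (attacker-controllable, i.e. an open redirect); deprecated`. The warning text points at a URL-shortener link (`https://dub.sh/security-redirect`); a short link can be repointed outside the project's control, so a canonical expressjs.com page would be a safer reference in a message every affected deployment will log. The changelog entry deprecates `res.redirect("back")` as well, yet the message names only `res.location("back")`; presumably `res.redirect` funnels through here, in which case callers who only ever used `res.redirect` may not recognise the call site. `res.location` begins and ends outside this hunk.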
From: Wes Todd
Date: Wed, 11 Sep 2024 17:26:00 -0500
Subject: [PATCH 03/11] fix(deps): serve-static@1.16.2 (#5951)
---
 History.md | 2 ++
 package.json | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/History.md b/History.md
index 77810b039d7..05371e16499 100644
--- a/History.md
+++ b/History.md
@@ -2,6 +2,8 @@ unreleased
 ==========
 * Deprecate `res.location("back")` and `res.redirect("back")` magic string
+ * deps: serve-static@1.16.2
+ * includes send@0.19.0
 * deps: finalhandler@1.3.1
 4.20.0 / 2024-09-10
diff --git a/package.json b/package.json
index b451f74ac77..eb93352cb48 100644
--- a/package.json
+++ b/package.json
@@ -53,7 +53,7 @@
 "range-parser": "~1.2.1",
 "safe-buffer": "5.2.1",
 "send": "0.19.0",
- "serve-static": "1.16.0",
+ "serve-static": "1.16.2",
 "setprototypeof": "1.2.0",
 "statuses": "2.0.1",
 "type-is": "~1.6.18",
From 1bcde96bc87c4704df9a704271d1167064ab56bb Mon Sep 17 00:00:00 2001
From: agadzinski93
Date: Wed, 11 Sep 2024 15:27:37 -0700
Subject: [PATCH 04/11] fix(deps): qs@6.13.0 (#5946)
Co-authored-by: Wes Todd
---
 History.md | 1 +
 package.json | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/History.md b/History.md
index 05371e16499..9b39345ed84 100644
--- a/History.md
+++ b/History.md
@@ -5,6 +5,7 @@ unreleased
 * deps: serve-static@1.16.2
 * includes send@0.19.0
 * deps: finalhandler@1.3.1
+ * deps: qs@6.13.0
 4.20.0 / 2024-09-10
 ==========
diff --git a/package.json b/package.json
index eb93352cb48..4544201e145 100644
--- a/package.json
+++ b/package.json
@@ -49,7 +49,7 @@
 "parseurl": "~1.3.3",
 "path-to-regexp": "0.1.10",
 "proxy-addr": "~2.0.7",
- "qs": "6.11.0",
+ "qs": "6.13.0",
 "range-parser": "~1.2.1",
 "safe-buffer": "5.2.1",
 "send": "0.19.0",
From 7e562c6d8daddff4604f8efaaf9db2cf98c6dcff Mon Sep 17 00:00:00 2001
From: Wes Todd
Date: Wed, 11 Sep 2024 17:31:27 -0500
Subject: [PATCH 05/11] 4.21.0
---
 History.md | 2 +-
 package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/History.md b/History.md
index 9b39345ed84..178e718fc36 100644
--- a/History.md
+++ b/History.md
@@ -1,4 +1,4 @@
-unreleased
+4.21.0 / 2024-09-11
 ==========
 * Deprecate `res.location("back")` and `res.redirect("back")` magic string
diff --git a/package.json b/package.json
index 4544201e145..f9b43a69e5a 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "express",
 "description": "Fast, unopinionated, minimalist web framework",
- "version": "4.20.0",
+ "version": "4.21.0",
 "author": "TJ Holowaychuk ",
 "contributors": [
 "Aaron Heckmann ",
From a024c8a7b658a178cbdb9bde33030b7500172815 Mon Sep 17 00:00:00 2001
From: Josh Buker
Date: Tue, 8 Oct 2024 10:13:25 +0000
Subject: [PATCH 06/11] fix(deps): cookie@0.7.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Ulises Gascón
---
 History.md | 5 +++++
 package.json | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/History.md b/History.md
index 178e718fc36..fb357771307 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+* Backported a fix for CVE-2024-47764
+
 4.21.0 / 2024-09-11
 ==========
diff --git a/package.json b/package.json
index f9b43a69e5a..9905aac85aa 100644
--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
 "body-parser": "1.20.3",
 "content-disposition": "0.5.4",
 "content-type": "~1.0.4",
- "cookie": "0.6.0",
+ "cookie": "0.7.1",
 "cookie-signature": "1.0.6",
 "debug": "2.6.9",
 "depd": "2.0.0",
From 8e229f92752ad51462c868b99f6e6c2e559801b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?=
Date: Tue, 8 Oct 2024 20:36:08 +0200
Subject: [PATCH 07/11] 4.21.1
PR-URL: https://github.com/expressjs/express/pull/6031
---
 History.md | 4 ++--
 package.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/History.md b/History.md
index fb357771307..924f10537bb 100644
--- a/History.md
+++ b/History.md
@@ -1,7 +1,7 @@
-unreleased
+4.21.1 / 2024-10-08
 ==========
-* Backported a fix for CVE-2024-47764
+* Backported a fix for [CVE-2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764)
 4.21.0 / 2024-09-11
 ==========
diff --git a/package.json b/package.json
index 9905aac85aa..a36e593c316 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "express",
 "description": "Fast, unopinionated, minimalist web framework",
- "version": "4.21.0",
+ "version": "4.21.1",
 "author": "TJ Holowaychuk ",
 "contributors": [
 "Aaron Heckmann ",
From 51fc39ccf834eec44547b0f4fed8027e7c05a009 Mon Sep 17 00:00:00 2001
From: Sebastian Beltran
Date: Sun, 20 Oct 2024 12:58:25 -0500
Subject: [PATCH 08/11] docs: add funding (#6065)
---
 package.json | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/package.json b/package.json
index a36e593c316..cc484c16170 100644
--- a/package.json
+++ b/package.json
@@ -15,6 +15,10 @@
 "license": "MIT",
 "repository": "expressjs/express",
 "homepage": "http://expressjs.com/",
+ "funding": {
+ "type": "opencollective",
+ "url": "https://opencollective.com/express"
+ },
 "keywords": [
 "express",
 "framework",
From 59fc27028ec5d212be653d35d7e3f73a2c3ac3c0 Mon Sep 17 00:00:00 2001
From: Blake Embrey
Date: Sun, 20 Oct 2024 11:09:32 -0700
Subject: [PATCH 09/11] deps: path-to-regexp@0.1.11 (#5956)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Ulises Gascón
---
 History.md | 9 ++++++++-
 package.json | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/History.md b/History.md
index 924f10537bb..20ca76d6723 100644
--- a/History.md
+++ b/History.md
@@ -1,7 +1,14 @@
+unreleased
+==========
+
+ * deps: path-to-regexp@0.1.11
+ - Throws an error on invalid path values
+
 4.21.1 / 2024-10-08
 ==========
-* Backported a fix for [CVE-2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764)
+ * Backported a fix for [CVE-2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764)
+
 4.21.0 / 2024-09-11
 ==========
diff --git a/package.json b/package.json
index cc484c16170..7649e07b893 100644
--- a/package.json
+++ b/package.json
@@ -51,7 +51,7 @@
 "methods": "~1.1.2",
 "on-finished": "2.4.1",
 "parseurl": "~1.3.3",
- "path-to-regexp": "0.1.10",
+ "path-to-regexp": "0.1.11",
 "proxy-addr": "~2.0.7",
 "qs": "6.13.0",
 "range-parser": "~1.2.1",
From 2e0fb646d03184dd9a5285813460210c0e7ae654 Mon Sep 17 00:00:00 2001
From: Jon Church
Date: Thu, 5 Dec 2024 17:16:48 -0500
Subject: [PATCH 10/11] deps: bump path-to-regexp@0.1.12 (#6209)
fix backtracking protection
---
 History.md | 2 ++
 package.json | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/History.md b/History.md
index 20ca76d6723..9eae84d69ba 100644
--- a/History.md
+++ b/History.md
@@ -1,6 +1,8 @@
 unreleased
 ==========
+ * deps: path-to-regexp@0.1.12
+ - Fix backtracking protection
 * deps: path-to-regexp@0.1.11
 - Throws an error on invalid path values
diff --git a/package.json b/package.json
index 7649e07b893..c9ed0d7324b 100644
--- a/package.json
+++ b/package.json
@@ -51,7 +51,7 @@
 "methods": "~1.1.2",
 "on-finished": "2.4.1",
 "parseurl": "~1.3.3",
- "path-to-regexp": "0.1.11",
+ "path-to-regexp": "0.1.12",
 "proxy-addr": "~2.0.7",
 "qs": "6.13.0",
 "range-parser": "~1.2.1",
From 1faf228935aa0a13111f92c28ee795be64ce3f0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?=
Date: Thu, 5 Dec 2024 23:27:56 +0100
Subject: [PATCH 11/11] 4.21.2
Signed-off-by: Ulises Gascon
---
 History.md | 2 +-
 package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/History.md b/History.md
index 9eae84d69ba..c234f529cea 100644
--- a/History.md
+++ b/History.md
@@ -1,4 +1,4 @@
-unreleased
+4.21.2 / 2024-11-06
 ==========
 * deps: path-to-regexp@0.1.12
diff --git a/package.json b/package.json
index c9ed0d7324b..60f65fe2d37 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "express",
 "description": "Fast, unopinionated, minimalist web framework",
- "version": "4.21.1",
+ "version": "4.21.2",
 "author": "TJ Holowaychuk ",
 "contributors": [
 "Aaron Heckmann ",