Release 4.15

[dougwilson]

This is a tracking issue for release 4.15.

Please keep feature requests in their own issues

If you want to make a comment on a particular change, please make the comment in the "Files changed" tab so comments are not lost during a rebase.

List of changes for release:

• Add debug message when loading view engine debug require engine #3158
• Backport changes in router@1.3.0
  • Add next("router") to exit from router Method for bailing out of a router and returning to the previous middleware level #2241 Allow immediate bail in Router #2371
  • Fix case where router.use skipped requests routes did not TypeError: res.set is not a function #3037
  • Skip routing when req.url is not set
  • Use %o in path debug to tell types apart
  • lint: consolidate layer match failure path
  • lint: remove unreachable code
  • perf: add fast match path for * route
• Improve req.ips performance req.ips: use pop instead of slice(1). #2723
• Remove usage of res._headers private field Fix response headers usage with upcoming node changes #3174
• Support Node.js 7.x
• Upgrade debug module to 2.6.1
• Upgrade etag module to 1.8.0 to bring in OOB FIPS compliance
• Upgrade finalhandler module to 1.0.0 to bring in full HTML documents and security headers
• Upgrade fresh module to 0.5.0 to bring in bug fixes and perf improvements
• Upgrade qs module to 6.3.1 to bring in minor bug fixes
• Upgrade send module to 0.15.0 to bring in precondition checks
• Upgrade serve-static module to 1.12.0
• Use Object.create to setup request & response prototypes
• Use setprototypeof module to replace __proto__ setting Why is __proto__ used instead of setPrototypeOf in router/index.js #3164 Issues regarding the use of __proto__ #3103 QUESTION: Why is obj.__proto__=... being used instead of calling Object.create #2613 Heavy use of deprecated __proto__ #1967
• Use statuses instead of http module for status messages Replace http.STATUS_CODES with the statuses module #3215

Testing this release

If you want to try out this release, you can install it with the following commands:

$ npm cache clean express
$ npm install expressjs/express#4.15

Owners/collaborators: please do not merge this PR :)

[LinusU]

Just raising the question, is it considered non-breaking that the current ETags will be invalidated? This could potentially cause files to be unnecessarily re-downloaded, but maybe that isn't an issue?

[dougwilson]

I have the exact same thought, of course. I saw it as a minor, based on (1) we have changed it multiple times throughout 4.x without backlash already (2) we don't actually promise what they look like and (3) semver only really accounts for the API used.

I'm open to more discussion on it :) but as for the reason behind the change is that it is actually a bit faster and will work OOB on FIPS Node.js builds now.

[dougwilson]

4.9.0, 4.10.0 and 4.13.0 were all releases where the format of the default ETags were altered in some way, FWIW

[LinusU]

Sounds good 👍

Tried google OOB on FIPS but didn't get anything good 😄 mind pointing me in the right direction?

[dougwilson]

Sorry, OOB meant "out of the box" and there is a special build of Node.js called FIPS mode that disables things like MD5.

[dougwilson]

So just from what's left to do, I'm thinking maybe a good target release frame would be this weekend. After the changes settle down, we can propose a more concrete date, just figured I'd toss out an idea general date.

[dougwilson]

I believe that the Release 4.15 is code complete at this point. Please take a look for anything either (a) missing or (b) shouldn't belong. If there are no surfaced issues, I propose a release sometime Feb 28.

[dougwilson]

So doing some testing, I noticed that res.redirect was never updated to add the CSP header and the full HTML document like the dependencies have done for redirects and errors. Ideally it would be great if these were all consistent (so a res.redirect() produces the same output as a redirect from express.static or res.sendFile(), for example). I also see that it is misusing res.format() by assuming that it will execute the callbacks sync while we don't document such a promise (and it doesn't even use res.send()!).

i.m.o the lack of consistency with the responses seems easy enough to just push the release out a day or two to get it fixed up. I'm not going to change anything right now, so if anyone wants to PR a change to any one of the items or say "nope" to this, feel free :)

[dougwilson]

So thinking more about it, I'm going to move to just not make any changes and shoot for releasing the existing work as 4.15 Feb 28 in order to get it out and we can always follow up later if necessary :)

[dougwilson]

So I'll be publishing this within a couple hours, since I've been made aware that Snyk has published a notice for an issue in one of our dependencies, qs. It is important to note that the issue does not affect Express, since we do not use the feature in which the issue lies, but regardless, automated checkers will not understand this, so getting a published update out will satisfy the checking tools.

I am also debating if it would be useful to even bother publishing a 4.14.2 with the patched version and then delaying this release a bit more, but 🤷‍♂️

[notrab]

Ship it and ship a patch if necessary. Life is shorter than software development if we had to plan it perfectly. 🚢

[dougwilson]

Yea, looking at the change, I'm inclined to only ship in 4.15.0, which I am preparing as I type to publish. Just need to add some additional wording after publish to the website regarding the security fix, and that users are not affected, but an updated module is available as part of 4.15.0. /cc @expressjs/express-tc

[techsin]

THANKS

for adding next('router') although undocumented it's very useful

[dougwilson]

Hi @techsin it is documented in http://expressjs.com/en/guide/using-middleware.html with the rest of the flow. If you think it should be documented else where or improvements, don't hesitate to make a pull request 👍