[Snyk(Unlimited)] Upgrade express from 4.12.4 to 4.17.1

[snyk-bot]

Snyk has created this PR to upgrade express from 4.12.4 to 4.17.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 20 versions ahead of your current version.
• The recommended version was released 7 months ago, on 2019-05-26.

The recommended version fixes:

Severity	Issue	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No Known Exploit
	Arbitrary Code Injection SNYK-JS-MORGAN-72579	Proof of Concept

Release notes

Package name: express

• 4.17.1 - 2019-05-26
  
  • Revert "Improve error message for null/undefined to res.status"
• 4.17.0 - 2019-05-17
  
  • Add express.raw to parse bodies into Buffer
  • Add express.text to parse bodies into string
  • Improve error message for non-strings to res.sendFile
  • Improve error message for null/undefined to res.status
  • Support multiple hosts in X-Forwarded-Host
  • deps: accepts@~1.3.7
  • deps: body-parser@1.19.0
    • Add encoding MIK
    • Add petabyte (pb) support
    • Fix parsing array brackets after index
    • deps: bytes@3.1.0
    • deps: http-errors@1.7.2
    • deps: iconv-lite@0.4.24
    • deps: qs@6.7.0
    • deps: raw-body@2.4.0
    • deps: type-is@~1.6.17
  • deps: content-disposition@0.5.3
  • deps: cookie@0.4.0
    • Add SameSite=None support
  • deps: finalhandler@~1.1.2
    • Set stricter Content-Security-Policy header
    • deps: parseurl@~1.3.3
    • deps: statuses@~1.5.0
  • deps: parseurl@~1.3.3
  • deps: proxy-addr@~2.0.5
    • deps: ipaddr.js@1.9.0
  • deps: qs@6.7.0
    • Fix parsing array brackets after index
  • deps: range-parser@~1.2.1
  • deps: send@0.17.1
    • Set stricter CSP header in redirect & error responses
    • deps: http-errors@~1.7.2
    • deps: mime@1.6.0
    • deps: ms@2.1.1
    • deps: range-parser@~1.2.1
    • deps: statuses@~1.5.0
    • perf: remove redundant path.normalize call
  • deps: serve-static@1.14.1
    • Set stricter CSP header in redirect response
    • deps: parseurl@~1.3.3
    • deps: send@0.17.1
  • deps: setprototypeof@1.1.1
  • deps: statuses@~1.5.0
    • Add 103 Early Hints
  • deps: type-is@~1.6.18
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type
• 4.16.4 - 2018-10-11
  
  • Fix issue where "Request aborted" may be logged in res.sendfile
  • Fix JSDoc for Router constructor
  • deps: body-parser@1.18.3
    • Fix deprecation warnings on Node.js 10+
    • Fix stack trace for strict json parse error
    • deps: depd@~1.1.2
    • deps: http-errors@~1.6.3
    • deps: iconv-lite@0.4.23
    • deps: qs@6.5.2
    • deps: raw-body@2.3.3
    • deps: type-is@~1.6.16
  • deps: proxy-addr@~2.0.4
    • deps: ipaddr.js@1.8.0
  • deps: qs@6.5.2
  • deps: safe-buffer@5.1.2
• 4.16.3 - 2018-03-12
  
  • deps: accepts@~1.3.5
    • deps: mime-types@~2.1.18
  • deps: depd@~1.1.2
    • perf: remove argument reassignment
  • deps: encodeurl@~1.0.2
    • Fix encoding % as last character
  • deps: finalhandler@1.1.1
    • Fix 404 output for bad / missing pathnames
    • deps: encodeurl@~1.0.2
    • deps: statuses@~1.4.0
  • deps: proxy-addr@~2.0.3
    • deps: ipaddr.js@1.6.0
  • deps: send@0.16.2
    • Fix incorrect end tag in default error & redirects
    • deps: depd@~1.1.2
    • deps: encodeurl@~1.0.2
    • deps: statuses@~1.4.0
  • deps: serve-static@1.13.2
    • Fix incorrect end tag in redirects
    • deps: encodeurl@~1.0.2
    • deps: send@0.16.2
  • deps: statuses@~1.4.0
  • deps: type-is@~1.6.16
    • deps: mime-types@~2.1.18
• 4.16.2 - 2017-10-10
  
  • Fix TypeError in res.send when given Buffer and ETag header set
  • perf: skip parsing of entire X-Forwarded-Proto header
• 4.16.1 - 2017-09-29
  
  • deps: send@0.16.1
  • deps: serve-static@1.13.1
    • Fix regression when root is incorrectly set to a file
    • deps: send@0.16.1
• 4.16.0 - 2017-09-28
  
  • Add "json escape" setting for res.json and res.jsonp
  • Add express.json and express.urlencoded to parse bodies
  • Add options argument to res.download
  • Improve error message when autoloading invalid view engine
  • Improve error messages when non-function provided as middleware
  • Skip Buffer encoding when not generating ETag for small response
  • Use safe-buffer for improved Buffer API
  • deps: accepts@~1.3.4
    • deps: mime-types@~2.1.16
  • deps: content-type@~1.0.4
    • perf: remove argument reassignment
    • perf: skip parameter parsing when no parameters
  • deps: etag@~1.8.1
    • perf: replace regular expression with substring
  • deps: finalhandler@1.1.0
    • Use res.headersSent when available
  • deps: parseurl@~1.3.2
    • perf: reduce overhead for full URLs
    • perf: unroll the "fast-path" RegExp
  • deps: proxy-addr@~2.0.2
    • Fix trimming leading / trailing OWS in X-Forwarded-For
    • deps: forwarded@~0.1.2
    • deps: ipaddr.js@1.5.2
    • perf: reduce overhead when no X-Forwarded-For header
  • deps: qs@6.5.1
    • Fix parsing & compacting very deep objects
  • deps: send@0.16.0
    • Add 70 new types for file extensions
    • Add immutable option
    • Fix missing </html> in default error & redirects
    • Set charset as "UTF-8" for .js and .json
    • Use instance methods on steam to check for listeners
    • deps: mime@1.4.1
    • perf: improve path validation speed
  • deps: serve-static@1.13.0
    • Add 70 new types for file extensions
    • Add immutable option
    • Set charset as "UTF-8" for .js and .json
    • deps: send@0.16.0
  • deps: setprototypeof@1.1.0
  • deps: utils-merge@1.0.1
  • deps: vary@~1.1.2
    • perf: improve header token parsing speed
  • perf: re-use options object when generating ETags
  • perf: remove dead .charset set in res.jsonp
• 4.15.5 - 2017-09-25
  
  • deps: debug@2.6.9
  • deps: finalhandler@~1.0.6
    • deps: debug@2.6.9
    • deps: parseurl@~1.3.2
  • deps: fresh@0.5.2
    • Fix handling of modified headers with invalid dates
    • perf: improve ETag match loop
    • perf: improve If-None-Match token parsing
  • deps: send@0.15.6
    • Fix handling of modified headers with invalid dates
    • deps: debug@2.6.9
    • deps: etag@~1.8.1
    • deps: fresh@0.5.2
    • perf: improve If-Match token parsing
  • deps: serve-static@1.12.6
    • deps: parseurl@~1.3.2
    • deps: send@0.15.6
    • perf: improve slash collapsing
• 4.15.4 - 2017-08-07
• 4.15.3 - 2017-05-17
• 4.15.2 - 2017-03-06
• 4.15.1 - 2017-03-06
• 4.15.0 - 2017-03-01
• 4.14.1 - 2017-01-28
• 4.14.0 - 2016-06-16
• 4.13.4 - 2016-01-22
• 4.13.3 - 2015-08-03
• 4.13.2 - 2015-07-31
• 4.13.1 - 2015-07-06
• 4.13.0 - 2015-06-21
• 4.12.4 - 2015-05-18

from express GitHub release notes

Commit messages

Package name: express

• e1b45eb 4.17.1
• 0a48e18 Revert "Improve error message for null/undefined to res.status"
• eed05a1 build: Node.js@12.3
• 10c7756 4.17.0
• 9dadca2 docs: remove Gratipay links
• b8e5056 tests: ignore unreachable line
• 94e48a1 build: update example dependencies
• efcb17d deps: cookie@0.4.0
• b9ecb9a build: support Node.js 12.x
• 5266f3a build: test against Node.js 13.x nightly
• e502dde build: Node.js@10.15
• da6f701 deps: range-parser@~1.2.1
• 88f9733 deps: serve-static@1.14.1
• 8267c4b deps: send@0.17.1
• bc07a41 deps: finalhandler@~1.1.2
• c754c8a build: support Node.js 11.x
• e917028 build: Node.js@8.16
• 7b076bd build: Node.js@6.17
• bb5211f tests: add express.text test suite
• 7f4e37f Add express.text to parse bodies into string
• 11192bd tests: add express.raw test suite
• 0bcdd88 Add express.raw to parse bodies into Buffer
• 60aacac deps: serve-static@1.14.0
• 70a1947 deps: send@0.17.0

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs