
chore(deps): bump express from 4.19.2 to 4.21.0 #166

Status: Open. Wants to merge 1 commit into base branch main.

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Sep 21, 2024

Bumps express from 4.19.2 to 4.21.0.

Release notes

Sourced from express's releases.

4.21.0

What's Changed

New Contributors

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [express](https://github.com/expressjs/express) from 4.19.2 to 4.21.0.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.0/History.md)
- [Commits](expressjs/express@4.19.2...4.21.0)

---
updated-dependencies:
- dependency-name: express
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 21, 2024

[puLL-Merge] - expressjs/express@4.19.2..4.21.0

Description

This pull request introduces several changes to the CI workflows, core library functionality, documentation, and test cases for the Express framework. The main changes include updates to the GitHub Actions workflows, deprecations and new features in the res object methods, and several dependency version bumps. The motivation behind these changes is to modernize the CI process, improve code quality, address security concerns, and enhance functionality.

Possible Issues

  1. Backward Compatibility: The deprecation of res.location("back") and res.redirect("back") may break existing applications that rely on this behavior.
  2. Dependency Version Updates: Updating dependencies like serve-static, body-parser, and others can potentially introduce breaking changes or new bugs.
  3. Lint and Test Workflows Separation: While separating linting from testing can be a good practice, it may increase build times as the dependencies are installed multiple times.

Security Hotspots

  1. URL Handling in res.location and res.redirect:
    • Potentially unsafe string concatenations and transformations might introduce vulnerabilities if not properly sanitized.
    • Changes to remove and update Location and Redirecting via HTML should be reviewed carefully to ensure no new vulnerabilities such as XSS (Cross-Site Scripting) are introduced.

Changes

GitHub Workflows

  • .github/workflows/ci.yml:

    • Configured push to run only on specific branches and ignore markdown files.
    • Introduced concurrency control to cancel in-progress workflows.
    • Separated lint and test jobs.
    • Updated the matrix to include more OS and Node.js versions.
    • Simplified steps and improved readability.
  • .github/workflows/codeql.yml:

    • Introduced CodeQL analysis for security scanning of JavaScript code.
  • .github/workflows/iojs.yml:

    • Added a new workflow for testing specific io.js versions.

Changes in .gitignore

  • Added npm-shrinkwrap.json to the ignored files.

Added .npmrc

  • Disabled package-lock file creation.

Documentation

  • Code-Of-Conduct.md: Fixed a broken link.
  • Contributing.md: Updated the process for becoming a triager and clarified the role nomination process.
  • History.md: Added entries for versions 4.19.2, 4.20.0, and 4.21.0.
  • Readme.md: Added a Table of Contents and updated badges and sections for better readability.
  • Release-Process.md: Included guidelines for pre-release versions.
  • Security.md: Updated guidelines for handling pre-release versions and referenced the current threat model.
  • Triager-Guide.md: Emphasized moving discussions and questions to GitHub Discussions.

Core Library

  • lib/response.js:
    • Deprecated maxAge and expires options in res.clearCookie.
    • Updated res.location to deprecate and provide a safer alternative for "back".
    • Simplified URL handling to ensure consistent behavior and security.

Package Configuration

  • package.json: Updated version to 4.21.0. Bumped several dependencies such as body-parser, serve-static, finalhandler, and more. Updated test scripts for better exclusion handling in nyc.

Tests

  • test/app.router.js:

    • Added utility for skipping query method tests for unsupported Node.js versions.
    • Added new test cases for named capturing groups.
  • test/express.static.js:

    • Updated tests to reflect changes in the way redirection messages are generated.
  • test/express.urlencoded.js:

    • Limited parsing depth for deep objects in test cases to match new default behavior.
  • test/res.clearCookie.js:

    • Added new tests for checking expires and maxAge handling.
  • test/res.location.js:

    • Expanded test cases to cover non-string inputs and encoding behaviors.
    • Added scenarios ensuring safe encoding to prevent redirection vulnerabilities.
  • test/res.redirect.js:

    • Ensured no XSS vulnerabilities are introduced via redirection HTML responses.
  • test/res.send.js:

    • Added handling for query method skipping.
  • test/support/utils.js:

    • Utility functions for skipping unsupported query tests in Node.js version 21.x were added.
