Update High Confidence #49

mend-for-github-com · 2022-11-17T08:11:14Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
body-parser	`1.18.3` -> `1.20.3`
dont-sniff-mimetype (source)	`1.0.0` -> `1.1.0`
express (source)	`4.16.4` -> `4.21.0`
express-session	`1.15.6` -> `1.18.0`
helmet (source)	`5.0.2` -> `5.1.1`
needle	`3.1.0` -> `3.3.1`
underscore (source)	`1.9.1` -> `1.13.7`

Release Notes

expressjs/body-parser (body-parser)

`v1.20.3`

Compare Source

===================

deps: qs@6.13.0
add depth option to customize the depth level in the parser
IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

`v1.20.2`

Compare Source

===================

Fix strict json error message on Node.js 19+
deps: content-type@~1.0.5
- perf: skip value escaping when unnecessary
deps: raw-body@2.5.2

`v1.20.1`

Compare Source

===================

deps: qs@6.11.0
perf: remove unnecessary object clone

`v1.20.0`

Compare Source

===================

Fix error message for json parse whitespace in strict
Fix internal error when inflated body exceeds limit
Prevent loss of async hooks context
Prevent hanging when request already read
deps: depd@2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: http-errors@2.0.0
- deps: depd@2.0.0
- deps: statuses@2.0.1
deps: on-finished@2.4.1
deps: qs@6.10.3
deps: raw-body@2.5.1
- deps: http-errors@2.0.0

`v1.19.2`

Compare Source

===================

deps: bytes@3.1.2
deps: qs@6.9.7
- Fix handling of __proto__ keys
deps: raw-body@2.4.3
- deps: bytes@3.1.2

`v1.19.1`

Compare Source

===================

deps: bytes@3.1.1
deps: http-errors@1.8.1
- deps: inherits@2.0.4
- deps: toidentifier@1.0.1
- deps: setprototypeof@1.2.0
deps: qs@6.9.6
deps: raw-body@2.4.2
- deps: bytes@3.1.1
- deps: http-errors@1.8.1
deps: safe-buffer@5.2.1
deps: type-is@~1.6.18

`v1.19.0`

Compare Source

===================

deps: bytes@3.1.0
- Add petabyte (pb) support
deps: http-errors@1.7.2
- Set constructor name when possible
- deps: setprototypeof@1.1.1
- deps: statuses@'>= 1.5.0 < 2'
deps: iconv-lite@0.4.24
- Added encoding MIK
deps: qs@6.7.0
- Fix parsing array brackets after index
deps: raw-body@2.4.0
- deps: bytes@3.1.0
- deps: http-errors@1.7.2
- deps: iconv-lite@0.4.24
deps: type-is@~1.6.17
- deps: mime-types@~2.1.24
- perf: prevent internal throw on invalid type

helmetjs/dont-sniff-mimetype (dont-sniff-mimetype)

`v1.1.0`

Compare Source

expressjs/express (express)

==========

deps: serve-static@0.16.0
- Remove link renderization in html while redirecting
deps: send@0.19.0
- Remove link renderization in html while redirecting
deps: body-parser@0.6.0
- add depth option to customize the depth level in the parser
- IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
Remove link renderization in html while using res.redirect
deps: path-to-regexp@0.1.10
- Adds support for named matching groups in the routes using a regex
- Adds backtracking protection to parameters without regexes defined
deps: encodeurl@~2.0.0
- Removes encoding of \, |, and ^ to align better with URL spec
Deprecate passing options.maxAge and options.expires to res.clearCookie
- Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

`v4.19.2`

Compare Source

==========

Improved fix for open redirect allow list bypass

`v4.19.1`

Compare Source

==========

Allow passing non-strings to res.location with new encoding handling checks

`v4.19.0`

Compare Source

==========

Prevent open redirect allow list bypass due to encodeurl
deps: cookie@0.6.0

`v4.18.3`

Compare Source

==========

Fix routing requests without method
deps: body-parser@1.20.2
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: raw-body@2.5.2
deps: cookie@0.6.0
- Add partitioned option

`v4.18.2`

Compare Source

===================

Fix regression routing a large stack in a single route
deps: body-parser@1.20.1
- deps: qs@6.11.0
- perf: remove unnecessary object clone
deps: qs@6.11.0

`v4.18.1`

Compare Source

===================

Fix hanging on large stack of sync routes

`v4.18.0`

Compare Source

===================

Add "root" option to res.download
Allow options without filename in res.download
Deprecate string and non-integer arguments to res.status
Fix behavior of null/undefined as maxAge in res.cookie
Fix handling very large stacks of sync middleware
Ignore Object.prototype values in settings through app.set/app.get
Invoke default with same arguments as types in res.format
Support proper 205 responses using res.send
Use http-errors for res.format error
deps: body-parser@1.20.0
- Fix error message for json parse whitespace in strict
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: depd@2.0.0
- deps: http-errors@2.0.0
- deps: on-finished@2.4.1
- deps: qs@6.10.3
- deps: raw-body@2.5.1
deps: cookie@0.5.0
- Add priority option
- Fix expires option to reject invalid dates
deps: depd@2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: finalhandler@1.2.0
- Remove set content headers that break response
- deps: on-finished@2.4.1
- deps: statuses@2.0.1
deps: on-finished@2.4.1
- Prevent loss of async hooks context
deps: qs@6.10.3
deps: send@0.18.0
- Fix emitted 416 error missing headers property
- Limit the headers removed for 304 response
- deps: depd@2.0.0
- deps: destroy@1.2.0
- deps: http-errors@2.0.0
- deps: on-finished@2.4.1
- deps: statuses@2.0.1
deps: serve-static@1.15.0
- deps: send@0.18.0
deps: statuses@2.0.1
- Remove code 306
- Rename 425 Unordered Collection to standard 425 Too Early

`v4.17.3`

Compare Source

===================

deps: accepts@~1.3.8
- deps: mime-types@~2.1.34
- deps: negotiator@0.6.3
deps: body-parser@1.19.2
- deps: bytes@3.1.2
- deps: qs@6.9.7
- deps: raw-body@2.4.3
deps: cookie@0.4.2
deps: qs@6.9.7
- Fix handling of __proto__ keys
pref: remove unnecessary regexp for trust proxy

`v4.17.2`

Compare Source

===================

Fix handling of undefined in res.jsonp
Fix handling of undefined when "json escape" is enabled
Fix incorrect middleware execution with unanchored RegExps
Fix res.jsonp(obj, status) deprecation message
Fix typo in res.is JSDoc
deps: body-parser@1.19.1
- deps: bytes@3.1.1
- deps: http-errors@1.8.1
- deps: qs@6.9.6
- deps: raw-body@2.4.2
- deps: safe-buffer@5.2.1
- deps: type-is@~1.6.18
deps: content-disposition@0.5.4
- deps: safe-buffer@5.2.1
deps: cookie@0.4.1
- Fix maxAge option to reject invalid values
deps: proxy-addr@~2.0.7
- Use req.socket over deprecated req.connection
- deps: forwarded@0.2.0
- deps: ipaddr.js@1.9.1
deps: qs@6.9.6
deps: safe-buffer@5.2.1
deps: send@0.17.2
- deps: http-errors@1.8.1
- deps: ms@2.1.3
- pref: ignore empty http tokens
deps: serve-static@1.14.2
- deps: send@0.17.2
deps: setprototypeof@1.2.0

`v4.17.1`

Compare Source

===================

Revert "Improve error message for null/undefined to res.status"

`v4.17.0`

Compare Source

===================

Add express.raw to parse bodies into Buffer
Add express.text to parse bodies into string
Improve error message for non-strings to res.sendFile
Improve error message for null/undefined to res.status
Support multiple hosts in X-Forwarded-Host
deps: accepts@~1.3.7
deps: body-parser@1.19.0
- Add encoding MIK
- Add petabyte (pb) support
- Fix parsing array brackets after index
- deps: bytes@3.1.0
- deps: http-errors@1.7.2
- deps: iconv-lite@0.4.24
- deps: qs@6.7.0
- deps: raw-body@2.4.0
- deps: type-is@~1.6.17
deps: content-disposition@0.5.3
deps: cookie@0.4.0
- Add SameSite=None support
deps: finalhandler@~1.1.2
- Set stricter Content-Security-Policy header
- deps: parseurl@~1.3.3
- deps: statuses@~1.5.0
deps: parseurl@~1.3.3
deps: proxy-addr@~2.0.5
- deps: ipaddr.js@1.9.0
deps: qs@6.7.0
- Fix parsing array brackets after index
deps: range-parser@~1.2.1
deps: send@0.17.1
- Set stricter CSP header in redirect & error responses
- deps: http-errors@~1.7.2
- deps: mime@1.6.0
- deps: ms@2.1.1
- deps: range-parser@~1.2.1
- deps: statuses@~1.5.0
- perf: remove redundant path.normalize call
deps: serve-static@1.14.1
- Set stricter CSP header in redirect response
- deps: parseurl@~1.3.3
- deps: send@0.17.1
deps: setprototypeof@1.1.1
deps: statuses@~1.5.0
- Add 103 Early Hints
deps: type-is@~1.6.18
- deps: mime-types@~2.1.24
- perf: prevent internal throw on invalid type

expressjs/session (express-session)

`v1.18.0`

Compare Source

===================

Add debug log for pathname mismatch
Add partitioned to cookie options
Add priority to cookie options
Fix handling errors from setting cookie
Support any type in secret that crypto.createHmac supports
deps: cookie@0.6.0
- Fix expires option to reject invalid dates
- perf: improve default decode speed
- perf: remove slow string split in parse
deps: cookie-signature@1.0.7

`v1.17.3`

Compare Source

===================

Fix resaving already-saved new session at end of request
deps: cookie@0.4.2

`v1.17.2`

Compare Source

===================

Fix res.end patch to always commit headers
deps: cookie@0.4.1
deps: safe-buffer@5.2.1

`v1.17.1`

Compare Source

===================

Fix internal method wrapping error on failed reloads

`v1.17.0`

Compare Source

===================

deps: cookie@0.4.0
- Add SameSite=None support
deps: safe-buffer@5.2.0

`v1.16.2`

Compare Source

===================

Fix restoring cookie.originalMaxAge when store returns Date
deps: parseurl@~1.3.3

`v1.16.1`

Compare Source

===================

Fix error passing data option to Cookie constructor
Fix uncaught error from bad session data

`v1.16.0`

Compare Source

===================

Catch invalid cookie.maxAge value earlier
Deprecate setting cookie.maxAge to a Date object
Fix issue where resave: false may not save altered sessions
Remove utils-merge dependency
Use safe-buffer for improved Buffer API
Use Set-Cookie as cookie header name for compatibility
deps: depd@~2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
- perf: remove argument reassignment
deps: on-headers@~1.0.2
- Fix res.writeHead patch missing return value

helmetjs/helmet (helmet)

`v5.1.1`

Compare Source

Changed

Fix TypeScript bug with some TypeScript configurations. See #375 and #359

`v5.1.0`

Compare Source

Added

Cross-Origin-Embedder-Policy: support credentialless policy. See #365
Documented how to set both Content-Security-Policy and Content-Security-Policy-Report-Only

Changed

Cleaned up some documentation around Origin-Agent-Cluster

tomas/needle (needle)

`v3.3.1`

Compare Source

`v3.3.0`

Compare Source

`v3.2.0`

Compare Source

What's Changed

Remove on_socket_end callback by @tomas in https://github.com/tomas/needle/pull/401
ci: add node18 test by @iChenLei in https://github.com/tomas/needle/pull/402
Add utils module and refactor should_proxy_to() based on PR #411. Fixes #383 by @tomas in https://github.com/tomas/needle/pull/416

New Contributors

@iChenLei made their first contribution in https://github.com/tomas/needle/pull/402

Full Changelog: tomas/needle@v3.1.0...v3.2.0

jashkenas/underscore (underscore)

`v1.13.7`

Compare Source

`v1.13.6`

Compare Source

`v1.13.5`

Compare Source

`v1.13.4`

Compare Source

`v1.13.3`

Compare Source

`v1.13.2`

Compare Source

`v1.13.1`

Compare Source

`v1.13.0`

Compare Source

`v1.12.1`

Compare Source

`v1.12.0`

Compare Source

`v1.11.0`

Compare Source

`v1.10.2`

Compare Source

`v1.10.1`

Compare Source

`v1.10.0`

Compare Source

`v1.9.2`

Compare Source

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

mend-for-github-com bot force-pushed the whitesource-remediate/high-conf branch from e6fb1fa to dd3e4db Compare March 26, 2023 17:07

mend-for-github-com bot changed the title ~~Update dependency needle to v3.2.0~~ Update High Confidence Mar 26, 2023

mend-for-github-com bot force-pushed the whitesource-remediate/high-conf branch 21 times, most recently from 76b8bcc to 7ab1edb Compare April 2, 2023 21:19

mend-for-github-com bot force-pushed the whitesource-remediate/high-conf branch 7 times, most recently from 3b72fe5 to b6747a4 Compare April 5, 2023 11:50

mend-for-github-com bot force-pushed the whitesource-remediate/high-conf branch 10 times, most recently from 2a64693 to bfa7b5d Compare September 2, 2024 03:44

mend-for-github-com bot force-pushed the whitesource-remediate/high-conf branch 11 times, most recently from a39e582 to 91aa418 Compare September 9, 2024 03:30

mend-for-github-com bot force-pushed the whitesource-remediate/high-conf branch 7 times, most recently from d998045 to 4fb6b9c Compare September 16, 2024 03:44

Update High Confidence

901c5a0

mend-for-github-com bot force-pushed the whitesource-remediate/high-conf branch from 4fb6b9c to 901c5a0 Compare September 17, 2024 05:17

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update High Confidence #49

Update High Confidence #49

mend-for-github-com bot commented Nov 17, 2022 •

edited

Loading

Update High Confidence #49

Are you sure you want to change the base?

Update High Confidence #49

Conversation

mend-for-github-com bot commented Nov 17, 2022 • edited Loading

Release Notes

What's Changed

New Contributors

Changed

Added

Changed

What's Changed

New Contributors

Configuration

mend-for-github-com bot commented Nov 17, 2022 •

edited

Loading