chore(deps): update dependency express to v4.20.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
express (source)	4.19.2 -> 4.20.0

GitHub Vulnerability Alerts

CVE-2024-43796

Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code

Patches

this issue is patched in express 4.20.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

1. The attacker MUST control the input to response.redirect()
2. express MUST NOT redirect before the template appears
3. the browser MUST NOT complete redirection before:
4. the user MUST click on the link in the template

---

Release Notes

expressjs/express (express)

v4.20.0

Compare Source

==========

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[nx-cloud]

☁️ Nx Cloud Report

CI is running/has finished running commands for commit bd78c40. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.

📂 See all runs for this CI Pipeline Execution

---

✅ Successfully ran 4 targets

• nx run-many --target=test --all --configuration=ci --base=remotes/origin/master --head=HEAD
• nx run-many --target=lint --all --configuration=ci --base=remotes/origin/master --head=HEAD
• nx lint-types store
• nx run-many --target=build --all

---

Sent with 💌 from NxCloud.

[pkg-pr-new]

Open in Stackblitz

@ngxs/devtools-plugin

yarn add https://pkg.pr.new/@ngxs/devtools-plugin@2220.tgz

@ngxs/form-plugin

yarn add https://pkg.pr.new/@ngxs/form-plugin@2220.tgz

@ngxs/hmr-plugin

yarn add https://pkg.pr.new/@ngxs/hmr-plugin@2220.tgz

@ngxs/router-plugin

yarn add https://pkg.pr.new/@ngxs/router-plugin@2220.tgz

@ngxs/storage-plugin

yarn add https://pkg.pr.new/@ngxs/storage-plugin@2220.tgz

@ngxs/store

yarn add https://pkg.pr.new/@ngxs/store@2220.tgz

@ngxs/websocket-plugin

yarn add https://pkg.pr.new/@ngxs/websocket-plugin@2220.tgz

commit: bd78c40

[bundlemon]

BundleMon

Unchanged files (6)

Status	Path	Size	Limits
✅	fesm2022/ngxs-store.mjs	100.32KB	101KB / +0.5%
✅	fesm2022/ngxs-store-internals.mjs	11.64KB	13KB / +0.5%
✅	fesm2022/ngxs-store-internals-testing.mjs	6.83KB	7KB / +0.5%
✅	fesm2022/ngxs-store-operators.mjs	6.22KB	7KB / +0.5%
✅	fesm2022/ngxs-store-plugins.mjs	2.04KB	3KB / +0.5%
✅	fesm2022/ngxs-store-experimental.mjs	1.4KB	2KB / +0.5%

No change in files bundle size

Unchanged groups (2)

Status	Path	Size	Limits
✅	@ngxs/store(esm2022)[gzip] ./esm2022/**/*.mjs	222.49KB	+1%
✅	@ngxs/store(fesm2022)[gzip] ./fesm2022/*.mjs	30.74KB	+1%

Final result: ✅

View report in BundleMon website ➡️

---

Current branch size history | Target branch size history

[bundlemon]

BundleMon (NGXS Plugins)

Unchanged files (9)

Status	Path	Size	Limits
✅	Plugins(fesm2022)[gzip] storage-plugin/fesm2022/ngxs-storage-plugin.m js	4.15KB	+0.5%
✅	Plugins(fesm2022)[gzip] router-plugin/fesm2022/ngxs-router-plugin.mjs	3.2KB	+0.5%
✅	Plugins(fesm2022)[gzip] websocket-plugin/fesm2022/ngxs-websocket-plug in.mjs	2.64KB	+0.5%
✅	Plugins(fesm2022)[gzip] hmr-plugin/fesm2022/ngxs-hmr-plugin.mjs	2.61KB	+0.5%
✅	Plugins(fesm2022)[gzip] form-plugin/fesm2022/ngxs-form-plugin.mjs	2.59KB	+0.5%
✅	Plugins(fesm2022)[gzip] devtools-plugin/fesm2022/ngxs-devtools-plugin .mjs	2.23KB	+0.5%
✅	Plugins(fesm2022)[gzip] logger-plugin/fesm2022/ngxs-logger-plugin.mjs	2.09KB	+0.5%
✅	Plugins(fesm2022)[gzip] storage-plugin/fesm2022/ngxs-storage-plugin-i nternals.mjs	875B	+0.5%
✅	Plugins(fesm2022)[gzip] router-plugin/fesm2022/ngxs-router-plugin-int ernals.mjs	411B	+0.5%

No change in files bundle size

Unchanged groups (1)

Status	Path	Size	Limits
✅	All Plugins(fesm2022)[gzip] ./-plugin/fesm2022/.mjs	20.76KB	+0.5%

Final result: ✅

View report in BundleMon website ➡️

---

Current branch size history | Target branch size history

[bundlemon]

BundleMon (Integration Projects)

Unchanged files (3)

Status	Path	Size	Limits
✅	Main bundles(Gzip) hello-world-ng18/dist-integration/browser/mai n-(hash).js	71.84KB	+1%
✅	Main bundles(Gzip) hello-world-ng17/dist-integration/main.(hash) .js	68.73KB	+1%
✅	Main bundles(Gzip) hello-world-ng16/dist-integration/main.(hash) .js	67.76KB	+1%

No change in files bundle size

Final result: ✅

View report in BundleMon website ➡️

---

Current branch size history | Target branch size history

[codeclimate]

Code Climate has analyzed commit 59f1b33 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 95.3% (0.0% change).

View more on Code Climate.