[Security] Bump send and express
Bumps send to 0.19.0 and updates ancestor dependency express. These dependencies need to be updated together.
Updates send
from 0.18.0 to 0.19.0 This update includes a security fix.
Vulnerabilities fixed
send vulnerable to template injection that can lead to XSS
Impact
passing untrusted user input - even after sanitizing it - to
SendStream.redirect()
may execute untrusted codePatches
this issue is patched in send 0.19.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
Patched versions: 0.19.0 Affected versions: < 0.19.0
Release notes
Sourced from send's releases.
0.19.0
What's Changed
- Remove link renderization in html while redirecting (pillarjs/send#235)
New Contributors
@UlisesGascon
made their first contribution in pillarjs/send#235Full Changelog: https://github.com/pillarjs/send/compare/0.18.0...0.19.0
Changelog
Sourced from send's changelog.
0.19.0 / 2024-09-10
- Remove link renderization in html while redirecting
Commits
-
9d2db99
0.19.0 -
ae4f298
Merge commit from fork - See full diff in compare view
Maintainer changes
This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.
Updates express
from 4.20.0 to 4.21.0
Release notes
Sourced from express's releases.
4.21.0
What's Changed
- Deprecate
"back"
magic string in redirects by@blakeembrey
in expressjs/express#5935- finalhandler@1.3.1 by
@wesleytodd
in expressjs/express#5954- fix(deps): serve-static@1.16.2 by
@wesleytodd
in expressjs/express#5951- Upgraded dependency qs to 6.13.0 to match qs in body-parser by
@agadzinski93
in expressjs/express#5946New Contributors
@agadzinski93
made their first contribution in expressjs/express#5946Full Changelog: https://github.com/expressjs/express/compare/4.20.0...4.21.0
Changelog
Sourced from express's changelog.
4.21.0 / 2024-09-11
- Deprecate
res.location("back")
andres.redirect("back")
magic string- deps: serve-static@1.16.2
- includes send@0.19.0
- deps: finalhandler@1.3.1
- deps: qs@6.13.0
Commits
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot recreate
will recreate this MR rewriting all the manual changes and resolving conflicts