Bump path-to-regexp, express and @vaadin/router
Bumps path-to-regexp to 6.3.0 and updates ancestor dependencies path-to-regexp, express and @vaadin/router. These dependencies need to be updated together.
Updates path-to-regexp
from 0.1.10 to 6.3.0
Release notes
Sourced from path-to-regexp's releases.
Fix backtracking in 6.x
Fixed
- Add backtrack protection to 6.x (#324) f1253b4
https://github.com/pillarjs/path-to-regexp/compare/v6.2.2...v6.3.0
Updated README
No API changes. Documentation only release.
Changed
- Fix readme example c7ec332
- Update shield URL e828000
https://github.com/pillarjs/path-to-regexp/compare/v6.2.1...v6.2.2
Fix matching
:name*
parameterFixed
- Fix invalid matching of
:name*
parameter (#261) 762bc6b- Compare delimiter string over regexp 86baef8
Added
- New example in documentation (#256) ae9e576
- Update demo link (#250) 77df638
- Update README encode example b39edd4
https://github.com/pillarjs/path-to-regexp/compare/v6.2.0...v6.2.1
Named Capturing Groups
Added
- Support named capturing groups for RegExps (#225)
Fixed
Use
/#?
as Default DelimiterFixed
- Use
/#?
as default delimiter to avoid matching on query or fragment parameters
- If you are matching non-paths (e.g. hostnames), you can adjust
delimiter: '.'
Custom Prefix and Suffix Groups
This release reverts the prefix behavior added in v3 back to the behavior seen in v2. For the most part, path matching is backward compatible with v2 with these enhancements:
... (truncated)
Changelog
Sourced from path-to-regexp's changelog.
Moved to GitHub Releases
3.0.0 / 2019-01-13
- Always use prefix character as delimiter token, allowing any character to be a delimiter (e.g.
/:att1-:att2-:att3-:att4-:att5
)- Remove
partial
support, prefer escaping the prefix delimiter explicitly (e.g.\\/(apple-)?icon-:res(\\d+).png
)2.4.0 / 2018-08-26
- Support
start
option to disable anchoring from beginning of the string2.3.0 / 2018-08-20
- Use
delimiter
when processing repeated matching groups (e.g.foo/bar
has no prefix, but has a delimiter)2.2.1 / 2018-04-24
- Allow empty string with
end: false
to match both relative and absolute paths2.2.0 / 2018-03-06
- Pass
token
as second argument toencode
option (e.g.encode(value, token)
)2.1.0 / 2017-10-20
- Handle non-ending paths where the final character is a delimiter
- E.g.
/foo/
before required either/foo/
or/foo//
to match in non-ending mode2.0.0 / 2017-08-23
- New option! Ability to set
endsWith
to match paths like/test?query=string
up to the query string- New option! Set
delimiters
for specific characters to be treated as parameter prefixes (e.g./:test
)- Remove
isarray
dependency- Explicitly handle trailing delimiters instead of trimming them (e.g.
/test/
is now treated as/test/
instead of/test
when matching)- Remove overloaded
keys
argument that acceptedoptions
- Remove
keys
list attached to theRegExp
output- Remove asterisk functionality (it's a real pain to properly encode)
- Change
tokensToFunction
(e.g.compile
) to accept anencode
function for pretty encoding (e.g. pass your own implementation)1.7.0 / 2016-11-08
- Allow a
delimiter
option to be passed in withtokensToRegExp
which will be used for "non-ending" token match situations1.6.0 / 2016-10-03
- Populate
RegExp.keys
when using thetokensToRegExp
method (making it consistent with the main export)- Allow a
delimiter
option to be passed in withparse
- Updated TypeScript definition with
Keys
andOptions
updated1.5.3 / 2016-06-15
... (truncated)
Commits
-
75a92c3
6.3.0 -
f1253b4
Add backtrack protection to 6.x (#324) -
28a5b27
6.2.2 -
270876d
Test on min node 16 -
d5a42b6
Run tests on ubuntu -
1c265a1
Upgrade dev deps, prettier format -
c7ec332
Fix readme example -
25da491
Bump node v14 for tests -
980d1db
Add v8 coverage -
e828000
Update shield URL - Additional commits viewable in compare view
Updates express
from 4.21.1 to 5.0.1
Release notes
Sourced from express's releases.
5.0.1
What's Changed
- remove --bail from test script by
@jonchurch
in expressjs/express#5962- Nominate
@bjohansebas
to the triage team by@UlisesGascon
in expressjs/express#6009- Link and update captains by
@blakeembrey
in expressjs/express#6013- Update
cookie
semver lock to address CVE-2024-47764 by@joshbuker
in expressjs/express#6017- Release: 5.0.1 by
@UlisesGascon
in expressjs/express#6032Full Changelog: https://github.com/expressjs/express/compare/v5.0.0...5.0.1
5.0.0
Express v5.0.0
🎉 Express v5 is finally here!🎉 After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.
For detailed information, please check out the official Express v5 release blog post.
Most relevant details
Major Changes in v5
- Node.js version support: Dropped support for Node.js versions before v18.
- Routing changes: Updated to
path-to-regexp@8.x
, removing sub-expression regex patterns for security reasons (ReDoS mitigation).- Promise support: Middleware can now return rejected promises, caught by the router as errors.
body-parser
changes: Several improvements including the ability to customizeurlencoded
body depth and defaultingextended
tofalse
.- Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.
For a complete list of breaking changes and API deprecations, see the migration guide.
Security Updates
This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.
Migration
Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.
Security Guidance
For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.
What's Changed
- 4.19.2 Staging by
@wesleytodd
in expressjs/express#5561- remove duplicate location test for data uri by
@wesleytodd
in expressjs/express#5562- feat: document beta releases expectations by
@marco-ippolito
in expressjs/express#5565- Cut down on duplicated CI runs by
@jonchurch
in expressjs/express#5564
... (truncated)
Changelog
Sourced from express's changelog.
5.0.1 / 2024-10-08
- Update
cookie
semver lock to address CVE-2024-477645.0.0 / 2024-09-10
- remove:
path-is-absolute
dependency - usepath.isAbsolute
instead- breaking:
res.status()
accepts only integers, and input must be greater than 99 and less than 1000
- will throw a
RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000.
for inputs outside this range- will throw a
TypeError: Invalid status code: ${code}. Status code must be an integer.
for non integer inputs- deps: send@1.0.0
res.redirect('back')
andres.location('back')
is no longer a supported magic string, explicitly usereq.get('Referrer') || '/'
.- change:
res.clearCookie
will ignore user providedmaxAge
andexpires
options- deps: cookie-signature@^1.2.1
- deps: debug@4.3.6
- deps: merge-descriptors@^2.0.0
- deps: serve-static@^2.1.0
- deps: qs@6.13.0
- deps: accepts@^2.0.0
- deps: mime-types@^3.0.0
application/javascript
=>text/javascript
- deps: type-is@^2.0.0
- deps: content-disposition@^1.0.0
- deps: finalhandler@^2.0.0
- deps: fresh@^2.0.0
- deps: body-parser@^2.0.1
- deps: send@^1.1.0
5.0.0-beta.3 / 2024-03-25
This incorporates all changes after 4.19.1 up to 4.19.2.
5.0.0-beta.2 / 2024-03-20
This incorporates all changes after 4.17.2 up to 4.19.1.
5.0.0-beta.1 / 2022-02-14
This is the first Express 5.0 beta release, based off 4.17.2 and includes changes from 5.0.0-alpha.8.
- change:
- Default "query parser" setting to
'simple'
... (truncated)
Commits
-
d14b2de
5.0.1 -
2027b87
fix(deps): cookie@0.7.0 -
2cbf227
Link and update captains (#6013) -
3e1a1ce
Add@bjohansebas
to the triage team (#6009) -
6340d15
remove --bail from test script (#5962) -
344b022
5.0.0 -
0c49926
fix(deps): send@^1.1.0 -
b3906cb
fix(deps): serve-static@^2.1.0 -
fed8c2a
fix(deps): body-parser@^2.0.1 -
bdd81f8
Deleteback
as a magic string (#5933) - Additional commits viewable in compare view
Updates @vaadin/router
from 1.7.5 to 2.0.0
Release notes
Sourced from @vaadin/router
's releases.
v2.0.0-rc4
What's Changed
- fix: Router#resolve typings by
@Lodin
in vaadin/router#891Full Changelog: https://github.com/vaadin/router/compare/v2.0.0-rc3...v2.0.0-rc4
v2.0.0-rc3
What's Changed
- fix: support WCs with result property by
@platosha
in vaadin/router#889Full Changelog: https://github.com/vaadin/router/compare/v2.0.0-rc2...v2.0.0-rc3
v2.0.0-rc2
Live Demo → API Documentation →
What's Changed
- fix: copy dts files by
@Lodin
in vaadin/router#888Full Changelog: https://github.com/vaadin/router/compare/v2.0.0-rc1...v2.0.0-rc2
Commits
- See full diff in compare view
Maintainer changes
This version was pushed to npm by sunzhewyq, a new releaser for @vaadin/router
since your current version.
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot recreate
will recreate this MR rewriting all the manual changes and resolving conflicts