[Security] Bump send and express
Bumps send to 1.1.0 and updates ancestor dependency express. These dependencies need to be updated together.
Updates send from 0.18.0 to 1.1.0. This update includes a security fix.
Vulnerabilities fixed
send vulnerable to template injection that can lead to XSS
Impact
Passing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code.
Patches
This issue is patched in send 0.19.0.
Workarounds
Users are encouraged to upgrade to the patched version of express, but otherwise can work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.
Details
Successful exploitation of this vector requires the following:
- The attacker MUST control the input to `response.redirect()`
- express MUST NOT redirect before the template appears
- The browser MUST NOT complete redirection before:
  - The user MUST click on the link in the template
Patched versions: 0.19.0
Affected versions: < 0.19.0
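As an added example (not code from send, express or the advisory), this is the allowlist workaround described above applied to a post-login redirect in an Express 4.x handler; the allowlist entries, the `next` query parameter and the handler name are constructed assumptions.

```javascript
// Added example: validate an untrusted redirect target against an explicit
// allowlist before it ever reaches res.redirect() (the advisory's workaround).
// The allowlist below is constructed for this example.
const ALLOWED_REDIRECTS = new Set(['/', '/dashboard', '/account', '/help']);
const FALLBACK = '/';

// Return `input` only if it is exactly one of the allowlisted paths; otherwise
// return the fallback. Exact matching (rather than "sanitising") means that
// query strings, path traversal, protocol-relative URLs or markup in the
// input never make it into the redirect call, which is what the advisory
// warns about: sanitising alone was not enough for send < 0.19.0.
function resolveRedirect(input, allowlist = ALLOWED_REDIRECTS, fallback = FALLBACK) {
  if (typeof input !== 'string') return fallback; // arrays/objects from ?next[]=...
  const candidate = input.trim();
  return allowlist.has(candidate) ? candidate : fallback;
}

// Express route handler (name and the `next` query parameter are assumptions):
// the user-controlled destination is resolved through the allowlist first.
function afterLogin(req, res) {
  res.redirect(resolveRedirect(req.query && req.query.next));
}
```

Mount `afterLogin` on the login route of the app; anything not on the allowlist lands on the fallback path instead of being echoed into the redirect.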
Release notes
Sourced from send's releases.
1.1.0
What's Changed
- Remove link renderization in html while redirecting (pillarjs/send#235)
- fix: engines node@>=18 by @wesleytodd in pillarjs/send#233
- Do not serve files when path ends with / by @rmhaiderali in pillarjs/send#224
- Release: 1.1.0 by @UlisesGascon in pillarjs/send#236
New Contributors
- @rmhaiderali made their first contribution in pillarjs/send#224
Full Changelog: https://github.com/pillarjs/send/compare/v1.0.0...1.1.0
0.19.0
What's Changed
- Remove link renderization in html while redirecting (pillarjs/send#235)
New Contributors
- @UlisesGascon made their first contribution in pillarjs/send#235
Full Changelog: https://github.com/pillarjs/send/compare/0.18.0...0.19.0
Changelog
Sourced from send's changelog.
1.1.0 / 2024-09-10
- Changes from 0.19.0
1.0.0 / 2024-07-25
- Drop support for Node.js <18.0
- statuses@^2.0.1
- range-parser@^1.2.1
- on-finished@^2.4.1
- ms@^2.1.3
- mime-types@^2.1.35
- http-errors@^2.0.0
- fresh@^0.5.2
- etag@^1.8.1
- escape-html@^1.0.3
- encodeurl@^2.0.0
- destroy@^1.2.0
- debug@^4.3.5
1.0.0-beta.2 / 2024-03-04
- Changes from 0.18.0
1.0.0-beta.1 / 2022-02-04
- Drop support for Node.js 0.8
- Remove `hidden` option -- use `dotfiles` option
- Remove `from` alias to `root` -- use `root` directly
- Remove `send.etag()` -- use `etag` in `options`
- Remove `send.index()` -- use `index` in `options`
- Remove `send.maxage()` -- use `maxAge` in `options`
- Remove `send.root()` -- use `root` in `options`
- Use `mime-types` for file to content type mapping -- removed `send.mime`
- deps: debug@3.1.0
  - Add `DEBUG_HIDE_DATE` environment variable
  - Change timer to per-namespace instead of global
  - Change non-TTY date format
  - Remove `DEBUG_FD` environment variable support
  - Support 256 namespace colors
0.19.0 / 2024-09-10
- Remove link renderization in html while redirecting
Commits
- dc6b5d4 1.1.0
- 8eaab61 Merge commit from fork
- 9774100 Do not serve files when path ends with / in windows (#224)
- 672e5c3 fix: engines node@>=18
- 91c184e 1.0.0
- ddfb7d7 fix: update history.md
- 56b1817 Merge branch '1.0'
- 0c0d374 fix(deps): statuses@^2.0.1
- b0e3e2d fix(deps): range-parser@^1.2.1
- 2d5841a fix(deps): on-finished@^2.4.1
- Additional commits viewable in compare view
Maintainer changes
This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.
Updates express from 4.20.0 to 5.0.0
Release notes
Sourced from express's releases.
5.0.0
What's Changed
- 4.19.2 Staging by @wesleytodd in expressjs/express#5561
- remove duplicate location test for data uri by @wesleytodd in expressjs/express#5562
- feat: document beta releases expectations by @marco-ippolito in expressjs/express#5565
- Cut down on duplicated CI runs by @jonchurch in expressjs/express#5564
- Add a Threat Model by @UlisesGascon in expressjs/express#5526
- Assign captain of encodeurl by @blakeembrey in expressjs/express#5579
- Nominate jonchurch as repo captain for `http-errors`, `expressjs.com`, `morgan`, `cors`, `body-parser` by @jonchurch in expressjs/express#5587
- docs: update Security.md by @inigomarquinez in expressjs/express#5590
- docs: update triage nomination policy by @UlisesGascon in expressjs/express#5600
- Add CodeQL (SAST) by @UlisesGascon in expressjs/express#5433
- docs: add UlisesGascon as triage initiative captain by @UlisesGascon in expressjs/express#5605
- Use object with null prototype for various app properties by @EvanHahn in expressjs/express#4861
- deps: encodeurl@~2.0.0 by @blakeembrey in expressjs/express#5569
- skip QUERY method test by @jonchurch in expressjs/express#5628
- ignore ETAG query test on 21 and 22, reuse skip util by @jonchurch in expressjs/express#5639
- add support Node.js@22 in the CI by @mertcanaltin in expressjs/express#5627
- doc: add table of contents, tc/triager lists to readme by @mertcanaltin in expressjs/express#5619
- List and sort all projects, add captains by @blakeembrey in expressjs/express#5653
- Call callback once on listen error by @wesleytodd in expressjs/express#3216
- docs: add @UlisesGascon as captain for cookie-parser by @UlisesGascon in expressjs/express#5666
- ✨ bring back query tests for node 21 by @ctcpip in expressjs/express#5690
- [v4] Deprecate `res.clearCookie` accepting `options.maxAge` and `options.expires` by @jonchurch in expressjs/express#5672
- skip QUERY tests for Node 21 only, still not supported by @jonchurch in expressjs/express#5695
- 📝 update people, add ctcpip to TC by @ctcpip in expressjs/express#5683
- remove minor version pinning from ci by @jonchurch in expressjs/express#5722
- Fix link variable use in attribution section of CODE OF CONDUCT by @IamLizu in expressjs/express#5762
- Replace Appveyor windows testing with GHA by @jonchurch in expressjs/express#5599
- Add OSSF Scorecard badge by @UlisesGascon in expressjs/express#5436
- Throw on invalid status codes by @jonchurch in expressjs/express#4212
- Use Array.flat instead of array-flatten by @almic in expressjs/express#5677
- Adopt Node@18 as the minimum supported version by @UlisesGascon in expressjs/express#5803
- Ignore `expires` and `maxAge` in `res.clearCookie()` by @jonchurch in expressjs/express#5792
- send@1.0.0 by @wesleytodd in expressjs/express#5786
- chore: upgrade `debug` dep from 3.10 to 4.3.6 by @carpasse in expressjs/express#5829
- refactor: replace 'path-is-absolute' dep with node:path isAbsolute method by @carpasse in expressjs/express#5830
- update scorecard link by @bjohansebas in expressjs/express#5814
- Nominate @IamLizu to the triage team by @UlisesGascon in expressjs/express#5836
- deps: path-to-regexp@0.1.8 by @blakeembrey in expressjs/express#5603
- docs: specify new instructions for `question` and `discuss` by @IamLizu in expressjs/express#5835
- 5.x: Upgrading `merge-descriptors` with allowing minors by @RobinTail in expressjs/express#5782
- 4.x: Upgrade `merge-descriptors` dependency by @RobinTail in expressjs/express#5781
- WIP: serve-static@2 by @wesleytodd in expressjs/express#5790
- chore: upgrade qs dp from 6.11.0 to 6.13.0 by @carpasse in expressjs/express#5847
- Upgrade cookie signature by @IamLizu in expressjs/express#5833
- accepts@2 by @wesleytodd in expressjs/express#5881
- mime-types@3 by @wesleytodd in expressjs/express#5882
- type-is@^2.0.0 by @wesleytodd in expressjs/express#5883
- content-disposition@^1.0.0 by @wesleytodd in expressjs/express#5884
... (truncated)
Changelog
Sourced from express's changelog.
5.0.0 / 2024-09-10
- remove: `path-is-absolute` dependency - use `path.isAbsolute` instead
- breaking: `res.status()` accepts only integers, and input must be greater than 99 and less than 1000
  - will throw a `RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000.` for inputs outside this range
  - will throw a `TypeError: Invalid status code: ${code}. Status code must be an integer.` for non integer inputs
- deps: send@1.0.0
  - `res.redirect('back')` and `res.location('back')` is no longer a supported magic string, explicitly use `req.get('Referrer') || '/'`.
- change: `res.clearCookie` will ignore user provided `maxAge` and `expires` options
- deps: cookie-signature@^1.2.1
- deps: debug@4.3.6
- deps: merge-descriptors@^2.0.0
- deps: serve-static@^2.1.0
- deps: qs@6.13.0
- deps: accepts@^2.0.0
- deps: mime-types@^3.0.0
  - `application/javascript` => `text/javascript`
- deps: type-is@^2.0.0
- deps: content-disposition@^1.0.0
- deps: finalhandler@^2.0.0
- deps: fresh@^2.0.0
- deps: body-parser@^2.0.1
- deps: send@^1.1.0
5.0.0-beta.3 / 2024-03-25
This incorporates all changes after 4.19.1 up to 4.19.2.
5.0.0-beta.2 / 2024-03-20
This incorporates all changes after 4.17.2 up to 4.19.1.
5.0.0-beta.1 / 2022-02-14
This is the first Express 5.0 beta release, based off 4.17.2 and includes changes from 5.0.0-alpha.8.
- change:
  - Default "query parser" setting to `'simple'`
  - Requires Node.js 4+
  - Use `mime-types` for file to content type mapping
- deps: array-flatten@3.0.0
- deps: body-parser@2.0.0-beta.1
  - `req.body` is no longer always initialized to `{}`
... (truncated)
Commits
- 344b022 5.0.0
- 0c49926 fix(deps): send@^1.1.0
- b3906cb fix(deps): serve-static@^2.1.0
- fed8c2a fix(deps): body-parser@^2.0.1
- bdd81f8 Delete `back` as a magic string (#5933)
- 6c98f80 🔧 update CI, remove unsupported versions, clean up
- f9256ef Merge branch '5.0' into 5-merge
- e5feb9f Merge tag '4.20.0' into 5.0
- 0264908 feat(deps)!: router@^2.0.0 (#5885)
- 4d713d2 update to fresh@2.0.0 (#5916)
- Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- `$dependabot recreate` will recreate this MR rewriting all the manual changes and resolving conflicts