[Security] Bump send and express

Bumps send to 1.1.0 and updates ancestor dependency express. These dependencies need to be updated together.

Updates send from 0.18.0 to 1.1.0 This update includes a security fix.

Vulnerabilities fixed

send vulnerable to template injection that can lead to XSS

Impact

passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code

Patches

this issue is patched in send 0.19.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

1. The attacker MUST control the input to response.redirect()
2. express MUST NOT redirect before the template appears
3. the browser MUST NOT complete redirection before:
4. the user MUST click on the link in the template

Patched versions: 0.19.0 Affected versions: < 0.19.0

Release notes

Sourced from send's releases.

1.1.0

What's Changed

• Remove link renderization in html while redirecting (pillarjs/send#235)
• fix: engines node@>=18 by @​wesleytodd in pillarjs/send#233
• Do not serve files when path ends with / by @​rmhaiderali in pillarjs/send#224
• Release: 1.1.0 by @​UlisesGascon in pillarjs/send#236

New Contributors

• @​rmhaiderali made their first contribution in pillarjs/send#224

Full Changelog: https://github.com/pillarjs/send/compare/v1.0.0...1.1.0

0.19.0

What's Changed

• Remove link renderization in html while redirecting (pillarjs/send#235)

New Contributors

• @​UlisesGascon made their first contribution in pillarjs/send#235

Full Changelog: https://github.com/pillarjs/send/compare/0.18.0...0.19.0

Changelog

Sourced from send's changelog.

1.1.0 / 2024-09-10

• Changes from 0.19.0

1.0.0 / 2024-07-25

• Drop support for Node.js <18.0
• statuses@^2.0.1
• range-parser@^1.2.1
• on-finished@^2.4.1
• ms@^2.1.3
• mime-types@^2.1.35
• http-errors@^2.0.0
• fresh@^0.5.2
• etag@^1.8.1
• escape-html@^1.0.3
• encodeurl@^2.0.0
• destroy@^1.2.0
• debug@^4.3.5

1.0.0-beta.2 / 2024-03-04

• Changes from 0.18.0

1.0.0-beta.1 / 2022-02-04

• Drop support for Node.js 0.8
• Remove hidden option -- use dotfiles option
• Remove from alias to root -- use root directly
• Remove send.etag() -- use etag in options
• Remove send.index() -- use index in options
• Remove send.maxage() -- use maxAge in options
• Remove send.root() -- use root in options
• Use mime-types for file to content type mapping -- removed send.mime
• deps: debug@3.1.0
  • Add DEBUG_HIDE_DATE environment variable
  • Change timer to per-namespace instead of global
  • Change non-TTY date format
  • Remove DEBUG_FD environment variable support
  • Support 256 namespace colors

0.19.0 / 2024-09-10

• Remove link renderization in html while redirecting

Commits

• dc6b5d4 1.1.0
• 8eaab61 Merge commit from fork
• 9774100 Do not serve files when path ends with / in windows (#224)
• 672e5c3 fix: engines node@>=18
• 91c184e 1.0.0
• ddfb7d7 fix: update history.md
• 56b1817 Merge branch '1.0'
• 0c0d374 fix(deps): statuses@^2.0.1
• b0e3e2d fix(deps): range-parser@^1.2.1
• 2d5841a fix(deps): on-finished@^2.4.1
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.

Updates express from 4.20.0 to 5.0.0

Release notes

Sourced from express's releases.

5.0.0

What's Changed

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605
• Use object with null prototype for various app properties by @​EvanHahn in expressjs/express#4861
• deps: encodeurl@~2.0.0 by @​blakeembrey in expressjs/express#5569
• skip QUERY method test by @​jonchurch in expressjs/express#5628
• ignore ETAG query test on 21 and 22, reuse skip util by @​jonchurch in expressjs/express#5639
• add support Node.js@22 in the CI by @​mertcanaltin in expressjs/express#5627
• doc: add table of contents, tc/triager lists to readme by @​mertcanaltin in expressjs/express#5619
• List and sort all projects, add captains by @​blakeembrey in expressjs/express#5653
• Call callback once on listen error by @​wesleytodd in expressjs/express#3216
• docs: add @​UlisesGascon as captain for cookie-parser by @​UlisesGascon in expressjs/express#5666
• ✨ bring back query tests for node 21 by @​ctcpip in expressjs/express#5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @​jonchurch in expressjs/express#5672
• skip QUERY tests for Node 21 only, still not supported by @​jonchurch in expressjs/express#5695
• 📝 update people, add ctcpip to TC by @​ctcpip in expressjs/express#5683
• remove minor version pinning from ci by @​jonchurch in expressjs/express#5722
• Fix link variable use in attribution section of CODE OF CONDUCT by @​IamLizu in expressjs/express#5762
• Replace Appveyor windows testing with GHA by @​jonchurch in expressjs/express#5599
• Add OSSF Scorecard badge by @​UlisesGascon in expressjs/express#5436
• Throw on invalid status codes by @​jonchurch in expressjs/express#4212
• Use Array.flat instead of array-flatten by @​almic in expressjs/express#5677
• Adopt Node@18 as the minimum supported version by @​UlisesGascon in expressjs/express#5803
• Ignore expires and maxAge in res.clearCookie() by @​jonchurch in expressjs/express#5792
• send@1.0.0 by @​wesleytodd in expressjs/express#5786
• chore: upgrade debug dep from 3.10 to 4.3.6 by @​carpasse in expressjs/express#5829
• refactor: replace 'path-is-absolute' dep with node:path isAbsolute method by @​carpasse in expressjs/express#5830
• update scorecard link by @​bjohansebas in expressjs/express#5814
• Nominate @​IamLizu to the triage team by @​UlisesGascon in expressjs/express#5836
• deps: path-to-regexp@0.1.8 by @​blakeembrey in expressjs/express#5603
• docs: specify new instructions for question and discuss by @​IamLizu in expressjs/express#5835
• 5.x: Upgrading merge-descriptors with allowing minors by @​RobinTail in expressjs/express#5782
• 4.x: Upgrade merge-descriptors dependency by @​RobinTail in expressjs/express#5781
• WIP: serve-static@2 by @​wesleytodd in expressjs/express#5790
• chore: upgrade qs dp from 6.11.0 to 6.13.0 by @​carpasse in expressjs/express#5847
• Upgrade cookie signature by @​IamLizu in expressjs/express#5833
• accepts@2 by @​wesleytodd in expressjs/express#5881
• mime-types@3 by @​wesleytodd in expressjs/express#5882
• type-is@^2.0.0 by @​wesleytodd in expressjs/express#5883
• content-disposition@^1.0.0 by @​wesleytodd in expressjs/express#5884

... (truncated)

Changelog

Sourced from express's changelog.

5.0.0 / 2024-09-10

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@1.0.0
  • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
• change:
  • res.clearCookie will ignore user provided maxAge and expires options
• deps: cookie-signature@^1.2.1
• deps: debug@4.3.6
• deps: merge-descriptors@^2.0.0
• deps: serve-static@^2.1.0
• deps: qs@6.13.0
• deps: accepts@^2.0.0
• deps: mime-types@^3.0.0
  • application/javascript => text/javascript
• deps: type-is@^2.0.0
• deps: content-disposition@^1.0.0
• deps: finalhandler@^2.0.0
• deps: fresh@^2.0.0
• deps: body-parser@^2.0.1
• deps: send@^1.1.0

5.0.0-beta.3 / 2024-03-25

This incorporates all changes after 4.19.1 up to 4.19.2.

5.0.0-beta.2 / 2024-03-20

This incorporates all changes after 4.17.2 up to 4.19.1.

5.0.0-beta.1 / 2022-02-14

This is the first Express 5.0 beta release, based off 4.17.2 and includes changes from 5.0.0-alpha.8.

• change:
  • Default "query parser" setting to 'simple'
  • Requires Node.js 4+
  • Use mime-types for file to content type mapping
• deps: array-flatten@3.0.0
• deps: body-parser@2.0.0-beta.1
  • req.body is no longer always initialized to {}

... (truncated)

Commits

• 344b022 5.0.0
• 0c49926 fix(deps): send@^1.1.0
• b3906cb fix(deps): serve-static@^2.1.0
• fed8c2a fix(deps): body-parser@^2.0.1
• bdd81f8 Delete back as a magic string (#5933)
• 6c98f80 🔧 update CI, remove unsupported versions, clean up
• f9256ef Merge branch '5.0' into 5-merge
• e5feb9f Merge tag '4.20.0' into 5.0
• 0264908 feat(deps)!: router@^2.0.0 (#5885)
• 4d713d2 update to fresh@2.0.0 (#5916)
• Additional commits viewable in compare view

---

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

• $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts