ampproject
Update dependency express to v4.19.2 [SECURITY]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| express (source) | 4.15.4 -> 4.19.2 |
||||
| express (source) | 4.16.3 -> 4.19.2 |
GitHub Vulnerability Alerts
CVE-2024-29041
Impact
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.
The main method impacted is res.location() but this is also called from within res.redirect().
Patches
https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94
An initial fix went out with [email protected], we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.
Workarounds
The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.
References
https://github.com/expressjs/express/pull/5539 https://github.com/koajs/koa/issues/1800 https://expressjs.com/en/4x/api.html#res.location
Release Notes
expressjs/express (express)
v4.19.2
==========
- Improved fix for open redirect allow list bypass
v4.19.1
==========
- Allow passing non-strings to res.location with new encoding handling checks
v4.19.0
v4.18.3
==========
- Fix routing requests without method
- deps: [email protected]
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: [email protected]
v4.18.2
===================
- Fix regression routing a large stack in a single route
- deps: [email protected]
- deps: [email protected]
- perf: remove unnecessary object clone
- deps: [email protected]
v4.18.1
===================
- Fix hanging on large stack of sync routes
v4.18.0
===================
- Add "root" option to
res.download - Allow
optionswithoutfilenameinres.download - Deprecate string and non-integer arguments to
res.status - Fix behavior of
null/undefinedasmaxAgeinres.cookie - Fix handling very large stacks of sync middleware
- Ignore
Object.prototypevalues in settings throughapp.set/app.get - Invoke
defaultwith same arguments as types inres.format - Support proper 205 responses using
res.send - Use
http-errorsforres.formaterror - deps: [email protected]
- Fix error message for json parse whitespace in
strict - Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Fix error message for json parse whitespace in
- deps: [email protected]
- Add
priorityoption - Fix
expiresoption to reject invalid dates
- Add
- deps: [email protected]
- Replace internal
evalusage withFunctionconstructor - Use instance methods on
processto check for listeners
- Replace internal
- deps: [email protected]
- Remove set content headers that break response
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Prevent loss of async hooks context
- deps: [email protected]
- deps: [email protected]
- Fix emitted 416 error missing headers property
- Limit the headers removed for 304 response
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Remove code 306
- Rename
425 Unordered Collectionto standard425 Too Early
v4.17.3
===================
- deps: accepts@~1.3.8
- deps: mime-types@~2.1.34
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Fix handling of
__proto__keys
- Fix handling of
- pref: remove unnecessary regexp for trust proxy
v4.17.2
===================
- Fix handling of
undefinedinres.jsonp - Fix handling of
undefinedwhen"json escape"is enabled - Fix incorrect middleware execution with unanchored
RegExps - Fix
res.jsonp(obj, status)deprecation message - Fix typo in
res.isJSDoc - deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.18
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Fix
maxAgeoption to reject invalid values
- Fix
- deps: proxy-addr@~2.0.7
- Use
req.socketover deprecatedreq.connection - deps: [email protected]
- deps: [email protected]
- Use
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- pref: ignore empty http tokens
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
v4.17.1
===================
- Revert "Improve error message for
null/undefinedtores.status"
v4.17.0
===================
- Add
express.rawto parse bodies intoBuffer - Add
express.textto parse bodies into string - Improve error message for non-strings to
res.sendFile - Improve error message for
null/undefinedtores.status - Support multiple hosts in
X-Forwarded-Host - deps: accepts@~1.3.7
- deps: [email protected]
- Add encoding MIK
- Add petabyte (
pb) support - Fix parsing array brackets after index
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.17
- deps: [email protected]
- deps: [email protected]
- Add
SameSite=Nonesupport
- Add
- deps: finalhandler@~1.1.2
- Set stricter
Content-Security-Policyheader - deps: parseurl@~1.3.3
- deps: statuses@~1.5.0
- Set stricter
- deps: parseurl@~1.3.3
- deps: proxy-addr@~2.0.5
- deps: [email protected]
- deps: [email protected]
- Fix parsing array brackets after index
- deps: range-parser@~1.2.1
- deps: [email protected]
- Set stricter CSP header in redirect & error responses
- deps: http-errors@~1.7.2
- deps: [email protected]
- deps: [email protected]
- deps: range-parser@~1.2.1
- deps: statuses@~1.5.0
- perf: remove redundant
path.normalizecall
- deps: [email protected]
- Set stricter CSP header in redirect response
- deps: parseurl@~1.3.3
- deps: [email protected]
- deps: [email protected]
- deps: statuses@~1.5.0
- Add
103 Early Hints
- Add
- deps: type-is@~1.6.18
- deps: mime-types@~2.1.24
- perf: prevent internal
throwon invalid type
v4.16.4
===================
- Fix issue where
"Request aborted"may be logged inres.sendfile - Fix JSDoc for
Routerconstructor - deps: [email protected]
- Fix deprecation warnings on Node.js 10+
- Fix stack trace for strict json parse error
- deps: depd@~1.1.2
- deps: http-errors@~1.6.3
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.16
- deps: proxy-addr@~2.0.4
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
v4.16.3
===================
- deps: accepts@~1.3.5
- deps: mime-types@~2.1.18
- deps: depd@~1.1.2
- perf: remove argument reassignment
- deps: encodeurl@~1.0.2
- Fix encoding
%as last character
- Fix encoding
- deps: [email protected]
- Fix 404 output for bad / missing pathnames
- deps: encodeurl@~1.0.2
- deps: statuses@~1.4.0
- deps: proxy-addr@~2.0.3
- deps: [email protected]
- deps: [email protected]
- Fix incorrect end tag in default error & redirects
- deps: depd@~1.1.2
- deps: encodeurl@~1.0.2
- deps: statuses@~1.4.0
- deps: [email protected]
- Fix incorrect end tag in redirects
- deps: encodeurl@~1.0.2
- deps: [email protected]
- deps: statuses@~1.4.0
- deps: type-is@~1.6.16
- deps: mime-types@~2.1.18
v4.16.2
===================
- Fix
TypeErrorinres.sendwhen givenBufferandETagheader set - perf: skip parsing of entire
X-Forwarded-Protoheader
v4.16.1
===================
- deps: [email protected]
- deps: [email protected]
- Fix regression when
rootis incorrectly set to a file - deps: [email protected]
- Fix regression when
v4.16.0
===================
- Add
"json escape"setting forres.jsonandres.jsonp - Add
express.jsonandexpress.urlencodedto parse bodies - Add
optionsargument tores.download - Improve error message when autoloading invalid view engine
- Improve error messages when non-function provided as middleware
- Skip
Bufferencoding when not generating ETag for small response - Use
safe-bufferfor improved Buffer API - deps: accepts@~1.3.4
- deps: mime-types@~2.1.16
- deps: content-type@~1.0.4
- perf: remove argument reassignment
- perf: skip parameter parsing when no parameters
- deps: etag@~1.8.1
- perf: replace regular expression with substring
- deps: [email protected]
- Use
res.headersSentwhen available
- Use
- deps: parseurl@~1.3.2
- perf: reduce overhead for full URLs
- perf: unroll the "fast-path"
RegExp
- deps: proxy-addr@~2.0.2
- Fix trimming leading / trailing OWS in
X-Forwarded-For - deps: forwarded@~0.1.2
- deps: [email protected]
- perf: reduce overhead when no
X-Forwarded-Forheader
- Fix trimming leading / trailing OWS in
- deps: [email protected]
- Fix parsing & compacting very deep objects
- deps: [email protected]
- Add 70 new types for file extensions
- Add
immutableoption - Fix missing
</html>in default error & redirects - Set charset as "UTF-8" for .js and .json
- Use instance methods on steam to check for listeners
- deps: [email protected]
- perf: improve path validation speed
- deps: [email protected]
- Add 70 new types for file extensions
- Add
immutableoption - Set charset as "UTF-8" for .js and .json
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: vary@~1.1.2
- perf: improve header token parsing speed
- perf: re-use options object when generating ETags
- perf: remove dead
.charsetset inres.jsonp
v4.15.5
===================
- deps: [email protected]
- deps: finalhandler@~1.0.6
- deps: [email protected]
- deps: parseurl@~1.3.2
- deps: [email protected]
- Fix handling of modified headers with invalid dates
- perf: improve ETag match loop
- perf: improve
If-None-Matchtoken parsing
- deps: [email protected]
- Fix handling of modified headers with invalid dates
- deps: [email protected]
- deps: etag@~1.8.1
- deps: [email protected]
- perf: improve
If-Matchtoken parsing
- deps: [email protected]
- deps: parseurl@~1.3.2
- deps: [email protected]
- perf: improve slash collapsing
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
⚠ Artifact update problem
Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: amp-update-cache/package-lock.json
File name: amp-pwa-reader/package-lock.json