[Snyk] Upgrade express from 4.17.1 to 4.18.2 #3

karthik-js · 2023-08-25T04:05:33Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade express from 4.17.1 to 4.18.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 5 versions ahead of your current version.
The recommended version was released a year ago, on 2022-10-08.

The recommended version fixes:

Issue	PriorityScore (*)	Exploit Maturity
Command Injection SNYK-JS-LODASH-1040724	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Prototype Pollution SNYK-JS-OBJECTPATH-1017036	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Prototype Pollution SNYK-JS-OBJECTPATH-1585658	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Prototype Pollution SNYK-JS-LOADERUTILS-3043105	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Prototype Pollution SNYK-JS-LOADERUTILS-3043105	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Prototype Pollution SNYK-JS-LOADERUTILS-3043105	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Prototype Poisoning SNYK-JS-QS-3153490	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Arbitrary File Overwrite SNYK-JS-TAR-1536528	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Arbitrary File Overwrite SNYK-JS-TAR-1536531	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Arbitrary File Write SNYK-JS-TAR-1579147	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Arbitrary File Write SNYK-JS-TAR-1579152	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Arbitrary File Write SNYK-JS-TAR-1579155	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Prototype Pollution SNYK-JS-UNSETVALUE-2400660	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Prototype Pollution SNYK-JS-JSON5-3182856	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Prototype Pollution SNYK-JS-JSON5-3182856	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Prototype Pollution SNYK-JS-OBJECTPATH-1569453	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1090595	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1090595	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Open Redirect SNYK-JS-NEXT-1540422	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Denial of Service SNYK-JS-NODEFETCH-674311	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-TERSER-2806366	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit
Prototype Pollution SNYK-JS-MINIMIST-2429795	467/1000 Why? Proof of Concept exploit, CVSS 7.2	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	467/1000 Why? Proof of Concept exploit, CVSS 7.2	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: express

4.18.2 - 2022-10-08
- Fix regression routing a large stack in a single route
- deps: body-parser@1.20.1
  - deps: qs@6.11.0
  - perf: remove unnecessary object clone
- deps: qs@6.11.0
4.18.1 - 2022-04-29
- Fix hanging on large stack of sync routes
4.18.0 - 2022-04-25
- Add "root" option to res.download
- Allow options without filename in res.download
- Deprecate string and non-integer arguments to res.status
- Fix behavior of null/undefined as maxAge in res.cookie
- Fix handling very large stacks of sync middleware
- Ignore Object.prototype values in settings through app.set/app.get
- Invoke default with same arguments as types in res.format
- Support proper 205 responses using res.send
- Use http-errors for res.format error
- deps: body-parser@1.20.0
  - Fix error message for json parse whitespace in strict
  - Fix internal error when inflated body exceeds limit
  - Prevent loss of async hooks context
  - Prevent hanging when request already read
  - deps: depd@2.0.0
  - deps: http-errors@2.0.0
  - deps: on-finished@2.4.1
  - deps: qs@6.10.3
  - deps: raw-body@2.5.1
- deps: cookie@0.5.0
  - Add priority option
  - Fix expires option to reject invalid dates
- deps: depd@2.0.0
  - Replace internal eval usage with Function constructor
  - Use instance methods on process to check for listeners
- deps: finalhandler@1.2.0
  - Remove set content headers that break response
  - deps: on-finished@2.4.1
  - deps: statuses@2.0.1
- deps: on-finished@2.4.1
  - Prevent loss of async hooks context
- deps: qs@6.10.3
- deps: send@0.18.0
  - Fix emitted 416 error missing headers property
  - Limit the headers removed for 304 response
  - deps: depd@2.0.0
  - deps: destroy@1.2.0
  - deps: http-errors@2.0.0
  - deps: on-finished@2.4.1
  - deps: statuses@2.0.1
- deps: serve-static@1.15.0
  - deps: send@0.18.0
- deps: statuses@2.0.1
  - Remove code 306
  - Rename 425 Unordered Collection to standard 425 Too Early
4.17.3 - 2022-02-17
- deps: accepts@~1.3.8
  - deps: mime-types@~2.1.34
  - deps: negotiator@0.6.3
- deps: body-parser@1.19.2
  - deps: bytes@3.1.2
  - deps: qs@6.9.7
  - deps: raw-body@2.4.3
- deps: cookie@0.4.2
- deps: qs@6.9.7
  - Fix handling of __proto__ keys
- pref: remove unnecessary regexp for trust proxy
4.17.2 - 2021-12-17
- Fix handling of undefined in res.jsonp
- Fix handling of undefined when "json escape" is enabled
- Fix incorrect middleware execution with unanchored RegExps
- Fix res.jsonp(obj, status) deprecation message
- Fix typo in res.is JSDoc
- deps: body-parser@1.19.1
  - deps: bytes@3.1.1
  - deps: http-errors@1.8.1
  - deps: qs@6.9.6
  - deps: raw-body@2.4.2
  - deps: safe-buffer@5.2.1
  - deps: type-is@~1.6.18
- deps: content-disposition@0.5.4
  - deps: safe-buffer@5.2.1
- deps: cookie@0.4.1
  - Fix maxAge option to reject invalid values
- deps: proxy-addr@~2.0.7
  - Use req.socket over deprecated req.connection
  - deps: forwarded@0.2.0
  - deps: ipaddr.js@1.9.1
- deps: qs@6.9.6
- deps: safe-buffer@5.2.1
- deps: send@0.17.2
  - deps: http-errors@1.8.1
  - deps: ms@2.1.3
  - pref: ignore empty http tokens
- deps: serve-static@1.14.2
  - deps: send@0.17.2
- deps: setprototypeof@1.2.0
4.17.1 - 2019-05-26
- Revert "Improve error message for null/undefined to res.status"

from express GitHub release notes

Commit messages

Package name: express

8368dc1 4.18.2
61f4049 docs: replace Freenode with Libera Chat
bb7907b build: Node.js@18.10
f56ce73 build: supertest@6.3.0
24b3dc5 deps: qs@6.11.0
689d175 deps: body-parser@1.20.1
340be0f build: eslint@8.24.0
33e8dc3 docs: use Node.js name style
644f646 build: supertest@6.2.4
ecd7572 build: Node.js@14.20
97131bc build: Node.js@18.7
8d98e86 build: Node.js@16.17
2c47827 examples: remove unused function arguments in params
97f0a51 tests: verify all handlers called in stack tests
7ec5dd2 Fix regression routing a large stack in a single route
ab2c70b build: Node.js@18.1
745a63f build: ejs@3.1.8
a2dfc56 build: mocha@10.0.0
d854c43 4.18.1
b02a95c build: Node.js@16.15
631ada0 Fix hanging on large stack of sync routes
75e0c7a bench: remove unused parameter
e2482b7 build: ejs@3.1.7
2df96e3 build: supertest@6.2.3

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Snyk has created this PR to upgrade express from 4.17.1 to 4.18.2. See this package in npm: https://www.npmjs.com/package/express See this project in Snyk: https://app.snyk.io/org/karthik-js/project/23423621-3a08-4506-845f-b6ca93304a47?utm_source=github&utm_medium=referral&page=upgrade-pr

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Snyk] Upgrade express from 4.17.1 to 4.18.2 #3

[Snyk] Upgrade express from 4.17.1 to 4.18.2 #3

Uh oh!

karthik-js commented Aug 25, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

[Snyk] Upgrade express from 4.17.1 to 4.18.2 #3

Are you sure you want to change the base?

[Snyk] Upgrade express from 4.17.1 to 4.18.2 #3

Uh oh!

Conversation

karthik-js commented Aug 25, 2023

Snyk has created this PR to upgrade express from 4.17.1 to 4.18.2.

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants