🚨 [security] Update express 4.17.1 → 4.21.2 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ express (4.17.1 → 4.21.2) · Repo · Changelog

Security Advisories 🚨

🚨 express vulnerable to XSS via response.redirect()

Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code

Patches

this issue is patched in express 4.20.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

1. The attacker MUST control the input to response.redirect()
2. express MUST NOT redirect before the template appears
3. the browser MUST NOT complete redirection before:
4. the user MUST click on the link in the template

🚨 Express.js Open Redirect in malformed URLs

Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.

The main method impacted is res.location() but this is also called from within res.redirect().

Patches

0867302
0b74695

An initial fix went out with express@4.19.0, we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.

Workarounds

The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.

References

#5539
koajs/koa#1800
https://expressjs.com/en/4x/api.html#res.location

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ body-parser (indirect, 1.19.0 → 1.20.3) · Repo · Changelog

Security Advisories 🚨

🚨 body-parser vulnerable to denial of service when url encoding is enabled

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

Release Notes

1.20.3

What's Changed

Important

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @inigomarquinez in #522
• ci: fix errors in ci github action for node 8 and 9 by @inigomarquinez in #523
• fix: pin to node@22.4.1 by @wesleytodd in #527
• deps: qs@6.12.3 by @melikhov-dev in #521
• Add OSSF Scorecard badge by @bjohansebas in #531
• Linter by @UlisesGascon in #534
• Release: 1.20.3 by @UlisesGascon in #535

New Contributors

• @inigomarquinez made their first contribution in #522
• @melikhov-dev made their first contribution in #521
• @bjohansebas made their first contribution in #531
• @UlisesGascon made their first contribution in #534

Full Changelog: 1.20.2...1.20.3

1.20.2

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

1.20.1 (from changelog)

• deps: qs@6.11.0
• perf: remove unnecessary object clone

1.20.0

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: http-errors@2.0.0
  • deps: depd@2.0.0
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
• deps: qs@6.10.3
• deps: raw-body@2.5.1
  • deps: http-errors@2.0.0

1.19.2

• deps: bytes@3.1.2
• deps: qs@6.9.7
  • Fix handling of __proto__ keys
• deps: raw-body@2.4.3
  • deps: bytes@3.1.2

1.19.1

• deps: bytes@3.1.1
• deps: http-errors@1.8.1
  • deps: inherits@2.0.4
  • deps: toidentifier@1.0.1
  • deps: setprototypeof@1.2.0
• deps: qs@6.9.6
• deps: raw-body@2.4.2
  • deps: bytes@3.1.1
  • deps: http-errors@1.8.1
• deps: safe-buffer@5.2.1
• deps: type-is@~1.6.18

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ content-disposition (indirect, 0.5.3 → 0.5.4) · Repo · Changelog

Release Notes

0.5.4

• deps: safe-buffer@5.2.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 27 commits:

• 0.5.4
• build: eslint-plugin-import@2.25.3
• build: eslint-plugin-promise@5.2.0
• tests: fix deep equal checking
• build: support Node.js 17.x
• deps: safe-buffer@5.2.1
• build: mocha@9.1.3
• build: eslint-plugin-standard@4.1.0
• build: eslint-plugin-markdown@2.2.1
• build: eslint-plugin-promise@5.1.1
• build: mocha@8.4.0
• build: support Node.js 16.x
• build: support Node.js 15.x
• build: eslint@7.32.0
• build: mocha@7.2.0
• build: support Node.js 14.x
• build: support Node.js 13.x
• build: Node.js@12.22
• build: Node.js@10.24
• lint: apply standard 13
• build: use GitHub Actions instead of Travis CI
• docs: fix typo in comment
• build: mocha@6.2.3
• build: eslint@5.16.0
• build: Node.js@10.21
• build: support Node.js 12.x
• build: support Node.js 11.x

↗️ encodeurl (indirect, 1.0.2 → 2.0.0) · Repo · Changelog

Release Notes

2.0.0

Changed

• Align encoding with WHATWG URL spec (#8) be0f77b
  • Stops encoding \, ^, and |.

Important: If you are using this to encode user entered and validated URLs, upgrade to v2 immediately. It is possible to exploit \ encoding in v1. A URL can be formed that looks like http://foo.com\@bar.com, which parses as foo.com for the host, but when encodeUrl(url) will parse as bar.com for the host.

v1.0.2...v2.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

• 2.0.0
• Use GitHub releases
• Update README, add behavior expectations
• Align encoding with WHATWG URL spec (#8)
• fix: typos in README.md (#6)
• build: eslint@5.11.1
• build: Node.js@11.6
• build: Node.js@10.15
• build: Node.js@8.15
• build: Node.js@6.16
• build: use yaml eslint configuration
• lint: apply standard 12 style
• tests: use strict equality
• build: support Node.js 11.x
• build: eslint-plugin-import@2.14.0
• build: support Node.js 10.x
• build: support Node.js 9.x
• build: Node.js@8.11
• build: Node.js@6.14
• build: Node.js@4.9
• lint: apply standard 11 style

↗️ finalhandler (indirect, 1.1.2 → 1.3.1) · Repo · Changelog

Release Notes

1.2.1 (from changelog)

• Gracefully handle when handling an error and socket is null

1.2.0

• Remove set content headers that break response
• deps: on-finished@2.4.1
• deps: statuses@2.0.1
  • Rename 425 Unordered Collection to standard 425 Too Early

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 72 commits:

• 1.3.1
• fix(deps): encodeurl@~2.0.0
• 1.3.0
• fix(ci): add 1.x branch to ci
• fix: ignore status message for HTTP/2 (#53)
• 1.2.1
• fix: gracefully handle when handling an error and socket is null (#57)
• fix(docs): fixed ci badge in readme.md (#52)
• ci: fix errors in ci github action for node 8 and 9 (#48)
• fix(tests): fixes for CI (#51)
• ci: add support for OSSF scorecard reporting (#47)
• build: Node.js@14.20
• build: Node.js@16.16
• build: supertest@6.2.4
• build: eslint-plugin-import@2.26.0
• build: Node.js@16.15
• build: Node.js@17.9
• build: mocha@10.0.0
• 1.2.0
• docs: update copyright
• Remove set content headers that break response
• tests: fix test case for 500 HEAD
• tests: fix typo in test description
• build: eslint-config-standard@14.1.1
• build: Node.js@17.7
• build: mocha@9.2.2
• build: Node.js@17.6
• docs: add security policy
• docs: add relevant change to history
• build: mocha@9.2.1
• deps: statuses@2.0.1
• deps: on-finished@2.4.1
• build: Node.js@16.14
• build: Node.js@17.5
• build: eslint-plugin-import@2.25.4
• build: mocha@9.2.0
• build: Node.js@17.4
• build: Node.js@14.19
• build: supertest@6.2.2
• build: mocha@9.1.4
• build: eslint-plugin-node@11.1.0
• build: support Node.js 17.x
• build: eslint-plugin-import@2.25.3
• build: eslint-plugin-promise@5.2.0
• build: use nyc for coverage testing
• build: Node.js@16.13
• build: mocha@9.1.3
• build: eslint-plugin-promise@5.1.0
• lint: apply standard 14 style
• build: eslint-plugin-import@2.25.2
• build: support Node.js 16.x
• build: mocha@9.1.2
• build: eslint-plugin-markdown@2.2.1
• build: eslint@7.32.0
• build: eslint-plugin-standard@4.1.0
• build: eslint-plugin-node@9.2.0
• build: safe-buffer@5.2.1
• lint: apply standard 13 style
• build: mocha@8.4.0
• build: support Node.js 15.x
• build: support Node.js 14.x
• build: support Node.js 13.x
• build: supertest@6.1.6
• build: eslint-plugin-promise@4.3.1
• build: mocha@7.2.0
• build: Node.js@10.24
• build: Node.js@12.22
• build: eslint-plugin-import@2.24.2
• build: mocha@6.2.3
• docs: clarify fn(err) after response start
• build: update CI for npm TLS upgrade
• build: use GitHub Actions instead of Travis CI

↗️ ipaddr.js (indirect, 1.9.0 → 1.9.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 3 commits:

• Update version to 1.9.1
• Include LICENSE file in published package
• Update TypeScript definitions.

↗️ proxy-addr (indirect, 2.0.5 → 2.0.7) · Repo · Changelog

Release Notes

2.0.7

• deps: forwarded@0.2.0
  • Use req.socket over deprecated req.connection

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ raw-body (indirect, 2.4.0 → 2.5.2) · Repo · Changelog

Release Notes

2.5.2 (from changelog)

• Fix error message for non-stream argument

2.5.1 (from changelog)

• Fix error on early async hooks implementations

2.5.0 (from changelog)

• Prevent loss of async hooks context
• Prevent hanging when stream is not readable
• deps: http-errors@2.0.0
  • deps: depd@2.0.0
  • deps: statuses@2.0.1

2.4.3 (from changelog)

• deps: bytes@3.1.2

2.4.2 (from changelog)

• deps: bytes@3.1.1
• deps: http-errors@1.8.1
  • deps: setprototypeof@1.2.0
  • deps: toidentifier@1.0.1

2.4.1 (from changelog)

• deps: http-errors@1.7.3
  • deps: inherits@2.0.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ send (indirect, 0.17.1 → 0.19.0) · Repo · Changelog

Security Advisories 🚨

🚨 send vulnerable to template injection that can lead to XSS

Impact

passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code

Patches

this issue is patched in send 0.19.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

1. The attacker MUST control the input to response.redirect()
2. express MUST NOT redirect before the template appears
3. the browser MUST NOT complete redirection before:
4. the user MUST click on the link in the template

Release Notes

0.19.0

What's Changed

• Remove link renderization in html while redirecting (#235)

New Contributors

• @UlisesGascon made their first contribution in #235

Full Changelog: 0.18.0...0.19.0

0.18.0 (from changelog)

• Fix emitted 416 error missing headers property
• Limit the headers removed for 304 response
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: destroy@1.2.0
• deps: http-errors@2.0.0
  • deps: depd@2.0.0
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
• deps: statuses@2.0.1

0.17.2 (from changelog)

• pref: ignore empty http tokens
• deps: http-errors@1.8.1
  • deps: inherits@2.0.4
  • deps: toidentifier@1.0.1
  • deps: setprototypeof@1.2.0
• deps: ms@2.1.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 62 commits:

• 0.19.0
• Merge commit from fork
• 0.18.0
• Limit the headers removed for 304 response
• docs: add security policy
• docs: fix linux build badge link
• docs: update copyright
• deps: destroy@1.2.0
• deps: on-finished@2.4.1
• build: Node.js@17.7
• build: mocha@9.2.2
• deps: statuses@2.0.1
• deps: depd@2.0.0
• deps: http-errors@2.0.0
• Fix emitted 416 error missing headers property
• deps: destroy@1.1.1
• build: Node.js@17.6
• build: mocha@9.2.1
• build: Node.js@17.5
• build: Node.js@16.14
• deps: destroy@1.1.0
• build: Node.js@14.19
• build: supertest@6.2.2
• build: mocha@9.2.0
• build: eslint-plugin-import@2.25.4
• build: Node.js@17.4
• build: fix run names in Github Actions
• 0.17.2
• deps: http-errors@1.8.1
• pref: ignore empty http tokens
• docs: fix typo in readme
• build: use nyc for coverage testing
• build: eslint-plugin-promise@5.2.0
• build: eslint-plugin-standard@4.1.0
• build: support Node.js 17.x
• build: supertest@6.1.6
• deps: ms@2.1.3
• build: eslint-plugin-markdown@2.2.1
• build: eslint-plugin-promise@5.1.1
• build: eslint-plugin-import@2.25.3
• build: ignore package-lock
• deps: http-errors@~1.8.1
• build: mocha@8.1.3
• build: support Node.js 16.x
• build: eslint@7.32.0
• build: support Node.js 15.x
• build: mocha@8.4.0
• build: eslint-plugin-import@2.24.2
• build: support Node.js 14.x
• build: Node.js@12.22
• build: Node.js@10.24
• build: update CI for npm TLS upgrade
• build: fix Node.js 13.x entry
• build: supertest@6.0.1
• build: mocha@7.2.0
• build: eslint-plugin-markdown@1.0.2
• build: support Node.js 13.x
• lint: apply standard 14 style
• build: mocha@6.2.3
• build: Node.js@10.23
• build: Node.js@12.20
• build: use GitHub Actions instead of Travis CI

↗️ serve-static (indirect, 1.14.1 → 1.16.2) · Repo · Changelog

Security Advisories 🚨

🚨 serve-static vulnerable to template injection that can lead to XSS

Impact

passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code

Patches

this issue is patched in serve-static 1.16.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

1. The attacker MUST control the input to response.redirect()
2. express MUST NOT redirect before the template appears
3. the browser MUST NOT complete redirection before:
4. the user MUST click on the link in the template

Release Notes

1.16.0

What's Changed

• Remove link renderization in html while redirecting (#173)

New Contributors

• @UlisesGascon made their first contribution in #173

Full Changelog: v1.15.0...1.16.0

1.15.0

• deps: send@0.18.0
  • Fix emitted 416 error missing headers property
  • Limit the headers removed for 304 response
  • deps: depd@2.0.0
  • deps: destroy@1.2.0
  • deps: http-errors@2.0.0
  • deps: on-finished@2.4.1
  • deps: statuses@2.0.1

1.14.2

• deps: send@0.17.2
  • deps: http-errors@1.8.1
  • deps: ms@2.1.3
  • pref: ignore empty http tokens

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 48 commits:

• 1.16.2
• fix(deps): encodeurl@~2.0.0
• 1.16.1
• fix(deps): send@0.19.0
• 1.16.0
• Merge commit from fork
• 1.15.0
• docs: update CI link
• build: Node.js@17.8
• deps: send@0.18.0
• build: mocha@9.2.2
• build: Node.js@17.7
• build: supertest@6.2.2
• build: mocha@9.2.1
• build: Node.js@17.5
• build: Node.js@16.14
• build: Node.js@14.19
• build: mocha@9.2.0
• build: supertest@6.2.1
• build: Node.js@17.3
• build: eslint-plugin-import@2.25.4
• build: remove package-lock
• 1.14.2
• tests: add tests for non-existent root path
• docs: fix a typo in the readme
• deps: send@0.17.2
• build: eslint-plugin-promise@5.2.0
• build: use nyc for coverage testing
• build: support Node.js 17.x
• build: mocha@9.1.3
• build: safe-buffer@5.2.1
• build: mocha@8.4.0
• build: supertest@6.1.6
• build: eslint-plugin-standard@4.1.0
• lint: apply standard 14 style
• build: eslint-plugin-markdown@2.2.1
• build: mocha@7.2.0
• build: support Node.js 16.x
• build: support Node.js 15.x
• build: support Node.js 14.x
• build: support Node.js 13.x
• build: Node.js@12.22
• build: mocha@6.2.3
• lint: apply standard 13 style
• build: eslint-plugin-import@2.25.2
• build: Node.js@12.19
• build: Node.js@10.24
• build: use GitHub Actions instead of Travis CI

🆕 call-bind (added, 1.0.8)

🆕 call-bind-apply-helpers (added, 1.0.0)

🆕 define-data-property (added, 1.1.4)

🆕 dunder-proto (added, 1.0.0)

🆕 es-define-property (added, 1.0.1)

🆕 es-errors (added, 1.3.0)

🆕 get-intrinsic (added, 1.2.5)

🆕 gopd (added, 1.2.0)

🆕 has-property-descriptors (added, 1.0.2)

🆕 hasown (added, 2.0.2)

🆕 set-function-length (added, 1.2.2)

🆕 side-channel (added, 1.0.6)

🗑️ lodash.groupby (removed)

🗑️ lodash.mapvalues (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #270.