Bump express from 4.18.2 to 4.21.2 in /02-Calling-an-API

[dependabot]

Bumps express from 4.18.2 to 4.21.2.

Release notes

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• finalhandler@1.3.1 by @​wesleytodd in expressjs/express#5954
• fix(deps): serve-static@1.16.2 by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits

• 1faf228 4.21.2
• 2e0fb64 deps: bump path-to-regexp@0.1.12 (#6209)
• 59fc270 deps: path-to-regexp@0.1.11 (#5956)
• 51fc39c docs: add funding (#6065)
• 8e229f9 4.21.1
• a024c8a fix(deps): cookie@0.7.1
• 7e562c6 4.21.0
• 1bcde96 fix(deps): qs@6.13.0 (#5946)
• 7d36477 fix(deps): serve-static@1.16.2 (#5951)
• 40d2d8f fix(deps): finalhandler@1.3.1
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[maximusprime426]

✅ Deploy Preview for peaceful-nasturtium-96dfba canceled.

Name	Link
🔨 Latest commit	fbc47f8
🔍 Latest deploy log	https://app.netlify.com/projects/peaceful-nasturtium-96dfba/deploys/692191f821fced0008140b0d

[llamapreview]

AI Code Review by LlamaPReview

🎯 TL;DR & Recommendation

Recommendation: Request Changes
This PR upgrades Express to include critical security fixes but introduces potential breaking changes that require verification to ensure existing functionality remains intact.

🌟 Strengths

• Includes essential security patches, notably CVE-2024-47764, enhancing application security.

Priority	File	Category	Impact Summary	Anchors
P1	02-Calling-an-API/package.json	Security	Critical security vulnerability fixes essential for auth app
P2	02-Calling-an-API/package.json	Architecture	Default URL parsing depth change may break nested payloads
P2	02-Calling-an-API/package.json	Architecture	Deprecated "back" redirect could cause warnings if used
P2	02-Calling-an-API/package-lock.json	Maintainability	Significant dependency changes risk subtle integration issues

🔍 Notable Themes

• Security enhancements are prioritized, but compatibility risks necessitate thorough testing.
• Dependency updates introduce behavioral changes that could impact API functionality.

📈 Risk Diagram

This diagram illustrates the security risk mitigated by the Express upgrade.

sequenceDiagram
    participant U as User
    participant E as Express App
    U->>E: Send HTTP Request
    note over E: R1(P1): Critical security vulnerability CVE-2024-47764 fixed
    E->>U: Return Response

Loading

⚠️ **Unanchored Suggestions (Manual Review Recommended)**

The following suggestions could not be precisely anchored to a specific line in the diff. This can happen if the code is outside the changed lines, has been significantly refactored, or if the suggestion is a general observation. Please review them carefully in the context of the full file.

---

📁 File: 02-Calling-an-API/package-lock.json

The package-lock.json shows significant changes (980 lines modified) indicating substantial dependency tree updates. While this is expected for a major dependency upgrade, it introduces integration risk. The extensive changes in transitive dependencies could introduce subtle behavioral changes or new compatibility issues that aren't immediately apparent from the direct Express upgrade alone.

Related Code:

[SKIPPED] File type not suitable for diff analysis

---

---

💡 Have feedback? We'd love to hear it in our GitHub Discussions.
✨ This review was generated by LlamaPReview Advanced, which is free for all open-source projects. Learn more.

[llamapreview]

P1 | Confidence: High

This upgrade from Express 4.18.2 to 4.21.2 includes critical security fixes, most notably CVE-2024-47764 which was backported in version 4.21.1. The changelog explicitly mentions this security vulnerability was addressed. Given that this is a web application handling authentication (as evidenced by the express-oauth2-jwt-bearer dependency), maintaining current security patches is essential. The upgrade also includes other security-related improvements like open redirect protection enhancements and updated dependency versions with their own security fixes.

---

P2 | Confidence: Medium

Speculative: The Express 4.20.0 update changed the default parsing depth for URL-encoded data from Infinity to 32. While this improves security by limiting potential DoS attacks, it could potentially break existing functionality if the application processes deeply nested URL-encoded payloads. The related context doesn't show specific usage of URL-encoded parsing, but given this is an API application, it's important to verify that any deeply nested payloads still parse correctly.

---

P2 | Confidence: Medium

Speculative: Express 4.21.0 deprecated the "back" magic string in redirects (res.redirect("back") and res.location("back")). While the related context search didn't find usage of these methods, if the application uses redirect functionality with the "back" parameter, it will now generate deprecation warnings and will need migration before Express 5.0.

[dependabot]

Superseded by #4.