Skip to content

Update dependency express to v4.22.0#2

Open
mend-for-github-com[bot] wants to merge 1 commit into
androidx-mainfrom
whitesource-remediate/express-4.x-lockfile
Open

Update dependency express to v4.22.0#2
mend-for-github-com[bot] wants to merge 1 commit into
androidx-mainfrom
whitesource-remediate/express-4.x-lockfile

Conversation

@mend-for-github-com

@mend-for-github-com mend-for-github-com Bot commented Mar 26, 2024

Copy link
Copy Markdown

This PR contains the following updates:

Package Type Update Change
express (source) dependencies minor 4.18.24.22.0

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity CVSS Score Vulnerability
High High 7.5 CVE-2025-15284
Medium Medium 6.1 CVE-2024-29041
Medium Medium 5.0 CVE-2024-43796

Release Notes

expressjs/express (express)

v4.22.0

Compare Source

Important: Security

What's Changed

Full Changelog: expressjs/express@4.21.2...4.22.0

v4.21.2

Compare Source

What's Changed

Full Changelog: expressjs/express@4.21.1...4.21.2

v4.21.1

Compare Source

What's Changed

Full Changelog: expressjs/express@4.21.0...4.21.1

v4.21.0

Compare Source

What's Changed

New Contributors

Full Changelog: expressjs/express@4.20.0...4.21.0

v4.20.0

Compare Source

==========

  • deps: serve-static@​0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@​0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@​0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@​0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

v4.19.2

Compare Source

==========

  • Improved fix for open redirect allow list bypass

v4.19.1

Compare Source

==========

  • Allow passing non-strings to res.location with new encoding handling checks

v4.19.0

Compare Source

==========

  • Prevent open redirect allow list bypass due to encodeurl
  • deps: cookie@​0.6.0

v4.18.3

Compare Source

==========

  • Fix routing requests without method
  • deps: body-parser@​1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@​2.5.2
  • deps: cookie@​0.6.0
    • Add partitioned option

  • If you want to rebase/retry this PR, check this box

@mend-for-github-com mend-for-github-com Bot added the security fix Security fix generated by Mend label Mar 26, 2024
@rafikmojr

rafikmojr commented Mar 27, 2024

Copy link
Copy Markdown

Logo
Checkmarx One – Scan Summary & Details0fcd05d8-74c9-4a67-8a4b-5991e2faa415

Fixed Issues (9)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
HIGH CVE-2024-45296 Npm-path-to-regexp-0.1.7
HIGH CVE-2024-45590 Npm-body-parser-1.20.1
HIGH CVE-2024-52798 Npm-path-to-regexp-0.1.7
MEDIUM CVE-2024-29041 Npm-express-4.18.2
MEDIUM CVE-2024-43796 Npm-express-4.18.2
MEDIUM CVE-2024-43799 Npm-send-0.18.0
MEDIUM CVE-2024-43800 Npm-serve-static-1.15.0
MEDIUM CVE-2024-47764 Npm-cookie-0.5.0
MEDIUM CVE-2025-13466 Npm-body-parser-1.20.1

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 6f7ad74 to 882ba91 Compare May 16, 2024 06:17
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 882ba91 to 657cab8 Compare September 10, 2024 18:06
@mend-for-github-com mend-for-github-com Bot changed the title Update dependency express to v4.19.0 Update dependency express to v4.20.0 Sep 10, 2024
@socket-security

socket-security Bot commented Sep 10, 2024

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedexpress@​4.18.2 ⏵ 4.22.097 +1100 +310095 +2100

View full report

@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 657cab8 to 04fca95 Compare November 9, 2024 10:38
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 6 times, most recently from e7a43e7 to 8bb0100 Compare December 6, 2024 18:08
@mend-for-github-com mend-for-github-com Bot changed the title Update dependency express to v4.20.0 Update dependency express to v4.21.2 Dec 6, 2024
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 3 times, most recently from 684ce93 to 0a70457 Compare December 12, 2024 08:11
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 3 times, most recently from a21d5f6 to 650a54a Compare December 19, 2024 06:33
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 650a54a to 704466b Compare January 3, 2025 04:50
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 704466b to 3780480 Compare January 15, 2025 09:26
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 3780480 to ad1e2e5 Compare February 5, 2025 03:22
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from ad1e2e5 to 55f5790 Compare February 13, 2025 11:39
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 55f5790 to 28e674f Compare February 23, 2025 11:47
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from 81c9889 to 7997676 Compare March 11, 2025 07:19
@mend-for-github-com mend-for-github-com Bot changed the title Update dependency express to v4.21.2 Update dependency express to v4.21.1 Mar 11, 2025
@mend-for-github-com mend-for-github-com Bot changed the title Update dependency express to v4.21.1 Update dependency express to v4.21.1 - autoclosed Mar 20, 2025
@mend-for-github-com
mend-for-github-com Bot deleted the whitesource-remediate/express-4.x-lockfile branch March 20, 2025 06:14
@mend-for-github-com mend-for-github-com Bot changed the title Update dependency express to v4.21.1 - autoclosed Update dependency express to v4.21.1 Mar 24, 2025
@mend-for-github-com mend-for-github-com Bot reopened this Mar 24, 2025
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from 7997676 to 3d5780c Compare March 30, 2025 13:49
@mend-for-github-com mend-for-github-com Bot changed the title Update dependency express to v4.21.1 Update dependency express to v4.20.0 Mar 30, 2025
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 3d5780c to 67ef3e5 Compare March 30, 2025 16:35
@mend-for-github-com mend-for-github-com Bot changed the title Update dependency express to v4.20.0 Update dependency express to v4.21.0 Mar 30, 2025
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 67ef3e5 to e8b7b70 Compare April 29, 2025 18:18
@mend-for-github-com mend-for-github-com Bot changed the title Update dependency express to v4.21.0 Update dependency express to v4.21.1 Apr 29, 2025
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch 2 times, most recently from b2a65d2 to 968d56a Compare October 1, 2025 13:33
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 968d56a to 6a2b21b Compare November 25, 2025 18:15
@mend-for-github-com mend-for-github-com Bot changed the title Update dependency express to v4.21.1 Update dependency express to v4.20.0 Nov 25, 2025
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from 6a2b21b to cd494ae Compare December 29, 2025 10:04
@mend-for-github-com
mend-for-github-com Bot force-pushed the whitesource-remediate/express-4.x-lockfile branch from cd494ae to 7df13a6 Compare December 30, 2025 12:11
@mend-for-github-com mend-for-github-com Bot changed the title Update dependency express to v4.20.0 Update dependency express to v4.22.0 Dec 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

security fix Security fix generated by Mend

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant