Bump the npm_and_yarn group across 2 directories with 44 updates

[dependabot]

Bumps the npm_and_yarn group with 34 updates in the / directory:

Package	From	To
async	2.6.2	2.6.4
mongoose	4.13.18	8.7.0
body-parser	1.19.0	1.20.3
express	4.17.0	4.21.0
browserify-shim	3.8.14	3.8.16
ejs	2.6.1	3.1.10
i	0.3.6	0.3.7
lodash	4.17.11	4.17.21
marked	0.6.2	4.0.10
moment	2.24.0	2.30.1
qs	6.7.0	6.13.0
qs	6.5.2	6.13.0
tinymce	4.9.4	7.2.0
sanitize-html	1.20.1	2.12.1
semver	5.7.0	6.3.1
semver	6.0.0	6.3.1
@babel/traverse	7.4.4	7.25.7
ajv	6.10.0	6.12.6
braces	2.3.2	3.0.3
watchify	3.11.1	4.0.0
browserify-sign	4.0.4	4.2.3
browserslist	4.6.0	4.24.0
bson	1.0.9	6.8.0
connect-mongo	2.0.3	5.1.0
cached-path-relative	1.0.2	1.1.0
cookiejar	2.1.2	2.1.4
elliptic	6.4.1	6.5.7
es5-ext	0.10.50	0.10.64
handlebars	4.1.2	4.7.8
json-schema	0.2.3	0.4.0
jsprim	1.4.1	1.4.2
json5	2.1.0	2.2.3
lodash-es	4.17.11	4.17.21
path-parse	1.0.6	1.0.7
shell-quote	1.6.1	1.8.1
ua-parser-js	0.7.19	0.7.39

Bumps the npm_and_yarn group with 2 updates in the /website directory: gatsby and gatsby-transformer-remark.

Updates async from 2.6.2 to 2.6.4

Changelog

Sourced from async's changelog.

v2.6.4

• Fix potential prototype pollution exploit (#1828)

v2.6.3

• Updated lodash to squelch a security warning (#1675)

Commits

• c6bdaca Version 2.6.4
• 8870da9 Update built files
• 4df6754 update changelog
• 8f7f903 Fix prototype pollution vulnerability (#1828)
• f1d8383 Version 2.6.3
• 2b674c1 update changelog
• eab740f fix: udpate lodash. closes #1675
• See full diff in compare view

Maintainer changes

This version was pushed to npm by hargasinski, a new releaser for async since your current version.

Updates mongoose from 4.13.18 to 8.7.0

Release notes

Sourced from mongoose's releases.

8.7.0 / 2024-09-27

• feat(model): add Model.applyVirtuals() to apply virtuals to a POJO #14905 #14818
• feat: upgrade mongodb -> 6.9.0 #14914
• feat(query): cast $rename to string #14887 #3027
• feat(SchemaType): add getEmbeddedSchemaType() method to SchemaTypes #14880 #8389
• fix(model): throw MongooseBulkSaveIncompleteError if bulkSave() didn't completely succeed #14884 #14763
• fix(connection): avoid returning readyState = connected if connection state is stale #14812 #14727
• fix: depopulate if push() or addToSet() with an ObjectId on a populated array #14883 #1635
• types: make __v a number, only set __v on top-level documents #14892

8.6.4 / 2024-09-26

• fix(document): avoid massive perf degradation when saving new doc with 10 level deep subdocs #14910 #14897
• fix(model): skip applying static hooks by default if static name conflicts with aggregate middleware #14904 dragontaek-lee
• fix(model): filter applying static hooks by default if static name conflicts with mongoose middleware #14908 dragontaek-lee

8.6.3 / 2024-09-17

• fix: make getters convert uuid to string when calling toObject() and toJSON() #14890 #14869
• fix: fix missing Aggregate re-exports for ESM #14886 wongsean
• types(document): add generic param to depopulate() to allow updating properties #14891 #14876

8.6.2 / 2024-09-11

• fix: make set merge deeply nested objects #14870 #14861 ianHeydoc
• types: allow arbitrary keys in query filters again (revert #14764) #14874 #14863 #14862 #14842
• types: make SchemaType static setters property accessible in TypeScript #14881 #14879
• type(inferrawdoctype): infer Date types as JS dates rather than Mongoose SchemaType Date #14882 #14839

8.6.1 / 2024-09-03

• fix(document): avoid unnecessary clone() in applyGetters() that was preventing getters from running on 3-level deep subdocuments #14844 #14840 #14835
• fix(model): throw error if bulkSave() did not insert or update any documents #14837 #14763
• fix(cursor): throw error in ChangeStream constructor if changeStreamThunk() throws a sync error #14846
• types(query): add $expr to RootQuerySelector #14845
• docs: update populate.md to fix missing match: { } #14847 makhoulshbeeb

8.6.0 / 2024-08-28

• feat: upgrade mongodb -> 6.8.0, handle throwing error on closed cursor in Mongoose with MongooseError instead of MongoCursorExhaustedError #14813
• feat(model+query): support options parameter for distinct() #14772 #8006
• feat(QueryCursor): add getDriverCursor() function that returns the raw driver cursor #14745
• types: change query selector to disallow unknown top-level keys by default #14764 alex-statsig
• types: make toObject() and toJSON() not generic by default to avoid type widening #14819 #12883
• types: avoid automatically inferring lean result type when assigning to explicitly typed variable #14734

8.5.5 / 2024-08-28

• fix(populate): fix a couple of other places where Mongoose gets the document's _id with getters #14833 #14827 #14759

... (truncated)

Changelog

Sourced from mongoose's changelog.

8.7.0 / 2024-09-27

• feat(model): add Model.applyVirtuals() to apply virtuals to a POJO #14905 #14818
• feat: upgrade mongodb -> 6.9.0 #14914
• feat(query): cast $rename to string #14887 #3027
• feat(SchemaType): add getEmbeddedSchemaType() method to SchemaTypes #14880 #8389
• fix(model): throw MongooseBulkSaveIncompleteError if bulkSave() didn't completely succeed #14884 #14763
• fix(connection): avoid returning readyState = connected if connection state is stale #14812 #14727
• fix: depopulate if push() or addToSet() with an ObjectId on a populated array #14883 #1635
• types: make __v a number, only set __v on top-level documents #14892

8.6.4 / 2024-09-26

• fix(document): avoid massive perf degradation when saving new doc with 10 level deep subdocs #14910 #14897
• fix(model): skip applying static hooks by default if static name conflicts with aggregate middleware #14904 dragontaek-lee
• fix(model): filter applying static hooks by default if static name conflicts with mongoose middleware #14908 dragontaek-lee

7.8.2 / 2024-09-25

• fix(projection): avoid setting projection to unknown exclusive/inclusive if elemMatch on a Date, ObjectId, etc. #14894 #14893

8.6.3 / 2024-09-17

• fix: make getters convert uuid to string when calling toObject() and toJSON() #14890 #14869
• fix: fix missing Aggregate re-exports for ESM #14886 wongsean
• types(document): add generic param to depopulate() to allow updating properties #14891 #14876

6.13.2 / 2024-09-12

• fix(document): make set() respect merge option on deeply nested objects #14870 #14878

8.6.2 / 2024-09-11

• fix: make set merge deeply nested objects #14870 #14861 ianHeydoc
• types: allow arbitrary keys in query filters again (revert #14764) #14874 #14863 #14862 #14842
• types: make SchemaType static setters property accessible in TypeScript #14881 #14879
• type(inferrawdoctype): infer Date types as JS dates rather than Mongoose SchemaType Date #14882 #14839

8.6.1 / 2024-09-03

• fix(document): avoid unnecessary clone() in applyGetters() that was preventing getters from running on 3-level deep subdocuments #14844 #14840 #14835
• fix(model): throw error if bulkSave() did not insert or update any documents #14837 #14763
• fix(cursor): throw error in ChangeStream constructor if changeStreamThunk() throws a sync error #14846
• types(query): add $expr to RootQuerySelector #14845
• docs: update populate.md to fix missing match: { } #14847 makhoulshbeeb

8.6.0 / 2024-08-28

• feat: upgrade mongodb -> 6.8.0, handle throwing error on closed cursor in Mongoose with MongooseError instead of MongoCursorExhaustedError #14813
• feat(model+query): support options parameter for distinct() #14772 #8006

... (truncated)

Commits

• 136cab5 chore: release 8.7.0
• 49b0339 Merge pull request #14915 from Automattic/8.7
• c4d96ea chore: release 8.6.4
• a53f430 Merge pull request #14914 from Automattic/vkarpov15/mongodb-6.9
• a4e3308 Merge pull request #14905 from Automattic/vkarpov15/gh-14818-2
• 54844e3 types: add applyVirtuals() to types
• 5b86fa3 feat: upgrade mongodb -> 6.9.0
• adb4fb0 Merge branch 'master' into 8.7
• c6bd31d Merge branch '7.x'
• 3ede837 chore: release 7.8.2
• Additional commits viewable in compare view

Updates body-parser from 1.19.0 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

• deps: [email protected]
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to [email protected] by @​wesleytodd in expressjs/body-parser#527
• deps: [email protected] by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

1.20.2

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: [email protected]

1.20.1

• deps: [email protected]
• perf: remove unnecessary object clone

1.20.0

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: [email protected]
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
• deps: [email protected]

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

• deps: [email protected]
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: [email protected]

1.20.1 / 2022-10-06

• deps: [email protected]
• perf: remove unnecessary object clone

1.20.0 / 2022-04-02

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: [email protected]
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
• deps: [email protected]
• deps: [email protected]
  • deps: [email protected]

1.19.2 / 2022-02-15

• deps: [email protected]
• deps: [email protected]
  • Fix handling of __proto__ keys
• deps: [email protected]
  • deps: [email protected]

1.19.1 / 2021-12-10

... (truncated)

Commits

• 1752951 1.20.3
• 39744cf chore: linter (#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (#531)
• 99a1bd6 deps: [email protected] (#521)
• 9478591 fix: pin to [email protected]
• 83db46a ci: fix errors in ci github action for node 8 and 9 (#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (#522)
• ee91374 1.20.2
• 368a93a Fix strict json error message on Node.js 19+
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates express from 4.17.0 to 4.21.0

Release notes

Sourced from express's releases.

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• [email protected] by @​wesleytodd in expressjs/express#5954
• fix(deps): [email protected] by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605
• deps: encodeurl@~2.0.0 by @​blakeembrey in expressjs/express#5569
• skip QUERY method test by @​jonchurch in expressjs/express#5628
• ignore ETAG query test on 21 and 22, reuse skip util by @​jonchurch in expressjs/express#5639
• add support Node.js@22 in the CI by @​mertcanaltin in expressjs/express#5627
• doc: add table of contents, tc/triager lists to readme by @​mertcanaltin in expressjs/express#5619
• List and sort all projects, add captains by @​blakeembrey in expressjs/express#5653
• docs: add @​UlisesGascon as captain for cookie-parser by @​UlisesGascon in expressjs/express#5666
• ✨ bring back query tests for node 21 by @​ctcpip in expressjs/express#5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @​jonchurch in expressjs/express#5672
• skip QUERY tests for Node 21 only, still not supported by @​jonchurch in expressjs/express#5695
• 📝 update people, add ctcpip to TC by @​ctcpip in expressjs/express#5683
• remove minor version pinning from ci by @​jonchurch in expressjs/express#5722
• Fix link variable use in attribution section of CODE OF CONDUCT by @​IamLizu in expressjs/express#5762
• Replace Appveyor windows testing with GHA by @​jonchurch in expressjs/express#5599
• Add OSSF Scorecard badge by @​UlisesGascon in expressjs/express#5436
• update scorecard link by @​bjohansebas in expressjs/express#5814
• Nominate @​IamLizu to the triage team by @​UlisesGascon in expressjs/express#5836
• deps: [email protected] by @​blakeembrey in expressjs/express#5603

... (truncated)

Changelog

Sourced from express's changelog.

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: [email protected]
  • includes [email protected]
• deps: [email protected]
• deps: [email protected]

4.20.0 / 2024-09-10

• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: [email protected]
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: [email protected]

4.18.3 / 2024-02-29

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5

... (truncated)

Commits

• 7e562c6 4.21.0
• 1bcde96 fix(deps): [email protected] (#5946)
• 7d36477 fix(deps): [email protected] (#5951)
• 40d2d8f fix(deps): [email protected]
• 77ada90 Deprecate "back" magic string in redirects (#5935)
• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to [email protected]
• 9ebe5d5 feat: upgrade to [email protected] (#5928)
• ec4a01b feat: upgrade to [email protected] (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.

Updates browserify-shim from 3.8.14 to 3.8.16

Commits

• a2b4e72 3.8.16
• 97855e6 resolve-shims: prevent prototype manipulation (#246)
• bae7ece fix readme h1
• 0d4c920 3.8.15
• 339ced5 deps: update mothership (#243)
• 5ad9c76 chore: remove patreon and npm badges
• 464b32b Bump jquery from 2.2.4 to 3.5.0 in /examples/shim-jquery-ui (#240)
• e81d2cc Bump request from 2.12.0 to 2.88.0 in /examples/dependency-with-global (#235)
• bc17073 Bump request from 2.12.0 to 2.88.0 in /examples/shim-jquery-ui (#236)
• ab0b6c7 Bump request from 2.12.0 to 2.88.0 in /examples/expose-jquery (#237)
• Additional commits viewable in compare view

Updates ejs from 2.6.1 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

v3.1.9

Version 3.1.9

v3.1.8

Version 3.1.8

v3.1.7

Version 3.1.7

v3.1.6

Version 3.1.6

v3.1.5

Version 3.1.5

v3.0.2

No release notes provided.

v2.7.4

Bug fixes

• Fixed Node 4 support, which broke in v2.7.3 (mde/ejs@5e42d6c, @​mde)

v2.7.3

Bug fixes

• Made the post-install message more discreet by following the example of opencollective-postinstall (mde/ejs@228d8e4, @​mde)

v2.7.2

Features

• Added support for destructuring locals (#452, @​ExE-Boss)
• Added support for disabling legacy include directives (#458, #459, @​ExE-Boss)
• Compiled functions are now shown in the debugger (#456, @​S2-)
• function.name is now set to the file base name in environments that support this (#466, @​ExE-Boss)

Bug Fixes

• The error message when async != true now correctly mention the existence of the async option (#460, @​ExE-Boss)
• Improved performance of HTML output generation (#470, @​nwoltman)

v2.7.1

Deprecated:

• Added deprecation notice for use of require.extensions (@​mde)

v2.6.2

• Correctly pass custom escape function to includes (@​alecgibson)

... (truncated)

Commits

• d3f807d Version 3.1.10
• 9ee26dd Mocha TDD
• e469741 Basic pollution protection
• 715e950 Merge pull request #756 from Jeffrey-mu/main
• cabe314 Include advanced usage examples
• 29b076c Added header
• 11503c7 Merge branch 'main' of github.com:mde/ejs into main
• 7690404 Added security banner to README
• f47d7ae Update SECURITY.md
• 828cea1 Update SECURITY.md
• Additional commits viewable in compare view

Updates express from 4.17.0 to 4.21.0

Release notes

Sourced from express's releases.

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• [email protected] by @​wesleytodd in expressjs/express#5954
• fix(deps): [email protected] by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605
• deps: encodeurl@~2.0.0 by @​blakeembrey in expressjs/express#5569
• skip QUERY method test by @​jonchurch in expressjs/express#5628
• ignore ETAG query test on 21 and 22, reuse skip util by @​jonchurch in expressjs/express#5639
• add support Node.js@22 in the CI by @​mertcanaltin in expressjs/express#5627
• doc: add table of contents, tc/triager lists to readme by @​mertcanaltin in expressjs/express#5619
• List and sort all projects, add captains by @​blakeembrey in expressjs/express#5653
• docs: add @​UlisesGascon as captain for cookie-parser by @​UlisesGascon in expressjs/express#5666
• ✨ bring back query tests for node 21 by @​ctcpip in expressjs/express#5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @​jonchurch in expressjs/express#5672
• skip QUERY tests for Node 21 only, still not supported by @​jonchurch in expressjs/express#5695
• 📝 update people, add ctcpip to TC by @​ctcpip in expressjs/express#5683
• remove minor version pinning from ci by @​jonchurch in expressjs/express#5722
• Fix link variable use in attribution section of CODE OF CONDUCT by @​IamLizu in expressjs/express#5762
• Replace Appveyor windows testing with GHA by @​jonchurch in expressjs/express#5599
• Add OSSF Scorecard badge by @​UlisesGascon in expressjs/express#5436
• update scorecard link by @​bjohansebas in expressjs/express#5814
• Nominate @​IamLizu to the triage team by @​UlisesGascon in expressjs/express#5836
• deps: [email protected] by @​blakeembrey in expressjs/express#5603

... (truncated)

Changelog

Sourced from express's changelog.

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: [email protected]
  • includes [email protected]
• deps: [email protected]
• deps: [email protected]

4.20.0 / 2024-09-10

• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: [email protected]
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: [email protected]

4.18.3 / 2024-02-29

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5

... (truncated)

Commits

• 7e562c6 4.21.0
• 1bcde96 fix(deps): [email protected] (#5946)
• 7d36477 fix(deps): [email protected] (#5951)
• 40d2d8f fix(deps): [email protected]
• 77ada90 Deprecate "back" magic string in redirects (#5935)
• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to [email protected]
• 9ebe5d5 feat: upgrade to [email protected] (#5928)
• ec4a01b feat: upgrade to [email protected] (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.

Updates i from 0.3.6 to 0.3.7

Commits

• 71961bd Version bump v0.3.7
• a9a0a8e Fix CVE-2021-3820
• c025e15 Fix formatting
• dace42b Move away from travis