Express NES Changelog
3.21.2-express-3.21.5 (NES) - October 17, 2024
This release improves the handling of header data and attributes in the response component and includes dependency updates to resolve vulnerabilities.
Fixes:
- response:
  - Improve handling and sanitizing of content used in default HTML from response.redirect()
    - This fixes a Medium Severity XSS vulnerability (CVE-2024-43796)
  - Improve handling of cookie attributes used in response.clearCookie()
  - Improve handling of Link header attributes used in response.links()
    - This fixes a Medium Severity Resource Injection vulnerability (CVE-2024-10491)
- Dependencies:
  - cookie@0.7.2 to remediate CVE-2024-47764
  - mkdirp@0.5.6 to remediate CVE-2021-44906 and CVE-2020-7598 via minimist@1.2.6 dependency
  - fresh@0.5.2 to remediate CVE-2017-16119
  - debug@2.6.9 to remediate CVE-2017-16137
  - send@0.19.1 to remediate CVE-2017-16138 via mime@1.6.0 dependency
  - ejs@2.5.9 to remediate CVE-2017-1000188, CVE-2018-1000189, and CVE-2018-1000228
  - marked@0.3.19 to remediate CVE-2017-1000427, CVE-2016-10531, and CVE-2017-16114
Breaking Changes:
- None
3.21.2-express-3.21.4 (NES) - August 23, 2024
This release further improves the handling of URLs when used for setting the Location header in the response component.
Fixes:
- response: Improve handling of path strings and relative URLs used when setting the Location header for redirects.
  - This fixes a Medium Severity XSS vulnerability (CVE-2024-9266)
Breaking Changes:
- None
3.21.2-express-3.21.3 (NES) - August 23, 2024
This is the initial base release of Express 3.21.x NES. This release contains no functional changes from Express 3.21.2.
Breaking Changes:
- None