fix(deps): update mend: high confidence minor and patch dependency updates #3

Open

mend-for-github-com[bot] wants to merge 1 commit into master from
whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates

Conversation


@mend-for-github-com mend-for-github-com bot commented Jan 7, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package              Change
adm-zip              0.4.11 → 0.5.17
body-parser          1.9.0 → 1.20.4
cookie-parser        1.3.3 → 1.4.7
express (source)     4.12.4 → 4.22.1
moment (source)      2.15.1 → 2.30.1
mongoose (source)    4.2.4 → 4.13.21
stream-buffers       3.0.2 → 3.0.3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

cthackers/adm-zip (adm-zip)

v0.5.17

Compare Source

What's Changed

New Contributors

Full Changelog: cthackers/adm-zip@v0.5.16...v0.5.17

v0.5.16

Compare Source

What's Changed

New Contributors

Full Changelog: cthackers/adm-zip@v0.5.15...v0.5.16

v0.5.15

Compare Source

What's Changed

New Contributors

Full Changelog: cthackers/adm-zip@v0.5.14...v0.5.15

v0.5.14

Compare Source

Fixed an issue introduced on version 0.5.13 requiring a new mandatory parameter on the inflater on nodejs version >= 15

v0.5.13

Compare Source

  • Fixed extractAllToAsync callback @​5saviahv
  • Fixed issue with "toAsyncBuffer" where after that command all entries are gone @​5saviahv
  • Minor fixes (tests, typos etc) @​5saviahv
  • Added an option to specify the maximum expectedLength of the file to protect against zip bombs or limit memory usage @​undefined-moe
  • Add check for invalid large disk entries @​criyle

v0.5.12

Compare Source

Fixed extraction error

v0.5.11

Compare Source

  • Add support for Info-Zip password check spec for ZipCrypto @​lukemalcolm
  • Extraction of password protected zip entries @​Santa77
  • Fixed unnecessary scanning a local file headers (except in the case of corrupted archives) @​likev
  • Added GitHub actions @​kibertoad
  • Fixed cases when extra data was lost @​yfdyh000
  • Fixed throw empty error in extractAllToAsync on operation done @​Autokaka

v0.5.10

Compare Source

v0.5.9

Compare Source

v0.5.8

Compare Source

v0.5.7

Compare Source

v0.5.6

Compare Source

v0.5.5

Compare Source

v0.5.4

Compare Source

==================

  • Fixed relative paths
  • Added zipcrypto encryption
  • Lower verMade for macOS when generating zip file

v0.5.3

Compare Source

==================

  • Fixed filemode when unzipping

v0.5.2

Compare Source

==================

  • Fixed path traversal issue (GHSL-2020-198)

v0.5.1

Compare Source

==================

  • Incremented version (cthackers)
  • Fixed outFileName (cthackers)

v0.5.0

Compare Source

==================

  • Added extra parameter to extractEntryTo so target filename can be renamed (cthackers)
  • Updated dev dependency (cthackers)
  • modified addLocalFolder method (5saviahv)
  • modified addLocalFile method (5saviahv)
  • Deflate needs min V2.0 (5saviahv)
  • Node v6 (5saviahv)
  • Added ZipCrypto decrypting ability (5saviahv)
  • LICENSE filename in package.json (5saviahv)
  • add multibyte-encoded comment with byte length instead of character length (Kosuke Suzuki)
  • Bump lodash from 4.17.15 to 4.17.19 (dependabot[bot])
  • now it works in browser (Emiliano Necciari)

v0.4.16

Compare Source

===================

  • Updated mocha version to fix vulnerability (cthackers)
  • Update project version (cthackers)
  • fix: throw real exception objects on error (Matthew Sainsbury)
  • Version number incremented (Saqib M)
  • Update zipFile.js (Saqib M)
  • Update README.md with the latest URLs (Takuya Noguchi)
  • Update Node.js version to use in CI tests (Takuya Noguchi)
  • process.versions is null when the library is used in browser (Emiliano Necciari)

v0.4.14

Compare Source

===================

  • Version increment for npm publish (cthackers)
  • Iterate over entries without storing their metadata (Pierre Lehnen)
  • Add partial support for zip64 (larger number of entries) (Pierre Lehnen)
  • Escape $ sign for regex in addLocalFolder() (William)
  • fix accent filename (mart_-)
  • Removed improperly raised error while decompressing empty file asynchronously. (Nicolas Leclerc)
  • fix: CRC is unexpectedly changed after zip is re-created (teppeis)

v0.4.13

Compare Source

===================

  • Add async version of addLocalFile Use open and readFile instead of existsSync and readFileSync. There are still some sync functions left in the Utils.findFiles call, but the impact is minimal compared to the readFileSync. (Maigret Aurelien)
  • Fix jsdoc typings for functions. (Leon Aves)
  • fixed Utils.FileSystem overwriting 'fs' module even when 'original-fs' is broken (Tom Wallroth)
  • fix race-condition crash when extracting data and extracted files are (re)moved (Tom Wallroth)
  • Fix: bad buffer.alloc for .toBuffer in async mode (Colin GILLE)
  • Add a full license text to the distribution (Honza Javorek)
  • Rename MIT-LICENSE.txt to LICENSE (Standa Opichal)
  • fix bug when filename or path contains multi-byte characters (warbaby)
  • bump version to 0.4.12 (Marsette Vona)
  • change default compression method for added files back to DEFLATED from STORED (revert #​139) (Marsette Vona)
  • remove JSDeflater() and JSInflater() in favor of zlib.deflateRawSync() and zlib.inflateRawSync() respectively (Marsette Vona)
  • Fix (Mirko Tebaldi)
  • 0.4.12 - Created a test to check Twizzeld's issue on Issue #​237. (was not able to replicate his issue) (cjacobs)
  • Fix Buffer.alloc bug #​234 (keyesdav)
  • 0.4.12 - Fix additional issue with extractEntryTo improperly handling directory children. (cjacobs)
  • 0.4.12 - Fix #​237, add tests, update travis node versions. (cjacobs)
  • 0.4.12 - Fix #​237, add tests, update travis node versions. (cjacobs)
  • 0.4.12 - Fix #​237, add tests, update travis node versions. (cjacobs)
  • 0.4.12 - Fix #​237, add tests, update travis node versions. (cjacobs)
  • add tests for CRC fixes (Kevin Tjiam)
  • compare calculated CRC with loaded CRC (Kevin Tjiam)
  • handle errors in callback from getDataAsync (Kevin Tjiam)

expressjs/body-parser (body-parser)

v1.20.4

Compare Source

===================

  • deps: qs@~6.14.0
  • deps: use tilde notation for dependencies
  • deps: http-errors@~2.0.1
  • deps: raw-body@~2.5.3

v1.20.3

Compare Source

===================

  • deps: qs@​6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

v1.20.2

Compare Source

===================

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@​2.5.2

v1.20.1

Compare Source

===================

  • deps: qs@​6.11.0
  • perf: remove unnecessary object clone

v1.20.0

Compare Source

===================

  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@​2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@​2.0.0
    • deps: depd@​2.0.0
    • deps: statuses@​2.0.1
  • deps: on-finished@​2.4.1
  • deps: qs@​6.10.3
  • deps: raw-body@​2.5.1
    • deps: http-errors@​2.0.0

v1.19.2

Compare Source

===================

  • deps: bytes@​3.1.2
  • deps: qs@​6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@​2.4.3
    • deps: bytes@​3.1.2
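Two of the entries above are worth seeing in code: the depth limit that 1.20.3 makes default (32 instead of Infinity) and the __proto__ key handling that 1.19.2 picked up from qs 6.9.7. The block below is an added example, not body-parser's or qs's own code (qs is the parser body-parser delegates to); it is a minimal urlencoded parser with both protections. Assumptions not taken from the page: the "a[]=x" array syntax is not handled, and a strictDepth flag that throws instead of folding the excess nesting is an addition of this example.

```javascript
// Added example, not body-parser's or qs's own code (qs is the parser
// body-parser delegates to): a minimal application/x-www-form-urlencoded
// parser that applies the two protections recorded in the notes above, a
// nesting depth limit (default 32, as in body-parser 1.20.3) and rejection of
// keys that live on Object.prototype such as __proto__ (1.19.2).
// Assumptions not taken from the page: "a[]=x" array syntax is not handled,
// and a strictDepth flag throws instead of folding the excess nesting.

// A key is hostile if it names a property of Object.prototype, because
// assigning through it can reach every object in the process:
// "__proto__", "constructor", "hasOwnProperty", "toString", ...
function isPrototypeKey(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Split "a[b][c][d]" into path segments. At most `depth` bracket groups become
// nested levels; the remainder is kept as one literal key ("[c][d]"), so depth
// bounds both recursion and the objects allocated per pair. depth 0 disables
// nesting altogether, leaving the whole key as written.
function splitKey(rawKey, depth) {
  const first = rawKey.indexOf('[');
  if (depth === 0 || first === -1) return { segments: [rawKey], folded: false };
  const segments = first > 0 ? [rawKey.slice(0, first)] : [];
  const bracket = /\[([^\[\]]*)\]/g;
  bracket.lastIndex = first;
  let consumed = first;
  let groups = 0;
  let match;
  while (groups < depth && (match = bracket.exec(rawKey)) !== null && match.index === consumed) {
    groups += 1;
    segments.push(match[1]);
    consumed = bracket.lastIndex;
  }
  const rest = rawKey.slice(consumed);
  if (rest !== '') segments.push(rest);
  return { segments, folded: groups === depth && rest.startsWith('[') };
}

// Walk or create the container chain and assign the leaf. The whole pair is
// dropped (nothing is assigned) if any segment is a prototype key, so
// "__proto__[polluted]=1" never touches Object.prototype.
function assignPath(target, segments, value) {
  if (segments.some(isPrototypeKey)) return false;
  let node = target;
  for (let i = 0; i < segments.length - 1; i += 1) {
    const key = segments[i];
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return true;
}

function parseUrlencoded(body, { depth = 32, strictDepth = false } = {}) {
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  const result = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = decode(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decode(pair.slice(eq + 1));
    const { segments, folded } = splitKey(rawKey, depth);
    if (folded && strictDepth) {
      throw new RangeError(`key nesting exceeds depth ${depth}: ${rawKey}`);
    }
    assignPath(result, segments, value);
  }
  return result;
}

// Constructed hostile bodies: one nests 100 levels deep, one aims at
// Object.prototype through __proto__.
const DEEP_BODY = 'a' + '[x]'.repeat(100) + '=1';
const POLLUTING_BODY = '__proto__[polluted]=yes&name=alice';

function demo() {
  return {
    bounded: parseUrlencoded(DEEP_BODY),            // 32 levels, then one folded key
    safe: parseUrlencoded(POLLUTING_BODY),          // { name: 'alice' }
    prototypeTouched: ({}).polluted !== undefined,  // false
  };
}
```

With the default depth, DEEP_BODY still parses, but the 68 groups past the limit collapse into a single literal key instead of 68 more objects, which is why a deep body is a memory and CPU concern rather than a crash. The containers here are ordinary objects; the v1.13.0 entry below records that qs 3.1.0 returned null-prototype objects, and this example keeps plain objects (friendlier to callers that expect hasOwnProperty) and relies on the key guard instead.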

v1.19.1

Compare Source

===================

  • deps: bytes@​3.1.1
  • deps: http-errors@​1.8.1
    • deps: inherits@​2.0.4
    • deps: toidentifier@​1.0.1
    • deps: setprototypeof@​1.2.0
  • deps: qs@​6.9.6
  • deps: raw-body@​2.4.2
    • deps: bytes@​3.1.1
    • deps: http-errors@​1.8.1
  • deps: safe-buffer@​5.2.1
  • deps: type-is@~1.6.18

v1.19.0

Compare Source

===================

  • deps: bytes@​3.1.0
    • Add petabyte (pb) support
  • deps: http-errors@​1.7.2
    • Set constructor name when possible
    • deps: setprototypeof@​1.1.1
    • deps: statuses@'>= 1.5.0 < 2'
  • deps: iconv-lite@​0.4.24
    • Added encoding MIK
  • deps: qs@​6.7.0
    • Fix parsing array brackets after index
  • deps: raw-body@​2.4.0
    • deps: bytes@​3.1.0
    • deps: http-errors@​1.7.2
    • deps: iconv-lite@​0.4.24
  • deps: type-is@~1.6.17
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type

v1.18.3

Compare Source

===================

  • Fix stack trace for strict json parse error
  • deps: depd@~1.1.2
    • perf: remove argument reassignment
  • deps: http-errors@~1.6.3
    • deps: depd@~1.1.2
    • deps: setprototypeof@​1.1.0
    • deps: statuses@'>= 1.3.1 < 2'
  • deps: iconv-lite@​0.4.23
    • Fix loading encoding with year appended
    • Fix deprecation warnings on Node.js 10+
  • deps: qs@​6.5.2
  • deps: raw-body@​2.3.3
    • deps: http-errors@​1.6.3
    • deps: iconv-lite@​0.4.23
  • deps: type-is@~1.6.16
    • deps: mime-types@~2.1.18

v1.18.2

Compare Source

===================

  • deps: debug@​2.6.9
  • perf: remove argument reassignment

v1.18.1

Compare Source

===================

  • deps: content-type@~1.0.4
    • perf: remove argument reassignment
    • perf: skip parameter parsing when no parameters
  • deps: iconv-lite@​0.4.19
    • Fix ISO-8859-1 regression
    • Update Windows-1255
  • deps: qs@​6.5.1
    • Fix parsing & compacting very deep objects
  • deps: raw-body@​2.3.2
    • deps: iconv-lite@​0.4.19

v1.18.0

Compare Source

===================

  • Fix JSON strict violation error to match native parse error
  • Include the body property on verify errors
  • Include the type property on all generated errors
  • Use http-errors to set status code on errors
  • deps: bytes@​3.0.0
  • deps: debug@​2.6.8
  • deps: depd@~1.1.1
    • Remove unnecessary Buffer loading
  • deps: http-errors@~1.6.2
    • deps: depd@​1.1.1
  • deps: iconv-lite@​0.4.18
    • Add support for React Native
    • Add a warning if not loaded as utf-8
    • Fix CESU-8 decoding in Node.js 8
    • Improve speed of ISO-8859-1 encoding
  • deps: qs@​6.5.0
  • deps: raw-body@​2.3.1
    • Use http-errors for standard emitted errors
    • deps: bytes@​3.0.0
    • deps: iconv-lite@​0.4.18
    • perf: skip buffer decoding on overage chunk
  • perf: prevent internal throw when missing charset

v1.17.2

Compare Source

===================

  • deps: debug@​2.6.7
    • Fix DEBUG_MAX_ARRAY_LENGTH
    • deps: ms@​2.0.0
  • deps: type-is@~1.6.15
    • deps: mime-types@~2.1.15

v1.17.1

Compare Source

===================

  • deps: qs@​6.4.0
    • Fix regression parsing keys starting with [

v1.17.0

Compare Source

===================

  • deps: http-errors@~1.6.1
    • Make message property enumerable for HttpErrors
    • deps: setprototypeof@​1.0.3
  • deps: qs@​6.3.1
    • Fix compacting nested arrays

v1.16.1

Compare Source

===================

  • deps: debug@​2.6.1
    • Fix deprecation messages in WebStorm and other editors
    • Undeprecate DEBUG_FD set to 1 or 2

v1.16.0

Compare Source

===================

  • deps: debug@​2.6.0
    • Allow colors in workers
    • Deprecated DEBUG_FD environment variable
    • Fix error when running under React Native
    • Use same color for same namespace
    • deps: ms@​0.7.2
  • deps: http-errors@~1.5.1
    • deps: inherits@​2.0.3
    • deps: setprototypeof@​1.0.2
    • deps: statuses@'>= 1.3.1 < 2'
  • deps: iconv-lite@​0.4.15
    • Added encoding MS-31J
    • Added encoding MS-932
    • Added encoding MS-936
    • Added encoding MS-949
    • Added encoding MS-950
    • Fix GBK/GB18030 handling of Euro character
  • deps: qs@​6.2.1
    • Fix array parsing from skipping empty values
  • deps: raw-body@~2.2.0
    • deps: iconv-lite@​0.4.15
  • deps: type-is@~1.6.14
    • deps: mime-types@~2.1.13

v1.15.2

Compare Source

===================

  • deps: bytes@​2.4.0
  • deps: content-type@~1.0.2
    • perf: enable strict mode
  • deps: http-errors@~1.5.0
    • Use setprototypeof module to replace __proto__ setting
    • deps: statuses@'>= 1.3.0 < 2'
    • perf: enable strict mode
  • deps: qs@​6.2.0
  • deps: raw-body@~2.1.7
    • deps: bytes@​2.4.0
    • perf: remove double-cleanup on happy path
  • deps: type-is@~1.6.13
    • deps: mime-types@~2.1.11

v1.15.1

Compare Source

===================

  • deps: bytes@​2.3.0
    • Drop partial bytes on all parsed units
    • Fix parsing byte string that looks like hex
  • deps: raw-body@~2.1.6
    • deps: bytes@​2.3.0
  • deps: type-is@~1.6.12
    • deps: mime-types@~2.1.10

v1.15.0

Compare Source

===================

  • deps: http-errors@~1.4.0
    • Add HttpError export, for err instanceof createError.HttpError
    • deps: inherits@​2.0.1
    • deps: statuses@'>= 1.2.1 < 2'
  • deps: qs@​6.1.0
  • deps: type-is@~1.6.11
    • deps: mime-types@~2.1.9

v1.14.2

Compare Source

===================

  • deps: bytes@​2.2.0
  • deps: iconv-lite@​0.4.13
  • deps: qs@​5.2.0
  • deps: raw-body@~2.1.5
    • deps: bytes@​2.2.0
    • deps: iconv-lite@​0.4.13
  • deps: type-is@~1.6.10
    • deps: mime-types@~2.1.8

v1.14.1

Compare Source

===================

  • Fix issue where invalid charset results in 400 when verify used
  • deps: iconv-lite@​0.4.12
    • Fix CESU-8 decoding in Node.js 4.x
  • deps: raw-body@~2.1.4
    • Fix masking critical errors from iconv-lite
    • deps: iconv-lite@​0.4.12
  • deps: type-is@~1.6.9
    • deps: mime-types@~2.1.7

v1.14.0

Compare Source

===================

  • Fix JSON strict parse error to match syntax errors
  • Provide static require analysis in urlencoded parser
  • deps: depd@~1.1.0
    • Support web browser loading
  • deps: qs@​5.1.0
  • deps: raw-body@~2.1.3
    • Fix sync callback when attaching data listener causes sync read
  • deps: type-is@~1.6.8
    • Fix type error when given invalid type to match against
    • deps: mime-types@~2.1.6

v1.13.3

Compare Source

===================

  • deps: type-is@~1.6.6
    • deps: mime-types@~2.1.4

v1.13.2

Compare Source

===================

  • deps: iconv-lite@​0.4.11
  • deps: qs@​4.0.0
    • Fix dropping parameters like hasOwnProperty
    • Fix user-visible incompatibilities from 3.1.0
    • Fix various parsing edge cases
  • deps: raw-body@~2.1.2
    • Fix error stack traces to skip makeError
    • deps: iconv-lite@​0.4.11
  • deps: type-is@~1.6.4
    • deps: mime-types@~2.1.2
    • perf: enable strict mode
    • perf: remove argument reassignment

v1.13.1

Compare Source

===================

  • deps: qs@​2.4.2
    • Downgraded from 3.1.0 because of user-visible incompatibilities

v1.13.0

Compare Source

===================

  • Add statusCode property on Errors, in addition to status
  • Change type default to application/json for JSON parser
  • Change type default to application/x-www-form-urlencoded for urlencoded parser
  • Provide static require analysis
  • Use the http-errors module to generate errors
  • deps: bytes@​2.1.0
    • Slight optimizations
  • deps: iconv-lite@​0.4.10
    • The encoding UTF-16 without BOM now defaults to UTF-16LE when detection fails
    • Leading BOM is now removed when decoding
  • deps: on-finished@~2.3.0
    • Add defined behavior for HTTP CONNECT requests
    • Add defined behavior for HTTP Upgrade requests
    • deps: ee-first@​1.1.1
  • deps: qs@​3.1.0
    • Fix dropping parameters like hasOwnProperty
    • Fix various parsing edge cases
    • Parsed object now has null prototype
  • deps: raw-body@~2.1.1
    • Use unpipe module for unpiping requests
    • deps: iconv-lite@​0.4.10
  • deps: type-is@~1.6.3
    • deps: mime-types@~2.1.1
    • perf: reduce try block size
    • perf: remove bitwise operations
  • perf: enable strict mode
  • perf: remove argument reassignment
  • perf: remove delete call

v1.12.4

Compare Source

===================

  • deps: debug@~2.2.0
  • deps: qs@​2.4.2
    • Fix allowing parameters like constructor
  • deps: on-finished@~2.2.1
  • deps: raw-body@~2.0.1
    • Fix a false-positive when unpiping in Node.js 0.8
    • deps: bytes@​2.0.1
  • deps: type-is@~1.6.2
    • deps: mime-types@~2.0.11

v1.12.3

Compare Source

===================

  • Slight efficiency improvement when not debugging
  • deps: depd@~1.0.1
  • deps: iconv-lite@​0.4.8
    • Add encoding alias UNICODE-1-1-UTF-7
  • deps: raw-body@​1.3.4
    • Fix hanging callback if request aborts during read
    • deps: iconv-lite@​0.4.8

v1.12.2

Compare Source

===================

  • deps: qs@​2.4.1
    • Fix error when parameter hasOwnProperty is present

v1.12.1

Compare Source

===================

  • deps: debug@~2.1.3
    • Fix high intensity foreground color for bold
    • deps: ms@​0.7.0
  • deps: type-is@~1.6.1
    • deps: mime-types@~2.0.10

v1.12.0

Compare Source

===================

  • add debug messages
  • accept a function for the type option
  • use content-type to parse Content-Type headers
  • deps: iconv-lite@​0.4.7
    • Gracefully support enumerables on Object.prototype
  • deps: raw-body@​1.3.3
    • deps: iconv-lite@​0.4.7
  • deps: type-is@~1.6.0
    • fix argument reassignment
    • fix false-positives in hasBody Transfer-Encoding check
    • support wildcard for both type and subtype (*/*)
    • deps: mime-types@~2.0.9

v1.11.0

Compare Source

===================

  • make internal extended: true depth limit infinity
  • deps: type-is@~1.5.6
    • deps: mime-types@~2.0.8

v1.10.2

Compare Source

===================

  • deps: iconv-lite@​0.4.6
    • Fix rare aliases of single-byte encodings
  • deps: raw-body@​1.3.2
    • deps: iconv-lite@​0.4.6

v1.10.1

Compare Source

===================

  • deps: on-finished@~2.2.0
  • deps: type-is@~1.5.5
    • deps: mime-types@~2.0.7

v1.10.0

Compare Source

===================

  • make internal extended: true array limit dynamic

v1.9.3

Compare Source

==================

  • deps: iconv-lite@​0.4.5
    • Fix Windows-31J and X-SJIS encoding support
  • deps: qs@​2.3.3
    • Fix arrayLimit behavior
  • deps: raw-body@​1.3.1
    • deps: iconv-lite@​0.4.5
  • deps: type-is@~1.5.3
    • deps: mime-types@~2.0.3

v1.9.2

Compare Source

==================

  • deps: qs@​2.3.2
    • Fix parsing of mixed objects and values

v1.9.1

Compare Source

==================

  • deps: on-finished@~2.1.1
    • Fix handling of pipelined requests
  • deps: qs@​2.3.0
    • Fix parsing of mixed implicit and explicit arrays
  • deps: type-is@~1.5.2
    • deps: mime-types@~2.0.2

expressjs/cookie-parser (cookie-parser)

v1.4.7

Compare Source

==========

  • deps: cookie@​0.7.2
    • Fix object assignment of hasOwnProperty
  • deps: cookie@​0.7.1
    • Allow leading dot for domain
      • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
    • Add fast path for serialize without options, use obj.hasOwnProperty when parsing
  • deps: cookie@​0.7.0
    • perf: parse cookies ~10% faster
    • fix: narrow the validation of cookies to match RFC6265
    • fix: add main to package.json for rspack
  • deps: cookie@​0.6.0
    • Add partitioned option
  • deps: cookie@​0.5.0
    • Add priority option
    • Fix expires option to reject invalid dates
    • perf: improve default decode speed
    • perf: remove slow string split in parse
  • deps: cookie@​0.4.2
    • perf: read value only when assigning in parse
    • perf: remove unnecessary regexp in parse

v1.4.6

Compare Source

==================

  • deps: cookie@​0.4.1

v1.4.5

Compare Source

==================

  • deps: cookie@​0.4.0

v1.4.4

Compare Source

==================

  • perf: normalize secret argument only once

v1.4.3

Compare Source

==================

  • deps: cookie@​0.3.1
    • perf: use for loop in parse

v1.4.2

Compare Source

==================

  • deps: cookie@​0.2.4
    • perf: enable strict mode
    • perf: use for loop in parse
    • perf: use string concatenation for serialization

v1.4.1

Compare Source

==================

  • deps: cookie@​0.2.3
  • perf: enable strict mode

v1.4.0

Compare Source

==================

  • Accept array of secrets in addition to a single secret
  • Fix JSONCookie to return undefined for non-string arguments
  • Fix signedCookie to return undefined for non-string arguments
  • deps: cookie@​0.2.2

v1.3.5

Compare Source

==================

  • deps: cookie@​0.1.3
    • Slight optimizations

v1.3.4

Compare Source

==================

  • deps: cookie-signature@​1.0.6

expressjs/express (express)

v4.22.1

Compare Source

What's Changed

Important: The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@4.22.0...v4.22.1

v4.22.0

Compare Source

Important: Security

What's Changed

Full Changelog: expressjs/express@4.21.2...4.22.0

v4.21.2

Compare Source

What's Changed

Full Changelog: expressjs/express@4.21.1...4.21.2

v4.21.1

Compare Source

What's Changed

Full Changelog: expressjs/express@4.21.0...4.21.1

v4.21.0

Compare Source

What's Changed

New Contributors

Full Changelog: expressjs/express@4.20.0...4.21.0

v4.20.0

Compare Source

==========

  • deps: serve-static@​0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@​0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@​0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@​0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

v4.19.2

Compare Source

==========

  • Improved fix for open redirect allow list bypass

v4.19.1

Compare Source

==========

  • Allow passing non-strings to res.location with new encoding handling checks

v4.19.0

Compare Source

==========

  • Prevent open redirect allow list bypass due to encodeurl
  • deps: cookie@​0.6.0
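The 4.19.0 through 4.19.2 entries above concern an open redirect allow-list bypass tied to how res.location encoded its argument. Whatever the encoding step does, the durable defence is to decide on the parsed, normalised URL the client will actually follow rather than on the raw string. The block below is an added example, not express's own code; the origins, paths and the "next" query parameter are constructed for it.

```javascript
// Added example, not express's own code: an allow-list check for redirect
// targets that validates the parsed, normalised URL (what the browser will
// follow) instead of the raw string handed to res.redirect. Origins and paths
// below are constructed for the example.

// Returns the absolute URL to redirect to, or null if the target must be refused.
function safeRedirectTarget(candidate, requestOrigin, allowedOrigins) {
  if (typeof candidate !== 'string' || candidate.length === 0) return null;
  let url;
  try {
    // WHATWG parsing: "//evil.example", "\\evil.example" and "/\evil.example"
    // all resolve to a foreign host here, exactly as a browser reads them.
    url = new URL(candidate, requestOrigin);
  } catch (err) {
    return null;
  }
  // Refuse javascript:, data:, file: and similar schemes outright.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // Compare whole origins (scheme + host + port); a prefix or suffix string
  // test would accept app.example.evil.example.
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  if (!allowed.has(url.origin)) return null;
  return url.href;
}

// Express usage under the same assumption (a user-chosen "next" parameter);
// falls back to "/" when the target is refused. req.protocol, req.get and
// res.redirect are express 4 request/response methods.
function redirectHandler(req, res) {
  const origin = `${req.protocol}://${req.get('host')}`;
  const target = safeRedirectTarget(req.query.next, origin, [origin, 'https://accounts.example']);
  res.redirect(target || '/');
}

// Constructed probes a practitioner would throw at the check.
const PROBES = [
  '/dashboard',
  '//evil.example/x',
  '\\\\evil.example',
  '/\\evil.example',
  'https://app.example.evil.example/',
  'javascript:alert(1)',
  'https://accounts.example/login',
];

// Evaluate every probe against an allow-list of the request origin plus one
// trusted partner origin; returns [probe, decision] pairs.
function runProbes(origin = 'https://app.example') {
  return PROBES.map((p) => [p, safeRedirectTarget(p, origin, [origin, 'https://accounts.example'])]);
}
```

Note that the check happens after URL parsing and before the response is built, so the value later passed to res.redirect is already an absolute URL on an allowed origin; nothing the encoding step does afterwards can turn it into a different host.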

v4.18.3

Compare Source

==========

  • Fix routing requests without method
  • deps: body-parser@​1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@​2.5.2
  • deps: cookie@​0.6.0
    • Add partitioned option

v4.18.2

Compare Source

===================

  • Fix regression routing a large stack in a single route
  • deps: body-parser@​1.20.1
    • deps: qs@​6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@​6.11.0

v4.18.1

Compare Source

===================

  • Fix hanging on large stack of sync routes

v4.18.0

Compare Source

===================

  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get
  • Invoke default with same arguments as types in res.format
  • Support proper 205 responses using res.send
  • Use http-errors for res.format error
  • deps: body-parser@​1.20.0
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: depd@​2.0.0
    • deps: http-errors@​2.0.0
    • deps: on-finished@​2.4.1
    • deps: qs@​6.10.3
    • deps: raw-body@​2.5.1
  • deps: cookie@​0.5.0
    • Add priority option
    • Fix expires option to reject invalid dates
  • deps: depd@​2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: finalhandler@​1.2.0
    • Remove set content headers that break response
    • deps: on-finished@​2.4.1
    • deps: statuses@​2.0.1
  • deps: on-finished@​2.4.1
    • Prevent loss of async hooks context
  • deps: qs@​6.10.3
  • deps: send@​0.18.0
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: depd@​2.0.0
    • deps: destroy@​1.2.0
    • deps: http-errors@​2.0.0
    • deps: on-finished@​2.4.1
    • deps: statuses@​2.0.1
  • deps: serve-static@​1.15.0
    • deps: send@​0.18.0
  • deps: statuses@​2.0.1
    • Remove code 306
    • Rename 425 Unordered Collection to standard 425 Too Early

v4.17.3

Compare Source

===================

  • deps: accepts@~1.3.8
    • deps: mime-types@~2.1.34
    • deps: negotiator@​0.6.3
  • deps: body-parser@​1.19.2
    • deps: bytes@​3.1.2
    • deps: qs@​6.9.7
    • deps: raw-body@​2.4.3
  • deps: cookie@​0.4.2
  • deps: qs@​6.9.7
    • Fix handling of __proto__ keys
  • perf: remove unnecessary regexp for trust proxy

v4.17.2

Compare Source

===================

  • Fix handling of undefined in res.jsonp
  • Fix handling of undefined when "json escape" is enabled
  • Fix incorrect middleware execution with unanchored RegExps
  • Fix res.jsonp(obj, status) deprecation message
  • Fix typo in res.is JSDoc
  • deps: body-parser@​1.19.1
    • deps: bytes@​3.1.1
    • deps: http-errors@​1.8.1
    • deps: qs@​6.9.6
    • deps: raw-body@​2.4.2
    • deps: safe-buffer@​5.2.1
    • deps: type-is@~1.6.18
  • deps: content

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

@mend-for-github-com (author)

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 7a23f3c to 4d6faa8 on January 25, 2025 01:26

@jit-ci jit-ci bot left a comment


❌ Jit has detected 6 important findings in this PR that you should review.
The findings are detailed below as separate comments.
It’s highly recommended that you fix these security issues before merge.

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",
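Review bot: the mongoose change in this hunk (4.2.4 to 4.13.21) stays on the 4.x line, which is all a minor-and-patch update can do, but the three findings posted against these same lines below (Deserialization of Untrusted Data in bson, Prototype Pollution in async, Prototype pollution via Schema.path) are still reported at 4.13.21 and Jit's suggestion for each is 8.9.5, a major bump that belongs in its own PR; treat this hunk as not clearing them. The bot's own comment above also reports that the package-lock.json artifact could not be updated, so the lockfile will not match these pins until it is regenerated.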

Security control: Software Component Analysis Js

Deserialization of Untrusted Data in bson

mongoose>bson

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.9.5",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Deserialization of Untrusted Data in bson" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

package.json (outdated diff)
"jquery": "^2.2.4",
"lodash": "4.17.4",
"marked": "0.3.5",
"lodash": "4.17.21",
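Review bot: this lodash bump (4.17.4 to 4.17.21) only moves the direct pin; the ReDoS finding posted below lists three more paths to lodash (mongoose>async>lodash, snyk>@snyk/dep-graph>graphlib>lodash, tap>nyc>istanbul-lib-instrument>babel-generator>lodash) that this line cannot change, and with the package-lock.json update reported as failed above, even the direct dependency is not guaranteed to resolve to 4.17.21 until the lockfile is regenerated. Run `npm ls lodash` on the rebased branch before treating the finding as closed.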

Security control: Software Component Analysis Js

Regular Expression Denial of Service (ReDoS) in lodash

Paths from library to vulnerable dependencies:

  • lodash
  • mongoose>async>lodash
  • snyk>@snyk/dep-graph>graphlib>lodash
  • tap>nyc>istanbul-lib-instrument>babel-generator>lodash

Severity: CRITICAL

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Regular Expression Denial of Service (ReDoS) in lodash" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Prototype Pollution In Async

Paths from library to vulnerable dependencies:

  • mongoose>async
  • snyk>snyk-config>nconf>async
  • tap>nyc>istanbul-reports>handlebars>async

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.9.5",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Prototype Pollution in async" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command
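The bug class this finding names, shown in general terms as an added example that is not the page's, Jit's or the async project's code and does not reproduce async's actual issue: a naive recursive merge that follows a `__proto__` key down onto `Object.prototype`, beside a hardened merge that only copies own keys, refuses the prototype-reaching names and builds nested containers with a null prototype. The request payload is constructed for the example.

```javascript
// Added example: prototype pollution through a recursive merge, in general
// terms. This is NOT the bug in the async package; it is a minimal
// illustration of the bug class the finding names.

// Vulnerable: walks into every nested object key, including "__proto__".
// Reading target["__proto__"] goes through the accessor and returns
// Object.prototype, so the keys under it land on every object in the process.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: only own enumerable keys, never the prototype-reaching ones, and
// nested containers are created with a null prototype so there is no
// Object.prototype to reach from them either.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, shaped like a JSON body an HTTP handler might
// merge into a settings object. JSON.parse keeps "__proto__" as an own key.
const CONSTRUCTED_PAYLOAD = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "x"}');

// Run one merge against a throwaway target and report whether an unrelated,
// freshly created object picked up the injected property. Object.prototype
// is cleaned afterwards so later code in the process is not affected.
function pollutionCheck(mergeFn) {
  const before = ({}).isAdmin;
  const merged = mergeFn({}, CONSTRUCTED_PAYLOAD);
  const after = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  return { before, after, polluted: after === true, name: merged.name };
}

console.log('naiveMerge:', pollutionCheck(naiveMerge));
console.log('safeMerge: ', pollutionCheck(safeMerge));
```

The check to carry over to real code is the one `safeMerge` makes at the top of the loop: any routine that writes caller-controlled keys into an object it did not create (merge, extend, set-by-path, query parsing) needs the same refusal of `__proto__`, `constructor` and `prototype`, or it is a pollution sink regardless of which library it lives in.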

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

automattic/mongoose vulnerable to Prototype pollution via Schema.path

mongoose

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.9.5",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "automattic/mongoose vulnerable to Prototype pollution via Schema.path" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Denial of Service in mongodb

mongoose>mongodb

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.9.5",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Denial of Service in mongodb" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

package.json Outdated
"lodash": "4.17.4",
"marked": "0.3.5",
"lodash": "4.17.21",
"marked": "0.8.2",

Security control: Software Component Analysis Js

Inefficient Regular Expression Complexity in marked

marked

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"marked": "0.8.2",
"marked": "15.0.6",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Inefficient Regular Expression Complexity in marked" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 4d6faa8 to 92f8f1b Compare January 29, 2025 14:16
@jit-ci jit-ci bot left a comment

❌ Jit has detected 5 important findings in this PR that you should review.
The findings are detailed as separate comments.
It’s highly recommended that you fix these security issues before merge.

Until now, you ignored/fixed 6 findings.

package.json Outdated
"humanize-ms": "1.0.1",
"jquery": "^2.2.4",
"lodash": "4.17.4",
"lodash": "4.17.21",

Security control: Software Component Analysis Js

Regular Expression Denial of Service (ReDoS) in lodash

Paths from library to vulnerable dependencies:

  • lodash
  • mongoose>async>lodash
  • tap>nyc>istanbul-lib-instrument>babel-generator>lodash

Severity: CRITICAL

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Regular Expression Denial of Service (ReDoS) in lodash" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Deserialization of Untrusted Data in bson

mongoose>bson

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.9.5",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Deserialization of Untrusted Data in bson" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Prototype Pollution in async

Paths from library to vulnerable dependencies:

  • mongoose>async
  • tap>nyc>istanbul-reports>handlebars>async

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.9.5",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Prototype Pollution in async" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Denial of Service in mongodb

mongoose>mongodb

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.9.5",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Denial of Service in mongodb" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

automattic/mongoose vulnerable to Prototype pollution via Schema.path

mongoose

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.9.5",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "automattic/mongoose vulnerable to Prototype pollution via Schema.path" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 92f8f1b to bb64f6e Compare January 31, 2025 09:24
@jit-ci jit-ci bot left a comment

❌ Jit has detected 6 important findings in this PR that you should review.
The findings are detailed as separate comments.
It’s highly recommended that you fix these security issues before merge.

Until now, you ignored/fixed 11 findings.

package.json Outdated
"lodash": "4.17.4",
"marked": "0.3.5",
"lodash": "4.17.21",
"marked": "0.8.2",

Security control: Software Component Analysis Js

Inefficient Regular Expression Complexity in marked

marked

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"marked": "0.8.2",
"marked": "15.0.6",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Inefficient Regular Expression Complexity in marked" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

package.json Outdated
"jquery": "^2.2.4",
"lodash": "4.17.4",
"marked": "0.3.5",
"lodash": "4.17.21",

Security control: Software Component Analysis Js

Regular Expression Denial of Service (ReDoS) in lodash

Paths from library to vulnerable dependencies:

  • lodash
  • mongoose>async>lodash
  • tap>nyc>istanbul-lib-instrument>babel-generator>lodash

Severity: CRITICAL

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Regular Expression Denial of Service (ReDoS) in lodash" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Deserialization of Untrusted Data in bson

mongoose>bson

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.9.5",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Deserialization of Untrusted Data in bson" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

automattic/mongoose vulnerable to Prototype pollution via Schema.path

mongoose

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.9.5",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "automattic/mongoose vulnerable to Prototype pollution via Schema.path" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Denial of Service in mongodb

mongoose>mongodb

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.9.5",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Denial of Service in mongodb" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Prototype Pollution in async

Paths from library to vulnerable dependencies:

  • mongoose>async
  • tap>nyc>istanbul-reports>handlebars>async

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.9.5",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Prototype Pollution in async" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from bb64f6e to d9d4cc1 Compare February 16, 2025 02:05
@jit-ci jit-ci bot left a comment

❌ Jit has detected 5 important findings in this PR that you should review.
The findings are detailed as separate comments.
It’s highly recommended that you fix these security issues before merge.

Until now, you ignored/fixed 17 findings.

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

automattic/mongoose vulnerable to Prototype pollution via Schema.path

mongoose

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.10.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "automattic/mongoose vulnerable to Prototype pollution via Schema.path" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

package.json Outdated
"humanize-ms": "1.0.1",
"jquery": "^2.2.4",
"lodash": "4.17.4",
"lodash": "4.17.21",

Security control: Software Component Analysis Js

Regular Expression Denial of Service (ReDoS) in lodash

Paths from library to vulnerable dependencies:

  • lodash
  • mongoose>async>lodash
  • tap>nyc>istanbul-lib-instrument>babel-generator>lodash

Severity: CRITICAL

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Regular Expression Denial of Service (ReDoS) in lodash" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Prototype Pollution in async

Paths from library to vulnerable dependencies:

  • mongoose>async
  • tap>nyc>istanbul-reports>handlebars>async

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.10.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Prototype Pollution in async" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Denial of Service in mongodb

mongoose>mongodb

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.10.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Denial of Service in mongodb" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Deserialization of Untrusted Data in bson

mongoose>bson

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.10.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Deserialization of Untrusted Data in bson" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from d9d4cc1 to c29cb81 Compare March 3, 2025 13:19
@jit-ci jit-ci bot left a comment

❌ Jit has detected 5 important findings in this PR that you should review.
The findings are detailed as separate comments.
It’s highly recommended that you fix these security issues before merge.

Until now, you ignored/fixed 22 findings.

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Prototype Pollution in async

Paths from library to vulnerable dependencies:

  • mongoose>async
  • tap>nyc>istanbul-reports>handlebars>async

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.11.0",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Prototype Pollution in async" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

package.json Outdated
"humanize-ms": "1.0.1",
"jquery": "^2.2.4",
"lodash": "4.17.4",
"lodash": "4.17.21",
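Review bot: this hunk moves the direct lodash pin from 4.17.4 to 4.17.21, yet the ReDoS finding attached to it still lists lodash itself as a path alongside mongoose>async>lodash and tap>nyc>istanbul-lib-instrument>babel-generator>lodash, and unlike the mongoose findings it comes with no fix suggestion. Before treating the direct bump as the fix, check which lodash versions the lockfile actually resolves (npm ls lodash) so the transitive copies pulled in through async and babel-generator are not mistaken for the direct dependency; those copies are fixed by updating their parents, not by this line.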

Security control: Software Component Analysis Js

Regular Expression Denial of Service (ReDoS) in lodash

Paths from library to vulnerable dependencies:

  • lodash
  • mongoose>async>lodash
  • tap>nyc>istanbul-lib-instrument>babel-generator>lodash

Severity: CRITICAL

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Regular Expression Denial of Service (ReDoS) in lodash" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

automattic/mongoose vulnerable to Prototype pollution via Schema.path

mongoose

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.11.0",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "automattic/mongoose vulnerable to Prototype pollution via Schema.path" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Deserialization of Untrusted Data in bson

mongoose>bson

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.11.0",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Deserialization of Untrusted Data in bson" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Denial of Service in mongodb

mongoose>mongodb

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.11.0",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Denial of Service in mongodb" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from c29cb81 to 2d750dc Compare March 18, 2025 11:43

@jit-ci jit-ci bot left a comment

❌ Jit has detected 5 important findings in this PR that you should review.
The findings are detailed as separate comments.
It’s highly recommended that you fix these security issues before merge.

Until now, you ignored/fixed 27 findings.

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Prototype Pollution in async

Paths from library to vulnerable dependencies:

  • mongoose>async
  • tap>nyc>istanbul-reports>handlebars>async

Severity: HIGH

Learn more about this issue


Fix suggestion:

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.12.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Prototype Pollution in async" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

package.json Outdated
"humanize-ms": "1.0.1",
"jquery": "^2.2.4",
"lodash": "4.17.4",
"lodash": "4.17.21",

Security control: Software Component Analysis Js

Regular Expression Denial of Service (ReDoS) in lodash

Paths from library to vulnerable dependencies:

  • lodash
  • mongoose>async>lodash
  • tap>nyc>istanbul-lib-instrument>babel-generator>lodash

Severity: CRITICAL

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Regular Expression Denial of Service (ReDoS) in lodash" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

automattic/mongoose vulnerable to Prototype pollution via Schema.path

mongoose

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.12.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "automattic/mongoose vulnerable to Prototype pollution via Schema.path" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Denial of Service in mongodb

mongoose>mongodb

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.12.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Denial of Service in mongodb" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Deserialization of Untrusted Data in bson

mongoose>bson

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.12.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Deserialization of Untrusted Data in bson" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 2d750dc to 1f7a6e2 Compare March 29, 2025 22:20

@jit-ci jit-ci bot left a comment

❌ Jit has detected 6 important findings in this PR that you should review.
The findings are detailed as separate comments.
It’s highly recommended that you fix these security issues before merge.

Until now, you ignored/fixed 32 findings.

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Deserialization of Untrusted Data in bson

mongoose>bson

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.13.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Deserialization of Untrusted Data in bson" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Prototype Pollution in async

Paths from library to vulnerable dependencies:

  • mongoose>async
  • snyk>snyk-config>nconf>async
  • tap>nyc>istanbul-reports>handlebars>async

Severity: HIGH

Learn more about this issue


Fix suggestion:

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.13.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Prototype Pollution in async" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

automattic/mongoose vulnerable to Prototype pollution via Schema.path

mongoose

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.13.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "automattic/mongoose vulnerable to Prototype pollution via Schema.path" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"moment": "2.15.1",
"mongoose": "4.2.4",
"moment": "2.30.1",
"mongoose": "4.13.21",

Security control: Software Component Analysis Js

Denial of Service in mongodb

mongoose>mongodb

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

Suggested change
"mongoose": "4.13.21",
"mongoose": "8.13.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Denial of Service in mongodb" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

package.json Outdated
"lodash": "4.17.4",
"marked": "0.3.5",
"lodash": "4.17.21",
"marked": "0.8.2",
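Review bot: the marked bump in this hunk stops at 0.8.2, and the HIGH finding attached to it (Inefficient Regular Expression Complexity in marked) is reported against that version, with 15.0.7 offered as the fix. That is a major-version jump this minor-and-patch PR cannot carry, so do not treat this line as a remediation: note in the PR description that 0.8.2 leaves the regular-expression complexity finding open and schedule the major upgrade, with its own testing, separately.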

Security control: Software Component Analysis Js

Inefficient Regular Expression Complexity in marked

marked

Severity: HIGH

Learn more about this issue


Fix suggestion:

Suggested change
"marked": "0.8.2",
"marked": "15.0.7",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Inefficient Regular Expression Complexity in marked" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

package.json Outdated
"jquery": "^2.2.4",
"lodash": "4.17.4",
"marked": "0.3.5",
"lodash": "4.17.21",

Security control: Software Component Analysis Js

Regular Expression Denial of Service (ReDoS) in lodash

Paths from library to vulnerable dependencies:

  • lodash
  • mongoose>async>lodash
  • snyk>@snyk/dep-graph>graphlib>lodash
  • tap>nyc>istanbul-lib-instrument>babel-generator>lodash

Severity: CRITICAL

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Regular Expression Denial of Service (ReDoS) in lodash" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 1f7a6e2 to 98588e1 Compare March 31, 2025 20:18
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 98588e1 to 96e6a76 Compare April 13, 2025 12:19
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 2 times, most recently from 9b0a399 to d191fe5 Compare April 22, 2025 12:49
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 2 times, most recently from 7b49252 to ae5679b Compare May 24, 2025 14:47
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from ae5679b to ca6c70a Compare May 30, 2025 15:32
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 2 times, most recently from dea6e4d to eb43923 Compare July 2, 2025 14:41
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from eb43923 to 86b8923 Compare August 9, 2025 18:04
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 86b8923 to d80f725 Compare August 23, 2025 21:56
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from d80f725 to e740632 Compare September 11, 2025 18:56
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from e740632 to a6b0cbc Compare September 29, 2025 10:53
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from a6b0cbc to f4108b4 Compare October 14, 2025 11:59
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from f4108b4 to 27f7d24 Compare October 26, 2025 21:23
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 2 times, most recently from d998bbb to 2541667 Compare November 3, 2025 11:14
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 2 times, most recently from 3c30335 to 99034c2 Compare November 28, 2025 07:42
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 2 times, most recently from 4afcf0f to eda6137 Compare December 8, 2025 10:09
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 3 times, most recently from 82990df to 9d13ef0 Compare December 20, 2025 22:31
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 3 times, most recently from 3f71403 to 0c7b772 Compare December 29, 2025 12:41
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 0c7b772 to b227fb9 Compare January 3, 2026 22:03
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from b227fb9 to d1a3085 Compare January 19, 2026 05:12
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from d1a3085 to 7bc2f73 Compare January 27, 2026 13:37
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch 2 times, most recently from 20e9933 to 7f7ef38 Compare February 28, 2026 12:36
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 7f7ef38 to bb96741 Compare March 2, 2026 13:37
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from bb96741 to c9efd79 Compare March 20, 2026 14:06
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from c9efd79 to 88c6374 Compare April 7, 2026 14:02