Express 4.x changelog

4.19.2 (2024-03-25)

• Improved fix for open redirect allow list bypass

4.19.1 (2024-03-20)

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 (2024-03-20)

• Prevent open redirect allow list bypass due to encodeurl
• deps: cookie@0.6.0

4.18.3 (2024-02-29)

The 4.18.3 patch release includes the following bug fix:

• Fix routing requests without method. (commit)

For a complete list of changes in this release, see History.md

4.18.2 (2022-10-08)

The 4.18.2 patch release includes the following bug fix:

• Fix regression routing a large stack in a single route. (commit)

For a complete list of changes in this release, see History.md

4.18.1 (2022-04-29)

The 4.18.1 patch release includes the following bug fix:

• Fix the condition where if an Express application is created with a very large stack of routes, and all of those routes are sync (call next() synchronously), then the request processing may hang.

For a complete list of changes in this release, see History.md.

4.18.0 (2022-04-25)

The 4.18.0 minor release includes bug fixes and some new features, including:

• The app.get() method and the app.set() method now ignores properties directly on Object.prototype when getting a setting value.

• The res.cookie() method now accepts a “priority” option to set the Priority attribute on the Set-Cookie response header.

• The res.cookie() method now rejects an Invalid Date object provided as the “expires” option.

• The res.cookie() method now works when null or undefined is explicitly provided as the “maxAge” argument.

• Starting with this version, Express supports Node.js 18.x.

• The res.download() method now accepts a “root” option to match res.sendFile().

• The res.download() method can be supplied with an options object without providing a filename argument, simplifying calls when the default filename is desired.

• The res.format() method now invokes the provided “default” handler with the same arguments as the type handlers (req, res, and next).

• The res.send() method will not attempt to send a response body when the response code is set to 205.

• The default error handler will now remove certain response headers that will break the error response rendering, if they were set previously.

• The status code 425 is now represented as the standard “Too Early” instead of “Unordered Collection”.

For a complete list of changes in this release, see History.md.

4.17.3 (2022-02-16)

The 4.17.3 patch release includes one bug fix:

• Update to qs module for a fix around parsing __proto__ properties.

For a complete list of changes in this release, see History.md.

4.17.2 (2021-12-16)

The 4.17.2 patch release includes the following bug fixes:

• Fix handling of undefined in res.jsonp when a callback is provided.

• Fix handling of undefined in res.json and res.jsonp when "json escape" is enabled.

• Fix handling of invalid values to the maxAge option of res.cookie().

• Update to jshttp/proxy-addr module to use req.socket over deprecated req.connection.

• Starting with this version, Express supports Node.js 14.x.

For a complete list of changes in this release, see History.md.

4.17.1 (2019-05-25)

The 4.17.1 patch release includes one bug fix:

• The change to the res.status() API has been reverted due to causing regressions in existing Express 4 applications.

For a complete list of changes in this release, see History.md.

4.17.0 (2019-05-16)

The 4.17.0 minor release includes bug fixes and some new features, including:

• The express.raw() and express.text() middleware have been added to provide request body parsing for more raw request payloads. This uses the expressjs/body-parser module module underneath, so apps that are currently requiring the module separately can switch to the built-in parsers.

• The res.cookie() API now supports the "none" value for the sameSite option.

• When the "trust proxy" setting is enabled, the req.hostname now supports multiple X-Forwarded-For headers in a request.

• Starting with this version, Express supports Node.js 10.x and 12.x.

• The res.sendFile() API now provides and more immediate and easier to understand error when a non-string is passed as the path argument.

• The res.status() API now provides and more immediate and easier to understand error when null or undefined is passed as the argument.

For a complete list of changes in this release, see History.md.

4.16.4 (2018-10-10)

The 4.16.4 patch release includes various bug fixes:

• Fix issue where "Request aborted" may be logged in res.sendfile.

For a complete list of changes in this release, see History.md.

4.16.3 (2018-03-12)

The 4.16.3 patch release includes various bug fixes:

• Fix issue where a plain % at the end of the url in the res.location method or the res.redirect method would not get encoded as %25.

• Fix issue where a blank req.url value can result in a thrown error within the default 404 handling.

• Fix the generated HTML document for express.static redirect responses to properly include </html>.

For a complete list of changes in this release, see History.md.

4.16.2 (2017-10-09)

The 4.16.2 patch release includes a regression bug fix:

• Fix a TypeError that can occur in the res.send method when a Buffer is passed to res.send and the ETag header is already set on the response.

For a complete list of changes in this release, see History.md.

4.16.1 (2017-09-29)

The 4.16.1 patch release includes a regression bug fix:

• Update to pillarjs/send module to fix an edge case scenario regression that affected certain users of express.static.

For a complete list of changes in this release, see History.md.

4.16.0 (2017-09-28)

The 4.16.0 minor release includes security updates, bug fixes, performance enhancements, and some new features, including:

• Update to jshttp/forwarded module to address a vulnerability. This may affect your application if the following APIs are used: req.host, req.hostname, req.ip, req.ips, req.protocol.

• Update a dependency of the pillarjs/send module to address a vulnerability in the mime dependency. This may affect your application if untrusted string input is passed to the following APIs: res.type().

• The pillarjs/send module has implemented a protection against the Node.js 8.5.0 vulnerability. Using any prior version of Express with Node.js 8.5.0 (that specific Node.js version) will make the following APIs vulnerable: express.static, res.sendfile, and res.sendFile.

• Starting with this version, Express supports Node.js 8.x.

• The new setting "json escape" can be enabled to escape characters in res.json(), res.jsonp() and res.send() responses that can trigger clients to sniff the response as HTML instead of honoring the Content-Type. This can help protect an Express app from a class of persistent XSS-based attacks.

• The res.download() method now accepts an optional options object.

• The express.json() and express.urlencoded() middleware have been added to provide request body parsing support out-of-the-box. This uses the expressjs/body-parser module module underneath, so apps that are currently requiring the module separately can switch to the built-in parsers.

• The express.static() middleware and res.sendFile() method now support setting the immutable directive on the Cache-Control header. Setting this header with an appropriate maxAge will prevent supporting web browsers from sending any request to the server when the file is still in their cache.

• The pillarjs/send module has an updated list of MIME types to better set the Content-Type of more files. There are 70 new types for file extensions.

For a complete list of changes in this release, see History.md.

4.15.5 (2017-09-24)

The 4.15.5 patch release includes security updates, some minor performance enhancements, and a bug fix:

• Update to debug module to address a vulnerability, but this issue does not impact Express.

• Update to jshttp/fresh module to address a vulnerability. This will affect your application if the following APIs are used: express.static, req.fresh, res.json, res.jsonp, res.send, res.sendfile res.sendFile, res.sendStatus.

• Update to jshttp/fresh module fixes handling of modified headers with invalid dates and makes parsing conditional headers (like If-None-Match) faster.

For a complete list of changes in this release, see History.md.

4.15.4 (2017-08-06)

The 4.15.4 patch release includes some minor bug fixes:

• Fix array being set for "trust proxy" value being manipulated in certain conditions.

For a complete list of changes in this release, see History.md.

4.15.3 (2017-05-16)

The 4.15.3 patch release includes a security update and some minor bug fixes:

• Update a dependency of the pillarjs/send module to address a vulnerability. This may affect your application if untrusted string input is passed to the maxAge option in the following APIs: express.static, res.sendfile, and res.sendFile.

• Fix error when res.set cannot add charset to Content-Type.

• Fix missing </html> in HTML document.

For a complete list of changes in this release, see History.md.

4.15.2 (2017-03-06)

The 4.15.2 patch release includes a minor bug fix:

• Fix regression parsing keys starting with [ in the extended (default) query parser.

For a complete list of changes in this release, see History.md.

4.15.1 (2017-03-05)

The 4.15.1 patch release includes a minor bug fix:

• Fix compatibility issue when using the datejs 1.x library where the express.static() middleware and res.sendFile() method would incorrectly respond with 412 Precondition Failed.

For a complete list of changes in this release, see History.md.

4.15.0 (2017-03-01)

The 4.15.0 minor release includes bug fixes, performance improvements, and other minor feature additions, including:

• Starting with this version, Express supports Node.js 7.x.

• The express.static() middleware and res.sendFile() method now support the If-Match and If-Unmodified-Since request headers.

• Update to jshttp/etag module to generate the default ETags for responses which work when Node.js has FIPS-compliant crypto enabled.

• Various auto-generated HTML responses like the default not found and error handlers will respond with complete HTML 5 documents and additional security headers.

For a complete list of changes in this release, see History.md.

4.14.1 (2017-01-28)

The 4.14.1 patch release includes bug fixes and performance improvements, including:

• Update to pillarjs/finalhandler module fixes an exception when Express handles an Error object which has a headers property that is not an object.

For a complete list of changes in this release, see History.md.

4.14.0 (2016-06-16)

The 4.14.0 minor release includes bug fixes, security update, performance improvements, and other minor feature additions, including:

• Starting with this version, Express supports Node.js 6.x.

• Update to jshttp/negotiator module fixes a regular expression denial of service vulnerability.

• The res.sendFile() method now accepts two new options: acceptRanges and cacheControl.

  • acceptRanges (defaut is true), enables or disables accepting ranged requests. When disabled, the response does not send the Accept-Ranges header and ignores the contents of the Range request header.

  • cacheControl, (default is true), enables or disables the Cache-Control response header. Disabling it will ignore the maxAge option.

  • res.sendFile has also been updated to handle Range header and redirections better.

• The res.location() method and res.redirect() method will now URL-encode the URL string, if it is not already encoded.

• The performance of the res.json() method and res.jsonp() method have been improved in the common cases.

• The jshttp/cookie module (in addition to a number of other improvements) has been updated and now the res.cookie() method supports the sameSite option to let you specify the SameSite cookie attribute. NOTE: This attribute has not yet been fully standardized, may change in the future, and many clients may ignore it.

  The possible value for the sameSite option are:

  • true, which sets the SameSite attribute to Strict for strict same site enforcement.
  • false, which does not set the SameSite attribute.
  • 'lax', which sets the SameSite attribute to Lax for lax same site enforcement.
  • 'strict', which sets the SameSite attribute to Strict for strict same site enforcement.

• Absolute path checking on Windows, which was incorrect for some cases, has been fixed.

• IP address resolution with proxies has been greatly improved.

• The req.range() method options object now supports a combine option (false by default), which when true, combines overlapping and adjacent ranges and returns them as if they were specified that way in the header.

For a complete list of changes in this release, see History.md.