-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Snyk] Upgrade express from 4.21.1 to 5.0.0 #2
base: main
Are you sure you want to change the base?
[Snyk] Upgrade express from 4.21.1 to 5.0.0 #2
Conversation
Snyk has created this PR to upgrade express from 4.21.1 to 5.0.0. See this package in npm: express See this project in Snyk: https://app.snyk.io/org/nerds-github/project/d8cc6035-006d-47b3-ad95-120e92094ace?utm_source=github&utm_medium=referral&page=upgrade-pr
🧙 Sourcery has finished reviewing your pull request! Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
Hey @nerds-github, here is an example of how you can ask me to improve this pull request: @Sweep Add unit tests for `res.clearCookie()` to verify that `maxAge` and `expires` options are properly ignored in Express 5, since this was changed in the upgrade. 📖 For more information on how to use Sweep, please read our documentation. |
1 similar comment
Hey @nerds-github, here is an example of how you can ask me to improve this pull request: @Sweep Add unit tests for `res.clearCookie()` to verify that `maxAge` and `expires` options are properly ignored in Express 5, since this was changed in the upgrade. 📖 For more information on how to use Sweep, please read our documentation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have skipped reviewing this pull request. Here's why:
- It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
- We don't review packaging changes - Let us know if you'd like us to change this.
Snyk has created this PR to upgrade express from 4.21.1 to 5.0.0.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 12 versions ahead of your current version.
The recommended version was released on 2 months ago.
Release notes
Package name: express
Express v5.0.0
🎉 Express v5 is finally here! 🎉
After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.
For detailed information, please check out the official Express v5 release blog post.
Most relevant details
Major Changes in v5
[email protected]
, removing sub-expression regex patterns for security reasons (ReDoS mitigation).body-parser
changes: Several improvements including the ability to customizeurlencoded
body depth and defaultingextended
tofalse
.For a complete list of breaking changes and API deprecations, see the migration guide.
Security Updates
This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.
Migration
Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.
Security Guidance
For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.
What's Changed
http-errors
,expressjs.com
,morgan
,cors
,body-parser
by @ jonchurch in #5587res.clearCookie
acceptingoptions.maxAge
andoptions.expires
by @ jonchurch in #5672expires
andmaxAge
inres.clearCookie()
by @ jonchurch in #5792debug
dep from 3.10 to 4.3.6 by @ carpasse in #5829question
anddiscuss
by @ IamLizu in #5835merge-descriptors
with allowing minors by @ RobinTail in #5782merge-descriptors
dependency by @ RobinTail in #5781fresh@^2.0.0
by @ jonchurch in #5916back
as a magic string by @ blakeembrey in #5933New Contributors
Full Changelog: v5.0.0-beta.3...v5.0.0
Full Changelog: 5.0.0-beta.2...v5.0.0-beta.3
What's Changed
obj
as the context by @ shesek in #3587maxAge
appropriateness before use by @ cjbarth in #3936