Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency express to v4.20.0 [security] #1294

Closed
wants to merge 1 commit into from
Closed

fix(deps): update dependency express to v4.20.0 [security] #1294

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 21, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
express (source) 4.19.2 -> 4.20.0 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-43796

Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code

Patches

this issue is patched in express 4.20.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

  1. The attacker MUST control the input to response.redirect()
  2. express MUST NOT redirect before the template appears
  3. the browser MUST NOT complete redirection before:
  4. the user MUST click on the link in the template

Release Notes

expressjs/express (express)

v4.20.0

Compare Source

==========

  • deps: [email protected]
    • Remove link renderization in html while redirecting
  • deps: [email protected]
    • Remove link renderization in html while redirecting
  • deps: [email protected]
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: [email protected]
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner September 21, 2024 06:50
@renovate renovate bot added the renovate label Sep 21, 2024
@renovate renovate bot enabled auto-merge (rebase) September 21, 2024 06:50
renovate-approve[bot]
renovate-approve bot previously approved these changes Sep 21, 2024
View reviewed changes
renovate-approve-2[bot]
renovate-approve-2 bot previously approved these changes Sep 21, 2024
View reviewed changes
@socket-security Socket Security
Copy link

socket-security bot commented Sep 21, 2024
edited
Loading

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/[email protected] 🔁 npm/[email protected] Transitive: eval, unsafe +70 2.47 MB ulisesgascon

View full report↗︎

@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from df8fd74 to 3617933 Compare November 13, 2024 18:51
renovate-approve-2[bot]
renovate-approve-2 bot previously approved these changes Nov 13, 2024
View reviewed changes
renovate-approve[bot]
renovate-approve bot previously approved these changes Nov 13, 2024
View reviewed changes
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 3617933 to 26aefe7 Compare November 13, 2024 18:54
@renovate renovate bot changed the title fix(deps): update dependency express to v4.20.0 [security] fix(deps): update dependency express to v4.20.0 [security] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
auto-merge was automatically disabled December 8, 2024 18:43

Pull request was closed

@renovate renovate bot deleted the renovate/npm-express-vulnerability branch December 8, 2024 18:43
@renovate renovate bot changed the title fix(deps): update dependency express to v4.20.0 [security] - autoclosed fix(deps): update dependency express to v4.20.0 [security] Dec 8, 2024
@renovate renovate bot reopened this Dec 8, 2024
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from ca7c011 to 26aefe7 Compare December 8, 2024 22:50
@renovate renovate bot enabled auto-merge (squash) December 9, 2024 01:48
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 26aefe7 to 7f0ef1c Compare December 18, 2024 19:06
renovate-approve[bot]
renovate-approve bot previously approved these changes Dec 18, 2024
View reviewed changes
renovate-approve-2[bot]
renovate-approve-2 bot previously approved these changes Dec 18, 2024
View reviewed changes
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 7f0ef1c to 892b796 Compare December 19, 2024 14:17
renovate-approve-2[bot]
renovate-approve-2 bot previously approved these changes Dec 19, 2024
View reviewed changes
renovate-approve[bot]
renovate-approve bot previously approved these changes Dec 19, 2024
View reviewed changes
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 5 times, most recently from 2074d95 to e48f58e Compare December 23, 2024 19:43
@Nirajn2311 Nirajn2311 dismissed stale reviews from renovate-approve[bot] and renovate-approve-2[bot] December 23, 2024 19:46

The merge-base changed after approval.

@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from e48f58e to 330ca6b Compare December 23, 2024 19:46
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 330ca6b to 94a7fb2 Compare January 8, 2025 16:25
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 94a7fb2 to aae006f Compare January 22, 2025 18:34
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from aae006f to ffd1ea2 Compare January 30, 2025 12:49
@Sembauke Sembauke closed this Jan 30, 2025
auto-merge was automatically disabled January 30, 2025 12:49

Pull request was closed

@renovate Renovate
Copy link
Contributor Author

renovate bot commented Jan 30, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (4.20.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@renovate-approve-2 renovate-approve-2[bot] renovate-approve-2[bot] left review comments

@renovate-approve renovate-approve[bot] renovate-approve[bot] left review comments

Assignees
No one assigned
Labels
renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Sembauke