3.21.x Release Notes
Express NES Changelog
3.21.5 (NES) - October 17, 2024
This release improves the handling of header data and attributes in the response component and updates dependencies to resolve vulnerabilities.
- Response: Improve handling and sanitizing of content used in default HTML from response.redirect()
  - This fixes a Medium Severity XSS vulnerability (CVE-2024-43796)
- Response: Improve handling of cookie attributes used in response.clearCookie()
- Response: Improve handling of Link header attributes used in response.links()
  - This fixes a Medium Severity Resource Injection vulnerability (CVE-2024-10491)
- Dependencies:
  - cookie@0.7.2 to remediate CVE-2024-47764
  - mkdirp@0.5.6 to remediate CVE-2021-44906 and CVE-2020-7598 via minimist@1.2.6 dependency
  - fresh@0.5.2 to remediate CVE-2017-16119
  - debug@2.6.9 to remediate CVE-2017-16137
  - send@0.19.1 to remediate CVE-2017-16138 via mime@1.6.0 dependency
  - ejs@2.5.9 to remediate CVE-2017-1000188, CVE-2018-1000189, and CVE-2018-1000228
  - marked@0.3.19 to remediate CVE-2017-1000427, CVE-2016-10531, and CVE-2017-16114
- Full Version: 3.21.2-express-3.21.5
Breaking Changes:
- None
3.21.4 (NES) - August 23, 2024
This release further improves the handling of URLs when used for setting the "Location" header in the response component.
- Response: Improve handling of path strings and relative URLs used when setting the "Location" header for redirects
  - This fixes a Medium Severity XSS vulnerability (CVE-2024-9266)
- Full Version: 3.21.2-express-3.21.4
Breaking Changes:
- None
3.21.3 (NES) - August 23, 2024
- This is the initial base release of Express 3.21.x NES. This release contains no functional changes from Express 3.21.2.
- Full Version: 3.21.2-express-3.21.3
Breaking Changes:
- None