From 0b746953c4bd8e377123527db11f9cd866e39f94 Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Thu, 21 Mar 2024 12:13:56 -0500 Subject: [PATCH 01/52] Improved fix for open redirect allow list bypass Co-authored-by: Jon Church Co-authored-by: Blake Embrey --- History.md | 5 + lib/response.js | 31 ++--- test/res.location.js | 307 +++++++++++++++++++++++++++++++++++++------ 3 files changed, 280 insertions(+), 63 deletions(-) diff --git a/History.md b/History.md index c4cdd94dac..f62574a7ee 100644 --- a/History.md +++ b/History.md @@ -1,3 +1,8 @@ +unreleased +========== + + * Improved fix for open redirect allow list bypass + 4.19.1 / 2024-03-20 ========== diff --git a/lib/response.js b/lib/response.js index 6fddbf3516..dd7b3c8201 100644 --- a/lib/response.js +++ b/lib/response.js @@ -34,7 +34,6 @@ var extname = path.extname; var mime = send.mime; var resolve = path.resolve; var vary = require('vary'); -var urlParse = require('url').parse; /** * Response prototype. @@ -56,6 +55,7 @@ module.exports = res */ var charsetRegExp = /;\s*charset\s*=/; +var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?]+/; /** * Set status `code`. 
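Review bot: `schemaAndHostRegExp` carries no comment saying what it is allowed to swallow, and its authority class `[^\\\/\?]+` stops at `/`, `\` and `?` but not at `#`, so an input like `http://example.com#a b` has the whole fragment absorbed into the match and emitted unencoded, whereas the previous whole-string `encodeUrl` would have produced `%20` there. That is a behaviour change rather than a host-spoofing issue, since `#` cannot re-open an authority, but it should be deliberate and pinned by a test either way. Suggest a comment above the declaration such as `// Optional scheme plus "//authority", ending at the first "/", "\" or "?"; everything this matches is emitted verbatim (never percent-encoded) so the host a caller's allow-list check saw cannot change.`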
@@ -905,32 +905,23 @@ res.cookie = function (name, value, options) { */ res.location = function location(url) { - var loc = String(url); + var loc; // "back" is an alias for the referrer if (url === 'back') { loc = this.req.get('Referrer') || '/'; + } else { + loc = String(url); } - var lowerLoc = loc.toLowerCase(); - var encodedUrl = encodeUrl(loc); - if (lowerLoc.indexOf('https://') === 0 || lowerLoc.indexOf('http://') === 0) { - try { - var parsedUrl = urlParse(loc); - var parsedEncodedUrl = urlParse(encodedUrl); - // Because this can encode the host, check that we did not change the host - if (parsedUrl.host !== parsedEncodedUrl.host) { - // If the host changes after encodeUrl, return the original url - return this.set('Location', loc); - } - } catch (e) { - // If parse fails, return the original url - return this.set('Location', loc); - } - } + var m = schemaAndHostRegExp.exec(loc); + var pos = m ? m[0].length + 1 : 0; + + // Only encode after host to avoid invalid encoding which can introduce + // vulnerabilities (e.g. `\\` to `%5C`). + loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos)); - // set location - return this.set('Location', encodedUrl); + return this.set('Location', loc); }; /** diff --git a/test/res.location.js b/test/res.location.js index d1bbf4b687..c80b38de6b 100644 --- a/test/res.location.js +++ b/test/res.location.js @@ -2,6 +2,7 @@ var express = require('../') , request = require('supertest') + , assert = require('assert') , url = require('url'); describe('res', function(){ 
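Review bot: The `+ 1` in `var pos = m ? m[0].length + 1 : 0;` is the load-bearing part of this fix and is not explained: it keeps the single character that terminated the authority match (`/`, `\` or `?`) out of the encoded slice, so a `\` there is not rewritten to `%5C` and a downstream parser that treats `\` as a path delimiter still sees the same host as the caller's check did. Suggest making that explicit in the comment: `// pos is one past the delimiter that ended the authority ("/", "\" or "?"); that delimiter must stay raw, because encoding "\" to "%5C" is what moved the authority boundary in the allow-list bypass.` Note also that everything before `pos`, authority included, is now emitted verbatim, so characters the old `encodeUrl(loc)` would have percent-encoded (spaces, control characters) pass through untouched and a raw CR/LF inside the host portion reaches `this.set` unencoded — I would expect current Node to reject that in `setHeader` rather than split the header, but a test with a raw control character in the authority would make the intended behaviour explicit. `schemaAndHostRegExp` is declared outside this hunk.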
@@ -45,49 +46,6 @@ describe('res', function(){ .expect(200, done) }) - it('should not encode bad "url"', function (done) { - var app = express() - - app.use(function (req, res) { - // This is here to show a basic check one might do which - // would pass but then the location header would still be bad - if (url.parse(req.query.q).host !== 'google.com') { - res.status(400).end('Bad url'); - } - res.location(req.query.q).end(); - }); - - request(app) - .get('/?q=http://google.com' + encodeURIComponent('\\@apple.com')) - .expect(200) - .expect('Location', 'http://google.com\\@apple.com') - .end(function (err) { - if (err) { - throw err; - } - - // This ensures that our protocol check is case insensitive - request(app) - .get('/?q=HTTP://google.com' + encodeURIComponent('\\@apple.com')) - .expect(200) - .expect('Location', 'HTTP://google.com\\@apple.com') - .end(done) - }); - }); - - it('should not touch already-encoded sequences in "url"', function (done) { - var app = express() - - app.use(function (req, res) { - res.location('https://google.com?q=%A710').end() - }) - - request(app) - .get('/') - .expect('Location', 'https://google.com?q=%A710') - .expect(200, done) - }) - describe('when url is "back"', function () { it('should set location from "Referer" header', function (done) { var app = express() 
@@ -146,6 +104,79 @@ describe('res', function(){ }) }) + it('should encode data uri', function (done) { + var app = express() + app.use(function (req, res) { + res.location('data:text/javascript,export default () => { }').end(); + }); + + request(app) + .get('/') + .expect('Location', 'data:text/javascript,export%20default%20()%20=%3E%20%7B%20%7D') + .expect(200, done) + }) + + it('should encode data uri', function (done) { + var app = express() + app.use(function (req, res) { + res.location('data:text/javascript,export default () => { }').end(); + }); + + request(app) + .get('/') + .expect('Location', 'data:text/javascript,export%20default%20()%20=%3E%20%7B%20%7D') + .expect(200, done) + }) + + it('should consistently handle non-string input: boolean', function (done) { + var app = express() + app.use(function (req, res) { + res.location(true).end(); + }); + + request(app) + .get('/') + .expect('Location', 'true') + .expect(200, done) + }); + + it('should consistently handle non-string inputs: object', function (done) { + var app = express() + app.use(function (req, res) { + res.location({}).end(); + }); + + request(app) + .get('/') + .expect('Location', '[object%20Object]') + .expect(200, done) + }); + + it('should consistently handle non-string inputs: array', function (done) { + var app = express() + app.use(function (req, res) { + res.location([]).end(); + }); + + request(app) + .get('/') + .expect('Location', '') + .expect(200, done) + }); + + it('should consistently handle empty string input', function (done) { + var app = express() + app.use(function (req, res) { + res.location('').end(); + }); + + request(app) + .get('/') + .expect('Location', '') + .expect(200, done) + }); + + if (typeof URL !== 'undefined') { it('should accept an instance of URL', function (done) { var app = express(); 
@@ -161,4 +192,194 @@ describe('res', function(){ }); } }) + + describe('location header encoding', function() { + function createRedirectServerForDomain (domain) { + var app = express(); + app.use(function (req, res) { + var host = url.parse(req.query.q, false, true).host; + // This is here to show a basic check one might do which + // would pass but then the location header would still be bad + if (host !== domain) { + res.status(400).end('Bad host: ' + host + ' !== ' + domain); + } + res.location(req.query.q).end(); + }); + return app; + } + + function testRequestedRedirect (app, inputUrl, expected, expectedHost, done) { + return request(app) + // Encode uri because old supertest does not and is required + // to test older node versions. New supertest doesn't re-encode + // so this works in both. + .get('/?q=' + encodeURIComponent(inputUrl)) + .expect('') // No body. + .expect(200) + .expect('Location', expected) + .end(function (err, res) { + if (err) { + console.log('headers:', res.headers) + console.error('error', res.error, err); + return done(err, res); + } + + // Parse the hosts from the input URL and the Location header + var inputHost = url.parse(inputUrl, false, true).host; + var locationHost = url.parse(res.headers['location'], false, true).host; + + assert.strictEqual(locationHost, expectedHost); + + // Assert that the hosts are the same + if (inputHost !== locationHost) { + return done(new Error('Hosts do not match: ' + inputHost + " !== " + locationHost)); + } + + return done(null, res); + }); + } + + it('should not touch already-encoded sequences in "url"', function (done) { + var app = createRedirectServerForDomain('google.com'); + testRequestedRedirect( + app, + 'https://google.com?q=%A710', + 'https://google.com?q=%A710', + 'google.com', + done + ); + }); + + it('should consistently handle relative urls', function (done) { + var app = createRedirectServerForDomain(null); + testRequestedRedirect( + app, + '/foo/bar', + '/foo/bar', + null, + done 
+ ); + }); + + it('should not encode urls in such a way that they can bypass redirect allow lists', function (done) { + var app = createRedirectServerForDomain('google.com'); + testRequestedRedirect( + app, + 'http://google.com\\@apple.com', + 'http://google.com\\@apple.com', + 'google.com', + done + ); + }); + + it('should not be case sensitive', function (done) { + var app = createRedirectServerForDomain('google.com'); + testRequestedRedirect( + app, + 'HTTP://google.com\\@apple.com', + 'HTTP://google.com\\@apple.com', + 'google.com', + done + ); + }); + + it('should work with https', function (done) { + var app = createRedirectServerForDomain('google.com'); + testRequestedRedirect( + app, + 'https://google.com\\@apple.com', + 'https://google.com\\@apple.com', + 'google.com', + done + ); + }); + + it('should correctly encode schemaless paths', function (done) { + var app = createRedirectServerForDomain('google.com'); + testRequestedRedirect( + app, + '//google.com\\@apple.com/', + '//google.com\\@apple.com/', + 'google.com', + done + ); + }); + + it('should percent encode backslashes in the path', function (done) { + var app = createRedirectServerForDomain('google.com'); + testRequestedRedirect( + app, + 'https://google.com/foo\\bar\\baz', + 'https://google.com/foo%5Cbar%5Cbaz', + 'google.com', + done + ); + }); + + it('should encode backslashes in the path after the first backslash that triggered path parsing', function (done) { + var app = createRedirectServerForDomain('google.com'); + testRequestedRedirect( + app, + 'https://google.com\\@app\\l\\e.com', + 'https://google.com\\@app%5Cl%5Ce.com', + 'google.com', + done + ); + }); + + it('should escape header splitting for old node versions', function (done) { + var app = createRedirectServerForDomain('google.com'); + testRequestedRedirect( + app, + 'http://google.com\\@apple.com/%0d%0afoo:%20bar', + 'http://google.com\\@apple.com/%0d%0afoo:%20bar', + 'google.com', + done + ); + }); + + it('should encode unicode 
correctly', function (done) { + var app = createRedirectServerForDomain(null); + testRequestedRedirect( + app, + '/%e2%98%83', + '/%e2%98%83', + null, + done + ); + }); + + it('should encode unicode correctly even with a bad host', function (done) { + var app = createRedirectServerForDomain('google.com'); + testRequestedRedirect( + app, + 'http://google.com\\@apple.com/%e2%98%83', + 'http://google.com\\@apple.com/%e2%98%83', + 'google.com', + done + ); + }); + + it('should work correctly despite using deprecated url.parse', function (done) { + var app = createRedirectServerForDomain('google.com'); + testRequestedRedirect( + app, + 'https://google.com\'.bb.com/1.html', + 'https://google.com\'.bb.com/1.html', + 'google.com', + done + ); + }); + + it('should encode file uri path', function (done) { + var app = createRedirectServerForDomain(''); + testRequestedRedirect( + app, + 'file:///etc\\passwd', + 'file:///etc%5Cpasswd', + '', + done + ); + }); + }); }) From b28db2c12c3bd9cd763316824446f79bf81e0686 Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Mon, 25 Mar 2024 09:26:03 -0500 Subject: [PATCH 02/52] 4.19.2 --- History.md | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/History.md b/History.md index f62574a7ee..ac2e7cf719 100644 --- a/History.md +++ b/History.md @@ -1,4 +1,4 @@ -unreleased +4.19.2 / 2024-03-25 ========== * Improved fix for open redirect allow list bypass diff --git a/package.json b/package.json index 51c6aba212..f299d882b0 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "express", "description": "Fast, unopinionated, minimalist web framework", - "version": "4.19.1", + "version": "4.19.2", "author": "TJ Holowaychuk ", "contributors": [ "Aaron Heckmann ", From 94669f9289fdd1c640b0c35acf4d9f8e996a646c Mon Sep 17 00:00:00 2001 
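Review bot: `createRedirectServerForDomain` falls through after rejecting the host: `res.status(400).end('Bad host: ...')` is not returned, so the handler continues to `res.location(req.query.q).end()` on an already-finished response. None of the tests exercises a mismatched host so it never fires, but a helper whose comment presents it as "the check one might do" should model that check correctly; change it to `return res.status(400).end('Bad host: ' + host + ' !== ' + domain);`. The `console.log`/`console.error` calls in the `.end` callback of `testRequestedRedirect` only add noise to a failing run — supertest's error already carries the response — and can be dropped.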
From: Wes Todd Date: Mon, 25 Mar 2024 10:03:18 -0500 Subject: [PATCH 03/52] remove duplicate location test for data uri --- test/res.location.js | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/test/res.location.js b/test/res.location.js index c80b38de6b..141ee90131 100644 --- a/test/res.location.js +++ b/test/res.location.js @@ -116,18 +116,6 @@ describe('res', function(){ .expect(200, done) }) - it('should encode data uri', function (done) { - var app = express() - app.use(function (req, res) { - res.location('data:text/javascript,export default () => { }').end(); - }); - - request(app) - .get('/') - .expect('Location', 'data:text/javascript,export%20default%20()%20=%3E%20%7B%20%7D') - .expect(200, done) - }) - it('should consistently handle non-string input: boolean', function (done) { var app = express() app.use(function (req, res) { From 51595d402ba155877e48a2a6c807b956a6d6d376 Mon Sep 17 00:00:00 2001 From: marco-ippolito Date: Tue, 26 Mar 2024 12:37:28 +0100 Subject: [PATCH 04/52] feat: document beta releases expectations --- Release-Process.md | 7 +++++++ Security.md | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/Release-Process.md b/Release-Process.md index 55e6218925..9ea0cf3212 100644 --- a/Release-Process.md +++ b/Release-Process.md @@ -77,6 +77,13 @@ non-patch flow. - This branch contains the commits accepted so far that implement the proposal in the tracking pull request. +### Beta releases + +Beta releases are made from a proposal branch. The version number should be +incremented to the next minor version with a `-beta` suffix. For example, if the +next release is `5.0.1`, the beta release would be `5.0.1-beta.0`. The beta +release should be considered unstable and not suitable for production use. + ### Patch flow In the patch flow, simple changes are committed to the release branch which diff --git a/Security.md b/Security.md index cdcd7a6e0a..d1c4bb7f02 100644 --- a/Security.md +++ b/Security.md 
@@ -29,6 +29,12 @@ announcement, and may ask for additional information or guidance. Report security bugs in third-party modules to the person or team maintaining the module. +## Beta releases + +Beta releases should be considered unstable and **not suitable for production use**. +Vulnerabilities found in beta releases should be reported according to the [Reporting a Bug](#reporting-a-bug) section. +Due to the unstable nature of the branch it is not garanteed that the fix will be released in the next beta release. + ## Disclosure Policy When the security team receives a security bug report, they will assign it to a From 88bd6d8e3a91f2059a89493a32952c5e01a1b40a Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Tue, 26 Mar 2024 15:32:34 +0100 Subject: [PATCH 05/52] Update Release-Process.md Co-authored-by: Wes Todd --- Release-Process.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Release-Process.md b/Release-Process.md index 9ea0cf3212..0b95a6f3a7 100644 --- a/Release-Process.md +++ b/Release-Process.md @@ -77,7 +77,7 @@ non-patch flow. - This branch contains the commits accepted so far that implement the proposal in the tracking pull request. -### Beta releases +### Pre-release Versions Beta releases are made from a proposal branch. The version number should be incremented to the next minor version with a `-beta` suffix. For example, if the From 4e3f95c0ea4ba6b3f116e65dbb5828e918ea25fb Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Tue, 26 Mar 2024 15:41:07 +0100 Subject: [PATCH 06/52] Update Security.md Co-authored-by: Wes Todd --- Security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Security.md b/Security.md index d1c4bb7f02..9a9986d73c 100644 --- a/Security.md +++ b/Security.md 
@@ -29,7 +29,7 @@ announcement, and may ask for additional information or guidance. Report security bugs in third-party modules to the person or team maintaining the module. -## Beta releases +## Pre-release Versions Beta releases should be considered unstable and **not suitable for production use**. Vulnerabilities found in beta releases should be reported according to the [Reporting a Bug](#reporting-a-bug) section. From 51a76366e34a9d5ac238c48ebfbd20a020cb635e Mon Sep 17 00:00:00 2001 From: marco-ippolito Date: Tue, 26 Mar 2024 15:44:10 +0100 Subject: [PATCH 07/52] refactor: reword to pre-releases --- Release-Process.md | 8 ++++---- Security.md | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Release-Process.md b/Release-Process.md index 0b95a6f3a7..c74f16f08b 100644 --- a/Release-Process.md +++ b/Release-Process.md @@ -79,10 +79,10 @@ non-patch flow. ### Pre-release Versions -Beta releases are made from a proposal branch. The version number should be -incremented to the next minor version with a `-beta` suffix. For example, if the -next release is `5.0.1`, the beta release would be `5.0.1-beta.0`. The beta -release should be considered unstable and not suitable for production use. +Alpha and Beta releases are made from a proposal branch. The version number should be +incremented to the next minor version with a `-beta` or `-alpha` suffix. +For example, if the next beta release is `5.0.1`, the beta release would be `5.0.1-beta.0`. +The pre-releases should be considered unstable and not suitable for production use. ### Patch flow diff --git a/Security.md b/Security.md index 9a9986d73c..d49ddd75a2 100644 --- a/Security.md +++ b/Security.md 
@@ -31,9 +31,9 @@ the module. ## Pre-release Versions -Beta releases should be considered unstable and **not suitable for production use**. -Vulnerabilities found in beta releases should be reported according to the [Reporting a Bug](#reporting-a-bug) section. -Due to the unstable nature of the branch it is not garanteed that the fix will be released in the next beta release. +Alpha and Beta releases should be considered unstable and **not suitable for production use**. +Vulnerabilities found in pre-releases should be reported according to the [Reporting a Bug](#reporting-a-bug) section. +Due to the unstable nature of the branch it is not garanteed that the fix will be released in the next pre-release. ## Disclosure Policy From 6d98d2e1103dfe73cb8efc47521d42c269e5bf08 Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Tue, 26 Mar 2024 17:01:11 +0100 Subject: [PATCH 08/52] Update Release-Process.md Co-authored-by: Chris de Almeida --- Release-Process.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Release-Process.md b/Release-Process.md index c74f16f08b..9ca0a15ab4 100644 --- a/Release-Process.md +++ b/Release-Process.md @@ -82,7 +82,7 @@ non-patch flow. Alpha and Beta releases are made from a proposal branch. The version number should be incremented to the next minor version with a `-beta` or `-alpha` suffix. For example, if the next beta release is `5.0.1`, the beta release would be `5.0.1-beta.0`. -The pre-releases should be considered unstable and not suitable for production use. +The pre-releases are unstable and not suitable for production use. ### Patch flow From 36b814811079d8d242e69257de46576822d6bb4f Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Tue, 26 Mar 2024 17:01:17 +0100 Subject: [PATCH 09/52] Update Security.md Co-authored-by: Chris de Almeida --- Security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Security.md b/Security.md index d49ddd75a2..99e8d53773 100644 --- a/Security.md +++ b/Security.md 
@@ -31,7 +31,7 @@ the module. ## Pre-release Versions -Alpha and Beta releases should be considered unstable and **not suitable for production use**. +Alpha and Beta releases are unstable and **not suitable for production use**. Vulnerabilities found in pre-releases should be reported according to the [Reporting a Bug](#reporting-a-bug) section. Due to the unstable nature of the branch it is not garanteed that the fix will be released in the next pre-release. From 8b6d34963d0bf0944d7da2da6fb2b71e36a61421 Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Tue, 26 Mar 2024 17:01:30 +0100 Subject: [PATCH 10/52] Update Security.md Co-authored-by: Chris de Almeida --- Security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Security.md b/Security.md index 99e8d53773..39f055b3b9 100644 --- a/Security.md +++ b/Security.md @@ -33,7 +33,7 @@ the module. Alpha and Beta releases are unstable and **not suitable for production use**. Vulnerabilities found in pre-releases should be reported according to the [Reporting a Bug](#reporting-a-bug) section. -Due to the unstable nature of the branch it is not garanteed that the fix will be released in the next pre-release. +Due to the unstable nature of the branch it is not guaranteed that any fixes will be released in the next pre-release. ## Disclosure Policy From 3ae704f67fbbea3d6ac6aeb9563b5bc48615743f Mon Sep 17 00:00:00 2001 From: Jon Church Date: Mon, 25 Mar 2024 21:43:35 -0400 Subject: [PATCH 11/52] update ci push trigger only to some branches, ignore examples, .md --- .github/workflows/ci.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 01c82f8196..a16debdef9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -1,8 +1,18 @@ name: ci on: -- pull_request -- push + push: + branches: + - master + - '4.x' + - '5.x' + paths-ignore: + - 'examples/**' + - '*.md' + pull_request: + paths-ignore: + - 'examples/**' + - '*.md' jobs: test: From 4771ba2bc3b5c6c26dd28783f0dc962d008edab8 Mon Sep 17 00:00:00 2001 From: Jon Church Date: Mon, 25 Mar 2024 22:12:28 -0400 Subject: [PATCH 12/52] crib fastify's ci concurrency logic https://github.com/fastify/fastify/blob/76674fdf46e4da5f1c18e0c86f615c4b538282cd/.github/workflows/ci.yml#L18 --- .github/workflows/ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a16debdef9..7fc216da6c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,6 +14,12 @@ on: - 'examples/**' - '*.md' +# Cancel in progress workflows +# in the scenario where we already had a run going for that PR/branch/tag but then triggered a new run +concurrency: + group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" + cancel-in-progress: true + jobs: test: runs-on: ubuntu-latest From d546f93f2f4658c3c03828afacc6dfd26788f7a7 Mon Sep 17 00:00:00 2001 From: Jon Church Date: Mon, 25 Mar 2024 22:29:05 -0400 Subject: [PATCH 13/52] add develop to branches --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7fc216da6c..81e4823373 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,6 +4,7 @@ on: push: branches: - master + - develop - '4.x' - '5.x' paths-ignore: From 6da57c7819dfefa228ab68c884d701a8cf45f39b Mon Sep 17 00:00:00 2001 From: Jon Church Date: Mon, 25 Mar 2024 22:45:13 -0400 Subject: [PATCH 14/52] remove examples from the ignore --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 81e4823373..f43deeb538 100644 --- a/.github/workflows/ci.yml 
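Review bot: `paths-ignore: - '*.md'` only skips Markdown files at the repository root, because `*` in GitHub's path filter does not cross `/`; if the intent is "any docs-only change" the pattern should be `'**.md'`. The same filter is applied to `pull_request`, so a PR that touches only a root-level `.md` file produces no `ci` run at all — if a branch-protection rule requires the `test` job, such a PR cannot be merged, and if it does not, the check is silently absent. Consider leaving `pull_request` unfiltered, or confirming no required-check rule depends on this workflow.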
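Review bot: `cancel-in-progress: true` applies to every trigger, including pushes to `master`, `4.x` and `5.x`, so two consecutive pushes to a release branch cancel the earlier run and leave that commit with no completed CI result — awkward when a release is cut from it. The usual refinement keeps cancellation for pull requests only: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The `group` key already isolates runs per branch/PR, so nothing else needs to change.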
+++ b/.github/workflows/ci.yml @@ -8,11 +8,9 @@ on: - '4.x' - '5.x' paths-ignore: - - 'examples/**' - '*.md' pull_request: paths-ignore: - - 'examples/**' - '*.md' # Cancel in progress workflows From 2676a1f281e8f1cc73591d3fa8917344dcc60d38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 4 Apr 2024 13:01:35 +0200 Subject: [PATCH 15/52] docs: add reference to the Threat Model * docs: add Threat Model * docs: update reference Co-authored-by: Chris de Almeida * docs: improve readability Co-authored-by: Chris de Almeida * docs: add reference to the Threat Model --------- Co-authored-by: Chris de Almeida --- Security.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Security.md b/Security.md index 39f055b3b9..6b5d2b0686 100644 --- a/Security.md +++ b/Security.md @@ -46,6 +46,10 @@ involving the following steps: * Prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible to npm. +## The Express Threat Model + +We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/tools/docs/ThreatModel.md) + ## Comments on this Policy If you have suggestions on how this process could be improved please submit a From 93cf646d5c3643b0d14563795eb45aba583b1568 Mon Sep 17 00:00:00 2001 From: Blake Embrey Date: Sun, 7 Apr 2024 09:40:16 -0700 Subject: [PATCH 16/52] docs: add blakeembrey as captain for encodeurl (#5579) --- Contributing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Contributing.md b/Contributing.md index a9ba84690c..599df10360 100644 --- a/Contributing.md +++ b/Contributing.md 
@@ -164,6 +164,7 @@ dissent. When the PR is merged, a TC member will add them to the proper GitHub/ - `expressjs/cookie-parser`: @wesleytodd - `expressjs/generator`: @wesleytodd - `expressjs/statusboard`: @wesleytodd +- `pillarjs/encodeurl`: @blakeembrey - `pillarjs/path-to-regexp`: @blakeembrey - `pillarjs/router`: @dougwilson, @wesleytodd - `pillarjs/finalhandler`: @wesleytodd @@ -173,4 +174,3 @@ dissent. When the PR is merged, a TC member will add them to the proper GitHub/ - `jshttp/on-finished`: @wesleytodd - `jshttp/forwarded`: @wesleytodd - `jshttp/proxy-addr`: @wesleytodd - From 7f9e5843b9690267cf87efe63b48d45425f9ebc3 Mon Sep 17 00:00:00 2001 From: Jon Church Date: Mon, 8 Apr 2024 09:02:12 -0400 Subject: [PATCH 17/52] add jonchurch as repo captain on several packages --- Contributing.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Contributing.md b/Contributing.md index 599df10360..9baa666b71 100644 --- a/Contributing.md +++ b/Contributing.md @@ -158,10 +158,12 @@ dissent. When the PR is merged, a TC member will add them to the proper GitHub/ - `expressjs/express`: @wesleytodd - `expressjs/discussions`: @wesleytodd -- `expressjs/expressjs.com`: @crandmck -- `expressjs/body-parser`: @wesleytodd +- `expressjs/expressjs.com`: @crandmck, @jonchurch +- `expressjs/body-parser`: @wesleytodd, @jonchurch - `expressjs/multer`: @LinusU +- `expressjs/morgan`: @jonchurch - `expressjs/cookie-parser`: @wesleytodd +- `expressjs/cors`: @jonchurch - `expressjs/generator`: @wesleytodd - `expressjs/statusboard`: @wesleytodd - `pillarjs/encodeurl`: @blakeembrey 
@@ -169,7 +171,7 @@ dissent. When the PR is merged, a TC member will add them to the proper GitHub/ - `pillarjs/router`: @dougwilson, @wesleytodd - `pillarjs/finalhandler`: @wesleytodd - `pillarjs/request`: @wesleytodd -- `jshttp/http-errors`: @wesleytodd +- `jshttp/http-errors`: @wesleytodd, @jonchurch - `jshttp/cookie`: @wesleytodd - `jshttp/on-finished`: @wesleytodd - `jshttp/forwarded`: @wesleytodd From 815f799310a5627c000d4a5156c1c958e4947b4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=8D=C3=B1igo=20Marqu=C3=ADnez=20Prado?= <25435858+inigomarquinez@users.noreply.github.com> Date: Wed, 10 Apr 2024 18:53:52 +0200 Subject: [PATCH 18/52] docs: update reference to the threat model (#5590) PR: https://github.com/expressjs/express/pull/5590 --- Security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Security.md b/Security.md index 6b5d2b0686..dcfbe88abd 100644 --- a/Security.md +++ b/Security.md @@ -48,7 +48,7 @@ involving the following steps: ## The Express Threat Model -We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/tools/docs/ThreatModel.md) +We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md) ## Comments on this Policy From e9bcdd399b244079f4cf77dd5ffa58c5831b8b90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 11 Apr 2024 19:16:20 +0200 Subject: [PATCH 19/52] ci: adopt Node@18 as the minimum supported version --- .github/workflows/ci.yml | 83 ---------------------------------------- appveyor.yml | 59 ---------------------------- 2 files changed, 142 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 89d95f85d7..0575f075e7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -11,83 +11,12 @@ jobs: fail-fast: false matrix: name: - - Node.js 4.0 - - Node.js 4.x - - Node.js 5.x - - Node.js 6.x - - Node.js 7.x - - Node.js 8.x - - Node.js 9.x - - Node.js 10.x - - Node.js 11.x - - Node.js 12.x - - Node.js 13.x - - Node.js 14.x - - Node.js 15.x - - Node.js 16.x - - Node.js 17.x - Node.js 18.x - Node.js 19.x - Node.js 20.x - Node.js 21.x include: - - name: Node.js 4.0 - node-version: "4.0" - npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - - - name: Node.js 4.x - node-version: "4.9" - npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - - - name: Node.js 5.x - node-version: "5.12" - npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - - - name: Node.js 6.x - node-version: "6.17" - npm-i: mocha@6.2.2 nyc@14.1.1 supertest@3.4.2 - - - name: Node.js 7.x - node-version: "7.10" - npm-i: mocha@6.2.2 nyc@14.1.1 supertest@6.1.6 - - - name: Node.js 8.x - node-version: "8.17" - npm-i: mocha@7.2.0 nyc@14.1.1 - - - name: Node.js 9.x - node-version: "9.11" - npm-i: mocha@7.2.0 nyc@14.1.1 - - - name: Node.js 10.x - node-version: "10.24" - npm-i: mocha@8.4.0 - - - name: Node.js 11.x - node-version: "11.15" - npm-i: mocha@8.4.0 - - - name: Node.js 12.x - node-version: "12.22" - npm-i: mocha@9.2.2 - - - name: Node.js 13.x - node-version: "13.14" - npm-i: mocha@9.2.2 - - - name: Node.js 14.x - node-version: "14.20" - - - name: Node.js 15.x - node-version: "15.14" - - - name: Node.js 16.x - node-version: "16.20" - - - name: Node.js 17.x - node-version: "17.9" - - name: Node.js 18.x node-version: "18.19" 
@@ -125,18 +54,6 @@ jobs: - name: Remove non-test dependencies run: npm rm --silent --save-dev connect-redis - - name: Setup Node.js version-specific dependencies - shell: bash - run: | - # eslint for linting - # - remove on Node.js < 12 - if [[ "$(cut -d. -f1 <<< "${{ matrix.node-version }}")" -lt 12 ]]; then - node -pe 'Object.keys(require("./package").devDependencies).join("\n")' | \ - grep -E '^eslint(-|$)' | \ - sort -r | \ - xargs -n1 npm rm --silent --save-dev - fi - - name: Install Node.js dependencies run: npm install diff --git a/appveyor.yml b/appveyor.yml index 185eccf8ca..5506914898 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -1,19 +1,5 @@ environment: matrix: - - nodejs_version: "4.9" - - nodejs_version: "5.12" - - nodejs_version: "6.17" - - nodejs_version: "7.10" - - nodejs_version: "8.17" - - nodejs_version: "9.11" - - nodejs_version: "10.24" - - nodejs_version: "11.15" - - nodejs_version: "12.22" - - nodejs_version: "13.14" - - nodejs_version: "14.20" - - nodejs_version: "15.14" - - nodejs_version: "16.20" - - nodejs_version: "17.9" - nodejs_version: "18.19" - nodejs_version: "19.9" - nodejs_version: "20.11" 
@@ -41,51 +27,6 @@ install: cmd.exe /c "node -pe `"Object.keys(require('./package').devDependencies).join('\n')`"" | ` sls "^eslint(-|$)" | ` %{ npm rm --silent --save-dev $_ } - # Setup Node.js version-specific dependencies - - ps: | - # mocha for testing - # - use 5.x for Node.js < 6 - # - use 6.x for Node.js < 8 - # - use 7.x for Node.js < 10 - # - use 8.x for Node.js < 12 - # - use 9.x for Node.js < 14 - if ([int]$env:nodejs_version.split(".")[0] -lt 4) { - npm install --silent --save-dev mocha@3.5.3 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) { - npm install --silent --save-dev mocha@5.2.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 8) { - npm install --silent --save-dev mocha@6.2.2 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 10) { - npm install --silent --save-dev mocha@7.2.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 12) { - npm install --silent --save-dev mocha@8.4.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 14) { - npm install --silent --save-dev mocha@9.2.2 - } - - ps: | - # nyc for test coverage - # - use 10.3.2 for Node.js < 4 - # - use 11.9.0 for Node.js < 6 - # - use 14.1.1 for Node.js < 10 - if ([int]$env:nodejs_version.split(".")[0] -lt 4) { - npm install --silent --save-dev nyc@10.3.2 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) { - npm install --silent --save-dev nyc@11.9.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 10) { - npm install --silent --save-dev nyc@14.1.1 - } - - ps: | - # supertest for http calls - # - use 2.0.0 for Node.js < 4 - # - use 3.4.2 for Node.js < 7 - # - use 6.1.6 for Node.js < 8 - if ([int]$env:nodejs_version.split(".")[0] -lt 4) { - npm install --silent --save-dev supertest@2.0.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 7) { - npm install --silent --save-dev supertest@3.4.2 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 8) { - npm install --silent --save-dev supertest@6.1.6 - } # Update Node.js modules - ps: | # 
Prune & rebuild node_modules From 4b3b8cc231381fe9357d7d98f6afd3e8e9f9d63c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 11 Apr 2024 19:19:47 +0200 Subject: [PATCH 20/52] feat: adopt Node@18 as the minimum supported version --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 5a8f978e1c..06e67892dd 100644 --- a/package.json +++ b/package.json @@ -81,7 +81,7 @@ "vhost": "~3.0.2" }, "engines": { - "node": ">= 4" + "node": ">= 18" }, "files": [ "LICENSE", From 6abec204c0a6dc0b2a7adcd6f118ca5fb757e4aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 Apr 2024 13:53:16 +0200 Subject: [PATCH 21/52] docs: update triage nomination policy (#5600) PR-URL: https://github.com/expressjs/express/pull/5600 --- Contributing.md | 31 ++++++++----------------------- 1 file changed, 8 insertions(+), 23 deletions(-) diff --git a/Contributing.md b/Contributing.md index 9baa666b71..f2ffe4935a 100644 --- a/Contributing.md +++ b/Contributing.md 
@@ -63,29 +63,14 @@ compromise among committers be the default resolution mechanism. Anyone can become a triager! Read more about the process of being a triager in [the triage process document](Triager-Guide.md). -[Open an issue in `expressjs/express` repo](https://github.com/expressjs/express/issues/new) -to request the triage role. State that you have read and agree to the -[Code of Conduct](Code-Of-Conduct.md) and details of the role. - -Here is an example issue content you can copy and paste: - -``` -Title: Request triager role for - -I have read and understood the project's Code of Conduct. -I also have read and understood the process and best practices around Express triaging. - -I request for a triager role for the following GitHub organizations: - -jshttp -pillarjs -express -``` - -Once you have opened your issue, a member of the TC will add you to the `triage` team in -the organizations requested. They will then close the issue. - -Happy triaging! +Currently, any existing [organization member](https://github.com/orgs/expressjs/people) can nominate +a new triager. If you are interested in becoming a triager, our best advice is to actively participate +in the community by helping triaging issues and pull requests. As well we recommend +to engage in other community activities like attending the TC meetings, and participating in the Slack +discussions. + +You can also reach out to any of the [organization members](https://github.com/orgs/expressjs/people) +if you have questions or need guidance. ## Becoming a Committer From 26e53f0fbcaf1fa71a68a42dcd6c17af05fe6ac9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 Apr 2024 15:13:07 +0200 Subject: [PATCH 22/52] ci: add CodeQL (SAST) (#5433) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR-URL: https://github.com/expressjs/express/pull/5433 --------- Co-authored-by: Íñigo Marquínez Prado <25435858+inigomarquinez@users.noreply.github.com> --- .github/workflows/codeql.yml | 66 ++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..db4e01aff5 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,66 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["master"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["master"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + with: + languages: javascript + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + # - name: Autobuild + # uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. 
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + with: + category: "/language:javascript" From d97d79ed9a25099ec4f0537ad8bf2a9378350a6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 Apr 2024 14:25:38 +0200 Subject: [PATCH 23/52] docs: add UlisesGascon as triage initiative captain --- Contributing.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Contributing.md b/Contributing.md index f2ffe4935a..4262b0f20d 100644 --- a/Contributing.md +++ b/Contributing.md @@ -161,3 +161,7 @@ dissent. When the PR is merged, a TC member will add them to the proper GitHub/ - `jshttp/on-finished`: @wesleytodd - `jshttp/forwarded`: @wesleytodd - `jshttp/proxy-addr`: @wesleytodd + +### Current Initiative Captains + +- Triage team [ref](https://github.com/expressjs/discussions/issues/227): @UlisesGascon From bf91946bd406b0c6f045fe81331de1725e9cee43 Mon Sep 17 00:00:00 2001 From: Blake Embrey Date: Sat, 4 May 2024 13:53:09 -0700 Subject: [PATCH 24/52] deps: encodeurl@~2.0.0 (#5569) --- History.md | 6 ++++++ lib/response.js | 10 +--------- package.json | 2 +- test/res.location.js | 17 +++-------------- 4 files changed, 11 insertions(+), 24 deletions(-) diff --git a/History.md b/History.md index ac2e7cf719..1aefd4b968 100644 --- a/History.md +++ b/History.md @@ -1,3 +1,9 @@ +unreleased +========== + + * deps: encodeurl@~2.0.0 + - Removes encoding of `\`, `|`, and `^` to align better with URL spec + 4.19.2 / 2024-03-25 ========== diff --git a/lib/response.js b/lib/response.js index dd7b3c8201..29845a7d83 100644 --- a/lib/response.js +++ b/lib/response.js 
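Review bot: The header comment is still the unedited GitHub template: it asks the reader to confirm "the language matrix defined below", but this job has no matrix and scans a fixed `languages: javascript`, and the commented-out Autobuild step plus the "If the Autobuild fails above" prose only apply to compiled languages. For a JavaScript-only repository the file reads better with that scaffolding deleted and the header replaced by one line such as `# CodeQL static analysis of the JavaScript sources: runs on push/PR to master and on a weekly schedule.`. Pinning both actions to a commit SHA with the version in a trailing comment is the right practice and should be kept on future bumps.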
@@ -55,7 +55,6 @@ module.exports = res */ var charsetRegExp = /;\s*charset\s*=/; -var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?]+/; /** * Set status `code`. @@ -914,14 +913,7 @@ res.location = function location(url) { loc = String(url); } - var m = schemaAndHostRegExp.exec(loc); - var pos = m ? m[0].length + 1 : 0; - - // Only encode after host to avoid invalid encoding which can introduce - // vulnerabilities (e.g. `\\` to `%5C`). - loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos)); - - return this.set('Location', loc); + return this.set('Location', encodeUrl(loc)); }; /** diff --git a/package.json b/package.json index f299d882b0..88e4206fe6 100644 --- a/package.json +++ b/package.json @@ -37,7 +37,7 @@ "cookie-signature": "1.0.6", "debug": "2.6.9", "depd": "2.0.0", - "encodeurl": "~1.0.2", + "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "etag": "~1.8.1", "finalhandler": "1.2.0", diff --git a/test/res.location.js b/test/res.location.js index 141ee90131..2e88002625 100644 --- a/test/res.location.js +++ b/test/res.location.js @@ -293,23 +293,12 @@ describe('res', function(){ ); }); - it('should percent encode backslashes in the path', function (done) { + it('should keep backslashes in the path', function (done) { var app = createRedirectServerForDomain('google.com'); testRequestedRedirect( app, 'https://google.com/foo\\bar\\baz', - 'https://google.com/foo%5Cbar%5Cbaz', - 'google.com', - done - ); - }); - - it('should encode backslashes in the path after the first backslash that triggered path parsing', function (done) { - var app = createRedirectServerForDomain('google.com'); - testRequestedRedirect( - app, - 'https://google.com\\@app\\l\\e.com', - 'https://google.com\\@app%5Cl%5Ce.com', + 'https://google.com/foo\\bar\\baz', 'google.com', done ); @@ -364,7 +353,7 @@ describe('res', function(){ testRequestedRedirect( app, 'file:///etc\\passwd', - 'file:///etc%5Cpasswd', + 'file:///etc\\passwd', '', done ); 
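Review bot: The new `return this.set('Location', encodeUrl(loc));` encodes the whole value again, so the guarantee that encoding cannot move the authority boundary now rests entirely on encodeurl@~2.0.0 no longer percent-encoding `\`, `|` and `^` — and the only comment that recorded that reasoning is deleted in the same hunk. A why-comment above the return, e.g. `// encodeurl@2 leaves '\\', '|' and '^' untouched, so encoding the full URL cannot shift the host boundary; keep the ~2.0.0 range in step with this assumption`, would stop a later dependency downgrade or swap from silently undoing what the earlier host-aware encode guarded against. res.location's body begins before this hunk.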
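Review bot: The second test/res.location.js hunk deletes the `https://google.com\\@app\\l\\e.com` case outright instead of updating its expectation, so after this commit no test asserts that a backslash before `@` in the authority is passed through unchanged. Re-adding it with the expected Location equal to the input and the same `'google.com'` host argument the original used (the same shape as the retained "should keep backslashes in the path" case) keeps that regression covered. The enclosing describe block starts outside the hunk.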
From 8417c60fcfd7a9523e8783fd3f489d771df1ce44 Mon Sep 17 00:00:00 2001 From: Jon Church Date: Sat, 4 May 2024 17:09:52 -0400 Subject: [PATCH 25/52] skip QUERY method test (#5628) --- test/app.router.js | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/test/app.router.js b/test/app.router.js index 12b6c1fa51..d9ddc69afc 100644 --- a/test/app.router.js +++ b/test/app.router.js @@ -35,8 +35,25 @@ describe('app.router', function(){ }) describe('methods', function(){ + function getMajorVersion(versionString) { + return versionString.split('.')[0]; + } + + function shouldSkipQuery(versionString) { + // Temporarily skipping this test on 21 and 22 + // update this implementation to run on those release lines on supported versions once they exist + // upstream tracking https://github.com/nodejs/node/pull/51719 + // express tracking issue: https://github.com/expressjs/express/issues/5615 + var majorsToSkip = { + "21": true, + "22": true + } + return majorsToSkip[getMajorVersion(versionString)] + } + methods.concat('del').forEach(function(method){ if (method === 'connect') return; + if (method === 'query' && shouldSkipQuery(process.versions.node)) return it('should include ' + method.toUpperCase(), function(done){ var app = express(); From b44191eb3de5fcc94b384d7d6028b8c9a0144231 Mon Sep 17 00:00:00 2001 From: Jon Church Date: Sat, 4 May 2024 18:01:42 -0400 Subject: [PATCH 26/52] ignore ETAG query test as well, reuse skip util (#5639) --- test/app.router.js | 18 ++---------------- test/res.send.js | 3 +++ test/support/utils.js | 18 ++++++++++++++++++ 3 files changed, 23 insertions(+), 16 deletions(-) diff --git a/test/app.router.js b/test/app.router.js index d9ddc69afc..ae87092f00 100644 --- a/test/app.router.js +++ b/test/app.router.js 
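Review bot: `shouldSkipQuery` returns `true` or `undefined` rather than a boolean, because `majorsToSkip[...]` is a plain-object lookup that also falls through to the prototype chain for unexpected keys. A Set makes the predicate explicit and always boolean: `var majorsToSkip = new Set(['21', '22']);` and `return majorsToSkip.has(getMajorVersion(versionString));`. The same helper is moved verbatim into test/support/utils.js by the following commit (its hunk ends at the closing `}` before PATCH 27), so the change applies there as well. The added skip line also drops the trailing semicolon that the neighbouring `if (method === 'connect') return;` uses.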
@@ -6,6 +6,8 @@ var express = require('../') , assert = require('assert') , methods = require('methods'); +var shouldSkipQuery = require('./support/utils').shouldSkipQuery + describe('app.router', function(){ it('should restore req.params after leaving router', function(done){ var app = express(); @@ -35,22 +37,6 @@ describe('app.router', function(){ }) describe('methods', function(){ - function getMajorVersion(versionString) { - return versionString.split('.')[0]; - } - - function shouldSkipQuery(versionString) { - // Temporarily skipping this test on 21 and 22 - // update this implementation to run on those release lines on supported versions once they exist - // upstream tracking https://github.com/nodejs/node/pull/51719 - // express tracking issue: https://github.com/expressjs/express/issues/5615 - var majorsToSkip = { - "21": true, - "22": true - } - return majorsToSkip[getMajorVersion(versionString)] - } - methods.concat('del').forEach(function(method){ if (method === 'connect') return; if (method === 'query' && shouldSkipQuery(process.versions.node)) return diff --git a/test/res.send.js b/test/res.send.js index c92568db6a..1e1835f823 100644 --- a/test/res.send.js +++ b/test/res.send.js @@ -7,6 +7,8 @@ var methods = require('methods'); var request = require('supertest'); var utils = require('./support/utils'); +var shouldSkipQuery = require('./support/utils').shouldSkipQuery + describe('res', function(){ describe('.send()', function(){ it('should set body to ""', function(done){ @@ -407,6 +409,7 @@ describe('res', function(){ methods.forEach(function (method) { if (method === 'connect') return; + if (method === 'query' && shouldSkipQuery(process.versions.node)) return it('should send ETag in response to ' + method.toUpperCase() + ' request', function (done) { var app = express(); diff --git a/test/support/utils.js b/test/support/utils.js index 5b4062e0b2..440a0269bc 100644 --- a/test/support/utils.js +++ b/test/support/utils.js 
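Review bot: In the test/res.send.js hunk, `var shouldSkipQuery = require('./support/utils').shouldSkipQuery` requires the module that the line immediately above already binds to `utils`, and it is the only require in that file without a semicolon. `var shouldSkipQuery = utils.shouldSkipQuery;` (or calling `utils.shouldSkipQuery(...)` at the use site) avoids the duplicate require. The app.router.js hunk in this commit does not otherwise require the module, so it needs no change.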
@@ -16,6 +16,7 @@ exports.shouldHaveBody = shouldHaveBody exports.shouldHaveHeader = shouldHaveHeader exports.shouldNotHaveBody = shouldNotHaveBody exports.shouldNotHaveHeader = shouldNotHaveHeader; +exports.shouldSkipQuery = shouldSkipQuery /** * Assert that a supertest response has a specific body. @@ -70,3 +71,20 @@ function shouldNotHaveHeader(header) { assert.ok(!(header.toLowerCase() in res.headers), 'should not have header ' + header); }; } + +function getMajorVersion(versionString) { + return versionString.split('.')[0]; +} + +function shouldSkipQuery(versionString) { + // Temporarily skipping this test on 21 and 22 + // update this implementation to run on those release lines on supported versions once they exist + // upstream tracking https://github.com/nodejs/node/pull/51719 + // express tracking issue: https://github.com/expressjs/express/issues/5615 + var majorsToSkip = { + "21": true, + "22": true + } + return majorsToSkip[getMajorVersion(versionString)] +} + From 4b9cd2fd0e13519a16bc36e8b4212e7924698b2e Mon Sep 17 00:00:00 2001 From: Mert Can Altin Date: Sun, 5 May 2024 01:15:53 +0300 Subject: [PATCH 27/52] add support Node.js@22 in the CI (#5627) Co-authored-by: Mert Can Altin --- .github/workflows/ci.yml | 4 ++++ appveyor.yml | 1 + 2 files changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f43deeb538..488d394f62 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -49,6 +49,7 @@ jobs: - Node.js 19.x - Node.js 20.x - Node.js 21.x + - Node.js 22.x include: - name: Node.js 0.10 @@ -134,6 +135,9 @@ jobs: - name: Node.js 21.x node-version: "21.6" + + - name: Node.js 22.x + node-version: "22.0" steps: - uses: actions/checkout@v4 diff --git a/appveyor.yml b/appveyor.yml index ce26523b3a..629499bf37 100644 --- a/appveyor.yml +++ b/appveyor.yml 
@@ -23,6 +23,7 @@ environment: - nodejs_version: "19.9" - nodejs_version: "20.11" - nodejs_version: "21.6" + - nodejs_version: "22.0" cache: - node_modules install: From 700349ffaf6140195a2d5f8173dd732c90c5aacc Mon Sep 17 00:00:00 2001 
From: Mert Can Altin Date: Thu, 9 May 2024 00:02:11 +0300 Subject: [PATCH 28/52] doc: add table of contents, tc/triager lists to readme (#5619) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * doc: updated readme file * doc: updated readme file for doc lint * Update Readme.md Co-authored-by: krzysdz * Update Readme.md Co-authored-by: Ulises Gascón * Update Readme.md Co-authored-by: Ulises Gascón * Update Readme.md Co-authored-by: Christine Belzie <105683440+CBID2@users.noreply.github.com> * repair readme * added Emeritus area * Add @carpasse to the triager team * removed old collaborators * add missing triagers * lint * Update Readme.md Co-authored-by: Jon Church * Update Readme.md Co-authored-by: Jon Church * dedent to fix ToC spacing * fixup! dedent to fix ToC spacing * us @ for jonchurch * format names to use github handles first, single line * added emeritus triagers * edited title * added emeritus team members * added menu head * edited emeritus * Update Readme.md Co-authored-by: Jon Church * Update Readme.md Co-authored-by: Jon Church * edits to TC and anchors * Update Readme.md Co-authored-by: Jon Church * Update Readme.md Co-authored-by: Jon Church * Update Readme.md Co-authored-by: Jon Church * Update Readme.md Co-authored-by: Jon Church * Update Readme.md Co-authored-by: Jon Church * Update Readme.md Co-authored-by: Ulises Gascón * Update Readme.md Co-authored-by: Ulises Gascón * Update Readme.md Co-authored-by: Ulises Gascón * Update Readme.md Co-authored-by: Ulises Gascón * Update Readme.md Co-authored-by: Ulises Gascón --------- Co-authored-by: Mert Can Altin Co-authored-by: krzysdz Co-authored-by: Ulises Gascón Co-authored-by: Christine Belzie <105683440+CBID2@users.noreply.github.com> Co-authored-by: Jon Church --- Readme.md | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 94 insertions(+), 4 deletions(-) diff --git a/Readme.md b/Readme.md index d0f3cf56e6..01acf9e2f1 100644 
--- a/Readme.md +++ b/Readme.md @@ -1,10 +1,27 @@ [![Express Logo](https://i.cloudup.com/zfY6lL7eFa-3000x3000.png)](http://expressjs.com/) - Fast, unopinionated, minimalist web framework for [Node.js](http://nodejs.org). +**Fast, unopinionated, minimalist web framework for [Node.js](http://nodejs.org).** - [![NPM Version][npm-version-image]][npm-url] - [![NPM Install Size][npm-install-size-image]][npm-install-size-url] - [![NPM Downloads][npm-downloads-image]][npm-downloads-url] +**This project has a [Code of Conduct][].** + +## Table of contents + +* [Installation](#Installation) +* [Features](#Features) +* [Docs & Community](#docs--community) +* [Quick Start](#Quick-Start) +* [Running Tests](#Running-Tests) +* [Philosophy](#Philosophy) +* [Examples](#Examples) +* [Contributing to Express](#Contributing) +* [TC (Technical Committee)](#tc-technical-committee) +* [Triagers](#triagers) +* [License](#license) + + +[![NPM Version][npm-version-image]][npm-url] +[![NPM Install Size][npm-install-size-image]][npm-install-size-url] +[![NPM Downloads][npm-downloads-image]][npm-downloads-url] ```js const express = require('express') @@ -148,6 +165,78 @@ The current lead maintainer is [Douglas Christopher Wilson](https://github.com/d [List of all contributors](https://github.com/expressjs/express/graphs/contributors) +### TC (Technical Committee) + +* [UlisesGascon](https://github.com/UlisesGascon) - **Ulises Gascón** (he/him) +* [jonchurch](https://github.com/jonchurch) - **Jon Church** +* [wesleytodd](https://github.com/wesleytodd) - **Wes Todd** +* [LinusU](https://github.com/LinusU) - **Linus Unnebäck** +* [blakeembrey](https://github.com/blakeembrey) - **Blake Embrey** +* [sheplu](https://github.com/sheplu) - **Jean Burellier** +* [crandmck](https://github.com/crandmck) - **Rand McKinney** + +
+TC emeriti members + +#### TC emeriti members + + * [dougwilson](https://github.com/dougwilson) - **Douglas Wilson** + * [hacksparrow](https://github.com/hacksparrow) - **Hage Yaapa** + * [jonathanong](https://github.com/jonathanong) - **jongleberry** + * [niftylettuce](https://github.com/niftylettuce) - **niftylettuce** + * [troygoode](https://github.com/troygoode) - **Troy Goode** +
+ + +### Triagers + +* [aravindvnair99](https://github.com/aravindvnair99) - **Aravind Nair** +* [carpasse](https://github.com/carpasse) - **Carlos Serrano** +* [CBID2](https://github.com/CBID2) - **Christine Belzie** +* [enyoghasim](https://github.com/enyoghasim) - **David Enyoghasim** +* [UlisesGascon](https://github.com/UlisesGascon) - **Ulises Gascón** (he/him) +* [mertcanaltin](https://github.com/mertcanaltin) - **Mert Can Altin** +* [0ss](https://github.com/0ss) - **Salah** +* [import-brain](https://github.com/import-brain) - **Eric Cheng** (he/him) +* [3imed-jaberi](https://github.com/3imed-jaberi) - **Imed Jaberi** +* [dakshkhetan](https://github.com/dakshkhetan) - **Daksh Khetan** (he/him) +* [lucasraziel](https://github.com/lucasraziel) - **Lucas Soares Do Rego** +* [Sushmeet](https://github.com/Sushmeet) - **Sushmeet Sunger** + +
+Triagers emeriti members + +#### Emeritus Triagers + + * [AuggieH](https://github.com/AuggieH) - **Auggie Hudak** + * [G-Rath](https://github.com/G-Rath) - **Gareth Jones** + * [MohammadXroid](https://github.com/MohammadXroid) - **Mohammad Ayashi** + * [NawafSwe](https://github.com/NawafSwe) - **Nawaf Alsharqi** + * [NotMoni](https://github.com/NotMoni) - **Moni** + * [VigneshMurugan](https://github.com/VigneshMurugan) - **Vignesh Murugan** + * [davidmashe](https://github.com/davidmashe) - **David Ashe** + * [digitaIfabric](https://github.com/digitaIfabric) - **David** + * [e-l-i-s-e](https://github.com/e-l-i-s-e) - **Elise Bonner** + * [fed135](https://github.com/fed135) - **Frederic Charette** + * [firmanJS](https://github.com/firmanJS) - **Firman Abdul Hakim** + * [getspooky](https://github.com/getspooky) - **Yasser Ameur** + * [ghinks](https://github.com/ghinks) - **Glenn** + * [ghousemohamed](https://github.com/ghousemohamed) - **Ghouse Mohamed** + * [gireeshpunathil](https://github.com/gireeshpunathil) - **Gireesh Punathil** + * [jake32321](https://github.com/jake32321) - **Jake Reed** + * [jonchurch](https://github.com/jonchurch) - **Jon Church** + * [lekanikotun](https://github.com/lekanikotun) - **Troy Goode** + * [marsonya](https://github.com/marsonya) - **Lekan Ikotun** + * [mastermatt](https://github.com/mastermatt) - **Matt R. Wilson** + * [maxakuru](https://github.com/maxakuru) - **Max Edell** + * [mlrawlings](https://github.com/mlrawlings) - **Michael Rawlings** + * [rodion-arr](https://github.com/rodion-arr) - **Rodion Abdurakhimov** + * [sheplu](https://github.com/sheplu) - **Jean Burellier** + * [tarunyadav1](https://github.com/tarunyadav1) - **Tarun yadav** + * [tunniclm](https://github.com/tunniclm) - **Mike Tunnicliffe** +
+ + ## License [MIT](LICENSE) @@ -164,3 +253,4 @@ The current lead maintainer is [Douglas Christopher Wilson](https://github.com/d [npm-install-size-url]: https://packagephobia.com/result?p=express [npm-url]: https://npmjs.org/package/express [npm-version-image]: https://badgen.net/npm/v/express +[Code of Conduct]: https://github.com/expressjs/express/blob/master/Code-Of-Conduct.md From 897290b68549034fb12f7bbb2cf6dae6c6f36096 Mon Sep 17 00:00:00 2001 From: Blake Embrey Date: Fri, 10 May 2024 16:09:39 -0700 Subject: [PATCH 29/52] List and sort all projects, add captains --- Contributing.md | 76 ++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 59 insertions(+), 17 deletions(-) diff --git a/Contributing.md b/Contributing.md index 4262b0f20d..46289af613 100644 --- a/Contributing.md +++ b/Contributing.md 
@@ -63,13 +63,13 @@ compromise among committers be the default resolution mechanism. Anyone can become a triager! Read more about the process of being a triager in [the triage process document](Triager-Guide.md). -Currently, any existing [organization member](https://github.com/orgs/expressjs/people) can nominate -a new triager. If you are interested in becoming a triager, our best advice is to actively participate +Currently, any existing [organization member](https://github.com/orgs/expressjs/people) can nominate +a new triager. If you are interested in becoming a triager, our best advice is to actively participate in the community by helping triaging issues and pull requests. As well we recommend -to engage in other community activities like attending the TC meetings, and participating in the Slack +to engage in other community activities like attending the TC meetings, and participating in the Slack discussions. -You can also reach out to any of the [organization members](https://github.com/orgs/expressjs/people) +You can also reach out to any of the [organization members](https://github.com/orgs/expressjs/people) if you have questions or need guidance. ## Becoming a Committer 
@@ -139,28 +139,70 @@ the project, their GitHub handle and npm username (if different). The PR will re at least 2 approvals from TC members and 2 weeks hold time to allow for comment and/or dissent. When the PR is merged, a TC member will add them to the proper GitHub/npm groups. -### Current Project Captains +### Active Projects and Captains -- `expressjs/express`: @wesleytodd -- `expressjs/discussions`: @wesleytodd -- `expressjs/expressjs.com`: @crandmck, @jonchurch +- `expressjs/badgeboard`: @wesleytodd +- `expressjs/basic-auth-connect`: N/A - `expressjs/body-parser`: @wesleytodd, @jonchurch -- `expressjs/multer`: @LinusU -- `expressjs/morgan`: @jonchurch +- `expressjs/compression`: N/A +- `expressjs/connect-multiparty`: N/A - `expressjs/cookie-parser`: @wesleytodd +- `expressjs/cookie-session`: N/A - `expressjs/cors`: @jonchurch +- `expressjs/discussions`: @wesleytodd +- `expressjs/errorhandler`: N/A +- `expressjs/express-paginate`: N/A +- `expressjs/express`: @wesleytodd +- `expressjs/expressjs.com`: @crandmck, @jonchurch +- `expressjs/flash`: N/A - `expressjs/generator`: @wesleytodd +- `expressjs/method-override`: N/A +- `expressjs/morgan`: @jonchurch +- `expressjs/multer`: @LinusU +- `expressjs/response-time`: @blakeembrey +- `expressjs/serve-favicon`: N/A +- `expressjs/serve-index`: N/A +- `expressjs/serve-static`: N/A +- `expressjs/session`: N/A - `expressjs/statusboard`: @wesleytodd -- `pillarjs/encodeurl`: @blakeembrey -- `pillarjs/path-to-regexp`: @blakeembrey -- `pillarjs/router`: @dougwilson, @wesleytodd -- `pillarjs/finalhandler`: @wesleytodd -- `pillarjs/request`: @wesleytodd -- `jshttp/http-errors`: @wesleytodd, @jonchurch +- `expressjs/timeout`: N/A +- `expressjs/vhost`: N/A +- `jshttp/accepts`: @blakeembrey +- `jshttp/basic-auth`: @blakeembrey +- `jshttp/compressible`: @blakeembrey +- `jshttp/content-disposition`: @blakeembrey +- `jshttp/content-type`: @blakeembrey - `jshttp/cookie`: @wesleytodd +- `jshttp/etag`: @blakeembrey +- 
`jshttp/forwarded`: @blakeembrey +- `jshttp/fresh`: @blakeembrey +- `jshttp/http-assert`: @wesleytodd, @jonchurch +- `jshttp/http-errors`: @wesleytodd, @jonchurch +- `jshttp/media-typer`: @blakeembrey +- `jshttp/methods`: @blakeembrey +- `jshttp/mime-db`: @blakeembrey +- `jshttp/mime-types`: @blakeembrey +- `jshttp/negotiator`: @blakeembrey - `jshttp/on-finished`: @wesleytodd -- `jshttp/forwarded`: @wesleytodd +- `jshttp/on-headers`: @blakeembrey - `jshttp/proxy-addr`: @wesleytodd +- `jshttp/range-parser`: @blakeembrey +- `jshttp/statuses`: @blakeembrey +- `jshttp/type-is`: @blakeembrey +- `jshttp/vary`: @blakeembrey +- `pillarjs/cookies`: @blakeembrey +- `pillarjs/csrf`: N/A +- `pillarjs/encodeurl`: @blakeembrey +- `pillarjs/finalhandler`: @wesleytodd +- `pillarjs/hbs`: N/A +- `pillarjs/multiparty`: @blakeembrey +- `pillarjs/parseurl`: @blakeembrey +- `pillarjs/path-to-regexp`: @blakeembrey +- `pillarjs/request`: @wesleytodd +- `pillarjs/resolve-path`: @blakeembrey +- `pillarjs/router`: @blakeembrey +- `pillarjs/send`: @blakeembrey +- `pillarjs/understanding-csrf`: N/A ### Current Initiative Captains From a7d6d29ed3a8eeb91954447696d1a28b982702a4 Mon Sep 17 00:00:00 2001 From: Blake Embrey Date: Mon, 13 May 2024 16:12:36 -0700 Subject: [PATCH 30/52] Add @UlisesGascon to mime repos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- Contributing.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Contributing.md b/Contributing.md index 46289af613..292fdc40b7 100644 --- a/Contributing.md +++ b/Contributing.md 
@@ -180,8 +180,8 @@ dissent. When the PR is merged, a TC member will add them to the proper GitHub/ - `jshttp/http-errors`: @wesleytodd, @jonchurch - `jshttp/media-typer`: @blakeembrey - `jshttp/methods`: @blakeembrey -- `jshttp/mime-db`: @blakeembrey -- `jshttp/mime-types`: @blakeembrey +- `jshttp/mime-db`: @blakeembrey, @UlisesGascon +- `jshttp/mime-types`: @blakeembrey, @UlisesGascon - `jshttp/negotiator`: @blakeembrey - `jshttp/on-finished`: @wesleytodd - `jshttp/on-headers`: @blakeembrey From 2803a2b35ae37209a44a8d3b19c141482fd57437 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 23 May 2024 00:29:16 +0200 Subject: [PATCH 31/52] docs: add @UlisesGascon as captain for cookie-parser (#5666) --- Contributing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Contributing.md b/Contributing.md index 292fdc40b7..1654cee02f 100644 --- a/Contributing.md +++ b/Contributing.md @@ -146,7 +146,7 @@ dissent. When the PR is merged, a TC member will add them to the proper GitHub/ - `expressjs/body-parser`: @wesleytodd, @jonchurch - `expressjs/compression`: N/A - `expressjs/connect-multiparty`: N/A -- `expressjs/cookie-parser`: @wesleytodd +- `expressjs/cookie-parser`: @wesleytodd, @UlisesGascon - `expressjs/cookie-session`: N/A - `expressjs/cors`: @jonchurch - `expressjs/discussions`: @wesleytodd From 689073d657b646b5d01448a6a69f88016f40761b Mon Sep 17 00:00:00 2001 From: Chris de Almeida Date: Wed, 5 Jun 2024 16:25:58 -0500 Subject: [PATCH 32/52] =?UTF-8?q?=E2=9C=A8=20bring=20back=20query=20tests?= =?UTF-8?q?=20for=20node=2021=20(#5690)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/ci.yml | 11 +---------- .npmrc | 1 + test/support/utils.js | 3 +-- 3 files changed, 3 insertions(+), 12 deletions(-) create mode 100644 .npmrc diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 488d394f62..02137e595e 100644 --- a/.github/workflows/ci.yml 
+++ b/.github/workflows/ci.yml @@ -135,7 +135,7 @@ jobs: - name: Node.js 21.x node-version: "21.6" - + - name: Node.js 22.x node-version: "22.0" @@ -148,15 +148,6 @@ jobs: nvm install --default ${{ matrix.node-version }} dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" - - name: Configure npm - run: | - npm config set loglevel error - if [[ "$(npm config get package-lock)" == "true" ]]; then - npm config set package-lock false - else - npm config set shrinkwrap false - fi - - name: Install npm module(s) ${{ matrix.npm-i }} run: npm install --save-dev ${{ matrix.npm-i }} if: matrix.npm-i != '' diff --git a/.npmrc b/.npmrc new file mode 100644 index 0000000000..43c97e719a --- /dev/null +++ b/.npmrc @@ -0,0 +1 @@ +package-lock=false diff --git a/test/support/utils.js b/test/support/utils.js index 440a0269bc..a4d9fb8b54 100644 --- a/test/support/utils.js +++ b/test/support/utils.js @@ -77,12 +77,11 @@ function getMajorVersion(versionString) { } function shouldSkipQuery(versionString) { - // Temporarily skipping this test on 21 and 22 + // Temporarily skipping this test on 22 // update this implementation to run on those release lines on supported versions once they exist // upstream tracking https://github.com/nodejs/node/pull/51719 // express tracking issue: https://github.com/expressjs/express/issues/5615 var majorsToSkip = { - "21": true, "22": true } return majorsToSkip[getMajorVersion(versionString)] From f42b160bbc0c391c06cad1c6c37eea5305f78cd2 Mon Sep 17 00:00:00 2001 
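Review bot: The removed "Configure npm" step also set `npm config set loglevel error`, and the new `.npmrc` only carries `package-lock=false`, so that part of the CI configuration is silently lost rather than moved. A committed `.npmrc` is also read on every contributor's machine, not just in CI, so local `npm install` stops writing a lockfile from this commit on; if that is intended it deserves a line in the commit message or a comment in `.npmrc` such as `# keep CI and local installs lockfile-free; see the CI workflow`. The `shouldSkipQuery` hunk in test/support/utils.js returns `undefined` rather than `false` for non-skipped majors because it is a bare object lookup; harmless for the current callers, but `return majorsToSkip[getMajorVersion(versionString)] === true` would make it a real boolean.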
From: Jon Church Date: Fri, 7 Jun 2024 19:48:48 -0400 Subject: [PATCH 33/52] [v4] Deprecate `res.clearCookie` accepting `options.maxAge` and `options.expires` (#5672) * add deprecation notice for res.clearCookie maxAge/expires * update History.md for clearCookie deprecation change * add tests to codify deprecated behavior Co-authored-by: Chris de Almeida --------- Co-authored-by: Chris de Almeida --- History.md | 2 ++ lib/response.js | 8 ++++++++ test/res.clearCookie.js | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+) diff --git a/History.md b/History.md index 1aefd4b968..c02b24ffba 100644 --- a/History.md +++ b/History.md @@ -3,6 +3,8 @@ unreleased * deps: encodeurl@~2.0.0 - Removes encoding of `\`, `|`, and `^` to align better with URL spec + * Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie` + - Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie 4.19.2 / 2024-03-25 ========== diff --git a/lib/response.js b/lib/response.js index 29845a7d83..68d969ff05 100644 --- a/lib/response.js +++ b/lib/response.js @@ -822,6 +822,14 @@ res.get = function(field){ */ res.clearCookie = function clearCookie(name, options) { + if (options) { + if (options.maxAge) { + deprecate('res.clearCookie: Passing "options.maxAge" is deprecated. In v5.0.0 of Express, this option will be ignored, as res.clearCookie will automatically set cookies to expire immediately. Please update your code to omit this option.'); + } + if (options.expires) { + deprecate('res.clearCookie: Passing "options.expires" is deprecated. In v5.0.0 of Express, this option will be ignored, as res.clearCookie will automatically set cookies to expire immediately. Please update your code to omit this option.'); + } + } var opts = merge({ expires: new Date(1), path: '/' }, options); return this.cookie(name, '', opts); 
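Review bot: The new guards in res.clearCookie test `options.maxAge` and `options.expires` for truthiness, so an explicit `maxAge: 0` (a valid Max-Age value) is merged into `opts` with no deprecation warning even though the message says v5 will ignore the option. Checking for presence instead, `if (options.maxAge != null)` and `if (options.expires != null)`, warns on every value the caller actually passed. The two deprecation strings differ only in the option name; deriving both from one template (or looping over `['maxAge', 'expires']`) keeps them from drifting apart on the next edit. The closing of clearCookie falls outside the hunk.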
diff --git a/test/res.clearCookie.js b/test/res.clearCookie.js index fc0cfb99a3..3d8a6a5a81 100644 --- a/test/res.clearCookie.js +++ b/test/res.clearCookie.js @@ -32,5 +32,37 @@ describe('res', function(){ .expect('Set-Cookie', 'sid=; Path=/admin; Expires=Thu, 01 Jan 1970 00:00:00 GMT') .expect(200, done) }) + + it('should set expires when passed', function(done) { + var expiresAt = new Date() + var app = express(); + + app.use(function(req, res){ + res.clearCookie('sid', { expires: expiresAt }).end(); + }); + + request(app) + .get('/') + .expect('Set-Cookie', 'sid=; Path=/; Expires=' + expiresAt.toUTCString() ) + .expect(200, done) + }) + + it('should set both maxAge and expires when passed', function(done) { + var maxAgeInMs = 10000 + var expiresAt = new Date() + var expectedExpires = new Date(expiresAt.getTime() + maxAgeInMs) + var app = express(); + + app.use(function(req, res){ + res.clearCookie('sid', { expires: expiresAt, maxAge: maxAgeInMs }).end(); + }); + + request(app) + .get('/') + // yes, this is the behavior. When we set a max-age, we also set expires to a date 10 sec ahead of expires + // even if we set max-age only, we will also set an expires 10 sec in the future + .expect('Set-Cookie', 'sid=; Max-Age=10; Path=/; Expires=' + expectedExpires.toUTCString()) + .expect(200, done) + }) }) }) From 61421a8c0c2abf011868d90df93813992e3c7563 Mon Sep 17 00:00:00 2001 
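Review bot: Neither new test checks that a deprecation is emitted; both only pin the pass-through of `expires`/`maxAge` into Set-Cookie, so the deprecate() calls this commit adds to lib/response.js have no coverage and could be dropped without a test failing. Whether the test support has a helper for asserting deprecation output I cannot tell from here, but if it does, each test should use it. The inline comment on the second test is hard to follow ("set expires to a date 10 sec ahead of expires"); suggest `// maxAge is also reflected as Expires = now + maxAge, so both attributes are emitted`.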
From: Jon Church Date: Sat, 8 Jun 2024 23:25:42 -0400 Subject: [PATCH 34/52] skip QUERY tests for Node 21 only, still not supported (#5695) * skip QUERY tests for Node 21 only, still not supported QUERY support has now landed in Node 22.2.0, but is still not supported in 21.7.3 QUERY showed up in http.METHODS in 21.7.2. Only Node versions after that will attempt to run tests for it, based on the way we dynamically test members of the http.METHODS array from Node * update CI to run on 21.7 and 22.2 --- .github/workflows/ci.yml | 4 ++-- test/app.router.js | 4 +++- test/res.send.js | 4 +++- test/support/utils.js | 11 ++++------- 4 files changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 02137e595e..920db416d6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -134,10 +134,10 @@ jobs: node-version: "20.11" - name: Node.js 21.x - node-version: "21.6" + node-version: "21.7" - name: Node.js 22.x - node-version: "22.0" + node-version: "22.2" steps: - uses: actions/checkout@v4 diff --git a/test/app.router.js b/test/app.router.js index ae87092f00..707333f043 100644 --- a/test/app.router.js +++ b/test/app.router.js @@ -39,9 +39,11 @@ describe('app.router', function(){ describe('methods', function(){ methods.concat('del').forEach(function(method){ if (method === 'connect') return; - if (method === 'query' && shouldSkipQuery(process.versions.node)) return it('should include ' + method.toUpperCase(), function(done){ + if (method === 'query' && shouldSkipQuery(process.versions.node)) { + this.skip() + } var app = express(); app[method]('/foo', function(req, res){ diff --git a/test/res.send.js b/test/res.send.js index 1e1835f823..b4cf68a7df 100644 --- a/test/res.send.js +++ b/test/res.send.js 
@@ -409,9 +409,11 @@ describe('res', function(){ methods.forEach(function (method) { if (method === 'connect') return; - if (method === 'query' && shouldSkipQuery(process.versions.node)) return it('should send ETag in response to ' + method.toUpperCase() + ' request', function (done) { + if (method === 'query' && shouldSkipQuery(process.versions.node)) { + this.skip() + } var app = express(); app[method]('/', function (req, res) { diff --git a/test/support/utils.js b/test/support/utils.js index a4d9fb8b54..5ad4ca9841 100644 --- a/test/support/utils.js +++ b/test/support/utils.js @@ -77,13 +77,10 @@ function getMajorVersion(versionString) { } function shouldSkipQuery(versionString) { - // Temporarily skipping this test on 22 - // update this implementation to run on those release lines on supported versions once they exist - // upstream tracking https://github.com/nodejs/node/pull/51719 + // Skipping HTTP QUERY tests on Node 21, it is reported in http.METHODS on 21.7.2 but not supported + // update this implementation to run on supported versions of 21 once they exist + // upstream tracking https://github.com/nodejs/node/issues/51562 // express tracking issue: https://github.com/expressjs/express/issues/5615 - var majorsToSkip = { - "22": true - } - return majorsToSkip[getMajorVersion(versionString)] + return Number(getMajorVersion(versionString)) === 21 } From 6d084715ba6ca5301e9ac1efe4309e555973b364 Mon Sep 17 00:00:00 2001 From: Chris de Almeida Date: Mon, 10 Jun 2024 16:19:11 -0500 Subject: [PATCH 35/52] =?UTF-8?q?=F0=9F=93=9D=20update=20people,=20add=20c?= =?UTF-8?q?tcpip=20to=20TC=20(#5683)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Readme.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Readme.md b/Readme.md index 01acf9e2f1..365c7b6104 100644 --- a/Readme.md +++ b/Readme.md 
@@ -161,8 +161,6 @@ $ npm test The original author of Express is [TJ Holowaychuk](https://github.com/tj) -The current lead maintainer is [Douglas Christopher Wilson](https://github.com/dougwilson) - [List of all contributors](https://github.com/expressjs/express/graphs/contributors) ### TC (Technical Committee) @@ -174,6 +172,7 @@ The current lead maintainer is [Douglas Christopher Wilson](https://github.com/d * [blakeembrey](https://github.com/blakeembrey) - **Blake Embrey** * [sheplu](https://github.com/sheplu) - **Jean Burellier** * [crandmck](https://github.com/crandmck) - **Rand McKinney** +* [ctcpip](https://github.com/ctcpip) - **Chris de Almeida**
TC emeriti members From 4cf7eed927d3ccd3f1d0c9a14d562ec0a1635e86 Mon Sep 17 00:00:00 2001 From: Jon Church Date: Wed, 26 Jun 2024 18:23:19 -0400 Subject: [PATCH 36/52] remove minor version pinning from ci (#5722) --- .github/workflows/ci.yml | 44 ++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 920db416d6..09004fec75 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -61,83 +61,83 @@ jobs: npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - name: io.js 1.x - node-version: "1.8" + node-version: "1" npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - name: io.js 2.x - node-version: "2.5" + node-version: "2" npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - name: io.js 3.x - node-version: "3.3" + node-version: "3" npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - name: Node.js 4.x - node-version: "4.9" + node-version: "4" npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - name: Node.js 5.x - node-version: "5.12" + node-version: "5" npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - name: Node.js 6.x - node-version: "6.17" + node-version: "6" npm-i: mocha@6.2.2 nyc@14.1.1 supertest@3.4.2 - name: Node.js 7.x - node-version: "7.10" + node-version: "7" npm-i: mocha@6.2.2 nyc@14.1.1 supertest@6.1.6 - name: Node.js 8.x - node-version: "8.17" + node-version: "8" npm-i: mocha@7.2.0 nyc@14.1.1 - name: Node.js 9.x - node-version: "9.11" + node-version: "9" npm-i: mocha@7.2.0 nyc@14.1.1 - name: Node.js 10.x - node-version: "10.24" + node-version: "10" npm-i: mocha@8.4.0 - name: Node.js 11.x - node-version: "11.15" + node-version: "11" npm-i: mocha@8.4.0 - name: Node.js 12.x - node-version: "12.22" + node-version: "12" npm-i: mocha@9.2.2 - name: Node.js 13.x - node-version: "13.14" + node-version: "13" npm-i: mocha@9.2.2 - name: Node.js 14.x - node-version: "14.20" + node-version: "14" - name: Node.js 15.x - node-version: "15.14" + node-version: "15" - name: Node.js 16.x - node-version: "16.20" + node-version: "16" - name: Node.js 17.x - node-version: "17.9" + node-version: "17" - name: Node.js 18.x - node-version: "18.19" + node-version: "18" - name: Node.js 19.x - node-version: "19.9" + node-version: "19" - name: Node.js 20.x - node-version: "20.11" + node-version: "20" - name: Node.js 21.x - node-version: "21.7" + node-version: "21" - name: Node.js 22.x - node-version: "22.2" + node-version: "22" steps: - uses: actions/checkout@v4 
From 2ec589c1133e2eec29a951b4976c50db638f7dd5 Mon Sep 17 00:00:00 2001 From: S M Mahmudul Hasan Date: Thu, 18 Jul 2024 02:44:03 +0600 Subject: [PATCH 37/52] Fix Contributor Covenant link definition reference in attribution section (#5762) --- Code-Of-Conduct.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Code-Of-Conduct.md b/Code-Of-Conduct.md index bbb8996a65..ca4c6b3146 100644 --- a/Code-Of-Conduct.md +++ b/Code-Of-Conduct.md @@ -127,7 +127,7 @@ project community. ## Attribution -This Code of Conduct is adapted from the [Contributor Covenant, version 2.0](cc-20-doc). +This Code of Conduct is adapted from the [Contributor Covenant, version 2.0][cc-20-doc]. Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity). From 088856c3f82d5101d2831db8516e1ec991eb426a Mon Sep 17 00:00:00 2001 From: ctcpip Date: Thu, 25 Jul 2024 12:30:07 -0500 Subject: [PATCH 38/52] =?UTF-8?q?=F0=9F=92=9A=20add=20legacy=20CI,=20clean?= =?UTF-8?q?=20up?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/ci.yml | 26 ++--- .github/workflows/legacy.yml | 182 +++++++++++++++++++++++++++++++++++ 2 files changed, 188 insertions(+), 20 deletions(-) create mode 100644 .github/workflows/legacy.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0575f075e7..7718a2fa9e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -10,24 +10,10 @@ jobs: strategy: fail-fast: false matrix: - name: - - Node.js 18.x - - Node.js 19.x - - Node.js 20.x - - Node.js 21.x + node-version: [18, 19, 20, 21, 22] + # Node.js release schedule: https://nodejs.org/en/about/releases/ - include: - - name: Node.js 18.x - node-version: "18.19" - - - name: Node.js 19.x - node-version: "19.9" - - - name: Node.js 20.x - node-version: "20.11" - - - name: Node.js 21.x - node-version: "21.6" + name: Node.js ${{ matrix.node-version }} steps: - uses: actions/checkout@v4 @@ -70,7 +56,7 @@ jobs: shell: bash run: | npm run test-ci - cp coverage/lcov.info "coverage/${{ matrix.name }}.lcov" + cp coverage/lcov.info "coverage/${{ matrix.node-version }}.lcov" - name: Lint code if: steps.list_env.outputs.eslint != '' @@ -78,9 +64,9 @@ jobs: - name: Collect code coverage run: | - mv ./coverage "./${{ matrix.name }}" + mv ./coverage "./${{ matrix.node-version }}" mkdir ./coverage - mv "./${{ matrix.name }}" "./coverage/${{ matrix.name }}" + mv "./${{ matrix.node-version }}" "./coverage/${{ matrix.node-version }}" - name: Upload code coverage uses: actions/upload-artifact@v3 diff --git a/.github/workflows/legacy.yml b/.github/workflows/legacy.yml new file mode 100644 index 0000000000..5bf3b69a9f --- /dev/null +++ b/.github/workflows/legacy.yml 
@@ -0,0 +1,182 @@ +name: legacy + +on: +- pull_request +- push + +jobs: + test: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + name: + - Node.js 4.0 + - Node.js 4.x + - Node.js 5.x + - Node.js 6.x + - Node.js 7.x + - Node.js 8.x + - Node.js 9.x + - Node.js 10.x + - Node.js 11.x + - Node.js 12.x + - Node.js 13.x + - Node.js 14.x + - Node.js 15.x + - Node.js 16.x + - Node.js 17.x + + include: + - name: Node.js 4.0 + node-version: "4.0" + npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 + + - name: Node.js 4.x + node-version: "4.9" + npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 + + - name: Node.js 5.x + node-version: "5.12" + npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 + + - name: Node.js 6.x + node-version: "6.17" + npm-i: mocha@6.2.2 nyc@14.1.1 supertest@3.4.2 + + - name: Node.js 7.x + node-version: "7.10" + npm-i: mocha@6.2.2 nyc@14.1.1 supertest@6.1.6 + + - name: Node.js 8.x + node-version: "8.17" + npm-i: mocha@7.2.0 nyc@14.1.1 + + - name: Node.js 9.x + node-version: "9.11" + npm-i: mocha@7.2.0 nyc@14.1.1 + + - name: Node.js 10.x + node-version: "10.24" + npm-i: mocha@8.4.0 + + - name: Node.js 11.x + node-version: "11.15" + npm-i: mocha@8.4.0 + + - name: Node.js 12.x + node-version: "12.22" + npm-i: mocha@9.2.2 + + - name: Node.js 13.x + node-version: "13.14" + npm-i: mocha@9.2.2 + + - name: Node.js 14.x + node-version: "14.20" + + - name: Node.js 15.x + node-version: "15.14" + + - name: Node.js 16.x + node-version: "16.20" + + - name: Node.js 17.x + node-version: "17.9" + + steps: + - uses: actions/checkout@v4 + + - name: Install Node.js ${{ matrix.node-version }} + shell: bash -eo pipefail -l {0} + run: | + nvm install --default ${{ matrix.node-version }} + dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" + + - name: Configure npm + run: | + npm config set loglevel error + if [[ "$(npm config get package-lock)" == "true" ]]; then + npm config set package-lock false + else + npm config set shrinkwrap false + fi + + - name: 
Install npm module(s) ${{ matrix.npm-i }} + run: npm install --save-dev ${{ matrix.npm-i }} + if: matrix.npm-i != '' + + - name: Remove non-test dependencies + run: npm rm --silent --save-dev connect-redis + + - name: Setup Node.js version-specific dependencies + shell: bash + run: | + # eslint for linting + # - remove on Node.js < 12 + if [[ "$(cut -d. -f1 <<< "${{ matrix.node-version }}")" -lt 12 ]]; then + node -pe 'Object.keys(require("./package").devDependencies).join("\n")' | \ + grep -E '^eslint(-|$)' | \ + sort -r | \ + xargs -n1 npm rm --silent --save-dev + fi + + - name: Install Node.js dependencies + run: npm install + + - name: List environment + id: list_env + shell: bash + run: | + echo "node@$(node -v)" + echo "npm@$(npm -v)" + npm -s ls ||: + (npm -s ls --depth=0 ||:) | awk -F'[ @]' 'NR>1 && $2 { print $2 "=" $3 }' >> "$GITHUB_OUTPUT" + + - name: Run tests + shell: bash + run: | + npm run test-ci + cp coverage/lcov.info "coverage/${{ matrix.name }}.lcov" + + - name: Lint code + if: steps.list_env.outputs.eslint != '' + run: npm run lint + + - name: Collect code coverage + run: | + mv ./coverage "./${{ matrix.name }}" + mkdir ./coverage + mv "./${{ matrix.name }}" "./coverage/${{ matrix.name }}" + + - name: Upload code coverage + uses: actions/upload-artifact@v3 + with: + name: coverage + path: ./coverage + retention-days: 1 + + coverage: + needs: test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install lcov + shell: bash + run: sudo apt-get -y install lcov + + - name: Collect coverage reports + uses: actions/download-artifact@v3 + with: + name: coverage + path: ./coverage + + - name: Merge coverage reports + shell: bash + run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./coverage/lcov.info + + - name: Upload coverage report + uses: coverallsapp/github-action@master + with: + github-token: ${{ secrets.GITHUB_TOKEN }} 
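Review bot: The coverage job uses `coverallsapp/github-action@master`, a mutable branch of a third-party action, and hands it `secrets.GITHUB_TOKEN`; whatever lands on that branch later runs in this repository's context, so it should be pinned to a full commit SHA with a `# vX.Y.Z` comment naming the release it corresponds to. The other actions (`actions/checkout@v4`, `actions/upload-artifact@v3`, `actions/download-artifact@v3`) are pinned only to major tags and would benefit from the same treatment. Both `actions/checkout@v4` steps keep the default `persist-credentials`, which leaves the token in `.git/config` for every subsequent step; nothing in this workflow pushes, so `with: persist-credentials: false` on each checkout is enough.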
From f4bd86ed361ea9710ed0f7b4634e66c8e3b88b40 Mon Sep 17 00:00:00 2001 From: Jon Church Date: Sat, 27 Jul 2024 14:15:55 -0400 Subject: [PATCH 39/52] Replace Appveyor windows testing with GHA (#5599) This PR moves us off of Appveyor for windows testing. We are now doing windows/linux testing on GHA. With the exception of iojs, which we are only testing on Linux and have split out to its own workflow. We have also added npm-shrinkwrap.json to our gitignore, in order to not have to configure npm in CI to ignore it. If it's never checked in, it shouldn't exist in CI as you need to go out of your way to create it w/ npm. --- .github/workflows/ci.yml | 288 ++++++++++++++++--------------------- .github/workflows/iojs.yml | 69 +++++++++ .gitignore | 1 + package.json | 4 +- 4 files changed, 197 insertions(+), 165 deletions(-) create mode 100644 .github/workflows/iojs.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 09004fec75..b3ddd6b23a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -20,187 +20,149 @@ concurrency: cancel-in-progress: true jobs: - test: + lint: + name: Lint runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Setup Node.js {{ matrix.node-version }} + uses: actions/setup-node@v4 + with: + node-version: 'lts/*' + persist-credentials: false + + - name: Install dependencies + run: npm install --ignore-scripts --only=dev + + - name: Run lint + run: npm run lint + + test: + name: Run tests strategy: fail-fast: false matrix: - name: - - Node.js 0.10 - - Node.js 0.12 - - io.js 1.x - - io.js 2.x - - io.js 3.x - - Node.js 4.x - - Node.js 5.x - - Node.js 6.x - - Node.js 7.x - - Node.js 8.x - - Node.js 9.x - - Node.js 10.x - - Node.js 11.x - - Node.js 12.x - - Node.js 13.x - - Node.js 14.x - - Node.js 15.x - - Node.js 16.x - - Node.js 17.x - - Node.js 18.x - - Node.js 19.x - - Node.js 20.x - - Node.js 21.x - - Node.js 22.x - + os: [ubuntu-latest, windows-latest] + node-version: + - "0.10" + - "0.12" + - "4" + - "5" + - "6" + - "7" + - "8" + - "9" + - "10" + - "11" + - "12" + - "13" + - "14" + - "15" + - "16" + - "17" + - "18" + - "19" + - "20" + - "21" + - "22" + # Use supported versions of our testing tools under older versions of Node + # Install npm in some specific cases where we need to include: - - name: Node.js 0.10 - node-version: "0.10" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: Node.js 0.12 - node-version: "0.12" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: io.js 1.x - node-version: "1" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: io.js 2.x - node-version: "2" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: io.js 3.x - node-version: "3" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: Node.js 4.x - node-version: "4" - npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - - - name: Node.js 5.x - node-version: "5" - npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - - - name: Node.js 6.x - node-version: "6" - npm-i: mocha@6.2.2 nyc@14.1.1 
supertest@3.4.2 - - - name: Node.js 7.x - node-version: "7" - npm-i: mocha@6.2.2 nyc@14.1.1 supertest@6.1.6 - - - name: Node.js 8.x - node-version: "8" - npm-i: mocha@7.2.0 nyc@14.1.1 + - node-version: "0.10" + npm-i: "mocha@3.5.3 nyc@10.3.2 supertest@2.0.0" + # Npm isn't being installed on windows w/ setup-node for + # 0.10 and 0.12, which will end up choking when npm uses es6 + npm-version: "npm@2.15.1" - - name: Node.js 9.x - node-version: "9" - npm-i: mocha@7.2.0 nyc@14.1.1 + - node-version: "0.12" + npm-i: "mocha@3.5.3 nyc@10.3.2 supertest@2.0.0" + npm-version: "npm@2.15.11" - - name: Node.js 10.x - node-version: "10" - npm-i: mocha@8.4.0 + - node-version: "4" + npm-i: "mocha@5.2.0 nyc@11.9.0 supertest@3.4.2" - - name: Node.js 11.x - node-version: "11" - npm-i: mocha@8.4.0 + - node-version: "5" + npm-i: "mocha@5.2.0 nyc@11.9.0 supertest@3.4.2" + # fixes https://github.com/npm/cli/issues/681 + npm-version: "npm@3.10.10" - - name: Node.js 12.x - node-version: "12" - npm-i: mocha@9.2.2 + - node-version: "6" + npm-i: "mocha@6.2.2 nyc@14.1.1 supertest@3.4.2" - - name: Node.js 13.x - node-version: "13" - npm-i: mocha@9.2.2 + - node-version: "7" + npm-i: "mocha@6.2.2 nyc@14.1.1 supertest@6.1.6" - - name: Node.js 14.x - node-version: "14" + - node-version: "8" + npm-i: "mocha@7.2.0 nyc@14.1.1" - - name: Node.js 15.x - node-version: "15" + - node-version: "9" + npm-i: "mocha@7.2.0 nyc@14.1.1" - - name: Node.js 16.x - node-version: "16" + - node-version: "10" + npm-i: "mocha@8.4.0" - - name: Node.js 17.x - node-version: "17" + - node-version: "11" + npm-i: "mocha@8.4.0" - - name: Node.js 18.x - node-version: "18" + - node-version: "12" + npm-i: "mocha@9.2.2" - - name: Node.js 19.x - node-version: "19" - - - name: Node.js 20.x - node-version: "20" - - - name: Node.js 21.x - node-version: "21" - - - name: Node.js 22.x - node-version: "22" + - node-version: "13" + npm-i: "mocha@9.2.2" + runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 - - - name: Install 
Node.js ${{ matrix.node-version }} - shell: bash -eo pipefail -l {0} - run: | - nvm install --default ${{ matrix.node-version }} - dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" - - - name: Install npm module(s) ${{ matrix.npm-i }} - run: npm install --save-dev ${{ matrix.npm-i }} - if: matrix.npm-i != '' - - - name: Remove non-test dependencies - run: npm rm --silent --save-dev connect-redis - - - name: Setup Node.js version-specific dependencies - shell: bash - run: | - # eslint for linting - # - remove on Node.js < 12 - if [[ "$(cut -d. -f1 <<< "${{ matrix.node-version }}")" -lt 12 ]]; then - node -pe 'Object.keys(require("./package").devDependencies).join("\n")' | \ - grep -E '^eslint(-|$)' | \ - sort -r | \ - xargs -n1 npm rm --silent --save-dev - fi - - - name: Install Node.js dependencies - run: npm install - - - name: List environment - id: list_env - shell: bash - run: | - echo "node@$(node -v)" - echo "npm@$(npm -v)" - npm -s ls ||: - (npm -s ls --depth=0 ||:) | awk -F'[ @]' 'NR>1 && $2 { print $2 "=" $3 }' >> "$GITHUB_OUTPUT" - - - name: Run tests - shell: bash - run: | - npm run test-ci - cp coverage/lcov.info "coverage/${{ matrix.name }}.lcov" - - - name: Lint code - if: steps.list_env.outputs.eslint != '' - run: npm run lint - - - name: Collect code coverage - run: | - mv ./coverage "./${{ matrix.name }}" - mkdir ./coverage - mv "./${{ matrix.name }}" "./coverage/${{ matrix.name }}" - - - name: Upload code coverage - uses: actions/upload-artifact@v3 - with: - name: coverage - path: ./coverage - retention-days: 1 + - uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Setup Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v4 + with: + node-version: ${{ matrix.node-version }} + + - name: Npm version fixes + if: ${{matrix.npm-version != ''}} + run: npm install -g ${{ matrix.npm-version }} + + - name: Configure npm loglevel + run: | + npm config set loglevel error + shell: bash + + - name: Install 
dependencies + run: npm install + + - name: Install Node version specific dev deps + if: ${{ matrix.npm-i != '' }} + run: npm install --save-dev ${{ matrix.npm-i }} + + - name: Remove non-test dependencies + run: npm rm --silent --save-dev connect-redis + + - name: Output Node and NPM versions + run: | + echo "Node.js version: $(node -v)" + echo "NPM version: $(npm -v)" + + - name: Run tests + shell: bash + run: | + npm run test-ci + cp coverage/lcov.info "coverage/${{ matrix.node-version }}.lcov" + + - name: Collect code coverage + run: | + mv ./coverage "./${{ matrix.node-version }}" + mkdir ./coverage + mv "./${{ matrix.node-version }}" "./coverage/${{ matrix.node-version }}" + + - name: Upload code coverage + uses: actions/upload-artifact@v3 + with: + name: coverage + path: ./coverage + retention-days: 1 coverage: needs: test diff --git a/.github/workflows/iojs.yml b/.github/workflows/iojs.yml new file mode 100644 index 0000000000..c1268abd68 --- /dev/null +++ b/.github/workflows/iojs.yml 
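Review bot: The lint job's step name `Setup Node.js {{ matrix.node-version }}` is missing the `$` of the expression syntax, and the lint job has no matrix anyway, so the step would be labelled with the literal braces; `- name: Setup Node.js (lts/*)` says what it does. The lint job installs with `--ignore-scripts`, but the test job's `npm install` and the `npm install --save-dev ${{ matrix.npm-i }}` step run every dependency's lifecycle scripts on both runners; whether the test suite needs install scripts I cannot tell from here, but if not, adding `--ignore-scripts` to those two steps keeps the jobs consistent. All action references are pinned to major tags only (`actions/checkout@v4`, `actions/setup-node@v4`, `actions/upload-artifact@v3`); pinning to commit SHAs is the stricter option for a workflow that runs on pull requests. The `coverage:` job starts at the end of the hunk and continues outside it.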
@@ -0,0 +1,69 @@ +name: iojs-ci + +on: + push: + branches: + - master + - '4.x' + paths-ignore: + - '*.md' + pull_request: + paths-ignore: + - '*.md' + +concurrency: + group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" + cancel-in-progress: true + +jobs: + test: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + node-version: ["1.8", "2.5", "3.3"] + include: + - node-version: "1.8" + npm-i: "mocha@3.5.3 nyc@10.3.2 supertest@2.0.0" + - node-version: "2.5" + npm-i: "mocha@3.5.3 nyc@10.3.2 supertest@2.0.0" + - node-version: "3.3" + npm-i: "mocha@3.5.3 nyc@10.3.2 supertest@2.0.0" + + steps: + - uses: actions/checkout@v4 + + - name: Install iojs ${{ matrix.node-version }} + shell: bash -eo pipefail -l {0} + run: | + nvm install --default ${{ matrix.node-version }} + dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" + + - name: Configure npm + run: | + npm config set loglevel error + npm config set shrinkwrap false + + - name: Install npm module(s) ${{ matrix.npm-i }} + run: npm install --save-dev ${{ matrix.npm-i }} + if: matrix.npm-i != '' + + - name: Remove non-test dependencies + run: npm rm --silent --save-dev connect-redis + + - name: Install Node.js dependencies + run: npm install + + - name: List environment + id: list_env + shell: bash + run: | + echo "node@$(node -v)" + echo "npm@$(npm -v)" + npm -s ls ||: + (npm -s ls --depth=0 ||:) | awk -F'[ @]' 'NR>1 && $2 { print $2 "=" $3 }' >> "$GITHUB_OUTPUT" + + - name: Run tests + shell: bash + run: npm run test + diff --git a/.gitignore b/.gitignore index 3a673d9cc0..1bd5c02b28 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ # npm node_modules package-lock.json +npm-shrinkwrap.json *.log *.gz diff --git a/package.json b/package.json index 88e4206fe6..71781e11d6 100644 --- a/package.json +++ b/package.json 
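Review bot: The `actions/checkout@v4` step in this new workflow has no `persist-credentials: false`, unlike the checkout steps the same commit adds to ci.yml, so the GITHUB_TOKEN stays in `.git/config` for the remaining steps even though nothing here pushes; add `with: persist-credentials: false` to keep the two workflows consistent. The matrix `include:` entries repeat the same `npm-i` value three times; since every io.js version installs the identical tool set, a single `npm-i` key alongside the matrix, or a comment saying the duplication is deliberate, would make future edits less error-prone.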
@@ -91,8 +91,8 @@ "scripts": { "lint": "eslint .", "test": "mocha --require test/support/env --reporter spec --bail --check-leaks test/ test/acceptance/", - "test-ci": "nyc --reporter=lcovonly --reporter=text npm test", - "test-cov": "nyc --reporter=html --reporter=text npm test", + "test-ci": "nyc --exclude examples --exclude test --exclude benchmarks --reporter=lcovonly --reporter=text npm test", + "test-cov": "nyc --exclude examples --exclude test --exclude benchmarks --reporter=html --reporter=text npm test", "test-tap": "mocha --require test/support/env --reporter tap --check-leaks test/ test/acceptance/" } } From 2177f67f5439494f7a29a8d04f744cc20fb9f201 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 28 Jul 2024 12:55:10 +0200 Subject: [PATCH 40/52] docs: add OSSF Scorecard badge (#5436) PR-URL: https://github.com/expressjs/express/pull/5436 --- Readme.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Readme.md b/Readme.md index 365c7b6104..0fa719e237 100644 --- a/Readme.md +++ b/Readme.md @@ -22,6 +22,8 @@ [![NPM Version][npm-version-image]][npm-url] [![NPM Install Size][npm-install-size-image]][npm-install-size-url] [![NPM Downloads][npm-downloads-image]][npm-downloads-url] +[![OpenSSF Scorecard Badge][ossf-scorecard-badge]][ossf-scorecard-visualizer] + ```js const express = require('express') @@ -252,4 +254,6 @@ The original author of Express is [TJ Holowaychuk](https://github.com/tj) [npm-install-size-url]: https://packagephobia.com/result?p=express [npm-url]: https://npmjs.org/package/express [npm-version-image]: https://badgen.net/npm/v/express +[ossf-scorecard-badge]: https://api.securityscorecards.dev/projects/github.com/expressjs/express/badge +[ossf-scorecard-visualizer]: https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/expressjs/express [Code of Conduct]: https://github.com/expressjs/express/blob/master/Code-Of-Conduct.md 
From 9c756b01050de1d0a52eca507093862fb1cf2fe1 Mon Sep 17 00:00:00 2001 From: ctcpip Date: Fri, 2 Aug 2024 13:15:51 -0500 Subject: [PATCH 41/52] =?UTF-8?q?=F0=9F=92=9A=20remove=20node=20<11,=20all?= =?UTF-8?q?=20failing=20permanently=20now?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/legacy.yml | 40 ------------------------------------ 1 file changed, 40 deletions(-) diff --git a/.github/workflows/legacy.yml b/.github/workflows/legacy.yml index 5bf3b69a9f..2d9d50440d 100644 --- a/.github/workflows/legacy.yml +++ b/.github/workflows/legacy.yml @@ -11,14 +11,6 @@ jobs: fail-fast: false matrix: name: - - Node.js 4.0 - - Node.js 4.x - - Node.js 5.x - - Node.js 6.x - - Node.js 7.x - - Node.js 8.x - - Node.js 9.x - - Node.js 10.x - Node.js 11.x - Node.js 12.x - Node.js 13.x @@ -28,38 +20,6 @@ jobs: - Node.js 17.x include: - - name: Node.js 4.0 - node-version: "4.0" - npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - - - name: Node.js 4.x - node-version: "4.9" - npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - - - name: Node.js 5.x - node-version: "5.12" - npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - - - name: Node.js 6.x - node-version: "6.17" - npm-i: mocha@6.2.2 nyc@14.1.1 supertest@3.4.2 - - - name: Node.js 7.x - node-version: "7.10" - npm-i: mocha@6.2.2 nyc@14.1.1 supertest@6.1.6 - - - name: Node.js 8.x - node-version: "8.17" - npm-i: mocha@7.2.0 nyc@14.1.1 - - - name: Node.js 9.x - node-version: "9.11" - npm-i: mocha@7.2.0 nyc@14.1.1 - - - name: Node.js 10.x - node-version: "10.24" - npm-i: mocha@8.4.0 - - name: Node.js 11.x node-version: "11.15" npm-i: mocha@8.4.0 From f5b6e67aed1d8e81c30bd5be7bb88dbbfabfeb64 Mon Sep 17 00:00:00 2001 
From: Sebastian Beltran Date: Sun, 18 Aug 2024 13:37:51 -0500 Subject: [PATCH 42/52] docs: update scorecard link (#5814) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- Readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Readme.md b/Readme.md index 0fa719e237..34362d856f 100644 --- a/Readme.md +++ b/Readme.md @@ -254,6 +254,6 @@ The original author of Express is [TJ Holowaychuk](https://github.com/tj) [npm-install-size-url]: https://packagephobia.com/result?p=express [npm-url]: https://npmjs.org/package/express [npm-version-image]: https://badgen.net/npm/v/express -[ossf-scorecard-badge]: https://api.securityscorecards.dev/projects/github.com/expressjs/express/badge -[ossf-scorecard-visualizer]: https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/expressjs/express +[ossf-scorecard-badge]: https://api.scorecard.dev/projects/github.com/expressjs/express/badge +[ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/expressjs/express [Code of Conduct]: https://github.com/expressjs/express/blob/master/Code-Of-Conduct.md From e35380a39d94937e3d0f7119e0efbc7cd69d003f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 19 Aug 2024 22:12:24 +0200 Subject: [PATCH 43/52] docs: add @IamLizu to the triage team (#5836) PR-URL: https://github.com/expressjs/express/pull/5836 --- Readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Readme.md b/Readme.md index 34362d856f..bc108d55fc 100644 --- a/Readme.md +++ b/Readme.md 
@@ -202,6 +202,7 @@ The original author of Express is [TJ Holowaychuk](https://github.com/tj) * [3imed-jaberi](https://github.com/3imed-jaberi) - **Imed Jaberi** * [dakshkhetan](https://github.com/dakshkhetan) - **Daksh Khetan** (he/him) * [lucasraziel](https://github.com/lucasraziel) - **Lucas Soares Do Rego** +* [IamLizu](https://github.com/IamLizu) - **S M Mahmudul Hasan** (he/him) * [Sushmeet](https://github.com/Sushmeet) - **Sushmeet Sunger**
From c5addb9a17c5b4c9fccdd2c04153a30595e03385 Mon Sep 17 00:00:00 2001 From: Blake Embrey Date: Wed, 21 Aug 2024 20:15:02 -0700 Subject: [PATCH 44/52] deps: path-to-regexp@0.1.8 (#5603) --- History.md | 2 ++ package.json | 2 +- test/app.router.js | 26 ++++++++++++++++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/History.md b/History.md index c02b24ffba..d81f423d16 100644 --- a/History.md +++ b/History.md @@ -1,6 +1,8 @@ unreleased ========== + * deps: path-to-regexp@0.1.8 + - Adds support for named matching groups in the routes using a regex * deps: encodeurl@~2.0.0 - Removes encoding of `\`, `|`, and `^` to align better with URL spec * Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie` diff --git a/package.json b/package.json index 71781e11d6..e88618f997 100644 --- a/package.json +++ b/package.json @@ -47,7 +47,7 @@ "methods": "~1.1.2", "on-finished": "2.4.1", "parseurl": "~1.3.3", - "path-to-regexp": "0.1.7", + "path-to-regexp": "0.1.8", "proxy-addr": "~2.0.7", "qs": "6.11.0", "range-parser": "~1.2.1", diff --git a/test/app.router.js b/test/app.router.js index 707333f043..8e427bd6dc 100644 --- a/test/app.router.js +++ b/test/app.router.js @@ -193,6 +193,23 @@ describe('app.router', function(){ .expect('editing user 10', done); }) + if (supportsRegexp('(?.*)')) { + it('should populate req.params with named captures', function(done){ + var app = express(); + var re = new RegExp('^/user/(?[0-9]+)/(view|edit)?$'); + + app.get(re, function(req, res){ + var id = req.params.userId + , op = req.params[0]; + res.end(op + 'ing user ' + id); + }); + + request(app) + .get('/user/10/edit') + .expect('editing user 10', done); + }) + } + it('should ensure regexp matches path prefix', function (done) { var app = express() var p = [] 
@@ -1114,3 +1131,12 @@ describe('app.router', function(){ assert.strictEqual(app.get('/', function () {}), app) }) }) + +function supportsRegexp(source) { + try { + new RegExp(source) + return true + } catch (e) { + return false + } +} From a3e7e05e0a435b7b4be25bd38d8d0ca19a773ca9 Mon Sep 17 00:00:00 2001 From: S M Mahmudul Hasan Date: Thu, 22 Aug 2024 22:25:14 +0600 Subject: [PATCH 45/52] docs: specify new instructions for `question` and `discuss` PR-URL: https://github.com/expressjs/express/pull/5835 --- Triager-Guide.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/Triager-Guide.md b/Triager-Guide.md index a2909ef30d..c15e6be531 100644 --- a/Triager-Guide.md +++ b/Triager-Guide.md @@ -9,11 +9,18 @@ classification: * `needs triage`: This can be kept if the triager is unsure which next steps to take * `awaiting more info`: If more info has been requested from the author, apply this label. -* `question`: User questions that do not appear to be bugs or enhancements. -* `discuss`: Topics for discussion. Might end in an `enhancement` or `question` label. * `bug`: Issues that present a reasonable conviction there is a reproducible bug. * `enhancement`: Issues that are found to be a reasonable candidate feature additions. +If the issue is a question or discussion, it should be moved to GitHub Discussions. + +### Moving Discussions and Questions to GitHub Discussions + +For issues labeled with `question` or `discuss`, it is recommended to move them to GitHub Discussions instead: + +* **Questions**: User questions that do not appear to be bugs or enhancements should be moved to GitHub Discussions. +* **Discussions**: Topics for discussion should be moved to GitHub Discussions. If the discussion leads to a new feature or bug identification, it can be moved back to Issues. + In all cases, issues may be closed by maintainers if they don't receive a timely response when further information is sought, or when additional questions are asked. 
From 2a980ad16052e53b398c9953fea50e3daa0b495c Mon Sep 17 00:00:00 2001 From: Anna Bocharova Date: Fri, 23 Aug 2024 22:39:13 +0200 Subject: [PATCH 46/52] merge-descriptors@1.0.3 (#5781) * Allow patches for `merge-descriptors` dependency * Set fixed latest of v1 (1.0.3) --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e88618f997..91e29013a3 100644 --- a/package.json +++ b/package.json @@ -43,7 +43,7 @@ "finalhandler": "1.2.0", "fresh": "0.5.2", "http-errors": "2.0.0", - "merge-descriptors": "1.0.1", + "merge-descriptors": "1.0.3", "methods": "~1.1.2", "on-finished": "2.4.1", "parseurl": "~1.3.3", From 125bb742a38cd97938a3932b47cc301e41c31f5d Mon Sep 17 00:00:00 2001 From: Blake Embrey Date: Mon, 9 Sep 2024 14:02:06 -0700 Subject: [PATCH 47/52] path-to-regexp@0.1.10 (#5902) * path-to-regexp@0.1.10 * Update History.md --- History.md | 3 ++- package.json | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/History.md b/History.md index d81f423d16..b0aa2e0959 100644 --- a/History.md +++ b/History.md @@ -1,8 +1,9 @@ unreleased ========== - * deps: path-to-regexp@0.1.8 + * deps: path-to-regexp@0.1.10 - Adds support for named matching groups in the routes using a regex + - Adds backtracking protection to parameters without regexes defined * deps: encodeurl@~2.0.0 - Removes encoding of `\`, `|`, and `^` to align better with URL spec * Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie` diff --git a/package.json b/package.json index 91e29013a3..87cf10be9c 100644 --- a/package.json +++ b/package.json @@ -47,7 +47,7 @@ "methods": "~1.1.2", "on-finished": "2.4.1", "parseurl": "~1.3.3", - "path-to-regexp": "0.1.8", + "path-to-regexp": "0.1.10", "proxy-addr": "~2.0.7", "qs": "6.11.0", "range-parser": "~1.2.1", From 54271f69b511fea198471e6ff3400ab805d6b553 Mon Sep 17 00:00:00 2001 
From: Chris de Almeida Date: Mon, 9 Sep 2024 17:16:58 -0500 Subject: [PATCH 48/52] fix: don't render redirect values in anchor href MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- lib/response.js | 2 +- test/res.redirect.js | 24 +++++++++++++++++++++--- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/lib/response.js b/lib/response.js index 68d969ff05..76b6b54a3b 100644 --- a/lib/response.js +++ b/lib/response.js @@ -969,7 +969,7 @@ res.redirect = function redirect(url) { html: function(){ var u = escapeHtml(address); - body = '

' + statuses.message[status] + '. Redirecting to ' + u + '

' + body = '

' + statuses.message[status] + '. Redirecting to ' + u + '

' }, default: function(){ diff --git a/test/res.redirect.js b/test/res.redirect.js index 5ffc7e48f1..f7214d9331 100644 --- a/test/res.redirect.js +++ b/test/res.redirect.js @@ -106,7 +106,7 @@ describe('res', function(){ .set('Accept', 'text/html') .expect('Content-Type', /html/) .expect('Location', 'http://google.com') - .expect(302, '
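Review bot: The new `html` branch builds `body` as `'. Redirecting to ' + u + ...` with no comment recording why the anchor around `u` was dropped (the surrounding tags are stripped in this rendering), so the next maintainer is likely to put the link back for usability. I would add directly above the assignment: `// Render the target as text only: an <a href> built from a caller-supplied URL is still clickable after escapeHtml (e.g. a javascript: target), which makes the redirect page an XSS sink.` It is also worth stating in that comment that this changes the HTML body only; the `Location` header still carries whatever `res.location()` produced, so applications redirecting to untrusted input still need their own allow-list check before calling `res.redirect`. The body of `res.redirect` starts outside this hunk and the `default` (text) branch is cut off below it.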

Found. Redirecting to http://google.com

', done) + .expect(302, '

Found. Redirecting to http://google.com

', done) }) it('should escape the url', function(done){ @@ -122,9 +122,27 @@ describe('res', function(){ .set('Accept', 'text/html') .expect('Content-Type', /html/) .expect('Location', '%3Cla\'me%3E') - .expect(302, '

Found. Redirecting to %3Cla'me%3E

', done) + .expect(302, '

Found. Redirecting to %3Cla'me%3E

', done) }) + it('should not render evil javascript links in anchor href (prevent XSS)', function(done){ + var app = express(); + var xss = 'javascript:eval(document.body.innerHTML=`

XSS

`);'; + var encodedXss = 'javascript:eval(document.body.innerHTML=%60%3Cp%3EXSS%3C/p%3E%60);'; + + app.use(function(req, res){ + res.redirect(xss); + }); + + request(app) + .get('/') + .set('Host', 'http://example.com') + .set('Accept', 'text/html') + .expect('Content-Type', /html/) + .expect('Location', encodedXss) + .expect(302, '

Found. Redirecting to ' + encodedXss +'

', done); + }); + it('should include the redirect type', function(done){ var app = express(); @@ -137,7 +155,7 @@ describe('res', function(){ .set('Accept', 'text/html') .expect('Content-Type', /html/) .expect('Location', 'http://google.com') - .expect(301, '

Moved Permanently. Redirecting to http://google.com

', done); + .expect(301, '

Moved Permanently. Redirecting to http://google.com

', done); }) }) From ec4a01b6b8814d7b007f36a3023f4dbafdbc3d09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 10 Sep 2024 01:36:30 +0200 Subject: [PATCH 49/52] feat: upgrade to body-parser@1.20.3 (#5926) PR-URL: https://github.com/expressjs/express/pull/5926 --- History.md | 5 ++++- package.json | 2 +- test/express.urlencoded.js | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/History.md b/History.md index b0aa2e0959..904db45b23 100644 --- a/History.md +++ b/History.md @@ -1,6 +1,9 @@ unreleased ========== - + * deps: body-parser@0.6.0 + * add `depth` option to customize the depth level in the parser + * IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`) + * Remove link renderization in html while using `res.redirect` * deps: path-to-regexp@0.1.10 - Adds support for named matching groups in the routes using a regex - Adds backtracking protection to parameters without regexes defined diff --git a/package.json b/package.json index 87cf10be9c..4c0fea2d2e 100644 --- a/package.json +++ b/package.json @@ -30,7 +30,7 @@ "dependencies": { "accepts": "~1.3.8", "array-flatten": "1.1.1", - "body-parser": "1.20.2", + "body-parser": "1.20.3", "content-disposition": "0.5.4", "content-type": "~1.0.4", "cookie": "0.6.0", diff --git a/test/express.urlencoded.js b/test/express.urlencoded.js index e07432c86c..537fb797e7 100644 --- a/test/express.urlencoded.js +++ b/test/express.urlencoded.js @@ -212,7 +212,7 @@ describe('express.urlencoded()', function () { it('should parse deep object', function (done) { var str = 'foo' - for (var i = 0; i < 500; i++) { + for (var i = 0; i < 32; i++) { str += '[p]' } @@ -230,7 +230,7 @@ describe('express.urlencoded()', function () { var depth = 0 var ref = obj.foo while ((ref = ref.p)) { depth++ } - assert.strictEqual(depth, 500) + assert.strictEqual(depth, 32) }) .expect(200, done) }) 
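Review bot: The rewritten depth test only shows that a 32-level `foo[p]...[p]` body still parses; nothing pins what happens one level past the new default limit, and that limit is the security-relevant behaviour this bump exists for (the History.md hunk in this commit says the default `depth` is now 32, previously unbounded). Add a companion case that builds the string with `for (var i = 0; i < 33; i++) { str += '[p]' }` and asserts the response the parser actually gives at the limit, whether that is a 400 or a truncated object; I cannot confirm from here which body-parser@1.20.3 does, so check before writing the expectation. Separately, the changelog hunk in this same commit reads `deps: body-parser@0.6.0` while package.json pins `1.20.3`, which will confuse anyone auditing the 4.20.0 release notes. The `describe('express.urlencoded()')` block starts outside this hunk.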
From 9ebe5d500d22cbb2b8aaa73446866b084c747971 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 10 Sep 2024 02:46:25 +0200 Subject: [PATCH 50/52] feat: upgrade to send@0.19.0 (#5928) --- History.md | 2 ++ package.json | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/History.md b/History.md index 904db45b23..9f47885e3d 100644 --- a/History.md +++ b/History.md @@ -1,5 +1,7 @@ unreleased ========== + * deps: send@0.19.0 + * Remove link renderization in html while redirecting * deps: body-parser@0.6.0 * add `depth` option to customize the depth level in the parser * IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`) diff --git a/package.json b/package.json index 4c0fea2d2e..1dc8c5b70c 100644 --- a/package.json +++ b/package.json @@ -52,7 +52,7 @@ "qs": "6.11.0", "range-parser": "~1.2.1", "safe-buffer": "5.2.1", - "send": "0.18.0", + "send": "0.19.0", "serve-static": "1.15.0", "setprototypeof": "1.2.0", "statuses": "2.0.1", From 4c9ddc1c47bf579e55c2fe837d76a952e9fd8959 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 10 Sep 2024 03:24:32 +0200 Subject: [PATCH 51/52] feat: upgrade to serve-static@0.16.0 --- History.md | 2 ++ package.json | 2 +- test/express.static.js | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/History.md b/History.md index 9f47885e3d..3fe5fc7aaf 100644 --- a/History.md +++ b/History.md @@ -1,5 +1,7 @@ unreleased ========== + * deps: serve-static@0.16.0 + * Remove link renderization in html while redirecting * deps: send@0.19.0 * Remove link renderization in html while redirecting * deps: body-parser@0.6.0 diff --git a/package.json b/package.json index 1dc8c5b70c..e9045763b0 100644 --- a/package.json +++ b/package.json 
@@ -53,7 +53,7 @@ "range-parser": "~1.2.1", "safe-buffer": "5.2.1", "send": "0.19.0", - "serve-static": "1.15.0", + "serve-static": "1.16.0", "setprototypeof": "1.2.0", "statuses": "2.0.1", "type-is": "~1.6.18", diff --git a/test/express.static.js b/test/express.static.js index 245fd5929c..23e607ed93 100644 --- a/test/express.static.js +++ b/test/express.static.js @@ -486,7 +486,7 @@ describe('express.static()', function () { request(this.app) .get('/users') .expect('Location', '/users/') - .expect(301, //, done) + .expect(301, /\/users\//, done) }) it('should redirect directories with query string', function (done) { @@ -508,7 +508,7 @@ describe('express.static()', function () { .get('/snow') .expect('Location', '/snow%20%E2%98%83/') .expect('Content-Type', /html/) - .expect(301, />Redirecting to \/snow%20%E2%98%83\/<\/a>Redirecting to \/snow%20%E2%98%83\/ Date: Tue, 10 Sep 2024 03:32:10 +0200 Subject: [PATCH 52/52] 4.20.0 --- History.md | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/History.md b/History.md index 3fe5fc7aaf..887a38f182 100644 --- a/History.md +++ b/History.md @@ -1,4 +1,4 @@ -unreleased +4.20.0 / 2024-09-10 ========== * deps: serve-static@0.16.0 * Remove link renderization in html while redirecting diff --git a/package.json b/package.json index e9045763b0..bffa70a6f1 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "express", "description": "Fast, unopinionated, minimalist web framework", - "version": "4.19.2", + "version": "4.20.0", "author": "TJ Holowaychuk ", "contributors": [ "Aaron Heckmann ",
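Review bot: The rewritten assertion `.expect(301, /\/users\//, done)` only proves the target path appears somewhere in the body; since this bump is specifically about serve-static no longer rendering the redirect target as a link, the test should also state that no anchor is emitted, e.g. `.expect(function (res) { assert(!/<a\s/i.test(res.text)) })` placed before the final `.expect(301, ...)`, provided `assert` is in scope in this file. The previous pattern is rendered as `//` on this page, so what it matched before is not recoverable here. Separately, the commit title and History.md say `serve-static@0.16.0` while package.json pins `1.16.0`. The `it(...)` callback containing `request(this.app)` starts outside this hunk.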