3.19.1

fixes #2459

.gitignore

@@ -1,16 +1,26 @@
-coverage/
-.DS_Store
-*.seed
+# OS X
+.DS_Store*
+Icon?
+._*
+
+# Windows
+Thumbs.db
+ehthumbs.db
+Desktop.ini
+
+# Linux
+.directory
+*~
+
+
+# npm
+node_modules
 *.log
-*.csv
-*.dat
-*.out
-*.pid
-*.swp
-*.swo
+*.gz
+
+
+# Coveralls
+coverage
+
+# Benchmarking
 benchmarks/graphs
-testing
-node_modules/
-testing
-test.js
-.idea

.npmignore

@@ -1,10 +0,0 @@
-.git*
-benchmarks/
-coverage/
-docs/
-examples/
-support/
-test/
-testing.js
-.DS_Store
-.travis.yml

History.md

@@ -1,3 +1,445 @@
+3.19.1 / 2015-01-20
+===================
+
+  * deps: connect@2.28.2
+    - deps: body-parser@~1.10.2
+    - deps: serve-static@~1.8.1
+  * deps: send@0.11.1
+    - Fix root path disclosure
+
+3.19.0 / 2015-01-09
+===================
+
+  * Fix `OPTIONS` responses to include the `HEAD` method property
+  * Use `readline` for prompt in `express(1)`
+  * deps: commander@2.6.0
+  * deps: connect@2.28.1
+    - deps: body-parser@~1.10.1
+    - deps: compression@~1.3.0
+    - deps: connect-timeout@~1.5.0
+    - deps: csurf@~1.6.4
+    - deps: debug@~2.1.1
+    - deps: errorhandler@~1.3.2
+    - deps: express-session@~1.10.1
+    - deps: finalhandler@0.3.3
+    - deps: method-override@~2.3.1
+    - deps: morgan@~1.5.1
+    - deps: serve-favicon@~2.2.0
+    - deps: serve-index@~1.6.0
+    - deps: serve-static@~1.8.0
+    - deps: type-is@~1.5.5
+  * deps: debug@~2.1.1
+  * deps: methods@~1.1.1
+  * deps: proxy-addr@~1.0.5
+    - deps: ipaddr.js@0.1.6
+  * deps: send@0.11.0
+    - deps: debug@~2.1.1
+    - deps: etag@~1.5.1
+    - deps: ms@0.7.0
+    - deps: on-finished@~2.2.0
+
+3.18.6 / 2014-12-12
+===================
+
+  * Fix exception in `req.fresh`/`req.stale` without response headers
+
+3.18.5 / 2014-12-11
+===================
+
+  * deps: connect@2.27.6
+    - deps: compression@~1.2.2
+    - deps: express-session@~1.9.3
+    - deps: http-errors@~1.2.8
+    - deps: serve-index@~1.5.3
+    - deps: type-is@~1.5.4
+
+3.18.4 / 2014-11-23
+===================
+
+  * deps: connect@2.27.4
+    - deps: body-parser@~1.9.3
+    - deps: compression@~1.2.1
+    - deps: errorhandler@~1.2.3
+    - deps: express-session@~1.9.2
+    - deps: qs@2.3.3
+    - deps: serve-favicon@~2.1.7
+    - deps: serve-static@~1.5.1
+    - deps: type-is@~1.5.3
+  * deps: etag@~1.5.1
+  * deps: proxy-addr@~1.0.4
+    - deps: ipaddr.js@0.1.5
+
+3.18.3 / 2014-11-09
+===================
+
+  * deps: connect@2.27.3
+    - Correctly invoke async callback asynchronously
+    - deps: csurf@~1.6.3
+
+3.18.2 / 2014-10-28
+===================
+
+  * deps: connect@2.27.2
+    - Fix handling of URLs containing `://` in the path
+    - deps: body-parser@~1.9.2
+    - deps: qs@2.3.2
+
+3.18.1 / 2014-10-22
+===================
+
+  * Fix internal `utils.merge` deprecation warnings
+  * deps: connect@2.27.1
+    - deps: body-parser@~1.9.1
+    - deps: express-session@~1.9.1
+    - deps: finalhandler@0.3.2
+    - deps: morgan@~1.4.1
+    - deps: qs@2.3.0
+    - deps: serve-static@~1.7.1
+  * deps: send@0.10.1
+    - deps: on-finished@~2.1.1
+
+3.18.0 / 2014-10-17
+===================
+
+  * Use `content-disposition` module for `res.attachment`/`res.download`
+    - Sends standards-compliant `Content-Disposition` header
+    - Full Unicode support
+  * Use `etag` module to generate `ETag` headers
+  * deps: connect@2.27.0
+    - Use `http-errors` module for creating errors
+    - Use `utils-merge` module for merging objects
+    - deps: body-parser@~1.9.0
+    - deps: compression@~1.2.0
+    - deps: connect-timeout@~1.4.0
+    - deps: debug@~2.1.0
+    - deps: depd@~1.0.0
+    - deps: express-session@~1.9.0
+    - deps: finalhandler@0.3.1
+    - deps: method-override@~2.3.0
+    - deps: morgan@~1.4.0
+    - deps: response-time@~2.2.0
+    - deps: serve-favicon@~2.1.6
+    - deps: serve-index@~1.5.0
+    - deps: serve-static@~1.7.0
+  * deps: debug@~2.1.0
+    - Implement `DEBUG_FD` env variable support
+  * deps: depd@~1.0.0
+  * deps: send@0.10.0
+    - deps: debug@~2.1.0
+    - deps: depd@~1.0.0
+    - deps: etag@~1.5.0
+
+3.17.8 / 2014-10-15
+===================
+
+  * deps: connect@2.26.6
+    - deps: compression@~1.1.2
+    - deps: csurf@~1.6.2
+    - deps: errorhandler@~1.2.2
+
+3.17.7 / 2014-10-08
+===================
+
+  * deps: connect@2.26.5
+    - Fix accepting non-object arguments to `logger`
+    - deps: serve-static@~1.6.4
+
+3.17.6 / 2014-10-02
+===================
+
+  * deps: connect@2.26.4
+    - deps: morgan@~1.3.2
+    - deps: type-is@~1.5.2
+
+3.17.5 / 2014-09-24
+===================
+
+  * deps: connect@2.26.3
+    - deps: body-parser@~1.8.4
+    - deps: serve-favicon@~2.1.5
+    - deps: serve-static@~1.6.3
+  * deps: proxy-addr@~1.0.3
+    - Use `forwarded` npm module
+  * deps: send@0.9.3
+    - deps: etag@~1.4.0
+
+3.17.4 / 2014-09-19
+===================
+
+  * deps: connect@2.26.2
+    - deps: body-parser@~1.8.3
+    - deps: qs@2.2.4
+
+3.17.3 / 2014-09-18
+===================
+
+  * deps: proxy-addr@~1.0.2
+    - Fix a global leak when multiple subnets are trusted
+    - deps: ipaddr.js@0.1.3
+
+3.17.2 / 2014-09-15
+===================
+
+  * Use `crc` instead of `buffer-crc32` for speed
+  * deps: connect@2.26.1
+    - deps: body-parser@~1.8.2
+    - deps: depd@0.4.5
+    - deps: express-session@~1.8.2
+    - deps: morgan@~1.3.1
+    - deps: serve-favicon@~2.1.3
+    - deps: serve-static@~1.6.2
+  * deps: depd@0.4.5
+  * deps: send@0.9.2
+    - deps: depd@0.4.5
+    - deps: etag@~1.3.1
+    - deps: range-parser@~1.0.2
+
+3.17.1 / 2014-09-08
+===================
+
+  * Fix error in `req.subdomains` on empty host
+
+3.17.0 / 2014-09-08
+===================
+
+  * Support IP address host in `req.subdomains`
+  * deps: connect@2.26.0
+    - deps: body-parser@~1.8.1
+    - deps: compression@~1.1.0
+    - deps: connect-timeout@~1.3.0
+    - deps: cookie-parser@~1.3.3
+    - deps: cookie-signature@1.0.5
+    - deps: csurf@~1.6.1
+    - deps: debug@~2.0.0
+    - deps: errorhandler@~1.2.0
+    - deps: express-session@~1.8.1
+    - deps: finalhandler@0.2.0
+    - deps: fresh@0.2.4
+    - deps: media-typer@0.3.0
+    - deps: method-override@~2.2.0
+    - deps: morgan@~1.3.0
+    - deps: qs@2.2.3
+    - deps: serve-favicon@~2.1.3
+    - deps: serve-index@~1.2.1
+    - deps: serve-static@~1.6.1
+    - deps: type-is@~1.5.1
+    - deps: vhost@~3.0.0
+  * deps: cookie-signature@1.0.5
+  * deps: debug@~2.0.0
+  * deps: fresh@0.2.4
+  * deps: media-typer@0.3.0
+    - Throw error when parameter format invalid on parse
+  * deps: range-parser@~1.0.2
+  * deps: send@0.9.1
+    - Add `lastModified` option
+    - Use `etag` to generate `ETag` header
+    - deps: debug@~2.0.0
+    - deps: fresh@0.2.4
+  * deps: vary@~1.0.0
+    - Accept valid `Vary` header string as `field`
+
+3.16.10 / 2014-09-04
+====================
+
+  * deps: connect@2.25.10
+    - deps: serve-static@~1.5.4
+  * deps: send@0.8.5
+    - Fix a path traversal issue when using `root`
+    - Fix malicious path detection for empty string path
+
+3.16.9 / 2014-08-29
+===================
+
+  * deps: connect@2.25.9
+    - deps: body-parser@~1.6.7
+    - deps: qs@2.2.2
+
+3.16.8 / 2014-08-27
+===================
+
+  * deps: connect@2.25.8
+    - deps: body-parser@~1.6.6
+    - deps: csurf@~1.4.1
+    - deps: qs@2.2.0
+
+3.16.7 / 2014-08-18
+===================
+
+  * deps: connect@2.25.7
+    - deps: body-parser@~1.6.5
+    - deps: express-session@~1.7.6
+    - deps: morgan@~1.2.3
+    - deps: serve-static@~1.5.3
+  * deps: send@0.8.3
+    - deps: destroy@1.0.3
+    - deps: on-finished@2.1.0
+
+3.16.6 / 2014-08-14
+===================
+
+  * deps: connect@2.25.6
+    - deps: body-parser@~1.6.4
+    - deps: qs@1.2.2
+    - deps: serve-static@~1.5.2
+  * deps: send@0.8.2
+    - Work around `fd` leak in Node.js 0.10 for `fs.ReadStream`
+
+3.16.5 / 2014-08-11
+===================
+
+  * deps: connect@2.25.5
+    - Fix backwards compatibility in `logger`
+
+3.16.4 / 2014-08-10
+===================
+
+  * Fix original URL parsing in `res.location`
+  * deps: connect@2.25.4
+    - Fix `query` middleware breaking with argument
+    - deps: body-parser@~1.6.3
+    - deps: compression@~1.0.11
+    - deps: connect-timeout@~1.2.2
+    - deps: express-session@~1.7.5
+    - deps: method-override@~2.1.3
+    - deps: on-headers@~1.0.0
+    - deps: parseurl@~1.3.0
+    - deps: qs@1.2.1
+    - deps: response-time@~2.0.1
+    - deps: serve-index@~1.1.6
+    - deps: serve-static@~1.5.1
+  * deps: parseurl@~1.3.0
+
+3.16.3 / 2014-08-07
+===================
+
+  * deps: connect@2.25.3
+    - deps: multiparty@3.3.2
+
+3.16.2 / 2014-08-07
+===================
+
+  * deps: connect@2.25.2
+    - deps: body-parser@~1.6.2
+    - deps: qs@1.2.0
+
+3.16.1 / 2014-08-06
+===================
+
+  * deps: connect@2.25.1
+    - deps: body-parser@~1.6.1
+    - deps: qs@1.1.0
+
+3.16.0 / 2014-08-05
+===================
+
+  * deps: connect@2.25.0
+    - deps: body-parser@~1.6.0
+    - deps: compression@~1.0.10
+    - deps: csurf@~1.4.0
+    - deps: express-session@~1.7.4
+    - deps: qs@1.0.2
+    - deps: serve-static@~1.5.0
+  * deps: send@0.8.1
+    - Add `extensions` option
+
+3.15.3 / 2014-08-04
+===================
+
+  * fix `res.sendfile` regression for serving directory index files
+  * deps: connect@2.24.3
+    - deps: serve-index@~1.1.5
+    - deps: serve-static@~1.4.4
+  * deps: send@0.7.4
+    - Fix incorrect 403 on Windows and Node.js 0.11
+    - Fix serving index files without root dir
+
+3.15.2 / 2014-07-27
+===================
+
+  * deps: connect@2.24.2
+    - deps: body-parser@~1.5.2
+    - deps: depd@0.4.4
+    - deps: express-session@~1.7.2
+    - deps: morgan@~1.2.2
+    - deps: serve-static@~1.4.2
+  * deps: depd@0.4.4
+    - Work-around v8 generating empty stack traces
+  * deps: send@0.7.2
+    - deps: depd@0.4.4
+
+3.15.1 / 2014-07-26
+===================
+
+  * deps: connect@2.24.1
+    - deps: body-parser@~1.5.1
+    - deps: depd@0.4.3
+    - deps: express-session@~1.7.1
+    - deps: morgan@~1.2.1
+    - deps: serve-index@~1.1.4
+    - deps: serve-static@~1.4.1
+  * deps: depd@0.4.3
+    - Fix exception when global `Error.stackTraceLimit` is too low
+  * deps: send@0.7.1
+    - deps: depd@0.4.3
+
+3.15.0 / 2014-07-22
+===================
+
+  * Fix `req.protocol` for proxy-direct connections
+  * Pass options from `res.sendfile` to `send`
+  * deps: connect@2.24.0
+    - deps: body-parser@~1.5.0
+    - deps: compression@~1.0.9
+    - deps: connect-timeout@~1.2.1
+    - deps: debug@1.0.4
+    - deps: depd@0.4.2
+    - deps: express-session@~1.7.0
+    - deps: finalhandler@0.1.0
+    - deps: method-override@~2.1.2
+    - deps: morgan@~1.2.0
+    - deps: multiparty@3.3.1
+    - deps: parseurl@~1.2.0
+    - deps: serve-static@~1.4.0
+  * deps: debug@1.0.4
+  * deps: depd@0.4.2
+    - Add `TRACE_DEPRECATION` environment variable
+    - Remove non-standard grey color from color output
+    - Support `--no-deprecation` argument
+    - Support `--trace-deprecation` argument
+  * deps: parseurl@~1.2.0
+    - Cache URLs based on original value
+    - Remove no-longer-needed URL mis-parse work-around
+    - Simplify the "fast-path" `RegExp`
+  * deps: send@0.7.0
+    - Add `dotfiles` option
+    - Cap `maxAge` value to 1 year
+    - deps: debug@1.0.4
+    - deps: depd@0.4.2
+
+3.14.0 / 2014-07-11
+===================
+
+ * add explicit "Rosetta Flash JSONP abuse" protection
+   - previous versions are not vulnerable; this is just explicit protection
+ * deprecate `res.redirect(url, status)` -- use `res.redirect(status, url)` instead
+ * fix `res.send(status, num)` to send `num` as json (not error)
+ * remove unnecessary escaping when `res.jsonp` returns JSON response
+ * deps: basic-auth@1.0.0
+   - support empty password
+   - support empty username
+ * deps: connect@2.23.0
+   - deps: debug@1.0.3
+   - deps: express-session@~1.6.4
+   - deps: method-override@~2.1.0
+   - deps: parseurl@~1.1.3
+   - deps: serve-static@~1.3.1
+  * deps: debug@1.0.3
+    - Add support for multiple wildcards in namespaces
+  * deps: methods@1.1.0
+    - add `CONNECT`
+  * deps: parseurl@~1.1.3
+    - faster parsing of href-only URLs
+
 3.13.0 / 2014-07-03
 ===================
 
@@ -43,8 +485,8 @@
  * deprecate things with `depd` module
  * deps: buffer-crc32@0.2.3
  * deps: connect@2.20.2
-   - deprecate `verify` option to `json` -- use `body-parser` module directly
-   - deprecate `verify` option to `urlencoded` -- use `body-parser` module directly
+   - deprecate `verify` option to `json` -- use `body-parser` npm module instead
+   - deprecate `verify` option to `urlencoded` -- use `body-parser` npm module instead
    - deprecate things with `depd` module
    - use `finalhandler` for final response handling
    - use `media-typer` to parse `content-type` for charset
@@ -118,7 +560,7 @@
 ===================
 
  * deps: connect@2.19.1
-   - deprecate `methodOverride()` -- use `method-override` module directly
+   - deprecate `methodOverride()` -- use `method-override` npm module instead
    - deps: body-parser@1.3.0
    - deps: method-override@2.0.1
    - deps: multiparty@3.2.8

Readme.md

@@ -2,7 +2,10 @@
 
   Fast, unopinionated, minimalist web framework for [node](http://nodejs.org).
 
-  [![NPM version](https://badge.fury.io/js/express.svg)](http://badge.fury.io/js/express) [![Build Status](https://travis-ci.org/visionmedia/express.svg?branch=master)](https://travis-ci.org/visionmedia/express) [![Coverage Status](https://img.shields.io/coveralls/visionmedia/express.svg)](https://coveralls.io/r/visionmedia/express) [![Gittip](http://img.shields.io/gittip/visionmedia.svg)](https://www.gittip.com/visionmedia/)
+  [![NPM version](https://img.shields.io/npm/v/express.svg?style=flat)](https://www.npmjs.org/package/express)
+  [![Build Status](https://img.shields.io/travis/strongloop/express.svg?style=flat)](https://travis-ci.org/strongloop/express)
+  [![Coverage Status](https://img.shields.io/coveralls/strongloop/express.svg?style=flat)](https://coveralls.io/r/strongloop/express)
+  [![Gratipay](https://img.shields.io/gratipay/dougwilson.svg?style=flat)](https://gratipay.com/dougwilson/)
 
 ```js
 var express = require('express');
@@ -62,11 +65,11 @@ app.listen(3000);
 
 ## More Information
 
-  * [Website and Documentation](http://expressjs.com/) stored at [visionmedia/expressjs.com](https://github.com/visionmedia/expressjs.com)
+  * [Website and Documentation](http://expressjs.com/) stored at [strongloop/expressjs.com](https://github.com/strongloop/expressjs.com)
   * Join #express on freenode
   * [Google Group](http://groups.google.com/group/express-js) for discussion
   * Follow [tjholowaychuk](http://twitter.com/tjholowaychuk) on twitter for updates
-  * Visit the [Wiki](http://github.com/visionmedia/express/wiki)
+  * Visit the [Wiki](http://github.com/strongloop/express/wiki)
   * [Русскоязычная документация](http://jsman.ru/express/)
   * Run express examples [online](https://runnable.com/express)
 
@@ -74,7 +77,7 @@ app.listen(3000);
 
 Clone the Express repo, then install the dev dependencies to install all the example / test suite dependencies:
 
-    $ git clone git://github.com/visionmedia/express.git --depth 1
+    $ git clone git://github.com/strongloop/express.git --depth 1
     $ cd express
     $ npm install
 
@@ -100,7 +103,7 @@ $ npm test
 
 ## Contributors
 
-  https://github.com/visionmedia/express/graphs/contributors
+  https://github.com/strongloop/express/graphs/contributors
 
 ## License
 

bin/express

@@ -7,6 +7,7 @@
 var program = require('commander')
   , mkdirp = require('mkdirp')
   , pkg = require('../package.json')
+  , readline = require('readline')
   , version = pkg.version
   , os = require('os')
   , fs = require('fs');
@@ -249,7 +250,7 @@ var app = [
     if (empty || program.force) {
       createApplicationAt(path);
     } else {
-      program.confirm('destination is not empty, continue? ', function(ok){
+      confirm('destination is not empty, continue? [y/N] ', function (ok) {
         if (ok) {
           process.stdin.destroy();
           createApplicationAt(path);
@@ -261,6 +262,22 @@ var app = [
   });
 })(path);
 
+/**
+ * Prompt for confirmation on STDOUT/STDIN
+ */
+
+function confirm(msg, callback) {
+  var rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+
+  rl.question(msg, function (input) {
+    rl.close();
+    callback(/^y|yes|ok|true$/i.test(input));
+  });
+}
+
 /**
  * Create application at the given directory `path`.
  *

examples/error-pages/index.js

@@ -8,7 +8,7 @@ var express = require('../../')
 
 // general config
 app.set('views', __dirname + '/views');
-app.set('view engine', 'jade');
+app.set('view engine', 'ejs');
 
 // our custom "verbose errors" setting
 // which we can use in the templates
@@ -82,7 +82,7 @@ app.use(function(err, req, res, next){
 // Routes
 
 app.get('/', function(req, res){
-  res.render('index.jade');
+  res.render('index.ejs');
 });
 
 app.get('/404', function(req, res, next){

examples/error-pages/views/404.ejs

@@ -0,0 +1,3 @@
+<% include error_header %>
+<h2>Cannot find <%= url %></h2>
+<% include footer %>

examples/error-pages/views/404.jade

@@ -1,5 +0,0 @@
-
-extends error
-
-block content
-  h2 Cannot find #{url}

examples/error-pages/views/500.ejs

@@ -0,0 +1,8 @@
+<% include error_header %>
+<h2>Error: <%= error.message %></h2>
+<% if (settings['verbose errors']) { %>
+  <pre><%= error.stack %></pre>
+<% } else { %>
+  <p>An error occurred!</p>
+<% } %>
+<% include footer %>

examples/error-pages/views/500.jade

@@ -1,13 +0,0 @@
-
-// note that we extend a different
-// layout with jade for 4xx & 5xx
-// responses
-
-extends error
-
-block content
-  h1 Error: #{error.message}
-  if settings['verbose errors']
-    pre= error.stack
-  else
-    p An error ocurred!

examples/error-pages/views/error.jade

@@ -1,6 +0,0 @@
-html
-  head 
-    title Error
-  body
-    h1 An error occurred!
-    block content

examples/error-pages/views/error_header.ejs

@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Error</title>
+</head>
+
+<body>
+<h1>An error occurred!</h1>

examples/error-pages/views/footer.ejs

@@ -0,0 +1,2 @@
+</body>
+</html>

examples/error-pages/views/index.ejs

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Custom Pages Example</title>
+</head>
+
+<body>
+<h1>My Site</h1>
+<h2>Pages Example</h2>
+
+<ul>
+<li>visit <a href="/500">500</a></li>
+<li>visit <a href="/404">404</a></li>
+<li>visit <a href="/403">403</a></li>
+</ul>
+
+</body>
+</html>

examples/error-pages/views/index.jade

@@ -1,15 +0,0 @@
-
-extends layout
-
-block content
-  h2 Pages Example
-  ul
-    li 
-      | visit 
-      a(href="/500") 500
-    li
-      | visit 
-      a(href="/404") 404
-    li
-      | visit 
-      a(href='/403') 403

examples/error-pages/views/layout.jade

@@ -1,6 +0,0 @@
-html
-  head 
-    title Custom Pages Example
-  body
-    h1 My Site
-    block content

examples/mvc/controllers/pet/index.js

@@ -1,7 +1,7 @@
 
 var db = require('../../db');
 
-exports.engine = 'jade';
+exports.engine = 'ejs';
 
 exports.before = function(req, res, next){
   var pet = db.pets[req.params.pet_id];

examples/mvc/controllers/pet/views/edit.ejs

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<link rel="stylesheet" href="/style.css">
+<title>Edit <%= pet.name %></title>
+</head>
+
+<body>
+<h1><%= pet.name %></h1>
+<form action="/pet/<%= pet.id %>" method="post">
+  <input type="hidden" name="_method" value="put">
+  <label>Name: <input type="text" name="user[name]" value="<%= pet.name %>"></label>
+  <input type="submit" value="Update">
+</form>
+</body>
+</html>

examples/mvc/controllers/pet/views/edit.jade

@@ -1,7 +0,0 @@
-link(rel='stylesheet', href='/style.css')
-h1= pet.name
-form(action='/pet/#{pet.id}', method='post')
-  input(type='hidden', name='_method', value='put')
-  label Name: 
-    input(type='text', name='user[name]', value=pet.name)
-  input(type='submit', value='Update')

examples/mvc/controllers/pet/views/show.ejs

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<link rel="stylesheet" href="/style.css">
+<title><%= pet.name %></title>
+</head>
+
+<body>
+<h1><%= pet.name %> <a href="/pet/<%= pet.id %>/edit">edit</a></h1>
+
+<p>You are viewing <%= pet.name %></p>
+</body>
+</html>

examples/mvc/controllers/pet/views/show.jade

@@ -1,6 +0,0 @@
-link(rel='stylesheet', href='/style.css')
-
-h1= pet.name
-  a(href='/pet/#{pet.id}/edit')  edit
-
-p You are viewing #{pet.name}

examples/view-constructor/github-view.js

@@ -35,13 +35,13 @@ function GithubView(name, options){
 GithubView.prototype.render = function(options, fn){
   var self = this;
   var opts = {
-    host: 'rawgithub.com',
-    port: 80,
+    host: 'raw.githubusercontent.com',
+    port: 443,
     path: this.path,
     method: 'GET'
   };
 
-  http.request(opts, function(res) {
+  https.request(opts, function(res) {
     var buf = '';
     res.setEncoding('utf8');
     res.on('data', function(str){ buf += str });

examples/view-constructor/index.js

@@ -24,7 +24,7 @@ app.engine('md', function(str, options, fn){
 })
 
 // pointing to a particular github repo to load files from it
-app.set('views', 'visionmedia/express');
+app.set('views', 'strongloop/express');
 
 // register a new view constructor
 app.set('view', GithubView);
@@ -37,7 +37,7 @@ app.get('/', function(req, res){
 })
 
 app.get('/Readme.md', function(req, res){
-  // rendering a view from https://github.com/visionmedia/express/blob/master/Readme.md
+  // rendering a view from https://github.com/strongloop/express/blob/master/Readme.md
   res.render('Readme.md');
 })
 

examples/web-service/index.js

@@ -73,7 +73,7 @@ var apiKeys = ['foo', 'bar', 'baz'];
 // these two objects will serve as our faux database
 
 var repos = [
-    { name: 'express', url: 'http://github.com/visionmedia/express' }
+    { name: 'express', url: 'http://github.com/strongloop/express' }
   , { name: 'stylus', url: 'http://github.com/learnboost/stylus' }
   , { name: 'cluster', url: 'http://github.com/learnboost/cluster' }
 ];

lib/application.js

@@ -11,9 +11,9 @@ var connect = require('connect')
   , compileETag = require('./utils').compileETag
   , compileTrust = require('./utils').compileTrust
   , View = require('./view')
-  , utils = connect.utils
   , http = require('http');
 var deprecate = require('depd')('express');
+var merge = require('utils-merge');
 
 /**
  * Application prototype.
@@ -484,13 +484,15 @@ app.render = function(name, options, fn){
   }
 
   // merge app.locals
-  utils.merge(opts, this.locals);
+  merge(opts, this.locals);
 
   // merge options._locals
-  if (options._locals) utils.merge(opts, options._locals);
+  if (options._locals) {
+    merge(opts, options._locals);
+  }
 
   // merge options
-  utils.merge(opts, options);
+  merge(opts, options);
 
   // set .cache unless explicitly provided
   opts.cache = null == opts.cache

lib/express.js

@@ -3,14 +3,14 @@
  */
 
 var deprecate = require('depd')('express');
-var merge = require('merge-descriptors');
+var mixin = require('merge-descriptors');
+var merge = require('utils-merge');
 var connect = require('connect')
   , proto = require('./application')
   , Route = require('./router/route')
   , Router = require('./router')
   , req = require('./request')
-  , res = require('./response')
-  , utils = connect.utils;
+  , res = require('./response');
 
 /**
  * Expose `createApplication()`.
@@ -33,7 +33,7 @@ exports.mime = connect.mime;
 
 function createApplication() {
   var app = connect();
-  utils.merge(app, proto);
+  merge(app, proto);
   app.request = { __proto__: req, app: app };
   app.response = { __proto__: res, app: app };
   app.init();
@@ -45,7 +45,7 @@ function createApplication() {
  * for example `express.logger` etc.
  */
 
-merge(exports, connect.middleware);
+mixin(exports, connect.middleware);
 
 /**
  * Deprecated createServer().

lib/request.js

@@ -13,6 +13,7 @@ var http = require('http')
   , parse = require('parseurl')
   , proxyaddr = require('proxy-addr')
   , mime = connect.mime;
+var isIP = require('net').isIP;
 
 /**
  * Request prototype.
@@ -341,7 +342,9 @@ req.is = function(type){
  * Return the protocol string "http" or "https"
  * when requested with TLS. When the "trust proxy"
  * setting trusts the socket address, the
- * "X-Forwarded-Proto" header field will be trusted.
+ * "X-Forwarded-Proto" header field will be trusted
+ * and used if present.
+ *
  * If you're running behind a reverse proxy that
  * supplies https for you this may be enabled.
  *
@@ -350,17 +353,18 @@ req.is = function(type){
  */
 
 req.__defineGetter__('protocol', function(){
+  var proto = this.connection.encrypted
+    ? 'https'
+    : 'http';
   var trust = this.app.get('trust proxy fn');
 
   if (!trust(this.connection.remoteAddress)) {
-    return this.connection.encrypted
-      ? 'https'
-      : 'http';
+    return proto;
   }
 
   // Note: X-Forwarded-Proto is normally only ever a
   //       single value, but this is to be safe.
-  var proto = this.get('X-Forwarded-Proto') || 'http';
+  proto = this.get('X-Forwarded-Proto') || proto;
   return proto.split(/\s*,\s*/)[0];
 });
 
@@ -424,7 +428,7 @@ req.__defineGetter__('ips', function(){
  */
 
 req.__defineGetter__('auth', function(){
-  deprecate('req.auth: Use basic-auth module directly');
+  deprecate('req.auth: Use basic-auth npm module instead');
 
   // credentials
   var creds = auth(this);
@@ -449,11 +453,16 @@ req.__defineGetter__('auth', function(){
  */
 
 req.__defineGetter__('subdomains', function(){
+  var host = this.host;
+
+  if (!host) return [];
+
   var offset = this.app.get('subdomain offset');
-  return (this.host || '')
-    .split('.')
-    .reverse()
-    .slice(offset);
+  var subdomains = !isIP(host)
+    ? host.split('.').reverse()
+    : [host];
+
+  return subdomains.slice(offset);
 });
 
 /**
@@ -517,7 +526,7 @@ req.__defineGetter__('fresh', function(){
 
   // 2xx or 304 as per rfc2616 14.26
   if ((s >= 200 && s < 300) || 304 == s) {
-    return fresh(this.headers, this.res._headers);
+    return fresh(this.headers, (this.res._headers || {}));
   }
 
   return false;

lib/response.js

@@ -2,13 +2,15 @@
  * Module dependencies.
  */
 
+var contentDisposition = require('content-disposition');
 var deprecate = require('depd')('express');
 var escapeHtml = require('escape-html');
+var merge = require('utils-merge');
+var parseUrl = require('parseurl');
 var vary = require('vary');
 var http = require('http')
   , path = require('path')
   , connect = require('connect')
-  , utils = connect.utils
   , sign = require('cookie-signature').sign
   , normalizeType = require('./utils').normalizeType
   , normalizeTypes = require('./utils').normalizeTypes
@@ -103,13 +105,15 @@ res.send = function(body){
     }
   }
 
+  // disambiguate res.send(status) and res.send(status, num)
+  if (typeof body === 'number' && arguments.length === 1) {
+    // res.send(status) will set status message as text string
+    this.get('Content-Type') || this.type('txt');
+    this.statusCode = body;
+    body = http.STATUS_CODES[body];
+  }
+
   switch (typeof body) {
-    // response status
-    case 'number':
-      this.get('Content-Type') || this.type('txt');
-      this.statusCode = body;
-      body = http.STATUS_CODES[body];
-      break;
     // string defaulting to html
     case 'string':
       if (!this.get('Content-Type')) {
@@ -118,6 +122,7 @@ res.send = function(body){
       }
       break;
     case 'boolean':
+    case 'number':
     case 'object':
       if (null == body) {
         body = '';
@@ -257,14 +262,15 @@ res.jsonp = function(obj){
   var app = this.app;
   var replacer = app.get('json replacer');
   var spaces = app.get('json spaces');
-  var body = JSON.stringify(obj, replacer, spaces)
-    .replace(/\u2028/g, '\\u2028')
-    .replace(/\u2029/g, '\\u2029');
+  var body = JSON.stringify(obj, replacer, spaces);
   var callback = this.req.query[app.get('jsonp callback name')];
 
   // content-type
-  this.charset = this.charset || 'utf-8';
-  this.get('Content-Type') || this.set('Content-Type', 'application/json');
+  if (!this.get('Content-Type')) {
+    this.charset = 'utf-8';
+    this.set('X-Content-Type-Options', 'nosniff');
+    this.set('Content-Type', 'application/json');
+  }
 
   // fixup callback
   if (Array.isArray(callback)) {
@@ -272,10 +278,22 @@ res.jsonp = function(obj){
   }
 
   // jsonp
-  if (callback && 'string' === typeof callback) {
+  if (typeof callback === 'string' && callback.length !== 0) {
+    this.charset = 'utf-8';
+    this.set('X-Content-Type-Options', 'nosniff');
     this.set('Content-Type', 'text/javascript');
-    var cb = callback.replace(/[^\[\]\w$.]/g, '');
-    body = 'typeof ' + cb + ' === \'function\' && ' + cb + '(' + body + ');';
+
+    // restrict callback charset
+    callback = callback.replace(/[^\[\]\w$.]/g, '');
+
+    // replace chars not allowed in JavaScript that are in JSON
+    body = body
+      .replace(/\u2028/g, '\\u2028')
+      .replace(/\u2029/g, '\\u2029');
+
+    // the /**/ is a specific security mitigation for "Rosetta Flash JSONP abuse"
+    // the typeof check is just to reduce client error noise
+    body = '/**/ typeof ' + callback + ' === \'function\' && ' + callback + '(' + body + ');';
   }
 
   return this.send(body);
@@ -292,8 +310,11 @@ res.jsonp = function(obj){
  *
  * Options:
  *
- *   - `maxAge` defaulting to 0
- *   - `root`   root directory for relative filenames
+ *   - `maxAge`   defaulting to 0
+ *   - `root`     root directory for relative filenames
+ *   - `dotfiles` serve dotfiles, defaulting to false; can be `"allow"` to send them
+ *
+ * Other options are passed along to `send`.
  *
  * Examples:
  *
@@ -369,9 +390,7 @@ res.sendfile = function(path, options, fn){
   }
 
   // transfer
-  var file = send(req, path);
-  if (options.root) file.root(options.root);
-  file.maxage(options.maxAge || 0);
+  var file = send(req, path, options);
   file.on('error', error);
   file.on('directory', next);
   file.on('stream', stream);
@@ -395,15 +414,17 @@ res.sendfile = function(path, options, fn){
  * @api public
  */
 
-res.download = function(path, filename, fn){
+res.download = function download(path, filename, fn) {
   // support function as second arg
-  if ('function' == typeof filename) {
+  if (typeof filename === 'function') {
     fn = filename;
     filename = null;
   }
 
   filename = filename || path;
-  this.set('Content-Disposition', 'attachment; filename="' + basename(filename) + '"');
+
+  this.set('Content-Disposition', contentDisposition(filename));
+
   return this.sendfile(path, fn);
 };
 
@@ -526,11 +547,13 @@ res.format = function(obj){
  * @api public
  */
 
-res.attachment = function(filename){
-  if (filename) this.type(extname(filename));
-  this.set('Content-Disposition', filename
-    ? 'attachment; filename="' + basename(filename) + '"'
-    : 'attachment');
+res.attachment = function attachment(filename) {
+  if (filename) {
+    this.type(extname(filename));
+  }
+
+  this.set('Content-Disposition', contentDisposition(filename));
+
   return this;
 };
 
@@ -590,7 +613,7 @@ res.get = function(field){
 res.clearCookie = function(name, options){
   var opts = { expires: new Date(1), path: '/' };
   return this.cookie(name, '', options
-    ? utils.merge(opts, options)
+    ? merge(opts, options)
     : opts);
 };
 
@@ -618,7 +641,7 @@ res.clearCookie = function(name, options){
  */
 
 res.cookie = function(name, val, options){
-  options = utils.merge({}, options);
+  options = merge({}, options);
   var secret = this.req.secret;
   var signed = options.signed;
   if (signed && !secret) throw new Error('connect.cookieParser("secret") required for signed cookies');
@@ -676,7 +699,7 @@ res.location = function(url){
   if (!~url.indexOf('://') && 0 != url.indexOf('//')) {
     // relative to path
     if ('.' == url[0]) {
-      path = req.originalUrl.split('?')[0];
+      path = parseUrl.original(req).pathname;
       path = path + ('/' == path[path.length - 1] ? '' : '/');
       url = resolve(path, url);
       // relative to mount-point
@@ -704,11 +727,8 @@ res.location = function(url){
  *    res.redirect('/foo/bar');
  *    res.redirect('http://example.com');
  *    res.redirect(301, 'http://example.com');
- *    res.redirect('http://example.com', 301);
  *    res.redirect('../login'); // /blog/post/1 -> /blog/login
  *
- * @param {String} url
- * @param {Number} code
  * @api public
  */
 
@@ -723,6 +743,7 @@ res.redirect = function(url){
       status = url;
       url = arguments[1];
     } else {
+      deprecate('res.redirect(url, status): Use res.redirect(status, url) instead');
       status = arguments[1];
     }
   }

lib/router/index.js

@@ -196,17 +196,32 @@ Router.prototype._options = function(req, res, next){
  * @api private
  */
 
-Router.prototype._optionsFor = function(path){
-  var self = this;
-  return methods.filter(function(method){
-    var routes = self.map[method];
-    if (!routes || 'options' == method) return;
-    for (var i = 0, len = routes.length; i < len; ++i) {
-      if (routes[i].match(path)) return true;
+Router.prototype._optionsFor = function _optionsFor(path) {
+  var options = [];
+
+  for (var i = 0; i < methods.length; i++) {
+    var method = methods[i];
+
+    if (method === 'options') continue;
+
+    var routes = this.map[method];
+
+    // HEAD methods include GET routes
+    if (!routes && method === 'head') {
+      routes = this.map.get;
     }
-  }).map(function(method){
-    return method.toUpperCase();
-  });
+
+    if (!routes) continue;
+
+    for (var j = 0; j < routes.length; j++) {
+      if (routes[j].match(path)) {
+        options.push(method.toUpperCase());
+        break;
+      }
+    }
+  }
+
+  return options.sort();
 };
 
 /**

lib/utils.js

@@ -3,10 +3,9 @@
  * Module dependencies.
  */
 
-var mime = require('connect').mime
-  , proxyaddr = require('proxy-addr')
-  , crc32 = require('buffer-crc32')
-  , crypto = require('crypto');
+var etag = require('etag');
+var mime = require('connect').mime;
+var proxyaddr = require('proxy-addr');
 var typer = require('media-typer');
 
 /**
@@ -24,17 +23,12 @@ var toString = {}.toString;
  * @api private
  */
 
-exports.etag = function etag(body, encoding){
-  if (body.length === 0) {
-    // fast-path empty body
-    return '"1B2M2Y8AsgTpgAmY7PhCfg=="'
-  }
+exports.etag = function (body, encoding) {
+  var buf = !Buffer.isBuffer(body)
+    ? new Buffer(body, encoding)
+    : body;
 
-  var hash = crypto
-    .createHash('md5')
-    .update(body, encoding)
-    .digest('base64')
-  return '"' + hash + '"'
+  return etag(buf, {weak: false});
 };
 
 /**
@@ -47,16 +41,11 @@ exports.etag = function etag(body, encoding){
  */
 
 exports.wetag = function wetag(body, encoding){
-  if (body.length === 0) {
-    // fast-path empty body
-    return 'W/"0-0"'
-  }
+  var buf = !Buffer.isBuffer(body)
+    ? new Buffer(body, encoding)
+    : body;
 
-  var buf = Buffer.isBuffer(body)
-    ? body
-    : new Buffer(body, encoding)
-  var len = buf.length
-  return 'W/"' + len.toString(16) + '-' + crc32.unsigned(buf) + '"'
+  return etag(buf, {weak: true});
 };
 
 /**

package.json

@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Sinatra inspired web development framework",
-  "version": "3.13.0",
+  "version": "3.19.1",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",
@@ -11,6 +11,9 @@
     "Jonathan Ong <me@jongleberry.com>",
     "Roman Shtylman <shtylman+expressjs@gmail.com"
   ],
+  "license": "MIT",
+  "repository": "strongloop/express",
+  "homepage": "http://expressjs.com/",
   "keywords": [
     "express",
     "framework",
@@ -22,39 +25,38 @@
     "app",
     "api"
   ],
-  "repository": "visionmedia/express",
-  "license": "MIT",
   "dependencies": {
-    "basic-auth": "0.0.1",
-    "buffer-crc32": "0.2.3",
-    "connect": "2.22.0",
-    "commander": "1.3.2",
-    "debug": "1.0.2",
-    "depd": "0.3.0",
+    "basic-auth": "1.0.0",
+    "connect": "2.28.2",
+    "content-disposition": "0.5.0",
+    "commander": "2.6.0",
+    "cookie-signature": "1.0.5",
+    "debug": "~2.1.1",
+    "depd": "~1.0.0",
     "escape-html": "1.0.1",
-    "media-typer": "0.2.0",
-    "methods": "1.0.1",
+    "etag": "~1.5.1",
+    "fresh": "0.2.4",
+    "media-typer": "0.3.0",
+    "methods": "~1.1.1",
     "mkdirp": "0.5.0",
-    "parseurl": "1.0.1",
-    "proxy-addr": "1.0.1",
-    "range-parser": "1.0.0",
-    "send": "0.5.0",
-    "vary": "0.1.0",
+    "parseurl": "~1.3.0",
+    "proxy-addr": "~1.0.5",
+    "range-parser": "~1.0.2",
+    "send": "0.11.1",
+    "utils-merge": "1.0.0",
+    "vary": "~1.0.0",
     "cookie": "0.1.2",
-    "fresh": "0.2.2",
-    "cookie-signature": "1.0.4",
     "merge-descriptors": "0.0.2"
   },
   "devDependencies": {
-    "istanbul": "0.2.12",
-    "mocha": "~1.20.0",
-    "should": "~4.0.0",
-    "ejs": "~1.0.0",
-    "jade": "~1.3.1",
+    "connect-redis": "~1.5.0",
+    "ejs": "2.1.4",
+    "istanbul": "0.3.5",
+    "mocha": "~2.1.0",
+    "should": "~4.6.1",
+    "supertest": "~0.15.0",
     "hjs": "~0.0.6",
-    "marked": "0.3.2",
-    "connect-redis": "~1.4.5",
-    "supertest": "~0.13.0"
+    "marked": "0.3.2"
   },
   "engines": {
     "node": ">= 0.8.0"
@@ -62,10 +64,18 @@
   "bin": {
     "express": "./bin/express"
   },
+  "files": [
+    "LICENSE",
+    "History.md",
+    "Readme.md",
+    "index.js",
+    "bin/",
+    "lib/"
+  ],
   "scripts": {
-    "prepublish": "npm prune",
     "test": "mocha --require test/support/env --reporter dot --check-leaks test/ test/acceptance/",
     "test-cov": "istanbul cover node_modules/mocha/bin/_mocha -- --require test/support/env --reporter dot --check-leaks test/ test/acceptance/",
+    "test-tap": "mocha --require test/support/env --reporter tap --check-leaks test/ test/acceptance/",
     "test-travis": "istanbul cover node_modules/mocha/bin/_mocha --report lcovonly -- --require test/support/env --reporter spec --check-leaks test/ test/acceptance/"
   }
 }

support/app.js

@@ -1,66 +0,0 @@
-
-/**
- * Module dependencies.
- */
-
-var express = require('../');
-
-var app = express()
-  , blog = express()
-  , admin = express();
-
-// app.use(express.logger('dev'))
-blog.use('/admin', admin);
-app.use('/blog', blog);
-app.set('views', __dirname + '/views');
-app.set('view engine', 'jade');
-app.locals.self = true;
-
-app.get('/render', function(req, res){
-  res.render('hello');
-});
-
-admin.get('/', function(req, res){
-  res.send('Hello World\n');
-});
-
-blog.get('/', function(req, res){
-  res.send('Hello World\n');
-});
-
-app.get('/', function(req, res){
-  res.send('Hello World\n');
-});
-
-app.get('/json', function(req, res){
-  res.send({ name: 'Tobi', role: 'admin' });
-});
-
-app.get('/json/:n', function(req, res){
-  var n = ~~req.params.n;
-  var arr = [];
-  var obj = { name: 'Tobi', role: 'admin' };
-  while (n--) arr.push(obj);
-  res.send(arr);
-});
-
-function foo(req, res, next) {
-  next();
-}
-
-app.get('/middleware', foo, foo, foo, foo, function(req, res){
-  res.send('Hello World\n');
-});
-
-var n = 100;
-while (n--) {
-  app.get('/foo', foo, foo, function(req, res){
-    
-  });
-}
-
-app.get('/match', function(req, res){
-  res.send('Hello World\n');
-});
-
-app.listen(8000);

support/docs

@@ -1,21 +0,0 @@
-#!/usr/bin/env node
-
-var buf = '';
-process.stdin.setEncoding('utf8');
-process.stdin.on('data', function(chunk){
-  buf += chunk;
-}).on('end', function(){
-  var comments = JSON.parse(buf);
-  comments.forEach(function(comment){
-    if (comment.ignore) return;
-    if (comment.isPrivate) return;
-    if (!comment.ctx) return;
-    if (!comment.description.full.indexOf('Module dep')) return;
-    var ctx = comment.ctx;
-    console.log();
-    console.log('# %s', ctx.string);
-    console.log();
-    console.log(comment.description.full.trim().replace(/^/gm, '  '));
-  });
-  console.log();
-}).resume();

support/views/hello.jade

@@ -1 +0,0 @@
-p Hello

test/acceptance/web-service.js

@@ -53,7 +53,7 @@ describe('web-service', function(){
         .get('/api/repos?api-key=foo')
         .expect('Content-Type', 'application/json; charset=utf-8')
         .expect(/"name":"express"/)
-        .expect(/"url":"http:\/\/github.com\/visionmedia\/express"/)
+        .expect(/"url":"http:\/\/github.com\/strongloop\/express"/)
         .expect(200, done)
       })
     })

test/app.options.js

@@ -12,8 +12,8 @@ describe('OPTIONS', function(){
 
     request(app)
     .options('/users')
-    .expect('GET,PUT')
-    .expect('Allow', 'GET,PUT', done);
+    .expect('GET,HEAD,PUT')
+    .expect('Allow', 'GET,HEAD,PUT', done);
   })
 
   it('should not respond if the path is not defined', function(done){
@@ -36,8 +36,8 @@ describe('OPTIONS', function(){
 
     request(app)
     .options('/other')
-    .expect('GET')
-    .expect('Allow', 'GET', done);
+    .expect('GET,HEAD')
+    .expect('Allow', 'GET,HEAD', done);
   })
 })
 

test/app.render.js

@@ -1,14 +1,15 @@
 
-var express = require('../');
+var express = require('..');
+var tmpl = require('./support/tmpl');
 
 describe('app', function(){
   describe('.render(name, fn)', function(){
     it('should support absolute paths', function(done){
-      var app = express();
+      var app = createApp();
 
       app.locals.user = { name: 'tobi' };
 
-      app.render(__dirname + '/fixtures/user.jade', function(err, str){
+      app.render(__dirname + '/fixtures/user.tmpl', function (err, str) {
         if (err) return done(err);
         str.should.equal('<p>tobi</p>');
         done();
@@ -16,9 +17,9 @@ describe('app', function(){
     })
 
     it('should support absolute paths with "view engine"', function(done){
-      var app = express();
+      var app = createApp();
 
-      app.set('view engine', 'jade');
+      app.set('view engine', 'tmpl');
       app.locals.user = { name: 'tobi' };
 
       app.render(__dirname + '/fixtures/user', function(err, str){
@@ -29,12 +30,12 @@ describe('app', function(){
     })
 
     it('should expose app.locals', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
       app.locals.user = { name: 'tobi' };
 
-      app.render('user.jade', function(err, str){
+      app.render('user.tmpl', function (err, str) {
         if (err) return done(err);
         str.should.equal('<p>tobi</p>');
         done();
@@ -42,12 +43,12 @@ describe('app', function(){
     })
 
     it('should support index.<engine>', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
-      app.set('view engine', 'jade');
+      app.set('view engine', 'tmpl');
 
-      app.render('blog/post', function(err, str){
+      app.render('blog/post', function (err, str) {
         if (err) return done(err);
         str.should.equal('<h1>blog post</h1>');
         done();
@@ -77,10 +78,11 @@ describe('app', function(){
 
     describe('when the file does not exist', function(){
       it('should provide a helpful error', function(done){
-        var app = express();
+        var app = createApp();
+
         app.set('views', __dirname + '/fixtures');
-        app.render('rawr.jade', function(err){
-          err.message.should.equal('Failed to lookup view "rawr.jade" in views directory "' + __dirname + '/fixtures"');
+        app.render('rawr.tmpl', function (err) {
+          err.message.should.equal('Failed to lookup view "rawr.tmpl" in views directory "' + __dirname + '/fixtures"');
           done();
         });
       })
@@ -88,11 +90,11 @@ describe('app', function(){
 
     describe('when an error occurs', function(){
       it('should invoke the callback', function(done){
-        var app = express();
+        var app = createApp();
 
         app.set('views', __dirname + '/fixtures');
 
-        app.render('user.jade', function(err, str){
+        app.render('user.tmpl', function (err, str) {
           // nextTick to prevent cyclic
           process.nextTick(function(){
             err.message.should.match(/Cannot read property 'name' of undefined/);
@@ -104,11 +106,11 @@ describe('app', function(){
 
     describe('when an extension is given', function(){
       it('should render the template', function(done){
-        var app = express();
+        var app = createApp();
 
         app.set('views', __dirname + '/fixtures');
 
-        app.render('email.jade', function(err, str){
+        app.render('email.tmpl', function (err, str) {
           if (err) return done(err);
           str.should.equal('<p>This is an email</p>');
           done();
@@ -118,9 +120,9 @@ describe('app', function(){
 
     describe('when "view engine" is given', function(){
       it('should render the template', function(done){
-        var app = express();
+        var app = createApp();
 
-        app.set('view engine', 'jade');
+        app.set('view engine', 'tmpl');
         app.set('views', __dirname + '/fixtures');
 
         app.render('email', function(err, str){
@@ -219,13 +221,13 @@ describe('app', function(){
 
   describe('.render(name, options, fn)', function(){
     it('should render the template', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
 
       var user = { name: 'tobi' };
 
-      app.render('user.jade', { user: user }, function(err, str){
+      app.render('user.tmpl', { user: user }, function (err, str) {
         if (err) return done(err);
         str.should.equal('<p>tobi</p>');
         done();
@@ -233,12 +235,12 @@ describe('app', function(){
     })
 
     it('should expose app.locals', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
       app.locals.user = { name: 'tobi' };
 
-      app.render('user.jade', {}, function(err, str){
+      app.render('user.tmpl', {}, function (err, str) {
         if (err) return done(err);
         str.should.equal('<p>tobi</p>');
         done();
@@ -246,13 +248,13 @@ describe('app', function(){
     })
 
     it('should give precedence to app.render() locals', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
       app.locals.user = { name: 'tobi' };
       var jane = { name: 'jane' };
 
-      app.render('user.jade', { user: jane }, function(err, str){
+      app.render('user.tmpl', { user: jane }, function (err, str) {
         if (err) return done(err);
         str.should.equal('<p>jane</p>');
         done();
@@ -292,3 +294,11 @@ describe('app', function(){
     })
   })
 })
+
+function createApp() {
+  var app = express();
+
+  app.engine('.tmpl', tmpl);
+
+  return app;
+}

test/fixtures/.name

@@ -0,0 +1 @@
+tobi

test/fixtures/blog/index.html

@@ -0,0 +1 @@
+<b>index</b>

test/fixtures/blog/post/index.jade

@@ -1 +0,0 @@
-h1 blog post

test/fixtures/blog/post/index.tmpl

@@ -0,0 +1 @@
+<h1>blog post</h1>

test/fixtures/email.jade

@@ -1 +0,0 @@
-p This is an email

test/fixtures/email.tmpl

@@ -0,0 +1 @@
+<p>This is an email</p>

test/fixtures/pet.jade

@@ -1 +0,0 @@
-p #{first} #{last} is a #{species}

test/fixtures/user.jade

@@ -1 +0,0 @@
-p= user.name

test/fixtures/user.tmpl

@@ -0,0 +1 @@
+<p>$user.name</p>

test/req.fresh.js

@@ -32,5 +32,18 @@ describe('req', function(){
       .set('If-None-Match', '"12345"')
       .expect(200, 'false', done);
     })
+
+    it('should return false without response headers', function(done){
+      var app = express();
+
+      app.use(function(req, res){
+        res._headers = null;
+        res.send(req.fresh);
+      });
+
+      request(app)
+      .get('/')
+      .expect(200, 'false', done);
+    })
   })
 })

test/req.ip.js

@@ -45,10 +45,9 @@ describe('req', function(){
             res.send(req.ip);
           });
 
-          request(app)
-          .get('/')
-          .set('X-Forwarded-For', 'client, p1, p2')
-          .expect('127.0.0.1', done);
+          var test = request(app).get('/')
+          test.set('X-Forwarded-For', 'client, p1, p2')
+          test.expect(200, getExpectedClientAddress(test._server), done);
         })
       })
     })
@@ -63,10 +62,19 @@ describe('req', function(){
           res.send(req.ip);
         });
 
-        request(app)
-        .get('/')
-        .expect('127.0.0.1', done);
+          var test = request(app).get('/')
+          test.expect(200, getExpectedClientAddress(test._server), done);
       })
     })
   })
 })
+
+/**
+ * Get the local client address depending on AF_NET of server
+ */
+
+function getExpectedClientAddress(server) {
+  return server.address().address === '::'
+    ? '::ffff:127.0.0.1'
+    : '127.0.0.1';
+}

test/req.protocol.js

@@ -32,6 +32,21 @@ describe('req', function(){
         .expect('https', done);
       })
 
+      it('should default to the socket addr if X-Forwarded-Proto not present', function(done){
+        var app = express();
+
+        app.enable('trust proxy');
+
+        app.use(function(req, res){
+          req.connection.encrypted = true;
+          res.end(req.protocol);
+        });
+
+        request(app)
+        .get('/')
+        .expect('https', done);
+      })
+
       it('should ignore X-Forwarded-Proto if socket addr not trusted', function(done){
         var app = express();
 

test/req.stale.js

@@ -32,5 +32,18 @@ describe('req', function(){
       .set('If-None-Match', '"12345"')
       .expect(200, 'true', done);
     })
+
+    it('should return true without response headers', function(done){
+      var app = express();
+
+      app.use(function(req, res){
+        res._headers = null;
+        res.send(req.stale);
+      });
+
+      request(app)
+      .get('/')
+      .expect(200, 'true', done);
+    })
   })
 })

test/req.subdomains.js

@@ -15,7 +15,33 @@ describe('req', function(){
         request(app)
         .get('/')
         .set('Host', 'tobi.ferrets.example.com')
-        .expect(["ferrets","tobi"], done);
+        .expect(200, ['ferrets', 'tobi'], done);
+      })
+
+      it('should work with IPv4 address', function(done){
+        var app = express();
+
+        app.use(function(req, res){
+          res.send(req.subdomains);
+        });
+
+        request(app)
+        .get('/')
+        .set('Host', '127.0.0.1')
+        .expect(200, [], done);
+      })
+
+      it('should work with IPv6 address', function(done){
+        var app = express();
+
+        app.use(function(req, res){
+          res.send(req.subdomains);
+        });
+
+        request(app)
+        .get('/')
+        .set('Host', '[::1]')
+        .expect(200, [], done);
       })
     })
 
@@ -30,7 +56,7 @@ describe('req', function(){
         request(app)
         .get('/')
         .set('Host', 'example.com')
-        .expect([], done);
+        .expect(200, [], done);
       })
     })
 
@@ -45,7 +71,23 @@ describe('req', function(){
 
         request(app)
         .get('/')
-        .expect([], done);
+        .expect(200, [], done);
+      })
+    })
+
+    describe('with trusted X-Forwarded-Host', function () {
+      it('should return an array', function (done) {
+        var app = express();
+
+        app.set('trust proxy', true);
+        app.use(function (req, res) {
+          res.send(req.subdomains);
+        });
+
+        request(app)
+        .get('/')
+        .set('X-Forwarded-Host', 'tobi.ferrets.example.com')
+        .expect(200, ['ferrets', 'tobi'], done);
       })
     })
 
@@ -62,7 +104,35 @@ describe('req', function(){
           request(app)
           .get('/')
           .set('Host', 'tobi.ferrets.sub.example.com')
-          .expect(["com","example","sub","ferrets","tobi"], done);
+          .expect(200, ['com', 'example', 'sub', 'ferrets', 'tobi'], done);
+        })
+
+        it('should return an array with the whole IPv4', function (done) {
+          var app = express();
+          app.set('subdomain offset', 0);
+
+          app.use(function(req, res){
+            res.send(req.subdomains);
+          });
+
+          request(app)
+          .get('/')
+          .set('Host', '127.0.0.1')
+          .expect(200, ['127.0.0.1'], done);
+        })
+
+        it('should return an array with the whole IPv6', function (done) {
+          var app = express();
+          app.set('subdomain offset', 0);
+
+          app.use(function(req, res){
+            res.send(req.subdomains);
+          });
+
+          request(app)
+          .get('/')
+          .set('Host', '[::1]')
+          .expect(200, ['[::1]'], done);
         })
       })
 
@@ -78,7 +148,7 @@ describe('req', function(){
           request(app)
           .get('/')
           .set('Host', 'tobi.ferrets.sub.example.com')
-          .expect(["ferrets","tobi"], done);
+          .expect(200, ['ferrets', 'tobi'], done);
         })
       })
 
@@ -94,7 +164,7 @@ describe('req', function(){
           request(app)
           .get('/')
           .set('Host', 'sub.example.com')
-          .expect([], done);
+          .expect(200, [], done);
         })
       })
     })

test/res.cookie.js

@@ -1,8 +1,8 @@
 
 var express = require('../')
   , request = require('supertest')
-  , utils = require('connect').utils
   , cookie = require('cookie');
+var merge = require('utils-merge');
 
 describe('res', function(){
   describe('.cookie(name, object)', function(){
@@ -111,7 +111,7 @@ describe('res', function(){
         var app = express();
 
         var options = { maxAge: 1000 };
-        var optionsCopy = utils.merge({}, options);
+        var optionsCopy = merge({}, options);
 
         app.use(function(req, res){
           res.cookie('name', 'tobi', options)

test/res.format.js

@@ -81,7 +81,7 @@ describe('res', function(){
       it('should be invoked instead of auto-responding', function(done){
         request(app3)
         .get('/')
-        .set('Accept: text/html')
+        .set('Accept', 'text/html')
         .expect('default', done);
       })
     })

test/res.get.js

@@ -1,14 +1,20 @@
 
-var express = require('../')
-  , res = express.response;
+var express = require('..');
+var request = require('supertest');
 
 describe('res', function(){
   describe('.get(field)', function(){
-    it('should get the response header field', function(){
-      res.setHeader('Content-Type', 'text/x-foo');
-      res.get('Content-Type').should.equal('text/x-foo');
-      res.get('Content-type').should.equal('text/x-foo');
-      res.get('content-type').should.equal('text/x-foo');
+    it('should get the response header field', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.setHeader('Content-Type', 'text/x-foo');
+        res.send(res.get('Content-Type'));
+      });
+
+      request(app)
+      .get('/')
+      .expect(200, 'text/x-foo', done);
     })
   })
 })

test/res.jsonp.js

@@ -14,11 +14,8 @@ describe('res', function(){
 
       request(app)
       .get('/?callback=something')
-      .end(function(err, res){
-        res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
-        res.text.should.equal('typeof something === \'function\' && something({"count":1});');
-        done();
-      })
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect(200, /something\(\{"count":1\}\);/, done);
     })
 
     it('should use first callback parameter with jsonp', function(done){
@@ -29,12 +26,9 @@ describe('res', function(){
       });
 
       request(app)
-          .get('/?callback=something&callback=somethingelse')
-          .end(function(err, res){
-            res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
-            res.text.should.equal('typeof something === \'function\' && something({"count":1});');
-            done();
-          })
+      .get('/?callback=something&callback=somethingelse')
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect(200, /something\(\{"count":1\}\);/, done);
     })
 
     it('should ignore object callback parameter with jsonp', function(done){
@@ -61,11 +55,8 @@ describe('res', function(){
 
       request(app)
       .get('/?clb=something')
-      .end(function(err, res){
-        res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
-        res.text.should.equal('typeof something === \'function\' && something({"count":1});');
-        done();
-      })
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect(200, /something\(\{"count":1\}\);/, done);
     })
 
     it('should allow []', function(done){
@@ -77,11 +68,8 @@ describe('res', function(){
 
       request(app)
       .get('/?callback=callbacks[123]')
-      .end(function(err, res){
-        res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
-        res.text.should.equal('typeof callbacks[123] === \'function\' && callbacks[123]({"count":1});');
-        done();
-      })
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect(200, /callbacks\[123\]\(\{"count":1\}\);/, done);
     })
 
     it('should disallow arbitrary js', function(done){
@@ -93,11 +81,8 @@ describe('res', function(){
 
       request(app)
       .get('/?callback=foo;bar()')
-      .end(function(err, res){
-        res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
-        res.text.should.equal('typeof foobar === \'function\' && foobar({});');
-        done();
-      })
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect(200, /foobar\(\{\}\);/, done);
     })
 
     it('should escape utf whitespace', function(done){
@@ -109,13 +94,37 @@ describe('res', function(){
 
       request(app)
       .get('/?callback=foo')
-      .end(function(err, res){
-        res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
-        res.text.should.equal('typeof foo === \'function\' && foo({"str":"\\u2028 \\u2029 woot"});');
-        done();
-      });
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect(200, /foo\(\{"str":"\\u2028 \\u2029 woot"\}\);/, done);
     });
 
+    it('should not escape utf whitespace for json fallback', function(done){
+      var app = express();
+
+      app.use(function(req, res){
+        res.jsonp({ str: '\u2028 \u2029 woot' });
+      });
+
+      request(app)
+      .get('/')
+      .expect('Content-Type', 'application/json; charset=utf-8')
+      .expect(200, '{"str":"\u2028 \u2029 woot"}', done);
+    });
+
+    it('should include security header and prologue', function (done) {
+      var app = express();
+
+      app.use(function(req, res){
+        res.jsonp({ count: 1 });
+      });
+
+      request(app)
+      .get('/?callback=something')
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect('X-Content-Type-Options', 'nosniff')
+      .expect(200, /^\/\*\*\//, done);
+    })
+
     it('should not override previous Content-Types with no callback', function(done){
       var app = express();
 
@@ -127,7 +136,11 @@ describe('res', function(){
       request(app)
       .get('/')
       .expect('Content-Type', 'application/vnd.example+json; charset=utf-8')
-      .expect(200, '{"hello":"world"}', done);
+      .expect(200, '{"hello":"world"}', function (err, res) {
+        if (err) return done(err);
+        res.headers.should.not.have.property('x-content-type-options');
+        done();
+      });
     })
 
     it('should override previous Content-Types with callback', function(done){
@@ -141,6 +154,7 @@ describe('res', function(){
       request(app)
       .get('/?callback=cb')
       .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect('X-Content-Type-Options', 'nosniff')
       .expect(200, /cb\(\{"hello":"world"\}\);$/, done);
     })
 

test/res.links.js

@@ -1,41 +1,46 @@
 
-var express = require('../')
-  , res = express.response;
+var express = require('..');
+var request = require('supertest');
 
 describe('res', function(){
-
-  beforeEach(function() {
-    res.removeHeader('link');
-  });
-
   describe('.links(obj)', function(){
-    it('should set Link header field', function(){
-      res.links({
-        next: 'http://api.example.com/users?page=2',
-        last: 'http://api.example.com/users?page=5'
+    it('should set Link header field', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.links({
+          next: 'http://api.example.com/users?page=2',
+          last: 'http://api.example.com/users?page=5'
+        });
+        res.end();
       });
 
-      res.get('link')
-      .should.equal(
-          '<http://api.example.com/users?page=2>; rel="next", '
-        + '<http://api.example.com/users?page=5>; rel="last"');
+      request(app)
+      .get('/')
+      .expect('Link', '<http://api.example.com/users?page=2>; rel="next", <http://api.example.com/users?page=5>; rel="last"')
+      .expect(200, done);
     })
 
-    it('should set Link header field for multiple calls', function() {
-      res.links({
-        next: 'http://api.example.com/users?page=2',
-        last: 'http://api.example.com/users?page=5'
+    it('should set Link header field for multiple calls', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.links({
+          next: 'http://api.example.com/users?page=2',
+          last: 'http://api.example.com/users?page=5'
+        });
+
+        res.links({
+          prev: 'http://api.example.com/users?page=1'
+        });
+
+        res.end();
       });
 
-      res.links({
-        prev: 'http://api.example.com/users?page=1',
-      });
-
-      res.get('link')
-      .should.equal(
-          '<http://api.example.com/users?page=2>; rel="next", '
-        + '<http://api.example.com/users?page=5>; rel="last", '
-        + '<http://api.example.com/users?page=1>; rel="prev"');
+      request(app)
+      .get('/')
+      .expect('Link', '<http://api.example.com/users?page=2>; rel="next", <http://api.example.com/users?page=5>; rel="last", <http://api.example.com/users?page=1>; rel="prev"')
+      .expect(200, done);
     })
   })
 })

test/res.render.js

@@ -1,16 +1,17 @@
 
-var express = require('../')
-  , request = require('supertest');
+var express = require('..');
+var request = require('supertest');
+var tmpl = require('./support/tmpl');
 
 describe('res', function(){
   describe('.render(name)', function(){
     it('should support absolute paths', function(done){
-      var app = express();
+      var app = createApp();
 
       app.locals.user = { name: 'tobi' };
 
       app.use(function(req, res){
-        res.render(__dirname + '/fixtures/user.jade');
+        res.render(__dirname + '/fixtures/user.tmpl');
       });
 
       request(app)
@@ -19,10 +20,10 @@ describe('res', function(){
     })
 
     it('should support absolute paths with "view engine"', function(done){
-      var app = express();
+      var app = createApp();
 
       app.locals.user = { name: 'tobi' };
-      app.set('view engine', 'jade');
+      app.set('view engine', 'tmpl');
 
       app.use(function(req, res){
         res.render(__dirname + '/fixtures/user');
@@ -34,13 +35,13 @@ describe('res', function(){
     })
 
     it('should expose app.locals', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
       app.locals.user = { name: 'tobi' };
 
       app.use(function(req, res){
-        res.render('user.jade');
+        res.render('user.tmpl');
       });
 
       request(app)
@@ -49,10 +50,10 @@ describe('res', function(){
     })
   
     it('should support index.<engine>', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
-      app.set('view engine', 'jade');
+      app.set('view engine', 'tmpl');
 
       app.use(function(req, res){
         res.render('blog/post');
@@ -65,12 +66,12 @@ describe('res', function(){
 
     describe('when an error occurs', function(){
       it('should next(err)', function(done){
-        var app = express();
+        var app = createApp();
 
         app.set('views', __dirname + '/fixtures');
 
         app.use(function(req, res){
-          res.render('user.jade');
+          res.render('user.tmpl');
         });
 
         app.use(function(err, req, res, next){
@@ -85,9 +86,9 @@ describe('res', function(){
 
     describe('when "view engine" is given', function(){
       it('should render the template', function(done){
-        var app = express();
+        var app = createApp();
 
-        app.set('view engine', 'jade');
+        app.set('view engine', 'tmpl');
         app.set('views', __dirname + '/fixtures');
 
         app.use(function(req, res){
@@ -103,14 +104,14 @@ describe('res', function(){
 
   describe('.render(name, option)', function(){
     it('should render the template', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
 
       var user = { name: 'tobi' };
 
       app.use(function(req, res){
-        res.render('user.jade', { user: user });
+        res.render('user.tmpl', { user: user });
       });
 
       request(app)
@@ -119,13 +120,13 @@ describe('res', function(){
     })
 
     it('should expose app.locals', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
       app.locals.user = { name: 'tobi' };
 
       app.use(function(req, res){
-        res.render('user.jade');
+        res.render('user.tmpl');
       });
 
       request(app)
@@ -134,13 +135,13 @@ describe('res', function(){
     })
 
     it('should expose res.locals', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
 
       app.use(function(req, res){
         res.locals.user = { name: 'tobi' };
-        res.render('user.jade');
+        res.render('user.tmpl');
       });
 
       request(app)
@@ -149,14 +150,14 @@ describe('res', function(){
     })
 
     it('should give precedence to res.locals over app.locals', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
       app.locals.user = { name: 'tobi' };
 
       app.use(function(req, res){
         res.locals.user = { name: 'jane' };
-        res.render('user.jade', {});
+        res.render('user.tmpl', {});
       });
 
       request(app)
@@ -165,14 +166,14 @@ describe('res', function(){
     })
 
     it('should give precedence to res.render() locals over res.locals', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
       var jane = { name: 'jane' };
 
       app.use(function(req, res){
         res.locals.user = { name: 'tobi' };
-        res.render('user.jade', { user: jane });
+        res.render('user.tmpl', { user: jane });
       });
 
       request(app)
@@ -181,14 +182,14 @@ describe('res', function(){
     })
 
     it('should give precedence to res.render() locals over app.locals', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
       app.locals.user = { name: 'tobi' };
       var jane = { name: 'jane' };
 
       app.use(function(req, res){
-        res.render('user.jade', { user: jane });
+        res.render('user.tmpl', { user: jane });
       });
 
       request(app)
@@ -199,13 +200,13 @@ describe('res', function(){
 
   describe('.render(name, options, fn)', function(){
     it('should pass the resulting string', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
 
       app.use(function(req, res){
         var tobi = { name: 'tobi' };
-        res.render('user.jade', { user: tobi }, function(err, html){
+        res.render('user.tmpl', { user: tobi }, function (err, html) {
           html = html.replace('tobi', 'loki');
           res.end(html);
         });
@@ -219,13 +220,13 @@ describe('res', function(){
 
   describe('.render(name, fn)', function(){
     it('should pass the resulting string', function(done){
-      var app = express();
+      var app = createApp();
 
       app.set('views', __dirname + '/fixtures');
 
       app.use(function(req, res){
         res.locals.user = { name: 'tobi' };
-        res.render('user.jade', function(err, html){
+        res.render('user.tmpl', function (err, html) {
           html = html.replace('tobi', 'loki');
           res.end(html);
         });
@@ -238,12 +239,12 @@ describe('res', function(){
 
     describe('when an error occurs', function(){
       it('should pass it to the callback', function(done){
-        var app = express();
+        var app = createApp();
 
         app.set('views', __dirname + '/fixtures');
 
         app.use(function(req, res){
-          res.render('user.jade', function(err){
+          res.render('user.tmpl', function (err) {
             res.end(err.message);
           });
         });
@@ -255,3 +256,11 @@ describe('res', function(){
     })
   })
 })
+
+function createApp() {
+  var app = express();
+
+  app.engine('.tmpl', tmpl);
+
+  return app;
+}

test/res.send.js

@@ -77,6 +77,21 @@ describe('res', function(){
     })
   })
 
+  describe('.send(code, number)', function(){
+    it('should send number as json', function(done){
+      var app = express();
+
+      app.use(function(req, res){
+        res.send(200, 0.123);
+      });
+
+      request(app)
+      .get('/')
+      .expect('Content-Type', 'application/json; charset=utf-8')
+      .expect(200, '0.123', done);
+    })
+  })
+
   describe('.send(String)', function(){
     it('should send as html', function(done){
       var app = express();
@@ -105,7 +120,7 @@ describe('res', function(){
 
       request(app)
       .get('/')
-      .expect('ETag', 'W/"7ff-2796319984"')
+      .expect('ETag', 'W/"fz/jGo0ONwzb+aKy/rWipg=="')
       .end(done);
     })
 
@@ -194,7 +209,7 @@ describe('res', function(){
 
       request(app)
       .get('/')
-      .expect('ETag', 'W/"7ff-2796319984"')
+      .expect('ETag', 'W/"fz/jGo0ONwzb+aKy/rWipg=="')
       .end(done);
     })
 
@@ -310,7 +325,7 @@ describe('res', function(){
 
     request(app)
     .get('/')
-    .set('If-None-Match', 'W/"7ff-2796319984"')
+    .set('If-None-Match', 'W/"fz/jGo0ONwzb+aKy/rWipg=="')
     .expect(304, done);
   })
 
@@ -356,7 +371,7 @@ describe('res', function(){
 
         request(app)
         .get('/')
-        .expect('etag', 'W/"c-1525560792"', done)
+        .expect('etag', 'W/"c-5aee35d8"', done)
       })
 
       it('should send ETag for empty string response', function(done){
@@ -385,7 +400,7 @@ describe('res', function(){
 
         request(app)
         .get('/')
-        .expect('etag', 'W/"7ff-2796319984"', done)
+        .expect('etag', 'W/"fz/jGo0ONwzb+aKy/rWipg=="', done)
       });
 
       it('should not override ETag when manually set', function(done){
@@ -484,7 +499,7 @@ describe('res', function(){
 
         request(app)
         .get('/')
-        .expect('etag', 'W/"d-1486392595"', done)
+        .expect('etag', 'W/"d-58988d13"', done)
       })
     })
 

test/res.sendfile.js

@@ -106,6 +106,54 @@ describe('res', function(){
   })
 
   describe('.sendfile(path)', function(){
+    it('should not serve dotfiles', function(done){
+      var app = express();
+
+      app.use(function(req, res){
+        res.sendfile('test/fixtures/.name');
+      });
+
+      request(app)
+      .get('/')
+      .expect(404, done);
+    })
+
+    it('should accept dotfiles option', function(done){
+      var app = express();
+
+      app.use(function(req, res){
+        res.sendfile('test/fixtures/.name', { dotfiles: 'allow' });
+      });
+
+      request(app)
+      .get('/')
+      .expect(200, 'tobi', done);
+    })
+
+    it('should transfer a file', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.sendfile('test/fixtures/name.txt');
+      });
+
+      request(app)
+      .get('/')
+      .expect(200, 'tobi', done);
+    });
+
+    it('should transfer a directory index file', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.sendfile('test/fixtures/blog/');
+      });
+
+      request(app)
+      .get('/')
+      .expect(200, '<b>index</b>', done);
+    });
+
     describe('with an absolute path', function(){
       it('should transfer the file', function(done){
         var app = express();

test/res.set.js

@@ -1,7 +1,6 @@
 
-var express = require('../')
-  , request = require('supertest')
-  , res = express.response;
+var express = require('..');
+var request = require('supertest');
 
 describe('res', function(){
   describe('.set(field, value)', function(){
@@ -18,10 +17,18 @@ describe('res', function(){
       .end(done);
     })
 
-    it('should coerce to a string', function(){
-      res.headers = {};
-      res.set('X-Number', 123);
-      res.get('X-Number').should.equal('123');
+    it('should coerce to a string', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.set('X-Number', 123);
+        res.end(typeof res.get('X-Number'));
+      });
+
+      request(app)
+      .get('/')
+      .expect('X-Number', '123')
+      .expect(200, 'string', done);
     })
   })
 
@@ -39,11 +46,18 @@ describe('res', function(){
       .expect('["type=ninja","language=javascript"]', done);
     })
 
-    it('should coerce to an array of strings', function(){
-      res.headers = {};
-      res.set('X-Numbers', [123, 456]);
-      JSON.stringify(res.get('X-Numbers'))
-      .should.equal('["123","456"]');
+    it('should coerce to an array of strings', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.set('X-Numbers', [123, 456]);
+        res.end(JSON.stringify(res.get('X-Numbers')));
+      });
+
+      request(app)
+      .get('/')
+      .expect('X-Numbers', '123, 456')
+      .expect(200, '["123","456"]', done);
     })
   })
 
@@ -65,10 +79,18 @@ describe('res', function(){
       .end(done);
     })
 
-    it('should coerce to a string', function(){
-      res.headers = {};
-      res.set({ 'X-Number': 123 });
-      res.get('X-Number').should.equal('123');
+    it('should coerce to a string', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.set({ 'X-Number': 123 });
+        res.end(typeof res.get('X-Number'));
+      });
+
+      request(app)
+      .get('/')
+      .expect('X-Number', '123')
+      .expect(200, 'string', done);
     })
   })
 })

test/res.vary.js

@@ -1,55 +1,96 @@
 
-var express = require('../')
-  , should = require('should');
-
-function response() {
-  var res = Object.create(express.response);
-  res._headers = {};
-  return res;
-}
+var assert = require('assert');
+var express = require('..');
+var request = require('supertest');
 
 describe('res.vary()', function(){
   describe('with no arguments', function(){
-    it('should not set Vary', function(){
-      var res = response();
-      res.vary();
-      should.not.exist(res.get('Vary'));
+    it('should not set Vary', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.vary();
+        res.end();
+      });
+
+      request(app)
+      .get('/')
+      .expect(shouldNotHaveHeader('Vary'))
+      .expect(200, done);
     })
   })
 
   describe('with an empty array', function(){
-    it('should not set Vary', function(){
-      var res = response();
-      res.vary([]);
-      should.not.exist(res.get('Vary'));
+    it('should not set Vary', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.vary([]);
+        res.end();
+      });
+
+      request(app)
+      .get('/')
+      .expect(shouldNotHaveHeader('Vary'))
+      .expect(200, done);
     })
   })
 
   describe('with an array', function(){
-    it('should set the values', function(){
-      var res = response();
-      res.vary(['Accept', 'Accept-Language', 'Accept-Encoding']);
-      res.get('Vary').should.equal('Accept, Accept-Language, Accept-Encoding');
+    it('should set the values', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.vary(['Accept', 'Accept-Language', 'Accept-Encoding']);
+        res.end();
+      });
+
+      request(app)
+      .get('/')
+      .expect('Vary', 'Accept, Accept-Language, Accept-Encoding')
+      .expect(200, done);
     })
   })
 
   describe('with a string', function(){
-    it('should set the value', function(){
-      var res = response();
-      res.vary('Accept');
-      res.get('Vary').should.equal('Accept');
+    it('should set the value', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.vary('Accept');
+        res.end();
+      });
+
+      request(app)
+      .get('/')
+      .expect('Vary', 'Accept')
+      .expect(200, done);
     })
   })
 
   describe('when the value is present', function(){
-    it('should not add it again', function(){
-      var res = response();
-      res.vary('Accept');
-      res.vary('Accept-Encoding');
-      res.vary('Accept-Encoding');
-      res.vary('Accept-Encoding');
-      res.vary('Accept');
-      res.get('Vary').should.equal('Accept, Accept-Encoding');
+    it('should not add it again', function (done) {
+      var app = express();
+
+      app.use(function (req, res) {
+        res.vary('Accept');
+        res.vary('Accept-Encoding');
+        res.vary('Accept-Encoding');
+        res.vary('Accept-Encoding');
+        res.vary('Accept');
+        res.end();
+      });
+
+      request(app)
+      .get('/')
+      .expect('Vary', 'Accept, Accept-Encoding')
+      .expect(200, done);
     })
   })
 })
+
+function shouldNotHaveHeader(header) {
+  return function (res) {
+    assert.ok(!(header.toLowerCase() in res.headers), 'should not have header ' + header);
+  };
+}

test/support/tmpl.js

@@ -0,0 +1,35 @@
+var fs = require('fs');
+
+var variableRegExp = /\$([0-9a-zA-Z\.]+)/g;
+
+module.exports = function renderFile(fileName, options, callback) {
+  function onReadFile(err, str) {
+    if (err) {
+      callback(err);
+      return;
+    }
+
+    try {
+      str = str.replace(variableRegExp, generateVariableLookup(options));
+    } catch (e) {
+      err = e;
+    }
+
+    callback(err, str);
+  }
+
+  fs.readFile(fileName, 'utf8', onReadFile);
+};
+
+function generateVariableLookup(data) {
+  return function variableLookup(str, path) {
+    var parts = path.split('.');
+    var value = data;
+
+    for (var i = 0; i < parts.length; i++) {
+      value = value[parts[i]];
+    }
+
+    return value;
+  };
+}

test/utils.js

@@ -28,18 +28,18 @@ describe('utils.etag(body, encoding)', function(){
 describe('utils.wetag(body, encoding)', function(){
   it('should support strings', function(){
     utils.wetag('express!')
-    .should.eql('W/"8-3098196679"')
+    .should.eql('W/"8-b8aabac7"')
   })
 
   it('should support utf8 strings', function(){
     utils.wetag('express❤', 'utf8')
-    .should.eql('W/"a-1751845617"')
+    .should.eql('W/"a-686b0af1"')
   })
 
   it('should support buffer', function(){
     var buf = new Buffer('express!')
     utils.wetag(buf)
-    .should.eql('W/"8-3098196679"');
+    .should.eql('W/"8-b8aabac7"');
   })
 
   it('should support empty string', function(){