4.21.2

Signed-off-by: Ulises Gascon <ulisesgascongonzalez@gmail.com>
deps: bump path-to-regexp@0.1.12 (#6209 )
2026-02-26 18:57:43 +00:00 · 2024-12-05 17:27:56 -05:00 · 2024-12-05 17:16:48 -05:00 · 2024-10-20 20:09:32 +02:00 · 2024-10-20 19:58:25 +02:00 · 2024-10-08 20:36:08 +02:00
3 changed files with 34 additions and 6 deletions
--- a/History.md
+++ b/History.md
@@ -1,3 +1,26 @@
+4.21.2 / 2024-11-06
+==========
+
+  * deps: path-to-regexp@0.1.12
+    - Fix backtracking protection
+  * deps: path-to-regexp@0.1.11
+    - Throws an error on invalid path values
+
+4.21.1 / 2024-10-08
+==========
+
+  * Backported a fix for [CVE-2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764)
+
+
+4.21.0 / 2024-09-11
+==========
+
+  * Deprecate `res.location("back")` and `res.redirect("back")` magic string
+  * deps: serve-static@1.16.2
+    * includes send@0.19.0
+  * deps: finalhandler@1.3.1
+  * deps: qs@6.13.0
+
 4.20.0 / 2024-09-10
 ==========
  * deps: serve-static@0.16.0
--- a/lib/response.js
+++ b/lib/response.js
@@ -916,6 +916,7 @@ res.location = function location(url) {

  // "back" is an alias for the referrer
  if (url === 'back') {
+    deprecate('res.location("back"): use res.location(req.get("Referrer") || "/") and refer to https://dub.sh/security-redirect for best practices');
    loc = this.req.get('Referrer') || '/';
  } else {
    loc = String(url);
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
  "name": "express",
  "description": "Fast, unopinionated, minimalist web framework",
-  "version": "4.20.0",
+  "version": "4.21.2",
  "author": "TJ Holowaychuk <tj@vision-media.ca>",
  "contributors": [
    "Aaron Heckmann <aaron.heckmann+github@gmail.com>",
@@ -15,6 +15,10 @@
  "license": "MIT",
  "repository": "expressjs/express",
  "homepage": "http://expressjs.com/",
+  "funding": {
+    "type": "opencollective",
+    "url": "https://opencollective.com/express"
+  },
  "keywords": [
    "express",
    "framework",
@@ -33,27 +37,27 @@
    "body-parser": "1.20.3",
    "content-disposition": "0.5.4",
    "content-type": "~1.0.4",
-    "cookie": "0.6.0",
+    "cookie": "0.7.1",
    "cookie-signature": "1.0.6",
    "debug": "2.6.9",
    "depd": "2.0.0",
    "encodeurl": "~2.0.0",
    "escape-html": "~1.0.3",
    "etag": "~1.8.1",
-    "finalhandler": "1.2.0",
+    "finalhandler": "1.3.1",
    "fresh": "0.5.2",
    "http-errors": "2.0.0",
    "merge-descriptors": "1.0.3",
    "methods": "~1.1.2",
    "on-finished": "2.4.1",
    "parseurl": "~1.3.3",
-    "path-to-regexp": "0.1.10",
+    "path-to-regexp": "0.1.12",
    "proxy-addr": "~2.0.7",
-    "qs": "6.11.0",
+    "qs": "6.13.0",
    "range-parser": "~1.2.1",
    "safe-buffer": "5.2.1",
    "send": "0.19.0",
-    "serve-static": "1.16.0",
+    "serve-static": "1.16.2",
    "setprototypeof": "1.2.0",
    "statuses": "2.0.1",
    "type-is": "~1.6.18",
Author	SHA1	Message	Date
Ulises Gascón	1faf228935	4.21.2 Signed-off-by: Ulises Gascon <ulisesgascongonzalez@gmail.com>	2024-12-05 17:27:56 -05:00
Jon Church	2e0fb646d0	deps: bump path-to-regexp@0.1.12 (#6209 ) fix backtracking protection	2024-12-05 17:16:48 -05:00
Blake Embrey	59fc27028e	deps: path-to-regexp@0.1.11 (#5956 ) Co-authored-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>	2024-10-20 20:09:32 +02:00
Sebastian Beltran	51fc39ccf8	docs: add funding (#6065 )	2024-10-20 19:58:25 +02:00
Ulises Gascón	8e229f9275	4.21.1 PR-URL: https://github.com/expressjs/express/pull/6031	2024-10-08 20:36:08 +02:00
Josh Buker	a024c8a7b6	fix(deps): cookie@0.7.1 Co-authored-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>	2024-10-08 12:13:25 +02:00
Wes Todd	7e562c6d8d	4.21.0	2024-09-11 17:32:14 -05:00
agadzinski93	1bcde96bc8	fix(deps): qs@6.13.0 (#5946 ) Co-authored-by: Wes Todd <wes@wesleytodd.com>	2024-09-11 17:27:37 -05:00
Wes Todd	7d36477568	fix(deps): serve-static@1.16.2 (#5951 )	2024-09-11 17:26:00 -05:00
Wes Todd	40d2d8f2c8	fix(deps): finalhandler@1.3.1	2024-09-11 17:20:33 -05:00
Blake Embrey	77ada906db	Deprecate `"back"` magic string in redirects (#5935 )	2024-09-11 12:24:22 -07:00