Update express and entities by depshub-app[bot] · Pull Request #3 · browser-vm/min

depshub-app · 2025-02-07T12:09:37Z

This PR includes 2 dependency updates, including 🔴 1 vulnerability, 🟠 1 major updates.

package.json

📦 Package	⬅️ Previous Version	➡️ New Version	📅 Released	⚠️ Vulnerability
express	`4.18.2`	`🔴 5.0.0`	5 months ago	GHSA-jj78-5fmv-mv28
entities	`4.5.0`	`🟠 5.0.0`	7 months ago

express 4.18.2 -> 🔴 5.0.0 - Changelog

## 5.0.0

Express v5.0.0
🎉 Express v5 is finally here! 🎉
After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.
For detailed information, please check out the official Express v5 release blog post.
Most relevant details
Major Changes in v5
- Node.js version support: Dropped support for Node.js versions before v18.
- Routing changes: Updated to path-to-regexp8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).
- Promise support: Middleware can now return rejected promises, caught by the router as errors.
- body-parser changes: Several improvements including the ability to customize urlencoded body depth and defaulting extended to false.
- Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.
For a complete list of breaking changes and API deprecations, see the migration guide.
Security Updates
This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.
Migration
Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.
Security Guidance
For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.
What's Changed
- 4.19.2 Staging by wesleytodd in 4.19.2 Staging expressjs/express#5561
- remove duplicate location test for data uri by wesleytodd in remove duplicate location test for data uri expressjs/express#5562
- feat: document beta releases expectations by marco-ippolito in feat: document beta releases expectations expressjs/express#5565
- Cut down on duplicated CI runs by jonchurch in Cut down on duplicated CI runs expressjs/express#5564
- Add a Threat Model by UlisesGascon in Add a Threat Model expressjs/express#5526
- Assign captain of encodeurl by blakeembrey in Assign captain of encodeurl expressjs/express#5579
- Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by jonchurch in Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser expressjs/express#5587
- docs: update Security.md by inigomarquinez in docs: update Security.md expressjs/express#5590
- docs: update triage nomination policy by UlisesGascon in docs: update triage nomination policy expressjs/express#5600
- Add CodeQL (SAST) by UlisesGascon in Add CodeQL (SAST) expressjs/express#5433
- docs: add UlisesGascon as triage initiative captain by UlisesGascon in docs: add UlisesGascon as triage initiative captain expressjs/express#5605
- Use object with null prototype for various app properties by EvanHahn in Use object with null prototype for various app properties expressjs/express#4861
- deps: encodeurl~2.0.0 by blakeembrey in deps: encodeurl@~2.0.0 expressjs/express#5569
- skip QUERY method test by jonchurch in skip QUERY method test expressjs/express#5628
- ignore ETAG query test on 21 and 22, reuse skip util by jonchurch in ignore ETAG query test on 21 and 22, reuse skip util expressjs/express#5639
- add support Node.js22 in the CI by mertcanaltin in add support Node.js@22 in the CI expressjs/express#5627
- doc: add table of contents, tc/triager lists to readme by mertcanaltin in doc: add table of contents, tc/triager lists to readme expressjs/express#5619
- List and sort all projects, add captains by blakeembrey in List and sort all projects, add captains expressjs/express#5653
- Call callback once on listen error by wesleytodd in Call callback once on listen error expressjs/express#3216
- docs: add UlisesGascon as captain for cookie-parser by UlisesGascon in docs: add @UlisesGascon as captain for cookie-parser expressjs/express#5666
- ✨ bring back query tests for node 21 by ctcpip in ✨ bring back query tests for node 21 expressjs/express#5690
- [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by jonchurch in [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires expressjs/express#5672
- skip QUERY tests for Node 21 only, still not supported by jonchurch in skip QUERY tests for Node 21 only, still not supported expressjs/express#5695
- 📝 update people, add ctcpip to TC by ctcpip in 📝 update people, add ctcpip to TC expressjs/express#5683
- remove minor version pinning from ci by jonchurch in remove minor version pinning from ci expressjs/express#5722
- Fix link variable use in attribution section of CODE OF CONDUCT by IamLizu in Fix link variable use in attribution section of CODE OF CONDUCT expressjs/express#5762
- Replace Appveyor windows testing with GHA by jonchurch in Replace Appveyor windows testing with GHA expressjs/express#5599
- Add OSSF Scorecard badge by UlisesGascon in Add OSSF Scorecard badge expressjs/express#5436
- Throw on invalid status codes by jonchurch in Throw on invalid status codes expressjs/express#4212
- Use Array.flat instead of array-flatten by almic in Use Array.flat instead of array-flatten expressjs/express#5677
- Adopt Node18 as the minimum supported version by UlisesGascon in Adopt Node@18 as the minimum supported version expressjs/express#5803
- Ignore expires and maxAge in res.clearCookie() by jonchurch in Ignore expires and maxAge in res.clearCookie() expressjs/express#5792
- send1.0.0 by wesleytodd in send@1.0.0 expressjs/express#5786
- chore: upgrade debug dep from 3.10 to 4.3.6 by carpasse in chore: upgrade debug dep from 3.10 to 4.3.6 expressjs/express#5829
- refactor: replace 'path-is-absolute' dep with node:path isAbsolute method by carpasse in refactor: replace 'path-is-absolute' dep with node:path isAbsolute method expressjs/express#5830
- update scorecard link by bjohansebas in update scorecard link expressjs/express#5814
- Nominate IamLizu to the triage team by UlisesGascon in Nominate @IamLizu to the triage team expressjs/express#5836
- deps: path-to-regexp0.1.8 by blakeembrey in deps: path-to-regexp@0.1.8 expressjs/express#5603
- docs: specify new instructions for question and discuss by IamLizu in docs: specify new instructions for question and discuss expressjs/express#5835
- 5.x: Upgrading merge-descriptors with allowing minors by RobinTail in 5.x: Upgrading merge-descriptors with allowing minors expressjs/express#5782
- 4.x: Upgrade merge-descriptors dependency by RobinTail in 4.x: Upgrade merge-descriptors dependency expressjs/express#5781
- WIP: serve-static2 by wesleytodd in WIP: serve-static@2 expressjs/express#5790
- chore: upgrade qs dp from 6.11.0 to 6.13.0 by carpasse in chore: upgrade qs dp from 6.11.0 to 6.13.0 expressjs/express#5847
- Upgrade cookie signature by IamLizu in Upgrade cookie signature expressjs/express#5833
- accepts2 by wesleytodd in accepts@2 expressjs/express#5881
- mime-types3 by wesleytodd in mime-types@3 expressjs/express#5882
- type-is^2.0.0 by wesleytodd in type-is@^2.0.0 expressjs/express#5883
- content-disposition^1.0.0 by wesleytodd in content-disposition@^1.0.0 expressjs/express#5884
- fix(deps): finalhandler^2.0.0 by wesleytodd in fix(deps): finalhandler@^2.0.0 expressjs/express#5899
- path-to-regexp0.1.10 by blakeembrey in path-to-regexp@0.1.10 expressjs/express#5902
- update to fresh^2.0.0 by jonchurch in update to fresh@^2.0.0 expressjs/express#5916
- router^2.0.0 by wesleytodd in router@^2.0.0 expressjs/express#5885
- Adopt Node18 as the minimum supported version by UlisesGascon in Adopt Node@18 as the minimum supported version expressjs/express#5595
- master -> 5.0 by ctcpip in master -> 5.0 expressjs/express#5785
- 🔧 update CI, remove unsupported versions, clean up by ctcpip in 🔧 update CI, remove unsupported versions, clean up expressjs/express#5931
- Delete back as a magic string by blakeembrey in Delete back as a magic string expressjs/express#5933
- Release 5.0 by dougwilson in Release 5.0 expressjs/express#2237
New Contributors
- marco-ippolito made their first contribution in feat: document beta releases expectations expressjs/express#5565
- inigomarquinez made their first contribution in docs: update Security.md expressjs/express#5590
- mertcanaltin made their first contribution in add support Node.js@22 in the CI expressjs/express#5627
- ctcpip made their first contribution in ✨ bring back query tests for node 21 expressjs/express#5690
- IamLizu made their first contribution in Fix link variable use in attribution section of CODE OF CONDUCT expressjs/express#5762
- almic made their first contribution in Use Array.flat instead of array-flatten expressjs/express#5677
- carpasse made their first contribution in chore: upgrade debug dep from 3.10 to 4.3.6 expressjs/express#5829
- bjohansebas made their first contribution in update scorecard link expressjs/express#5814
- RobinTail made their first contribution in 5.x: Upgrading merge-descriptors with allowing minors expressjs/express#5782
Full Changelog: expressjs/express@v5.0.0-beta.3...v5.0.0

entities 4.5.0 -> 🟠 5.0.0 - Changelog

## 5.0.0

What's Changed
- Improved code style (based on eslint-plugin-unicorn) Improve code style with unicorn fb55/entities#1496
- Upgraded toolchain (to tshy, vitest, and tsx) Upgrade toolchain fb55/entities#1497
Breaking Changes
- ⚠️ BREAKING: The lib directory was renamed to dist in #1497. Deep imports will have to be updated.
Full Changelog: fb55/entities@v4.5.0...v5.0.0

🔒 Security updates available: 1 (changed by 1 since last month).
⚠️ Major updates available: 2 (changed by 2 since last month).

This pull request was created using DepsHub

Updated: - express from 4.18.2 to 5.0.0 - entities from 4.5.0 to 5.0.0 For issues or feature requests: <support@depshub.com>

depshub-app · 2025-02-07T12:09:39Z

server.js


 // Ultraviolet handler
-app.use('/service/', (req, res) => {
+app.use('/service/*', (req, res) => {


Package express version 5.0.0 has the following breaking changes:

Updated to path-to-regexp@8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).

depshub-app · 2025-02-07T12:09:40Z

server.js

 import express from 'express';
 import { createServer } from 'node:http';
-import { uvPath } from '@titaniumnetwork-dev/ultraviolet';
+import { uvPath } from '@titaniumnetwork-dev/ultraviolet/dist';


Package entities version 5.0.0 has the following breaking changes:

⚠️ BREAKING: The lib directory was renamed to dist in #1497. Deep imports will have to be updated.

depshub-app · 2025-02-07T12:09:41Z

uv.config.js

-    config: '/uv/uv.config.js',
-    sw: '/uv/uv.sw.js',
-};
+    handler: '/dist/uv.handler.js',


Package entities version 5.0.0 has the following breaking changes:

⚠️ BREAKING: The lib directory was renamed to dist in #1497. Deep imports will have to be updated.

sonarqubecloud · 2025-02-07T12:13:01Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Update express and entities

22e8c7f

Updated: - express from 4.18.2 to 5.0.0 - entities from 4.5.0 to 5.0.0 For issues or feature requests: <support@depshub.com>

depshub-app bot commented Feb 7, 2025

View reviewed changes

browser-vm approved these changes Feb 7, 2025

View reviewed changes

browser-vm merged commit e7f9b7c into main Feb 7, 2025
4 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update express and entities#3

Update express and entities#3
browser-vm merged 1 commit intomainfrom
depshub/updates/express-entities

depshub-app bot commented Feb 7, 2025

Uh oh!

depshub-app bot Feb 7, 2025

Uh oh!

depshub-app bot Feb 7, 2025

Uh oh!

depshub-app bot Feb 7, 2025

Uh oh!

sonarqubecloud bot commented Feb 7, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

depshub-app bot commented Feb 7, 2025

Express v5.0.0

Most relevant details

Major Changes in v5

Security Updates

Migration

Security Guidance

What's Changed

New Contributors

What's Changed

Breaking Changes

Uh oh!

depshub-app bot Feb 7, 2025

Choose a reason for hiding this comment

Uh oh!

depshub-app bot Feb 7, 2025

Choose a reason for hiding this comment

Uh oh!

depshub-app bot Feb 7, 2025

Choose a reason for hiding this comment

Uh oh!

sonarqubecloud bot commented Feb 7, 2025

Quality Gate passed

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant