Express 4.21.0 represents a minor version update over its predecessor, Express 4.20.0, within the popular Node.js web application framework. Both versions maintain the core philosophy of providing a fast, unopinionated, and minimalist foundation for building web applications and APIs.
The key differences between the two are dependency updates and internal improvements. Notably, the qs dependency was updated from version 6.11.0 to 6.13.0 and finalhandler from version 1.2.0 to 1.3.1, picking up the bug fixes and security fixes shipped in those packages. Additionally, the serve-static dependency was updated from version 1.16.0 to 1.16.2. These updates keep the framework compatible with the latest standards and technologies and bolster the overall stability and security of applications built upon it. The unpacked size of **4.21.0** is 220827 bytes, against 220461 bytes for **4.20.0**.
For developers, upgrading from Express 4.20.0 to 4.21.0 should be relatively straightforward, as the core API remains consistent. However, it is worth reviewing the release notes and changelogs of the updated dependencies (qs, finalhandler, serve-static) and any other modifications to ensure a smooth transition and to take advantage of any new features or performance improvements.
Both versions share the same development dependencies, such as ejs, hbs, mocha, and eslint, indicating a consistent approach to testing and development. Staying current with the latest minor version ensures access to the most recent bug fixes, performance enhancements, and security patches, contributing to a more robust and maintainable codebase. The two releases are only one day apart.
All the vulnerabilities related to version 4.21.0 of the package:

cookie accepts cookie name, path, and domain with out of bounds characters

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting the userName cookie to <script> and ignoring value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Upgrade to cookie 0.7.0, which updates the validation for name, path, and domain. As a workaround, avoid passing untrusted or arbitrary values for these fields; ensure they are set by the application instead of taken from user input.
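The following is an added example, not code from this page, from the cookie package, or from Express: a minimal Set-Cookie serializer that validates name, path and domain before building the header, so the injected name quoted in the advisory above is rejected instead of being emitted with its smuggled Max-Age attribute. The regular expressions and the helper names are this example's own assumptions, modelled on the RFC 6265 grammar rather than copied from the cookie package.

```javascript
// RFC 6265 cookie-name is an HTTP token: no separators, whitespace or CTLs,
// so "=", ";", "<" and " " are all rejected (assumed regex, not cookie's own).
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// path-value / domain-value: printable US-ASCII except ";" (0x3B), which would
// terminate the attribute and let the caller start a new one.
const ATTR_VALUE_RE = /^[\u0021-\u003A\u003C-\u007E]*$/;

function serializeCookie(name, value, options = {}) {
  if (!TOKEN_RE.test(name)) {
    throw new TypeError('argument name is invalid');
  }
  let header = `${name}=${encodeURIComponent(value)}`;
  if (options.maxAge !== undefined) {
    if (!Number.isInteger(options.maxAge)) throw new TypeError('option maxAge is invalid');
    header += `; Max-Age=${options.maxAge}`;
  }
  if (options.domain !== undefined) {
    if (!ATTR_VALUE_RE.test(options.domain)) throw new TypeError('option domain is invalid');
    header += `; Domain=${options.domain}`;
  }
  if (options.path !== undefined) {
    if (!ATTR_VALUE_RE.test(options.path)) throw new TypeError('option path is invalid');
    header += `; Path=${options.path}`;
  }
  if (options.httpOnly) header += '; HttpOnly';
  if (options.secure) header += '; Secure';
  return header;
}

// Constructed input: the injected name quoted in the advisory above.
const INJECTED_NAME = "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a";

// Returns true when the serializer refuses the given arguments with a TypeError.
function rejects(name, value, options) {
  try {
    serializeCookie(name, value, options);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Demonstration: the advisory's payload is refused, a well-formed cookie is not.
console.log(rejects(INJECTED_NAME, 'test'));                         // true
console.log(serializeCookie('userName', 'test', { path: '/', httpOnly: true }));
```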
path-to-regexp contains a ReDoS

A regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of path-to-regexp, originally reported in CVE-2024-45296.

Upgrade to path-to-regexp 0.1.12. As a workaround, avoid using two parameters within a single path segment when the separator is not "." (e.g. no "/:a-:b"). Alternatively, you can define the regex used for both parameters and ensure they do not overlap in a way that allows backtracking.