The send package, designed as a streaming static file server with support for Range requests and conditional-GET, saw a notable update between versions 0.0.4 and 0.1.0. While both versions share core dependencies like mime for content type detection, debug for logging, fresh for HTTP cache freshness, and range-parser for handling byte range requests, the primary difference lies in the version number itself, indicating incremental improvements and bug fixes.
For developers relying on send to efficiently serve static assets, upgrading to version 0.1.0 would signify leveraging a more refined and potentially more stable iteration of the library. While specific code-level changes aren't detailed in the provided data, the updated release date of September 19, 2012, relative to the August 16, 2012 release of version 0.0.4, points to a concentrated period of development and refinement. Both versions rely on testing frameworks like mocha and should, and integration testing with connect and supertest, suggesting a commitment to quality assurance. The continued authorship of TJ Holowaychuk also indicates consistent design principles across both versions. Developers can expect similar behavior and API usage between the two, with version 0.1.0 offering the benefits of more recent maintenance and potential performance enhancements. The tarball URLs provided in the dist section provide clear locations for package retrieval from the npm registry.
All the vulnerabilities related to the version 0.1.0 of the package
Directory Traversal in send
Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.
For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.
Update to version 0.8.4 or later.
Root Path Disclosure in send
Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.
Update to version 0.11.1 or later.
send vulnerable to template injection that can lead to XSS
passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code
this issue is patched in send 0.19.0
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
successful exploitation of this vector requires the following:
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Update to version 2.0.3 or later.
Regular Expression Denial of Service in fresh
Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.
Update to version 0.5.2 or later.
