Send is a Node.js library designed for efficiently serving static files with advanced features like Range and conditional-GET support. This makes it ideal for applications needing to deliver content quickly and optimize bandwidth usage. Comparing version 0.1.4 with the previous version 0.1.3, developers will primarily notice an update in the fresh dependency, moving from version 0.1.0 to 0.2.0. This seemingly small change likely incorporates improvements in cache validation and handling of conditional requests, potentially enhancing performance and reducing unnecessary data transfers.
Both versions share a common foundation: they use mime for content type detection, debug for logging, and range-parser for handling HTTP Range requests, which enables seeking within files. Developers familiar with previous versions will find the API largely consistent. New adopters will appreciate the library's ease of use and its focus on delivering static content efficiently. The library also relies on connect and supertest for development and testing, providing stable, well-tested software. Maintained by TJ Holowaychuk, Send benefits from a history of quality open-source contributions. Given the small dependency update in v0.1.4, existing users should review the fresh changelog for changes relevant to their caching strategies. Release dates offer insight into the project's maintenance: both versions were released in 2013, suggesting a mature codebase.
All vulnerabilities related to version 0.1.4 of the package
Directory Traversal in send
Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access, it may be possible for an application consumer to escape the restricted directory and access files in a similarly named directory. For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.
Update to version 0.8.4 or later.
Root Path Disclosure in send
Versions of send prior to 0.11.2 are affected by an information leakage vulnerability that may allow an attacker to enumerate paths on the server filesystem.
Update to version 0.11.1 or later.
send vulnerable to template injection that can lead to XSS
Passing untrusted user input, even after sanitizing it, to SendStream.redirect() may execute untrusted code.
This issue is patched in send 0.19.0.
Users are encouraged to upgrade to the patched version of express, but can otherwise work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.
Successful exploitation of this vector requires the following:
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular expression denial of service when a MIME lookup is performed on untrusted user input.
Update to version 2.0.3 or later.
Regular Expression Denial of Service in fresh
Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.
Update to version 0.5.2 or later.