Send is a popular Node.js package designed for efficiently serving static files with advanced features like Range requests and conditional-GET support, making it ideal for streaming content. Comparing versions 0.16.0 and 0.15.6, developers will notice key updates primarily in dependency management and development tooling, enhancing overall stability and developer experience.
Specifically, version 0.16.0 upgrades the mime dependency from 1.3.4 to 1.4.1 along with the inclusion of eslint-plugin-node, eslint-plugin-import, and an upgrade to eslint-config-standard from version 7.1.0 to 10.2.1. This upgrade in the Mime version could provide advantages for new file types and improve MIME type resolution. More relevant to the development workflow, there are also updates to the ESLint plugins, including eslint-plugin-node and eslint-plugin-import, providing improved code linting and adherence to modern Javascript standards. These updates enhance code quality, maintainability, and integration with modern development workflows.
These refinements offer developers a more robust and streamlined experience when utilizing the send package, ensuring better compatibility and adherence to coding best practices. Choosing version 0.16.0 offers refinements in MIME type support and developer tooling that improves coding standards when using the library.
All the vulnerabilities related to the version 0.16.0 of the package
send vulnerable to template injection that can lead to XSS
passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code
this issue is patched in send 0.19.0
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
successful exploitation of this vector requires the following:
