Send is a Node.js package designed for efficiently serving static files with features like Range requests and conditional-GET support, enhancing website performance and user experience. Comparing version 0.16.1 to its predecessor, 0.16.0, reveals a minor update focusing on improvements and refinements. The core functionalities remain consistent, ensuring a seamless transition for developers already using the library.
The dependency list is identical between the two versions; the only difference is in the devDependencies, where eslint-plugin-node is updated from version 5.1.1 to 5.2.0 in version 0.16.1. While such a change appears minimal, plugin updates often include critical bug fixes to existing lint rules, performance tweaks, or minor feature enhancements, contributing to a more polished and reliable tool. Developers should consider upgrading to version 0.16.1 to benefit from these possible incremental improvements in code quality.
The two versions were released one day apart. Because the newer release is a patch version, it contains minimal changes focused on improving existing features. This package is worth considering for projects that require efficient static file serving, especially those dealing with larger files or high-traffic scenarios, as the underlying enhancements contribute to a more robust and optimized solution.
All the vulnerabilities related to version 0.16.1 of the package:
send is vulnerable to template injection that can lead to XSS.
Passing untrusted user input to SendStream.redirect(), even after sanitizing it, may execute untrusted code.
This issue is patched in send 0.19.0.
Users are encouraged to upgrade to the patched version of express, but can otherwise work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.
Successful exploitation of this vector requires the following: