send version 0.18.0 introduces notable updates, primarily dependency upgrades and internal improvements, for developers who want a robust static file server. The core functionality, streaming static files with Range and conditional-GET support, is unchanged, so existing users can move to it without code changes. Key dependency updates include depd ~1.1.2 to 2.0.0, destroy ~1.0.4 to 1.2.0, statuses ~1.5.0 to 2.0.1, http-errors 1.8.1 to 2.0.0, and on-finished ~2.3.0 to 2.4.1, reflecting a commitment to current and maintained versions of the underlying libraries.
While the API exposed to developers using send remains relatively stable, the newer dependencies likely carry bug fixes, performance enhancements, and security patches within those modules. The larger unpackedSize in 0.18.0 (50148 bytes vs 48373 bytes) suggests a modest increase in code footprint from these dependency updates. Together they make for a more secure and potentially faster static file serving solution, which matters for production deployments. For developers, this release is a reminder that keeping dependencies current is a security and reliability concern even when the direct API does not change.
All the vulnerabilities related to version 0.18.0 of the package:
send vulnerable to template injection that can lead to XSS
Passing untrusted user input, even after sanitizing it, to SendStream.redirect() may execute untrusted code.
This issue is patched in send 0.19.0.
Users are encouraged to upgrade to the patched version of express, but otherwise can work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.
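The allowlist workaround above, as an added example that is not code from send or from the advisory. It assumes a hypothetical application that serves a fixed set of paths (ALLOWED_PATHS is constructed for this example), and the function names validateRequestPath, denylistSanitize and demo are this example's own. The denylist sanitizer is included only to contrast with the allowlist: it passes through inputs that still contain HTML-significant characters, which is why the advisory says sanitizing alone is not enough.

```javascript
// Added example (not code from send or its advisory): validate a request path
// against an explicit allowlist before handing it to a static-file server.
// Names below (ALLOWED_PATHS, validateRequestPath, denylistSanitize, demo)
// are this example's own assumptions.

// Constructed allowlist: the only paths this hypothetical application serves.
const ALLOWED_PATHS = new Set([
  '/index.html',
  '/assets/app.js',
  '/assets/style.css',
  '/docs/',
]);

// Only these characters may appear in a candidate path at all. Quotes,
// angle brackets, percent signs and whitespace never pass this check.
const SAFE_PATH = /^\/[A-Za-z0-9_\-./]*$/;

// Returns the canonical allowed path, or null if the input is not on the list.
function validateRequestPath(rawPath) {
  if (typeof rawPath !== 'string' || rawPath.length === 0) return null;
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath); // normalise %XX escapes first
  } catch {
    return null; // malformed escape sequence
  }
  if (!SAFE_PATH.test(decoded)) return null;          // unexpected character
  if (decoded.split('/').includes('..')) return null;  // traversal segment
  return ALLOWED_PATHS.has(decoded) ? decoded : null;   // must be explicitly listed
}

// A denylist-style "sanitizer", shown only for contrast with the allowlist:
// it removes one pattern it knows about and passes everything else through.
function denylistSanitize(rawPath) {
  return rawPath.replace(/<script[\s\S]*?<\/script>/gi, '');
}

// Constructed sample inputs: a few that are on the list, and several that a
// denylist would let through but the allowlist rejects outright.
function demo() {
  const inputs = ['/index.html', '/docs/', '/docs', '/x"/', '/%22/', '/../index.html'];
  return inputs.map((p) => ({
    input: p,
    sanitized: denylistSanitize(p),
    allowed: validateRequestPath(p),
  }));
}

console.table(demo());
```

In an application, the non-null result of validateRequestPath is the only value that should reach the file-serving call; a null result should be answered with a 404 rather than passed on in any form. The table printed by demo shows that denylistSanitize leaves inputs such as '/x"/' untouched, while the allowlist returns null for everything not explicitly listed.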
Successful exploitation of this vector requires the following: