[Snyk] Upgrade express from 4.7.2 to 4.17.1

[snyk-bot]

Snyk has created this PR to upgrade express from 4.7.2 to 4.17.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 57 versions ahead of your current version.
• The recommended version was released 2 years ago, on 2019-05-26.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) npm:negotiator:20160616	589/1000 Why? Has a fix available, CVSS 7.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	589/1000 Why? Has a fix available, CVSS 7.5	No Known Exploit
	Root Path Disclosure npm:send:20151103	589/1000 Why? Has a fix available, CVSS 7.5	No Known Exploit
	Directory Traversal npm:send:20140912	589/1000 Why? Has a fix available, CVSS 7.5	No Known Exploit
	Root Path Disclosure npm:send:20151103	589/1000 Why? Has a fix available, CVSS 7.5	No Known Exploit
	Directory Traversal npm:send:20140912	589/1000 Why? Has a fix available, CVSS 7.5	No Known Exploit
	Open Redirect npm:serve-static:20150113	589/1000 Why? Has a fix available, CVSS 7.5	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: express

• 4.17.1 - 2019-05-26
  
  • Revert "Improve error message for null/undefined to res.status"
• 4.17.0 - 2019-05-17
  
  • Add express.raw to parse bodies into Buffer
  • Add express.text to parse bodies into string
  • Improve error message for non-strings to res.sendFile
  • Improve error message for null/undefined to res.status
  • Support multiple hosts in X-Forwarded-Host
  • deps: accepts@~1.3.7
  • deps: body-parser@1.19.0
    • Add encoding MIK
    • Add petabyte (pb) support
    • Fix parsing array brackets after index
    • deps: bytes@3.1.0
    • deps: http-errors@1.7.2
    • deps: iconv-lite@0.4.24
    • deps: qs@6.7.0
    • deps: raw-body@2.4.0
    • deps: type-is@~1.6.17
  • deps: content-disposition@0.5.3
  • deps: cookie@0.4.0
    • Add SameSite=None support
  • deps: finalhandler@~1.1.2
    • Set stricter Content-Security-Policy header
    • deps: parseurl@~1.3.3
    • deps: statuses@~1.5.0
  • deps: parseurl@~1.3.3
  • deps: proxy-addr@~2.0.5
    • deps: ipaddr.js@1.9.0
  • deps: qs@6.7.0
    • Fix parsing array brackets after index
  • deps: range-parser@~1.2.1
  • deps: send@0.17.1
    • Set stricter CSP header in redirect & error responses
    • deps: http-errors@~1.7.2
    • deps: mime@1.6.0
    • deps: ms@2.1.1
    • deps: range-parser@~1.2.1
    • deps: statuses@~1.5.0
    • perf: remove redundant path.normalize call
  • deps: serve-static@1.14.1
    • Set stricter CSP header in redirect response
    • deps: parseurl@~1.3.3
    • deps: send@0.17.1
  • deps: setprototypeof@1.1.1
  • deps: statuses@~1.5.0
    • Add 103 Early Hints
  • deps: type-is@~1.6.18
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type
• 4.16.4 - 2018-10-11
  
  • Fix issue where "Request aborted" may be logged in res.sendfile
  • Fix JSDoc for Router constructor
  • deps: body-parser@1.18.3
    • Fix deprecation warnings on Node.js 10+
    • Fix stack trace for strict json parse error
    • deps: depd@~1.1.2
    • deps: http-errors@~1.6.3
    • deps: iconv-lite@0.4.23
    • deps: qs@6.5.2
    • deps: raw-body@2.3.3
    • deps: type-is@~1.6.16
  • deps: proxy-addr@~2.0.4
    • deps: ipaddr.js@1.8.0
  • deps: qs@6.5.2
  • deps: safe-buffer@5.1.2
• 4.16.3 - 2018-03-12
  
  • deps: accepts@~1.3.5
    • deps: mime-types@~2.1.18
  • deps: depd@~1.1.2
    • perf: remove argument reassignment
  • deps: encodeurl@~1.0.2
    • Fix encoding % as last character
  • deps: finalhandler@1.1.1
    • Fix 404 output for bad / missing pathnames
    • deps: encodeurl@~1.0.2
    • deps: statuses@~1.4.0
  • deps: proxy-addr@~2.0.3
    • deps: ipaddr.js@1.6.0
  • deps: send@0.16.2
    • Fix incorrect end tag in default error & redirects
    • deps: depd@~1.1.2
    • deps: encodeurl@~1.0.2
    • deps: statuses@~1.4.0
  • deps: serve-static@1.13.2
    • Fix incorrect end tag in redirects
    • deps: encodeurl@~1.0.2
    • deps: send@0.16.2
  • deps: statuses@~1.4.0
  • deps: type-is@~1.6.16
    • deps: mime-types@~2.1.18
• 4.16.2 - 2017-10-10
  
  • Fix TypeError in res.send when given Buffer and ETag header set
  • perf: skip parsing of entire X-Forwarded-Proto header
• 4.16.1 - 2017-09-29
  
  • deps: send@0.16.1
  • deps: serve-static@1.13.1
    • Fix regression when root is incorrectly set to a file
    • deps: send@0.16.1
• 4.16.0 - 2017-09-28
  
  • Add "json escape" setting for res.json and res.jsonp
  • Add express.json and express.urlencoded to parse bodies
  • Add options argument to res.download
  • Improve error message when autoloading invalid view engine
  • Improve error messages when non-function provided as middleware
  • Skip Buffer encoding when not generating ETag for small response
  • Use safe-buffer for improved Buffer API
  • deps: accepts@~1.3.4
    • deps: mime-types@~2.1.16
  • deps: content-type@~1.0.4
    • perf: remove argument reassignment
    • perf: skip parameter parsing when no parameters
  • deps: etag@~1.8.1
    • perf: replace regular expression with substring
  • deps: finalhandler@1.1.0
    • Use res.headersSent when available
  • deps: parseurl@~1.3.2
    • perf: reduce overhead for full URLs
    • perf: unroll the "fast-path" RegExp
  • deps: proxy-addr@~2.0.2
    • Fix trimming leading / trailing OWS in X-Forwarded-For
    • deps: forwarded@~0.1.2
    • deps: ipaddr.js@1.5.2
    • perf: reduce overhead when no X-Forwarded-For header
  • deps: qs@6.5.1
    • Fix parsing & compacting very deep objects
  • deps: send@0.16.0
    • Add 70 new types for file extensions
    • Add immutable option
    • Fix missing </html> in default error & redirects
    • Set charset as "UTF-8" for .js and .json
    • Use instance methods on steam to check for listeners
    • deps: mime@1.4.1
    • perf: improve path validation speed
  • deps: serve-static@1.13.0
    • Add 70 new types for file extensions
    • Add immutable option
    • Set charset as "UTF-8" for .js and .json
    • deps: send@0.16.0
  • deps: setprototypeof@1.1.0
  • deps: utils-merge@1.0.1
  • deps: vary@~1.1.2
    • perf: improve header token parsing speed
  • perf: re-use options object when generating ETags
  • perf: remove dead .charset set in res.jsonp
• 4.15.5 - 2017-09-25
• 4.15.4 - 2017-08-07
• 4.15.3 - 2017-05-17
• 4.15.2 - 2017-03-06
• 4.15.1 - 2017-03-06
• 4.15.0 - 2017-03-01
• 4.14.1 - 2017-01-28
• 4.14.0 - 2016-06-16
• 4.13.4 - 2016-01-22
• 4.13.3 - 2015-08-03
• 4.13.2 - 2015-07-31
• 4.13.1 - 2015-07-06
• 4.13.0 - 2015-06-21
• 4.12.4 - 2015-05-18
• 4.12.3 - 2015-03-17
• 4.12.2 - 2015-03-03
• 4.12.1 - 2015-03-02
• 4.12.0 - 2015-02-23
• 4.11.2 - 2015-02-01
• 4.11.1 - 2015-01-21
• 4.11.0 - 2015-01-14
• 4.10.8 - 2015-01-13
• 4.10.7 - 2015-01-05
• 4.10.6 - 2014-12-13
• 4.10.5 - 2014-12-11
• 4.10.4 - 2014-11-25
• 4.10.3 - 2014-11-24
• 4.10.2 - 2014-11-10
• 4.10.1 - 2014-10-29
• 4.10.0 - 2014-10-24
• 4.9.8 - 2014-10-18
• 4.9.7 - 2014-10-10
• 4.9.6 - 2014-10-09
• 4.9.5 - 2014-09-25
• 4.9.4 - 2014-09-20
• 4.9.3 - 2014-09-18
• 4.9.2 - 2014-09-18
• 4.9.1 - 2014-09-17
• 4.9.0 - 2014-09-09
• 4.8.8 - 2014-09-05
• 4.8.7 - 2014-08-30
• 4.8.6 - 2014-08-28
• 4.8.5 - 2014-08-19
• 4.8.4 - 2014-08-15
• 4.8.3 - 2014-08-11
• 4.8.2 - 2014-08-07
• 4.8.1 - 2014-08-06
• 4.8.0 - 2014-08-06
• 4.7.4 - 2014-08-04
• 4.7.3 - 2014-08-04
• 4.7.2 - 2014-07-27

from express GitHub release notes

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs