1# Unreleased Changes23## 🚀 Improvements45* Improve HTML structure in `res.redirect()` responses when HTML format is accepted by adding `<!DOCTYPE html>`, `<title>`, and `<body>` tags for better browser compatibility - by [@Bernice55231](https://github.com/Bernice55231) in [#5167](https://github.com/expressjs/express/pull/5167)67* When calling `app.render` with options set to null, the locals object is handled correctly, preventing unexpected errors and making the method behave the same as when options is omitted or an empty object is passed - by [AkaHarshit](https://github.com/AkaHarshit) in [#6903](https://github.com/expressjs/express/pull/6903)89 ```js10 app.render('index', null, callback); // now works as expected11 ```1213## ⚡ Performance1415* Avoid duplicate Content-Type header processing in `res.send()` when sending string responses without an explicit Content-Type header - by [@bjohansebas](https://github.com/bjohansebas) in [#6991](https://github.com/expressjs/express/pull/6991)16175.2.1 / 2025-12-0118=======================1920* Revert security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))21 * The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.22235.2.0 / 2025-12-0124========================2526* Security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))27* deps: `body-parser@^2.2.1`28* A deprecation warning was added when using `res.redirect` with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.29305.1.0 / 2025-03-3131========================3233* Add support for `Uint8Array` in `res.send()`34* Add support for ETag option in `res.sendFile()`35* Add support for multiple links with the same rel in `res.links()`36* Add funding field to package.json37* perf: use loop for acceptParams38* refactor: prefix built-in node module imports39* deps: remove `setprototypeof`40* deps: remove `safe-buffer`41* deps: remove `utils-merge`42* deps: remove `methods`43* deps: remove `depd`44* deps: `debug@^4.4.0`45* deps: `body-parser@^2.2.0`46* deps: `router@^2.2.0`47* deps: `content-type@^1.0.5`48* deps: `finalhandler@^2.1.0`49* deps: `qs@^6.14.0`50* deps: `server-static@2.2.0`51* deps: `type-is@2.0.1`52535.0.1 / 2024-10-0854==========5556* Update `cookie` semver lock to address [CVE-2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764)57585.0.0 / 2024-09-1059=========================60* remove:61 - `path-is-absolute` dependency - use `path.isAbsolute` instead62* breaking:63 * `res.status()` accepts only integers, and input must be greater than 99 and less than 100064 * will throw a `RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000.` for inputs outside this range65 * will throw a `TypeError: Invalid status code: ${code}. Status code must be an integer.` for non integer inputs66 * deps: send@1.0.067 * `res.redirect('back')` and `res.location('back')` is no longer a supported magic string, explicitly use `req.get('Referrer') || '/'`.68* change:69 - `res.clearCookie` will ignore user provided `maxAge` and `expires` options70* deps: cookie-signature@^1.2.171* deps: debug@4.3.672* deps: merge-descriptors@^2.0.073* deps: serve-static@^2.1.074* deps: qs@6.13.075* deps: accepts@^2.0.076* deps: mime-types@^3.0.077 - `application/javascript` => `text/javascript`78* deps: type-is@^2.0.079* deps: content-disposition@^1.0.080* deps: finalhandler@^2.0.081* deps: fresh@^2.0.082* deps: body-parser@^2.0.183* deps: send@^1.1.084855.0.0-beta.3 / 2024-03-2586=========================8788This incorporates all changes after 4.19.1 up to 4.19.2.89905.0.0-beta.2 / 2024-03-2091=========================9293This incorporates all changes after 4.17.2 up to 4.19.1.94955.0.0-beta.1 / 2022-02-1496=========================9798This is the first Express 5.0 beta release, based off 4.17.2 and includes99changes from 5.0.0-alpha.8.100101 * change:102 - Default "query parser" setting to `'simple'`103 - Requires Node.js 4+104 - Use `mime-types` for file to content type mapping105 * deps: array-flatten@3.0.0106 * deps: body-parser@2.0.0-beta.1107 - `req.body` is no longer always initialized to `{}`108 - `urlencoded` parser now defaults `extended` to `false`109 - Use `on-finished` to determine when body read110 * deps: router@2.0.0-beta.1111 - Add new `?`, `*`, and `+` parameter modifiers112 - Internalize private `router.process_params` method113 - Matching group expressions are only RegExp syntax114 - Named matching groups no longer available by position in `req.params`115 - Regular expressions can only be used in a matching group116 - Remove `debug` dependency117 - Special `*` path segment behavior removed118 - deps: array-flatten@3.0.0119 - deps: parseurl@~1.3.3120 - deps: path-to-regexp@3.2.0121 - deps: setprototypeof@1.2.0122 * deps: send@1.0.0-beta.1123 - Change `dotfiles` option default to `'ignore'`124 - Remove `hidden` option; use `dotfiles` option instead125 - Use `mime-types` for file to content type mapping126 - deps: debug@3.1.0127 * deps: serve-static@2.0.0-beta.1128 - Change `dotfiles` option default to `'ignore'`129 - Remove `hidden` option; use `dotfiles` option instead130 - Use `mime-types` for file to content type mapping131 - Remove `express.static.mime` export; use `mime-types` package instead132 - deps: send@1.0.0-beta.11331345.0.0-alpha.8 / 2020-03-25135==========================136137This is the eighth Express 5.0 alpha release, based off 4.17.1 and includes138changes from 5.0.0-alpha.7.1391405.0.0-alpha.7 / 2018-10-26141==========================142143This is the seventh Express 5.0 alpha release, based off 4.16.4 and includes144changes from 5.0.0-alpha.6.145146The major change with this alpha is the basic support for returned, rejected147Promises in the router.148149 * remove:150 - `path-to-regexp` dependency151 * deps: debug@3.1.0152 - Add `DEBUG_HIDE_DATE` environment variable153 - Change timer to per-namespace instead of global154 - Change non-TTY date format155 - Remove `DEBUG_FD` environment variable support156 - Support 256 namespace colors157 * deps: router@2.0.0-alpha.1158 - Add basic support for returned, rejected Promises159 - Fix JSDoc for `Router` constructor160 - deps: debug@3.1.0161 - deps: parseurl@~1.3.2162 - deps: setprototypeof@1.1.0163 - deps: utils-merge@1.0.11641655.0.0-alpha.6 / 2017-09-24166==========================167168This is the sixth Express 5.0 alpha release, based off 4.15.5 and includes169changes from 5.0.0-alpha.5.170171 * remove:172 - `res.redirect(url, status)` signature - use `res.redirect(status, url)`173 - `res.send(status, body)` signature - use `res.status(status).send(body)`174 * deps: router@~1.3.1175 - deps: debug@2.6.81761775.0.0-alpha.5 / 2017-03-06178==========================179180This is the fifth Express 5.0 alpha release, based off 4.15.2 and includes181changes from 5.0.0-alpha.4.1821835.0.0-alpha.4 / 2017-03-01184==========================185186This is the fourth Express 5.0 alpha release, based off 4.15.0 and includes187changes from 5.0.0-alpha.3.188189 * remove:190 - Remove Express 3.x middleware error stubs191 * deps: router@~1.3.0192 - Add `next("router")` to exit from router193 - Fix case where `router.use` skipped requests routes did not194 - Skip routing when `req.url` is not set195 - Use `%o` in path debug to tell types apart196 - deps: debug@2.6.1197 - deps: setprototypeof@1.0.3198 - perf: add fast match path for `*` route1992005.0.0-alpha.3 / 2017-01-28201==========================202203This is the third Express 5.0 alpha release, based off 4.14.1 and includes204changes from 5.0.0-alpha.2.205206 * remove:207 - `res.json(status, obj)` signature - use `res.status(status).json(obj)`208 - `res.jsonp(status, obj)` signature - use `res.status(status).jsonp(obj)`209 - `res.vary()` (no arguments) -- provide a field name as an argument210 * deps: array-flatten@2.1.1211 * deps: path-is-absolute@1.0.1212 * deps: router@~1.1.5213 - deps: array-flatten@2.0.1214 - deps: methods@~1.1.2215 - deps: parseurl@~1.3.1216 - deps: setprototypeof@1.0.22172185.0.0-alpha.2 / 2015-07-06219==========================220221This is the second Express 5.0 alpha release, based off 4.13.1 and includes222changes from 5.0.0-alpha.1.223224 * remove:225 - `app.param(fn)`226 - `req.param()` -- use `req.params`, `req.body`, or `req.query` instead227 * change:228 - `res.render` callback is always async, even for sync view engines229 - The leading `:` character in `name` for `app.param(name, fn)` is no longer removed230 - Use `router` module for routing231 - Use `path-is-absolute` module for absolute path detection2322335.0.0-alpha.1 / 2014-11-06234==========================235236This is the first Express 5.0 alpha release, based off 4.10.1.237238 * remove:239 - `app.del` - use `app.delete`240 - `req.acceptsCharset` - use `req.acceptsCharsets`241 - `req.acceptsEncoding` - use `req.acceptsEncodings`242 - `req.acceptsLanguage` - use `req.acceptsLanguages`243 - `res.json(obj, status)` signature - use `res.json(status, obj)`244 - `res.jsonp(obj, status)` signature - use `res.jsonp(status, obj)`245 - `res.send(body, status)` signature - use `res.send(status, body)`246 - `res.send(status)` signature - use `res.sendStatus(status)`247 - `res.sendfile` - use `res.sendFile` instead248 - `express.query` middleware249 * change:250 - `req.host` now returns host (`hostname:port`) - use `req.hostname` for only hostname251 - `req.query` is now a getter instead of a plain property252 * add:253 - `app.router` is a reference to the base router2542554.20.0 / 2024-09-10256==========257 * deps: serve-static@0.16.0258 * Remove link renderization in html while redirecting259 * deps: send@0.19.0260 * Remove link renderization in html while redirecting261 * deps: body-parser@0.6.0262 * add `depth` option to customize the depth level in the parser263 * IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`)264 * Remove link renderization in html while using `res.redirect`265 * deps: path-to-regexp@0.1.10266 - Adds support for named matching groups in the routes using a regex267 - Adds backtracking protection to parameters without regexes defined268 * deps: encodeurl@~2.0.0269 - Removes encoding of `\`, `|`, and `^` to align better with URL spec270 * Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie`271 - Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie2722734.19.2 / 2024-03-25274==========275276 * Improved fix for open redirect allow list bypass2772784.19.1 / 2024-03-20279==========280281 * Allow passing non-strings to res.location with new encoding handling checks2822834.19.0 / 2024-03-20284==========285286 * Prevent open redirect allow list bypass due to encodeurl287 * deps: cookie@0.6.02882894.18.3 / 2024-02-29290==========291292 * Fix routing requests without method293 * deps: body-parser@1.20.2294 - Fix strict json error message on Node.js 19+295 - deps: content-type@~1.0.5296 - deps: raw-body@2.5.2297 * deps: cookie@0.6.0298 - Add `partitioned` option2993004.18.2 / 2022-10-08301===================302303 * Fix regression routing a large stack in a single route304 * deps: body-parser@1.20.1305 - deps: qs@6.11.0306 - perf: remove unnecessary object clone307 * deps: qs@6.11.03083094.18.1 / 2022-04-29310===================311312 * Fix hanging on large stack of sync routes3133144.18.0 / 2022-04-25315===================316317 * Add "root" option to `res.download`318 * Allow `options` without `filename` in `res.download`319 * Deprecate string and non-integer arguments to `res.status`320 * Fix behavior of `null`/`undefined` as `maxAge` in `res.cookie`321 * Fix handling very large stacks of sync middleware322 * Ignore `Object.prototype` values in settings through `app.set`/`app.get`323 * Invoke `default` with same arguments as types in `res.format`324 * Support proper 205 responses using `res.send`325 * Use `http-errors` for `res.format` error326 * deps: body-parser@1.20.0327 - Fix error message for json parse whitespace in `strict`328 - Fix internal error when inflated body exceeds limit329 - Prevent loss of async hooks context330 - Prevent hanging when request already read331 - deps: depd@2.0.0332 - deps: http-errors@2.0.0333 - deps: on-finished@2.4.1334 - deps: qs@6.10.3335 - deps: raw-body@2.5.1336 * deps: cookie@0.5.0337 - Add `priority` option338 - Fix `expires` option to reject invalid dates339 * deps: depd@2.0.0340 - Replace internal `eval` usage with `Function` constructor341 - Use instance methods on `process` to check for listeners342 * deps: finalhandler@1.2.0343 - Remove set content headers that break response344 - deps: on-finished@2.4.1345 - deps: statuses@2.0.1346 * deps: on-finished@2.4.1347 - Prevent loss of async hooks context348 * deps: qs@6.10.3349 * deps: send@0.18.0350 - Fix emitted 416 error missing headers property351 - Limit the headers removed for 304 response352 - deps: depd@2.0.0353 - deps: destroy@1.2.0354 - deps: http-errors@2.0.0355 - deps: on-finished@2.4.1356 - deps: statuses@2.0.1357 * deps: serve-static@1.15.0358 - deps: send@0.18.0359 * deps: statuses@2.0.1360 - Remove code 306361 - Rename `425 Unordered Collection` to standard `425 Too Early`3623634.17.3 / 2022-02-16364===================365366 * deps: accepts@~1.3.8367 - deps: mime-types@~2.1.34368 - deps: negotiator@0.6.3369 * deps: body-parser@1.19.2370 - deps: bytes@3.1.2371 - deps: qs@6.9.7372 - deps: raw-body@2.4.3373 * deps: cookie@0.4.2374 * deps: qs@6.9.7375 * Fix handling of `__proto__` keys376 * pref: remove unnecessary regexp for trust proxy3773784.17.2 / 2021-12-16379===================380381 * Fix handling of `undefined` in `res.jsonp`382 * Fix handling of `undefined` when `"json escape"` is enabled383 * Fix incorrect middleware execution with unanchored `RegExp`s384 * Fix `res.jsonp(obj, status)` deprecation message385 * Fix typo in `res.is` JSDoc386 * deps: body-parser@1.19.1387 - deps: bytes@3.1.1388 - deps: http-errors@1.8.1389 - deps: qs@6.9.6390 - deps: raw-body@2.4.2391 - deps: safe-buffer@5.2.1392 - deps: type-is@~1.6.18393 * deps: content-disposition@0.5.4394 - deps: safe-buffer@5.2.1395 * deps: cookie@0.4.1396 - Fix `maxAge` option to reject invalid values397 * deps: proxy-addr@~2.0.7398 - Use `req.socket` over deprecated `req.connection`399 - deps: forwarded@0.2.0400 - deps: ipaddr.js@1.9.1401 * deps: qs@6.9.6402 * deps: safe-buffer@5.2.1403 * deps: send@0.17.2404 - deps: http-errors@1.8.1405 - deps: ms@2.1.3406 - pref: ignore empty http tokens407 * deps: serve-static@1.14.2408 - deps: send@0.17.2409 * deps: setprototypeof@1.2.04104114.17.1 / 2019-05-25412===================413414 * Revert "Improve error message for `null`/`undefined` to `res.status`"4154164.17.0 / 2019-05-16417===================418419 * Add `express.raw` to parse bodies into `Buffer`420 * Add `express.text` to parse bodies into string421 * Improve error message for non-strings to `res.sendFile`422 * Improve error message for `null`/`undefined` to `res.status`423 * Support multiple hosts in `X-Forwarded-Host`424 * deps: accepts@~1.3.7425 * deps: body-parser@1.19.0426 - Add encoding MIK427 - Add petabyte (`pb`) support428 - Fix parsing array brackets after index429 - deps: bytes@3.1.0430 - deps: http-errors@1.7.2431 - deps: iconv-lite@0.4.24432 - deps: qs@6.7.0433 - deps: raw-body@2.4.0434 - deps: type-is@~1.6.17435 * deps: content-disposition@0.5.3436 * deps: cookie@0.4.0437 - Add `SameSite=None` support438 * deps: finalhandler@~1.1.2439 - Set stricter `Content-Security-Policy` header440 - deps: parseurl@~1.3.3441 - deps: statuses@~1.5.0442 * deps: parseurl@~1.3.3443 * deps: proxy-addr@~2.0.5444 - deps: ipaddr.js@1.9.0445 * deps: qs@6.7.0446 - Fix parsing array brackets after index447 * deps: range-parser@~1.2.1448 * deps: send@0.17.1449 - Set stricter CSP header in redirect & error responses450 - deps: http-errors@~1.7.2451 - deps: mime@1.6.0452 - deps: ms@2.1.1453 - deps: range-parser@~1.2.1454 - deps: statuses@~1.5.0455 - perf: remove redundant `path.normalize` call456 * deps: serve-static@1.14.1457 - Set stricter CSP header in redirect response458 - deps: parseurl@~1.3.3459 - deps: send@0.17.1460 * deps: setprototypeof@1.1.1461 * deps: statuses@~1.5.0462 - Add `103 Early Hints`463 * deps: type-is@~1.6.18464 - deps: mime-types@~2.1.24465 - perf: prevent internal `throw` on invalid type4664674.16.4 / 2018-10-10468===================469470 * Fix issue where `"Request aborted"` may be logged in `res.sendfile`471 * Fix JSDoc for `Router` constructor472 * deps: body-parser@1.18.3473 - Fix deprecation warnings on Node.js 10+474 - Fix stack trace for strict json parse error475 - deps: depd@~1.1.2476 - deps: http-errors@~1.6.3477 - deps: iconv-lite@0.4.23478 - deps: qs@6.5.2479 - deps: raw-body@2.3.3480 - deps: type-is@~1.6.16481 * deps: proxy-addr@~2.0.4482 - deps: ipaddr.js@1.8.0483 * deps: qs@6.5.2484 * deps: safe-buffer@5.1.24854864.16.3 / 2018-03-12487===================488489 * deps: accepts@~1.3.5490 - deps: mime-types@~2.1.18491 * deps: depd@~1.1.2492 - perf: remove argument reassignment493 * deps: encodeurl@~1.0.2494 - Fix encoding `%` as last character495 * deps: finalhandler@1.1.1496 - Fix 404 output for bad / missing pathnames497 - deps: encodeurl@~1.0.2498 - deps: statuses@~1.4.0499 * deps: proxy-addr@~2.0.3500 - deps: ipaddr.js@1.6.0501 * deps: send@0.16.2502 - Fix incorrect end tag in default error & redirects503 - deps: depd@~1.1.2504 - deps: encodeurl@~1.0.2505 - deps: statuses@~1.4.0506 * deps: serve-static@1.13.2507 - Fix incorrect end tag in redirects508 - deps: encodeurl@~1.0.2509 - deps: send@0.16.2510 * deps: statuses@~1.4.0511 * deps: type-is@~1.6.16512 - deps: mime-types@~2.1.185135144.16.2 / 2017-10-09515===================516517 * Fix `TypeError` in `res.send` when given `Buffer` and `ETag` header set518 * perf: skip parsing of entire `X-Forwarded-Proto` header5195204.16.1 / 2017-09-29521===================522523 * deps: send@0.16.1524 * deps: serve-static@1.13.1525 - Fix regression when `root` is incorrectly set to a file526 - deps: send@0.16.15275284.16.0 / 2017-09-28529===================530531 * Add `"json escape"` setting for `res.json` and `res.jsonp`532 * Add `express.json` and `express.urlencoded` to parse bodies533 * Add `options` argument to `res.download`534 * Improve error message when autoloading invalid view engine535 * Improve error messages when non-function provided as middleware536 * Skip `Buffer` encoding when not generating ETag for small response537 * Use `safe-buffer` for improved Buffer API538 * deps: accepts@~1.3.4539 - deps: mime-types@~2.1.16540 * deps: content-type@~1.0.4541 - perf: remove argument reassignment542 - perf: skip parameter parsing when no parameters543 * deps: etag@~1.8.1544 - perf: replace regular expression with substring545 * deps: finalhandler@1.1.0546 - Use `res.headersSent` when available547 * deps: parseurl@~1.3.2548 - perf: reduce overhead for full URLs549 - perf: unroll the "fast-path" `RegExp`550 * deps: proxy-addr@~2.0.2551 - Fix trimming leading / trailing OWS in `X-Forwarded-For`552 - deps: forwarded@~0.1.2553 - deps: ipaddr.js@1.5.2554 - perf: reduce overhead when no `X-Forwarded-For` header555 * deps: qs@6.5.1556 - Fix parsing & compacting very deep objects557 * deps: send@0.16.0558 - Add 70 new types for file extensions559 - Add `immutable` option560 - Fix missing `</html>` in default error & redirects561 - Set charset as "UTF-8" for .js and .json562 - Use instance methods on steam to check for listeners563 - deps: mime@1.4.1564 - perf: improve path validation speed565 * deps: serve-static@1.13.0566 - Add 70 new types for file extensions567 - Add `immutable` option568 - Set charset as "UTF-8" for .js and .json569 - deps: send@0.16.0570 * deps: setprototypeof@1.1.0571 * deps: utils-merge@1.0.1572 * deps: vary@~1.1.2573 - perf: improve header token parsing speed574 * perf: reuse options object when generating ETags575 * perf: remove dead `.charset` set in `res.jsonp`5765774.15.5 / 2017-09-24578===================579580 * deps: debug@2.6.9581 * deps: finalhandler@~1.0.6582 - deps: debug@2.6.9583 - deps: parseurl@~1.3.2584 * deps: fresh@0.5.2585 - Fix handling of modified headers with invalid dates586 - perf: improve ETag match loop587 - perf: improve `If-None-Match` token parsing588 * deps: send@0.15.6589 - Fix handling of modified headers with invalid dates590 - deps: debug@2.6.9591 - deps: etag@~1.8.1592 - deps: fresh@0.5.2593 - perf: improve `If-Match` token parsing594 * deps: serve-static@1.12.6595 - deps: parseurl@~1.3.2596 - deps: send@0.15.6597 - perf: improve slash collapsing5985994.15.4 / 2017-08-06600===================601602 * deps: debug@2.6.8603 * deps: depd@~1.1.1604 - Remove unnecessary `Buffer` loading605 * deps: finalhandler@~1.0.4606 - deps: debug@2.6.8607 * deps: proxy-addr@~1.1.5608 - Fix array argument being altered609 - deps: ipaddr.js@1.4.0610 * deps: qs@6.5.0611 * deps: send@0.15.4612 - deps: debug@2.6.8613 - deps: depd@~1.1.1614 - deps: http-errors@~1.6.2615 * deps: serve-static@1.12.4616 - deps: send@0.15.46176184.15.3 / 2017-05-16619===================620621 * Fix error when `res.set` cannot add charset to `Content-Type`622 * deps: debug@2.6.7623 - Fix `DEBUG_MAX_ARRAY_LENGTH`624 - deps: ms@2.0.0625 * deps: finalhandler@~1.0.3626 - Fix missing `</html>` in HTML document627 - deps: debug@2.6.7628 * deps: proxy-addr@~1.1.4629 - deps: ipaddr.js@1.3.0630 * deps: send@0.15.3631 - deps: debug@2.6.7632 - deps: ms@2.0.0633 * deps: serve-static@1.12.3634 - deps: send@0.15.3635 * deps: type-is@~1.6.15636 - deps: mime-types@~2.1.15637 * deps: vary@~1.1.1638 - perf: hoist regular expression6396404.15.2 / 2017-03-06641===================642643 * deps: qs@6.4.0644 - Fix regression parsing keys starting with `[`6456464.15.1 / 2017-03-05647===================648649 * deps: send@0.15.1650 - Fix issue when `Date.parse` does not return `NaN` on invalid date651 - Fix strict violation in broken environments652 * deps: serve-static@1.12.1653 - Fix issue when `Date.parse` does not return `NaN` on invalid date654 - deps: send@0.15.16556564.15.0 / 2017-03-01657===================658659 * Add debug message when loading view engine660 * Add `next("router")` to exit from router661 * Fix case where `router.use` skipped requests routes did not662 * Remove usage of `res._headers` private field663 - Improves compatibility with Node.js 8 nightly664 * Skip routing when `req.url` is not set665 * Use `%o` in path debug to tell types apart666 * Use `Object.create` to setup request & response prototypes667 * Use `setprototypeof` module to replace `__proto__` setting668 * Use `statuses` instead of `http` module for status messages669 * deps: debug@2.6.1670 - Allow colors in workers671 - Deprecated `DEBUG_FD` environment variable set to `3` or higher672 - Fix error when running under React Native673 - Use same color for same namespace674 - deps: ms@0.7.2675 * deps: etag@~1.8.0676 - Use SHA1 instead of MD5 for ETag hashing677 - Works with FIPS 140-2 OpenSSL configuration678 * deps: finalhandler@~1.0.0679 - Fix exception when `err` cannot be converted to a string680 - Fully URL-encode the pathname in the 404681 - Only include the pathname in the 404 message682 - Send complete HTML document683 - Set `Content-Security-Policy: default-src 'self'` header684 - deps: debug@2.6.1685 * deps: fresh@0.5.0686 - Fix false detection of `no-cache` request directive687 - Fix incorrect result when `If-None-Match` has both `*` and ETags688 - Fix weak `ETag` matching to match spec689 - perf: delay reading header values until needed690 - perf: enable strict mode691 - perf: hoist regular expressions692 - perf: remove duplicate conditional693 - perf: remove unnecessary boolean coercions694 - perf: skip checking modified time if ETag check failed695 - perf: skip parsing `If-None-Match` when no `ETag` header696 - perf: use `Date.parse` instead of `new Date`697 * deps: qs@6.3.1698 - Fix array parsing from skipping empty values699 - Fix compacting nested arrays700 * deps: send@0.15.0701 - Fix false detection of `no-cache` request directive702 - Fix incorrect result when `If-None-Match` has both `*` and ETags703 - Fix weak `ETag` matching to match spec704 - Remove usage of `res._headers` private field705 - Support `If-Match` and `If-Unmodified-Since` headers706 - Use `res.getHeaderNames()` when available707 - Use `res.headersSent` when available708 - deps: debug@2.6.1709 - deps: etag@~1.8.0710 - deps: fresh@0.5.0711 - deps: http-errors@~1.6.1712 * deps: serve-static@1.12.0713 - Fix false detection of `no-cache` request directive714 - Fix incorrect result when `If-None-Match` has both `*` and ETags715 - Fix weak `ETag` matching to match spec716 - Remove usage of `res._headers` private field717 - Send complete HTML document in redirect response718 - Set default CSP header in redirect response719 - Support `If-Match` and `If-Unmodified-Since` headers720 - Use `res.getHeaderNames()` when available721 - Use `res.headersSent` when available722 - deps: send@0.15.0723 * perf: add fast match path for `*` route724 * perf: improve `req.ips` performance7257264.14.1 / 2017-01-28727===================728729 * deps: content-disposition@0.5.2730 * deps: finalhandler@0.5.1731 - Fix exception when `err.headers` is not an object732 - deps: statuses@~1.3.1733 - perf: hoist regular expressions734 - perf: remove duplicate validation path735 * deps: proxy-addr@~1.1.3736 - deps: ipaddr.js@1.2.0737 * deps: send@0.14.2738 - deps: http-errors@~1.5.1739 - deps: ms@0.7.2740 - deps: statuses@~1.3.1741 * deps: serve-static@~1.11.2742 - deps: send@0.14.2743 * deps: type-is@~1.6.14744 - deps: mime-types@~2.1.137457464.14.0 / 2016-06-16747===================748749 * Add `acceptRanges` option to `res.sendFile`/`res.sendfile`750 * Add `cacheControl` option to `res.sendFile`/`res.sendfile`751 * Add `options` argument to `req.range`752 - Includes the `combine` option753 * Encode URL in `res.location`/`res.redirect` if not already encoded754 * Fix some redirect handling in `res.sendFile`/`res.sendfile`755 * Fix Windows absolute path check using forward slashes756 * Improve error with invalid arguments to `req.get()`757 * Improve performance for `res.json`/`res.jsonp` in most cases758 * Improve `Range` header handling in `res.sendFile`/`res.sendfile`759 * deps: accepts@~1.3.3760 - Fix including type extensions in parameters in `Accept` parsing761 - Fix parsing `Accept` parameters with quoted equals762 - Fix parsing `Accept` parameters with quoted semicolons763 - Many performance improvements764 - deps: mime-types@~2.1.11765 - deps: negotiator@0.6.1766 * deps: content-type@~1.0.2767 - perf: enable strict mode768 * deps: cookie@0.3.1769 - Add `sameSite` option770 - Fix cookie `Max-Age` to never be a floating point number771 - Improve error message when `encode` is not a function772 - Improve error message when `expires` is not a `Date`773 - Throw better error for invalid argument to parse774 - Throw on invalid values provided to `serialize`775 - perf: enable strict mode776 - perf: hoist regular expression777 - perf: use for loop in parse778 - perf: use string concatenation for serialization779 * deps: finalhandler@0.5.0780 - Change invalid or non-numeric status code to 500781 - Overwrite status message to match set status code782 - Prefer `err.statusCode` if `err.status` is invalid783 - Set response headers from `err.headers` object784 - Use `statuses` instead of `http` module for status messages785 * deps: proxy-addr@~1.1.2786 - Fix accepting various invalid netmasks787 - Fix IPv6-mapped IPv4 validation edge cases788 - IPv4 netmasks must be contiguous789 - IPv6 addresses cannot be used as a netmask790 - deps: ipaddr.js@1.1.1791 * deps: qs@6.2.0792 - Add `decoder` option in `parse` function793 * deps: range-parser@~1.2.0794 - Add `combine` option to combine overlapping ranges795 - Fix incorrectly returning -1 when there is at least one valid range796 - perf: remove internal function797 * deps: send@0.14.1798 - Add `acceptRanges` option799 - Add `cacheControl` option800 - Attempt to combine multiple ranges into single range801 - Correctly inherit from `Stream` class802 - Fix `Content-Range` header in 416 responses when using `start`/`end` options803 - Fix `Content-Range` header missing from default 416 responses804 - Fix redirect error when `path` contains raw non-URL characters805 - Fix redirect when `path` starts with multiple forward slashes806 - Ignore non-byte `Range` headers807 - deps: http-errors@~1.5.0808 - deps: range-parser@~1.2.0809 - deps: statuses@~1.3.0810 - perf: remove argument reassignment811 * deps: serve-static@~1.11.1812 - Add `acceptRanges` option813 - Add `cacheControl` option814 - Attempt to combine multiple ranges into single range815 - Fix redirect error when `req.url` contains raw non-URL characters816 - Ignore non-byte `Range` headers817 - Use status code 301 for redirects818 - deps: send@0.14.1819 * deps: type-is@~1.6.13820 - Fix type error when given invalid type to match against821 - deps: mime-types@~2.1.11822 * deps: vary@~1.1.0823 - Only accept valid field names in the `field` argument824 * perf: use strict equality when possible8258264.13.4 / 2016-01-21827===================828829 * deps: content-disposition@0.5.1830 - perf: enable strict mode831 * deps: cookie@0.1.5832 - Throw on invalid values provided to `serialize`833 * deps: depd@~1.1.0834 - Support web browser loading835 - perf: enable strict mode836 * deps: escape-html@~1.0.3837 - perf: enable strict mode838 - perf: optimize string replacement839 - perf: use faster string coercion840 * deps: finalhandler@0.4.1841 - deps: escape-html@~1.0.3842 * deps: merge-descriptors@1.0.1843 - perf: enable strict mode844 * deps: methods@~1.1.2845 - perf: enable strict mode846 * deps: parseurl@~1.3.1847 - perf: enable strict mode848 * deps: proxy-addr@~1.0.10849 - deps: ipaddr.js@1.0.5850 - perf: enable strict mode851 * deps: range-parser@~1.0.3852 - perf: enable strict mode853 * deps: send@0.13.1854 - deps: depd@~1.1.0855 - deps: destroy@~1.0.4856 - deps: escape-html@~1.0.3857 - deps: range-parser@~1.0.3858 * deps: serve-static@~1.10.2859 - deps: escape-html@~1.0.3860 - deps: parseurl@~1.3.0861 - deps: send@0.13.18628634.13.3 / 2015-08-02864===================865866 * Fix infinite loop condition using `mergeParams: true`867 * Fix inner numeric indices incorrectly altering parent `req.params`8688694.13.2 / 2015-07-31870===================871872 * deps: accepts@~1.2.12873 - deps: mime-types@~2.1.4874 * deps: array-flatten@1.1.1875 - perf: enable strict mode876 * deps: path-to-regexp@0.1.7877 - Fix regression with escaped round brackets and matching groups878 * deps: type-is@~1.6.6879 - deps: mime-types@~2.1.48808814.13.1 / 2015-07-05882===================883884 * deps: accepts@~1.2.10885 - deps: mime-types@~2.1.2886 * deps: qs@4.0.0887 - Fix dropping parameters like `hasOwnProperty`888 - Fix various parsing edge cases889 * deps: type-is@~1.6.4890 - deps: mime-types@~2.1.2891 - perf: enable strict mode892 - perf: remove argument reassignment8938944.13.0 / 2015-06-20895===================896897 * Add settings to debug output898 * Fix `res.format` error when only `default` provided899 * Fix issue where `next('route')` in `app.param` would incorrectly skip values900 * Fix hiding platform issues with `decodeURIComponent`901 - Only `URIError`s are a 400902 * Fix using `*` before params in routes903 * Fix using capture groups before params in routes904 * Simplify `res.cookie` to call `res.append`905 * Use `array-flatten` module for flattening arrays906 * deps: accepts@~1.2.9907 - deps: mime-types@~2.1.1908 - perf: avoid argument reassignment & argument slice909 - perf: avoid negotiator recursive construction910 - perf: enable strict mode911 - perf: remove unnecessary bitwise operator912 * deps: cookie@0.1.3913 - perf: deduce the scope of try-catch deopt914 - perf: remove argument reassignments915 * deps: escape-html@1.0.2916 * deps: etag@~1.7.0917 - Always include entity length in ETags for hash length extensions918 - Generate non-Stats ETags using MD5 only (no longer CRC32)919 - Improve stat performance by removing hashing920 - Improve support for JXcore921 - Remove base64 padding in ETags to shorten922 - Support "fake" stats objects in environments without fs923 - Use MD5 instead of MD4 in weak ETags over 1KB924 * deps: finalhandler@0.4.0925 - Fix a false-positive when unpiping in Node.js 0.8926 - Support `statusCode` property on `Error` objects927 - Use `unpipe` module for unpiping requests928 - deps: escape-html@1.0.2929 - deps: on-finished@~2.3.0930 - perf: enable strict mode931 - perf: remove argument reassignment932 * deps: fresh@0.3.0933 - Add weak `ETag` matching support934 * deps: on-finished@~2.3.0935 - Add defined behavior for HTTP `CONNECT` requests936 - Add defined behavior for HTTP `Upgrade` requests937 - deps: ee-first@1.1.1938 * deps: path-to-regexp@0.1.6939 * deps: send@0.13.0940 - Allow Node.js HTTP server to set `Date` response header941 - Fix incorrectly removing `Content-Location` on 304 response942 - Improve the default redirect response headers943 - Send appropriate headers on default error response944 - Use `http-errors` for standard emitted errors945 - Use `statuses` instead of `http` module for status messages946 - deps: escape-html@1.0.2947 - deps: etag@~1.7.0948 - deps: fresh@0.3.0949 - deps: on-finished@~2.3.0950 - perf: enable strict mode951 - perf: remove unnecessary array allocations952 * deps: serve-static@~1.10.0953 - Add `fallthrough` option954 - Fix reading options from options prototype955 - Improve the default redirect response headers956 - Malformed URLs now `next()` instead of 400957 - deps: escape-html@1.0.2958 - deps: send@0.13.0959 - perf: enable strict mode960 - perf: remove argument reassignment961 * deps: type-is@~1.6.3962 - deps: mime-types@~2.1.1963 - perf: reduce try block size964 - perf: remove bitwise operations965 * perf: enable strict mode966 * perf: isolate `app.render` try block967 * perf: remove argument reassignments in application968 * perf: remove argument reassignments in request prototype969 * perf: remove argument reassignments in response prototype970 * perf: remove argument reassignments in routing971 * perf: remove argument reassignments in `View`972 * perf: skip attempting to decode zero length string973 * perf: use saved reference to `http.STATUS_CODES`9749754.12.4 / 2015-05-17976===================977978 * deps: accepts@~1.2.7979 - deps: mime-types@~2.0.11980 - deps: negotiator@0.5.3981 * deps: debug@~2.2.0982 - deps: ms@0.7.1983 * deps: depd@~1.0.1984 * deps: etag@~1.6.0985 - Improve support for JXcore986 - Support "fake" stats objects in environments without `fs`987 * deps: finalhandler@0.3.6988 - deps: debug@~2.2.0989 - deps: on-finished@~2.2.1990 * deps: on-finished@~2.2.1991 - Fix `isFinished(req)` when data buffered992 * deps: proxy-addr@~1.0.8993 - deps: ipaddr.js@1.0.1994 * deps: qs@2.4.2995 - Fix allowing parameters like `constructor`996 * deps: send@0.12.3997 - deps: debug@~2.2.0998 - deps: depd@~1.0.1999 - deps: etag@~1.6.01000 - deps: ms@0.7.11001 - deps: on-finished@~2.2.11002 * deps: serve-static@~1.9.31003 - deps: send@0.12.31004 * deps: type-is@~1.6.21005 - deps: mime-types@~2.0.11100610074.12.3 / 2015-03-171008===================10091010 * deps: accepts@~1.2.51011 - deps: mime-types@~2.0.101012 * deps: debug@~2.1.31013 - Fix high intensity foreground color for bold1014 - deps: ms@0.7.01015 * deps: finalhandler@0.3.41016 - deps: debug@~2.1.31017 * deps: proxy-addr@~1.0.71018 - deps: ipaddr.js@0.1.91019 * deps: qs@2.4.11020 - Fix error when parameter `hasOwnProperty` is present1021 * deps: send@0.12.21022 - Throw errors early for invalid `extensions` or `index` options1023 - deps: debug@~2.1.31024 * deps: serve-static@~1.9.21025 - deps: send@0.12.21026 * deps: type-is@~1.6.11027 - deps: mime-types@~2.0.10102810294.12.2 / 2015-03-021030===================10311032 * Fix regression where `"Request aborted"` is logged using `res.sendFile`103310344.12.1 / 2015-03-011035===================10361037 * Fix constructing application with non-configurable prototype properties1038 * Fix `ECONNRESET` errors from `res.sendFile` usage1039 * Fix `req.host` when using "trust proxy" hops count1040 * Fix `req.protocol`/`req.secure` when using "trust proxy" hops count1041 * Fix wrong `code` on aborted connections from `res.sendFile`1042 * deps: merge-descriptors@1.0.0104310444.12.0 / 2015-02-231045===================10461047 * Fix `"trust proxy"` setting to inherit when app is mounted1048 * Generate `ETag`s for all request responses1049 - No longer restricted to only responses for `GET` and `HEAD` requests1050 * Use `content-type` to parse `Content-Type` headers1051 * deps: accepts@~1.2.41052 - Fix preference sorting to be stable for long acceptable lists1053 - deps: mime-types@~2.0.91054 - deps: negotiator@0.5.11055 * deps: cookie-signature@1.0.61056 * deps: send@0.12.11057 - Always read the stat size from the file1058 - Fix mutating passed-in `options`1059 - deps: mime@1.3.41060 * deps: serve-static@~1.9.11061 - deps: send@0.12.11062 * deps: type-is@~1.6.01063 - fix argument reassignment1064 - fix false-positives in `hasBody` `Transfer-Encoding` check1065 - support wildcard for both type and subtype (`*/*`)1066 - deps: mime-types@~2.0.9106710684.11.2 / 2015-02-011069===================10701071 * Fix `res.redirect` double-calling `res.end` for `HEAD` requests1072 * deps: accepts@~1.2.31073 - deps: mime-types@~2.0.81074 * deps: proxy-addr@~1.0.61075 - deps: ipaddr.js@0.1.81076 * deps: type-is@~1.5.61077 - deps: mime-types@~2.0.8107810794.11.1 / 2015-01-201080===================10811082 * deps: send@0.11.11083 - Fix root path disclosure1084 * deps: serve-static@~1.8.11085 - Fix redirect loop in Node.js 0.11.141086 - Fix root path disclosure1087 - deps: send@0.11.1108810894.11.0 / 2015-01-131090===================10911092 * Add `res.append(field, val)` to append headers1093 * Deprecate leading `:` in `name` for `app.param(name, fn)`1094 * Deprecate `req.param()` -- use `req.params`, `req.body`, or `req.query` instead1095 * Deprecate `app.param(fn)`1096 * Fix `OPTIONS` responses to include the `HEAD` method properly1097 * Fix `res.sendFile` not always detecting aborted connection1098 * Match routes iteratively to prevent stack overflows1099 * deps: accepts@~1.2.21100 - deps: mime-types@~2.0.71101 - deps: negotiator@0.5.01102 * deps: send@0.11.01103 - deps: debug@~2.1.11104 - deps: etag@~1.5.11105 - deps: ms@0.7.01106 - deps: on-finished@~2.2.01107 * deps: serve-static@~1.8.01108 - deps: send@0.11.0110911104.10.8 / 2015-01-131111===================11121113 * Fix crash from error within `OPTIONS` response handler1114 * deps: proxy-addr@~1.0.51115 - deps: ipaddr.js@0.1.6111611174.10.7 / 2015-01-041118===================11191120 * Fix `Allow` header for `OPTIONS` to not contain duplicate methods1121 * Fix incorrect "Request aborted" for `res.sendFile` when `HEAD` or 3041122 * deps: debug@~2.1.11123 * deps: finalhandler@0.3.31124 - deps: debug@~2.1.11125 - deps: on-finished@~2.2.01126 * deps: methods@~1.1.11127 * deps: on-finished@~2.2.01128 * deps: serve-static@~1.7.21129 - Fix potential open redirect when mounted at root1130 * deps: type-is@~1.5.51131 - deps: mime-types@~2.0.7113211334.10.6 / 2014-12-121134===================11351136 * Fix exception in `req.fresh`/`req.stale` without response headers113711384.10.5 / 2014-12-101139===================11401141 * Fix `res.send` double-calling `res.end` for `HEAD` requests1142 * deps: accepts@~1.1.41143 - deps: mime-types@~2.0.41144 * deps: type-is@~1.5.41145 - deps: mime-types@~2.0.4114611474.10.4 / 2014-11-241148===================11491150 * Fix `res.sendfile` logging standard write errors115111524.10.3 / 2014-11-231153===================11541155 * Fix `res.sendFile` logging standard write errors1156 * deps: etag@~1.5.11157 * deps: proxy-addr@~1.0.41158 - deps: ipaddr.js@0.1.51159 * deps: qs@2.3.31160 - Fix `arrayLimit` behavior116111624.10.2 / 2014-11-091163===================11641165 * Correctly invoke async router callback asynchronously1166 * deps: accepts@~1.1.31167 - deps: mime-types@~2.0.31168 * deps: type-is@~1.5.31169 - deps: mime-types@~2.0.3117011714.10.1 / 2014-10-281172===================11731174 * Fix handling of URLs containing `://` in the path1175 * deps: qs@2.3.21176 - Fix parsing of mixed objects and values117711784.10.0 / 2014-10-231179===================11801181 * Add support for `app.set('views', array)`1182 - Views are looked up in sequence in array of directories1183 * Fix `res.send(status)` to mention `res.sendStatus(status)`1184 * Fix handling of invalid empty URLs1185 * Use `content-disposition` module for `res.attachment`/`res.download`1186 - Sends standards-compliant `Content-Disposition` header1187 - Full Unicode support1188 * Use `path.resolve` in view lookup1189 * deps: debug@~2.1.01190 - Implement `DEBUG_FD` env variable support1191 * deps: depd@~1.0.01192 * deps: etag@~1.5.01193 - Improve string performance1194 - Slightly improve speed for weak ETags over 1KB1195 * deps: finalhandler@0.3.21196 - Terminate in progress response only on error1197 - Use `on-finished` to determine request status1198 - deps: debug@~2.1.01199 - deps: on-finished@~2.1.11200 * deps: on-finished@~2.1.11201 - Fix handling of pipelined requests1202 * deps: qs@2.3.01203 - Fix parsing of mixed implicit and explicit arrays1204 * deps: send@0.10.11205 - deps: debug@~2.1.01206 - deps: depd@~1.0.01207 - deps: etag@~1.5.01208 - deps: on-finished@~2.1.11209 * deps: serve-static@~1.7.11210 - deps: send@0.10.1121112124.9.8 / 2014-10-171213==================12141215 * Fix `res.redirect` body when redirect status specified1216 * deps: accepts@~1.1.21217 - Fix error when media type has invalid parameter1218 - deps: negotiator@0.4.9121912204.9.7 / 2014-10-101221==================12221223 * Fix using same param name in array of paths122412254.9.6 / 2014-10-081226==================12271228 * deps: accepts@~1.1.11229 - deps: mime-types@~2.0.21230 - deps: negotiator@0.4.81231 * deps: serve-static@~1.6.41232 - Fix redirect loop when index file serving disabled1233 * deps: type-is@~1.5.21234 - deps: mime-types@~2.0.2123512364.9.5 / 2014-09-241237==================12381239 * deps: etag@~1.4.01240 * deps: proxy-addr@~1.0.31241 - Use `forwarded` npm module1242 * deps: send@0.9.31243 - deps: etag@~1.4.01244 * deps: serve-static@~1.6.31245 - deps: send@0.9.3124612474.9.4 / 2014-09-191248==================12491250 * deps: qs@2.2.41251 - Fix issue with object keys starting with numbers truncated125212534.9.3 / 2014-09-181254==================12551256 * deps: proxy-addr@~1.0.21257 - Fix a global leak when multiple subnets are trusted1258 - deps: ipaddr.js@0.1.3125912604.9.2 / 2014-09-171261==================12621263 * Fix regression for empty string `path` in `app.use`1264 * Fix `router.use` to accept array of middleware without path1265 * Improve error message for bad `app.use` arguments126612674.9.1 / 2014-09-161268==================12691270 * Fix `app.use` to accept array of middleware without path1271 * deps: depd@0.4.51272 * deps: etag@~1.3.11273 * deps: send@0.9.21274 - deps: depd@0.4.51275 - deps: etag@~1.3.11276 - deps: range-parser@~1.0.21277 * deps: serve-static@~1.6.21278 - deps: send@0.9.2127912804.9.0 / 2014-09-081281==================12821283 * Add `res.sendStatus`1284 * Invoke callback for sendfile when client aborts1285 - Applies to `res.sendFile`, `res.sendfile`, and `res.download`1286 - `err` will be populated with request aborted error1287 * Support IP address host in `req.subdomains`1288 * Use `etag` to generate `ETag` headers1289 * deps: accepts@~1.1.01290 - update `mime-types`1291 * deps: cookie-signature@1.0.51292 * deps: debug@~2.0.01293 * deps: finalhandler@0.2.01294 - Set `X-Content-Type-Options: nosniff` header1295 - deps: debug@~2.0.01296 * deps: fresh@0.2.41297 * deps: media-typer@0.3.01298 - Throw error when parameter format invalid on parse1299 * deps: qs@2.2.31300 - Fix issue where first empty value in array is discarded1301 * deps: range-parser@~1.0.21302 * deps: send@0.9.11303 - Add `lastModified` option1304 - Use `etag` to generate `ETag` header1305 - deps: debug@~2.0.01306 - deps: fresh@0.2.41307 * deps: serve-static@~1.6.11308 - Add `lastModified` option1309 - deps: send@0.9.11310 * deps: type-is@~1.5.11311 - fix `hasbody` to be true for `content-length: 0`1312 - deps: media-typer@0.3.01313 - deps: mime-types@~2.0.11314 * deps: vary@~1.0.01315 - Accept valid `Vary` header string as `field`131613174.8.8 / 2014-09-041318==================13191320 * deps: send@0.8.51321 - Fix a path traversal issue when using `root`1322 - Fix malicious path detection for empty string path1323 * deps: serve-static@~1.5.41324 - deps: send@0.8.5132513264.8.7 / 2014-08-291327==================13281329 * deps: qs@2.2.21330 - Remove unnecessary cloning133113324.8.6 / 2014-08-271333==================13341335 * deps: qs@2.2.01336 - Array parsing fix1337 - Performance improvements133813394.8.5 / 2014-08-181340==================13411342 * deps: send@0.8.31343 - deps: destroy@1.0.31344 - deps: on-finished@2.1.01345 * deps: serve-static@~1.5.31346 - deps: send@0.8.3134713484.8.4 / 2014-08-141349==================13501351 * deps: qs@1.2.21352 * deps: send@0.8.21353 - Work around `fd` leak in Node.js 0.10 for `fs.ReadStream`1354 * deps: serve-static@~1.5.21355 - deps: send@0.8.2135613574.8.3 / 2014-08-101358==================13591360 * deps: parseurl@~1.3.01361 * deps: qs@1.2.11362 * deps: serve-static@~1.5.11363 - Fix parsing of weird `req.originalUrl` values1364 - deps: parseurl@~1.3.01365 - deps: utils-merge@1.0.0136613674.8.2 / 2014-08-071368==================13691370 * deps: qs@1.2.01371 - Fix parsing array of objects137213734.8.1 / 2014-08-061374==================13751376 * fix incorrect deprecation warnings on `res.download`1377 * deps: qs@1.1.01378 - Accept urlencoded square brackets1379 - Accept empty values in implicit array notation138013814.8.0 / 2014-08-051382==================13831384 * add `res.sendFile`1385 - accepts a file system path instead of a URL1386 - requires an absolute path or `root` option specified1387 * deprecate `res.sendfile` -- use `res.sendFile` instead1388 * support mounted app as any argument to `app.use()`1389 * deps: qs@1.0.21390 - Complete rewrite1391 - Limits array length to 201392 - Limits object depth to 51393 - Limits parameters to 1,0001394 * deps: send@0.8.11395 - Add `extensions` option1396 * deps: serve-static@~1.5.01397 - Add `extensions` option1398 - deps: send@0.8.1139914004.7.4 / 2014-08-041401==================14021403 * fix `res.sendfile` regression for serving directory index files1404 * deps: send@0.7.41405 - Fix incorrect 403 on Windows and Node.js 0.111406 - Fix serving index files without root dir1407 * deps: serve-static@~1.4.41408 - deps: send@0.7.4140914104.7.3 / 2014-08-041411==================14121413 * deps: send@0.7.31414 - Fix incorrect 403 on Windows and Node.js 0.111415 * deps: serve-static@~1.4.31416 - Fix incorrect 403 on Windows and Node.js 0.111417 - deps: send@0.7.3141814194.7.2 / 2014-07-271420==================14211422 * deps: depd@0.4.41423 - Work-around v8 generating empty stack traces1424 * deps: send@0.7.21425 - deps: depd@0.4.41426 * deps: serve-static@~1.4.2142714284.7.1 / 2014-07-261429==================14301431 * deps: depd@0.4.31432 - Fix exception when global `Error.stackTraceLimit` is too low1433 * deps: send@0.7.11434 - deps: depd@0.4.31435 * deps: serve-static@~1.4.1143614374.7.0 / 2014-07-251438==================14391440 * fix `req.protocol` for proxy-direct connections1441 * configurable query parser with `app.set('query parser', parser)`1442 - `app.set('query parser', 'extended')` parse with "qs" module1443 - `app.set('query parser', 'simple')` parse with "querystring" core module1444 - `app.set('query parser', false)` disable query string parsing1445 - `app.set('query parser', true)` enable simple parsing1446 * deprecate `res.json(status, obj)` -- use `res.status(status).json(obj)` instead1447 * deprecate `res.jsonp(status, obj)` -- use `res.status(status).jsonp(obj)` instead1448 * deprecate `res.send(status, body)` -- use `res.status(status).send(body)` instead1449 * deps: debug@1.0.41450 * deps: depd@0.4.21451 - Add `TRACE_DEPRECATION` environment variable1452 - Remove non-standard grey color from color output1453 - Support `--no-deprecation` argument1454 - Support `--trace-deprecation` argument1455 * deps: finalhandler@0.1.01456 - Respond after request fully read1457 - deps: debug@1.0.41458 * deps: parseurl@~1.2.01459 - Cache URLs based on original value1460 - Remove no-longer-needed URL mis-parse work-around1461 - Simplify the "fast-path" `RegExp`1462 * deps: send@0.7.01463 - Add `dotfiles` option1464 - Cap `maxAge` value to 1 year1465 - deps: debug@1.0.41466 - deps: depd@0.4.21467 * deps: serve-static@~1.4.01468 - deps: parseurl@~1.2.01469 - deps: send@0.7.01470 * perf: prevent multiple `Buffer` creation in `res.send`147114724.6.1 / 2014-07-121473==================14741475 * fix `subapp.mountpath` regression for `app.use(subapp)`147614774.6.0 / 2014-07-111478==================14791480 * accept multiple callbacks to `app.use()`1481 * add explicit "Rosetta Flash JSONP abuse" protection1482 - previous versions are not vulnerable; this is just explicit protection1483 * catch errors in multiple `req.param(name, fn)` handlers1484 * deprecate `res.redirect(url, status)` -- use `res.redirect(status, url)` instead1485 * fix `res.send(status, num)` to send `num` as json (not error)1486 * remove unnecessary escaping when `res.jsonp` returns JSON response1487 * support non-string `path` in `app.use(path, fn)`1488 - supports array of paths1489 - supports `RegExp`1490 * router: fix optimization on router exit1491 * router: refactor location of `try` blocks1492 * router: speed up standard `app.use(fn)`1493 * deps: debug@1.0.31494 - Add support for multiple wildcards in namespaces1495 * deps: finalhandler@0.0.31496 - deps: debug@1.0.31497 * deps: methods@1.1.01498 - add `CONNECT`1499 * deps: parseurl@~1.1.31500 - faster parsing of href-only URLs1501 * deps: path-to-regexp@0.1.31502 * deps: send@0.6.01503 - deps: debug@1.0.31504 * deps: serve-static@~1.3.21505 - deps: parseurl@~1.1.31506 - deps: send@0.6.01507 * perf: fix arguments reassign deopt in some `res` methods150815094.5.1 / 2014-07-061510==================15111512 * fix routing regression when altering `req.method`151315144.5.0 / 2014-07-041515==================15161517 * add deprecation message to non-plural `req.accepts*`1518 * add deprecation message to `res.send(body, status)`1519 * add deprecation message to `res.vary()`1520 * add `headers` option to `res.sendfile`1521 - use to set headers on successful file transfer1522 * add `mergeParams` option to `Router`1523 - merges `req.params` from parent routes1524 * add `req.hostname` -- correct name for what `req.host` returns1525 * deprecate things with `depd` module1526 * deprecate `req.host` -- use `req.hostname` instead1527 * fix behavior when handling request without routes1528 * fix handling when `route.all` is only route1529 * invoke `router.param()` only when route matches1530 * restore `req.params` after invoking router1531 * use `finalhandler` for final response handling1532 * use `media-typer` to alter content-type charset1533 * deps: accepts@~1.0.71534 * deps: send@0.5.01535 - Accept string for `maxage` (converted by `ms`)1536 - Include link in default redirect response1537 * deps: serve-static@~1.3.01538 - Accept string for `maxAge` (converted by `ms`)1539 - Add `setHeaders` option1540 - Include HTML link in redirect response1541 - deps: send@0.5.01542 * deps: type-is@~1.3.2154315444.4.5 / 2014-06-261545==================15461547 * deps: cookie-signature@1.0.41548 - fix for timing attacks154915504.4.4 / 2014-06-201551==================15521553 * fix `res.attachment` Unicode filenames in Safari1554 * fix "trim prefix" debug message in `express:router`1555 * deps: accepts@~1.0.51556 * deps: buffer-crc32@0.2.3155715584.4.3 / 2014-06-111559==================15601561 * fix persistence of modified `req.params[name]` from `app.param()`1562 * deps: accepts@1.0.31563 - deps: negotiator@0.4.61564 * deps: debug@1.0.21565 * deps: send@0.4.31566 - Do not throw uncatchable error on file open race condition1567 - Use `escape-html` for HTML escaping1568 - deps: debug@1.0.21569 - deps: finished@1.2.21570 - deps: fresh@0.2.21571 * deps: serve-static@1.2.31572 - Do not throw uncatchable error on file open race condition1573 - deps: send@0.4.3157415754.4.2 / 2014-06-091576==================15771578 * fix catching errors from top-level handlers1579 * use `vary` module for `res.vary`1580 * deps: debug@1.0.11581 * deps: proxy-addr@1.0.11582 * deps: send@0.4.21583 - fix "event emitter leak" warnings1584 - deps: debug@1.0.11585 - deps: finished@1.2.11586 * deps: serve-static@1.2.21587 - fix "event emitter leak" warnings1588 - deps: send@0.4.21589 * deps: type-is@1.2.1159015914.4.1 / 2014-06-021592==================15931594 * deps: methods@1.0.11595 * deps: send@0.4.11596 - Send `max-age` in `Cache-Control` in correct format1597 * deps: serve-static@1.2.11598 - use `escape-html` for escaping1599 - deps: send@0.4.1160016014.4.0 / 2014-05-301602==================16031604 * custom etag control with `app.set('etag', val)`1605 - `app.set('etag', function(body, encoding){ return '"etag"' })` custom etag generation1606 - `app.set('etag', 'weak')` weak tag1607 - `app.set('etag', 'strong')` strong etag1608 - `app.set('etag', false)` turn off1609 - `app.set('etag', true)` standard etag1610 * mark `res.send` ETag as weak and reduce collisions1611 * update accepts to 1.0.21612 - Fix interpretation when header not in request1613 * update send to 0.4.01614 - Calculate ETag with md5 for reduced collisions1615 - Ignore stream errors after request ends1616 - deps: debug@0.8.11617 * update serve-static to 1.2.01618 - Calculate ETag with md5 for reduced collisions1619 - Ignore stream errors after request ends1620 - deps: send@0.4.0162116224.3.2 / 2014-05-281623==================16241625 * fix handling of errors from `router.param()` callbacks162616274.3.1 / 2014-05-231628==================16291630 * revert "fix behavior of multiple `app.VERB` for the same path"1631 - this caused a regression in the order of route execution163216334.3.0 / 2014-05-211634==================16351636 * add `req.baseUrl` to access the path stripped from `req.url` in routes1637 * fix behavior of multiple `app.VERB` for the same path1638 * fix issue routing requests among sub routers1639 * invoke `router.param()` only when necessary instead of every match1640 * proper proxy trust with `app.set('trust proxy', trust)`1641 - `app.set('trust proxy', 1)` trust first hop1642 - `app.set('trust proxy', 'loopback')` trust loopback addresses1643 - `app.set('trust proxy', '10.0.0.1')` trust single IP1644 - `app.set('trust proxy', '10.0.0.1/16')` trust subnet1645 - `app.set('trust proxy', '10.0.0.1, 10.0.0.2')` trust list1646 - `app.set('trust proxy', false)` turn off1647 - `app.set('trust proxy', true)` trust everything1648 * set proper `charset` in `Content-Type` for `res.send`1649 * update type-is to 1.2.01650 - support suffix matching165116524.2.0 / 2014-05-111653==================16541655 * deprecate `app.del()` -- use `app.delete()` instead1656 * deprecate `res.json(obj, status)` -- use `res.json(status, obj)` instead1657 - the edge-case `res.json(status, num)` requires `res.status(status).json(num)`1658 * deprecate `res.jsonp(obj, status)` -- use `res.jsonp(status, obj)` instead1659 - the edge-case `res.jsonp(status, num)` requires `res.status(status).jsonp(num)`1660 * fix `req.next` when inside router instance1661 * include `ETag` header in `HEAD` requests1662 * keep previous `Content-Type` for `res.jsonp`1663 * support PURGE method1664 - add `app.purge`1665 - add `router.purge`1666 - include PURGE in `app.all`1667 * update debug to 0.8.01668 - add `enable()` method1669 - change from stderr to stdout1670 * update methods to 1.0.01671 - add PURGE167216734.1.2 / 2014-05-081674==================16751676 * fix `req.host` for IPv6 literals1677 * fix `res.jsonp` error if callback param is object167816794.1.1 / 2014-04-271680==================16811682 * fix package.json to reflect supported node version168316844.1.0 / 2014-04-241685==================16861687 * pass options from `res.sendfile` to `send`1688 * preserve casing of headers in `res.header` and `res.set`1689 * support unicode file names in `res.attachment` and `res.download`1690 * update accepts to 1.0.11691 - deps: negotiator@0.4.01692 * update cookie to 0.1.21693 - Fix for maxAge == 01694 - made compat with expires field1695 * update send to 0.3.01696 - Accept API options in options object1697 - Coerce option types1698 - Control whether to generate etags1699 - Default directory access to 403 when index disabled1700 - Fix sending files with dots without root set1701 - Include file path in etag1702 - Make "Can't set headers after they are sent." catchable1703 - Send full entity-body for multi range requests1704 - Set etags to "weak"1705 - Support "If-Range" header1706 - Support multiple index paths1707 - deps: mime@1.2.111708 * update serve-static to 1.1.01709 - Accept options directly to `send` module1710 - Resolve relative paths at middleware setup1711 - Use parseurl to parse the URL from request1712 - deps: send@0.3.01713 * update type-is to 1.1.01714 - add non-array values support1715 - add `multipart` as a shorthand171617174.0.0 / 2014-04-091718==================17191720 * remove:1721 - node 0.8 support1722 - connect and connect's patches except for charset handling1723 - express(1) - moved to [express-generator](https://github.com/expressjs/generator)1724 - `express.createServer()` - it has been deprecated for a long time. Use `express()`1725 - `app.configure` - use logic in your own app code1726 - `app.router` - is removed1727 - `req.auth` - use `basic-auth` instead1728 - `req.accepted*` - use `req.accepts*()` instead1729 - `res.location` - relative URL resolution is removed1730 - `res.charset` - include the charset in the content type when using `res.set()`1731 - all bundled middleware except `static`1732 * change:1733 - `app.route` -> `app.mountpath` when mounting an express app in another express app1734 - `json spaces` no longer enabled by default in development1735 - `req.accepts*` -> `req.accepts*s` - i.e. `req.acceptsEncoding` -> `req.acceptsEncodings`1736 - `req.params` is now an object instead of an array1737 - `res.locals` is no longer a function. It is a plain js object. Treat it as such.1738 - `res.headerSent` -> `res.headersSent` to match node.js ServerResponse object1739 * refactor:1740 - `req.accepts*` with [accepts](https://github.com/expressjs/accepts)1741 - `req.is` with [type-is](https://github.com/expressjs/type-is)1742 - [path-to-regexp](https://github.com/component/path-to-regexp)1743 * add:1744 - `app.router()` - returns the app Router instance1745 - `app.route()` - Proxy to the app's `Router#route()` method to create a new route1746 - Router & Route - public API174717483.21.2 / 2015-07-311749===================17501751 * deps: connect@2.30.21752 - deps: body-parser@~1.13.31753 - deps: compression@~1.5.21754 - deps: errorhandler@~1.4.21755 - deps: method-override@~2.3.51756 - deps: serve-index@~1.7.21757 - deps: type-is@~1.6.61758 - deps: vhost@~3.0.11759 * deps: vary@~1.0.11760 - Fix setting empty header from empty `field`1761 - perf: enable strict mode1762 - perf: remove argument reassignments176317643.21.1 / 2015-07-051765===================17661767 * deps: basic-auth@~1.0.31768 * deps: connect@2.30.11769 - deps: body-parser@~1.13.21770 - deps: compression@~1.5.11771 - deps: errorhandler@~1.4.11772 - deps: morgan@~1.6.11773 - deps: pause@0.1.01774 - deps: qs@4.0.01775 - deps: serve-index@~1.7.11776 - deps: type-is@~1.6.4177717783.21.0 / 2015-06-181779===================17801781 * deps: basic-auth@1.0.21782 - perf: enable strict mode1783 - perf: hoist regular expression1784 - perf: parse with regular expressions1785 - perf: remove argument reassignment1786 * deps: connect@2.30.01787 - deps: body-parser@~1.13.11788 - deps: bytes@2.1.01789 - deps: compression@~1.5.01790 - deps: cookie@0.1.31791 - deps: cookie-parser@~1.3.51792 - deps: csurf@~1.8.31793 - deps: errorhandler@~1.4.01794 - deps: express-session@~1.11.31795 - deps: finalhandler@0.4.01796 - deps: fresh@0.3.01797 - deps: morgan@~1.6.01798 - deps: serve-favicon@~2.3.01799 - deps: serve-index@~1.7.01800 - deps: serve-static@~1.10.01801 - deps: type-is@~1.6.31802 * deps: cookie@0.1.31803 - perf: deduce the scope of try-catch deopt1804 - perf: remove argument reassignments1805 * deps: escape-html@1.0.21806 * deps: etag@~1.7.01807 - Always include entity length in ETags for hash length extensions1808 - Generate non-Stats ETags using MD5 only (no longer CRC32)1809 - Improve stat performance by removing hashing1810 - Improve support for JXcore1811 - Remove base64 padding in ETags to shorten1812 - Support "fake" stats objects in environments without fs1813 - Use MD5 instead of MD4 in weak ETags over 1KB1814 * deps: fresh@0.3.01815 - Add weak `ETag` matching support1816 * deps: mkdirp@0.5.11817 - Work in global strict mode1818 * deps: send@0.13.01819 - Allow Node.js HTTP server to set `Date` response header1820 - Fix incorrectly removing `Content-Location` on 304 response1821 - Improve the default redirect response headers1822 - Send appropriate headers on default error response1823 - Use `http-errors` for standard emitted errors1824 - Use `statuses` instead of `http` module for status messages1825 - deps: escape-html@1.0.21826 - deps: etag@~1.7.01827 - deps: fresh@0.3.01828 - deps: on-finished@~2.3.01829 - perf: enable strict mode1830 - perf: remove unnecessary array allocations183118323.20.3 / 2015-05-171833===================18341835 * deps: connect@2.29.21836 - deps: body-parser@~1.12.41837 - deps: compression@~1.4.41838 - deps: connect-timeout@~1.6.21839 - deps: debug@~2.2.01840 - deps: depd@~1.0.11841 - deps: errorhandler@~1.3.61842 - deps: finalhandler@0.3.61843 - deps: method-override@~2.3.31844 - deps: morgan@~1.5.31845 - deps: qs@2.4.21846 - deps: response-time@~2.3.11847 - deps: serve-favicon@~2.2.11848 - deps: serve-index@~1.6.41849 - deps: serve-static@~1.9.31850 - deps: type-is@~1.6.21851 * deps: debug@~2.2.01852 - deps: ms@0.7.11853 * deps: depd@~1.0.11854 * deps: proxy-addr@~1.0.81855 - deps: ipaddr.js@1.0.11856 * deps: send@0.12.31857 - deps: debug@~2.2.01858 - deps: depd@~1.0.11859 - deps: etag@~1.6.01860 - deps: ms@0.7.11861 - deps: on-finished@~2.2.1186218633.20.2 / 2015-03-161864===================18651866 * deps: connect@2.29.11867 - deps: body-parser@~1.12.21868 - deps: compression@~1.4.31869 - deps: connect-timeout@~1.6.11870 - deps: debug@~2.1.31871 - deps: errorhandler@~1.3.51872 - deps: express-session@~1.10.41873 - deps: finalhandler@0.3.41874 - deps: method-override@~2.3.21875 - deps: morgan@~1.5.21876 - deps: qs@2.4.11877 - deps: serve-index@~1.6.31878 - deps: serve-static@~1.9.21879 - deps: type-is@~1.6.11880 * deps: debug@~2.1.31881 - Fix high intensity foreground color for bold1882 - deps: ms@0.7.01883 * deps: merge-descriptors@1.0.01884 * deps: proxy-addr@~1.0.71885 - deps: ipaddr.js@0.1.91886 * deps: send@0.12.21887 - Throw errors early for invalid `extensions` or `index` options1888 - deps: debug@~2.1.3188918903.20.1 / 2015-02-281891===================18921893 * Fix `req.host` when using "trust proxy" hops count1894 * Fix `req.protocol`/`req.secure` when using "trust proxy" hops count189518963.20.0 / 2015-02-181897===================18981899 * Fix `"trust proxy"` setting to inherit when app is mounted1900 * Generate `ETag`s for all request responses1901 - No longer restricted to only responses for `GET` and `HEAD` requests1902 * Use `content-type` to parse `Content-Type` headers1903 * deps: connect@2.29.01904 - Use `content-type` to parse `Content-Type` headers1905 - deps: body-parser@~1.12.01906 - deps: compression@~1.4.11907 - deps: connect-timeout@~1.6.01908 - deps: cookie-parser@~1.3.41909 - deps: cookie-signature@1.0.61910 - deps: csurf@~1.7.01911 - deps: errorhandler@~1.3.41912 - deps: express-session@~1.10.31913 - deps: http-errors@~1.3.11914 - deps: response-time@~2.3.01915 - deps: serve-index@~1.6.21916 - deps: serve-static@~1.9.11917 - deps: type-is@~1.6.01918 * deps: cookie-signature@1.0.61919 * deps: send@0.12.11920 - Always read the stat size from the file1921 - Fix mutating passed-in `options`1922 - deps: mime@1.3.4192319243.19.2 / 2015-02-011925===================19261927 * deps: connect@2.28.31928 - deps: compression@~1.3.11929 - deps: csurf@~1.6.61930 - deps: errorhandler@~1.3.31931 - deps: express-session@~1.10.21932 - deps: serve-index@~1.6.11933 - deps: type-is@~1.5.61934 * deps: proxy-addr@~1.0.61935 - deps: ipaddr.js@0.1.8193619373.19.1 / 2015-01-201938===================19391940 * deps: connect@2.28.21941 - deps: body-parser@~1.10.21942 - deps: serve-static@~1.8.11943 * deps: send@0.11.11944 - Fix root path disclosure194519463.19.0 / 2015-01-091947===================19481949 * Fix `OPTIONS` responses to include the `HEAD` method property1950 * Use `readline` for prompt in `express(1)`1951 * deps: commander@2.6.01952 * deps: connect@2.28.11953 - deps: body-parser@~1.10.11954 - deps: compression@~1.3.01955 - deps: connect-timeout@~1.5.01956 - deps: csurf@~1.6.41957 - deps: debug@~2.1.11958 - deps: errorhandler@~1.3.21959 - deps: express-session@~1.10.11960 - deps: finalhandler@0.3.31961 - deps: method-override@~2.3.11962 - deps: morgan@~1.5.11963 - deps: serve-favicon@~2.2.01964 - deps: serve-index@~1.6.01965 - deps: serve-static@~1.8.01966 - deps: type-is@~1.5.51967 * deps: debug@~2.1.11968 * deps: methods@~1.1.11969 * deps: proxy-addr@~1.0.51970 - deps: ipaddr.js@0.1.61971 * deps: send@0.11.01972 - deps: debug@~2.1.11973 - deps: etag@~1.5.11974 - deps: ms@0.7.01975 - deps: on-finished@~2.2.0197619773.18.6 / 2014-12-121978===================19791980 * Fix exception in `req.fresh`/`req.stale` without response headers198119823.18.5 / 2014-12-111983===================19841985 * deps: connect@2.27.61986 - deps: compression@~1.2.21987 - deps: express-session@~1.9.31988 - deps: http-errors@~1.2.81989 - deps: serve-index@~1.5.31990 - deps: type-is@~1.5.4199119923.18.4 / 2014-11-231993===================19941995 * deps: connect@2.27.41996 - deps: body-parser@~1.9.31997 - deps: compression@~1.2.11998 - deps: errorhandler@~1.2.31999 - deps: express-session@~1.9.22000 - deps: qs@2.3.3
Findings
✓ No findings reported for this file.