1# Unreleased Changes23## 🐞 Bug fixes45- Fixed HTTP header conflict between Content-Length and Transfer-Encoding in res.send - by [@YuryShkoda](https://github.com/YuryShkoda) in [#4893](https://github.com/expressjs/express/pull/4893)678 Fixed the behavior of `res.send()` to prevent conflicts between `Content-Length` and `Transfer-Encoding` HTTP headers in responses. The `Content-Length` header in `res.send()` is now only added when a `Transfer-Encoding` header is not present, complying with the HTTP specification that states both headers should not coexist in the same response910## 🚀 Improvements1112* Improve HTML structure in `res.redirect()` responses when HTML format is accepted by adding `<!DOCTYPE html>`, `<title>`, and `<body>` tags for better browser compatibility - by [@Bernice55231](https://github.com/Bernice55231) in [#5167](https://github.com/expressjs/express/pull/5167)1314* When calling `app.render` with options set to null, the locals object is handled correctly, preventing unexpected errors and making the method behave the same as when options is omitted or an empty object is passed - by [AkaHarshit](https://github.com/AkaHarshit) in [#6903](https://github.com/expressjs/express/pull/6903)1516 ```js17 app.render('index', null, callback); // now works as expected18 ```1920* Upgrade `content-type` to `^2.0.0`, bringing a faster parser (~1.5x quicker `Content-Type` parsing/formatting in `res.send()`) along with a behavior change: `res.send()` now keeps any existing parameters when adding the charset and no longer throws on a `Content-Type` that fails to parse - by [@blakeembrey](https://github.com/blakeembrey) in [#7234](https://github.com/expressjs/express/pull/7234)2122 ```js23 res.set('Content-Type', 'text/plain; foo=bar').send('hey');24 // -> Content-Type: text/plain; foo=bar; charset=utf-825 ```2627* The default error handler now logs the full error object instead of only its stack trace, so nested details such as `Error.cause` and library-specific properties (e.g. Sequelize's `parent`/`original`) are no longer swallowed - by [@Nitin-Mohapatra](https://github.com/Nitin-Mohapatra) in [#6464](https://github.com/expressjs/express/pull/6464)2829* Upgrade `content-disposition` to `^2.0.0`, which changes the `Content-Disposition` header emitted by `res.download()`, `res.attachment()`, and `res.sendFile()`: file names that are valid HTTP tokens are no longer wrapped in quotes. This is equivalent per RFC 6266, but applications asserting on the exact header bytes should update their expectations - by [@blakeembrey](https://github.com/blakeembrey) in [#7233](https://github.com/expressjs/express/pull/7233)3031 ```js32 res.attachment('user.html');33 // before -> Content-Disposition: attachment; filename="user.html"34 // after -> Content-Disposition: attachment; filename=user.html35 ```3637## ⚡ Performance3839* Avoid duplicate Content-Type header processing in `res.send()` when sending string responses without an explicit Content-Type header - by [@bjohansebas](https://github.com/bjohansebas) in [#6991](https://github.com/expressjs/express/pull/6991)40415.2.1 / 2025-12-0142=======================4344* Revert security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))45 * The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.46475.2.0 / 2025-12-0148========================4950* Security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))51* deps: `body-parser@^2.2.1`52* A deprecation warning was added when using `res.redirect` with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.53545.1.0 / 2025-03-3155========================5657* Add support for `Uint8Array` in `res.send()`58* Add support for ETag option in `res.sendFile()`59* Add support for multiple links with the same rel in `res.links()`60* Add funding field to package.json61* perf: use loop for acceptParams62* refactor: prefix built-in node module imports63* deps: remove `setprototypeof`64* deps: remove `safe-buffer`65* deps: remove `utils-merge`66* deps: remove `methods`67* deps: remove `depd`68* deps: `debug@^4.4.0`69* deps: `body-parser@^2.2.0`70* deps: `router@^2.2.0`71* deps: `content-type@^1.0.5`72* deps: `finalhandler@^2.1.0`73* deps: `qs@^6.14.0`74* deps: `server-static@2.2.0`75* deps: `type-is@2.0.1`76775.0.1 / 2024-10-0878==========7980* Update `cookie` semver lock to address [CVE-2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764)81825.0.0 / 2024-09-1083=========================84* remove:85 - `path-is-absolute` dependency - use `path.isAbsolute` instead86* breaking:87 * `res.status()` accepts only integers, and input must be greater than 99 and less than 100088 * will throw a `RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000.` for inputs outside this range89 * will throw a `TypeError: Invalid status code: ${code}. Status code must be an integer.` for non integer inputs90 * deps: send@1.0.091 * `res.redirect('back')` and `res.location('back')` is no longer a supported magic string, explicitly use `req.get('Referrer') || '/'`.92* change:93 - `res.clearCookie` will ignore user provided `maxAge` and `expires` options94* deps: cookie-signature@^1.2.195* deps: debug@4.3.696* deps: merge-descriptors@^2.0.097* deps: serve-static@^2.1.098* deps: qs@6.13.099* deps: accepts@^2.0.0100* deps: mime-types@^3.0.0101 - `application/javascript` => `text/javascript`102* deps: type-is@^2.0.0103* deps: content-disposition@^1.0.0104* deps: finalhandler@^2.0.0105* deps: fresh@^2.0.0106* deps: body-parser@^2.0.1107* deps: send@^1.1.01081095.0.0-beta.3 / 2024-03-25110=========================111112This incorporates all changes after 4.19.1 up to 4.19.2.1131145.0.0-beta.2 / 2024-03-20115=========================116117This incorporates all changes after 4.17.2 up to 4.19.1.1181195.0.0-beta.1 / 2022-02-14120=========================121122This is the first Express 5.0 beta release, based off 4.17.2 and includes123changes from 5.0.0-alpha.8.124125 * change:126 - Default "query parser" setting to `'simple'`127 - Requires Node.js 4+128 - Use `mime-types` for file to content type mapping129 * deps: array-flatten@3.0.0130 * deps: body-parser@2.0.0-beta.1131 - `req.body` is no longer always initialized to `{}`132 - `urlencoded` parser now defaults `extended` to `false`133 - Use `on-finished` to determine when body read134 * deps: router@2.0.0-beta.1135 - Add new `?`, `*`, and `+` parameter modifiers136 - Internalize private `router.process_params` method137 - Matching group expressions are only RegExp syntax138 - Named matching groups no longer available by position in `req.params`139 - Regular expressions can only be used in a matching group140 - Remove `debug` dependency141 - Special `*` path segment behavior removed142 - deps: array-flatten@3.0.0143 - deps: parseurl@~1.3.3144 - deps: path-to-regexp@3.2.0145 - deps: setprototypeof@1.2.0146 * deps: send@1.0.0-beta.1147 - Change `dotfiles` option default to `'ignore'`148 - Remove `hidden` option; use `dotfiles` option instead149 - Use `mime-types` for file to content type mapping150 - deps: debug@3.1.0151 * deps: serve-static@2.0.0-beta.1152 - Change `dotfiles` option default to `'ignore'`153 - Remove `hidden` option; use `dotfiles` option instead154 - Use `mime-types` for file to content type mapping155 - Remove `express.static.mime` export; use `mime-types` package instead156 - deps: send@1.0.0-beta.11571585.0.0-alpha.8 / 2020-03-25159==========================160161This is the eighth Express 5.0 alpha release, based off 4.17.1 and includes162changes from 5.0.0-alpha.7.1631645.0.0-alpha.7 / 2018-10-26165==========================166167This is the seventh Express 5.0 alpha release, based off 4.16.4 and includes168changes from 5.0.0-alpha.6.169170The major change with this alpha is the basic support for returned, rejected171Promises in the router.172173 * remove:174 - `path-to-regexp` dependency175 * deps: debug@3.1.0176 - Add `DEBUG_HIDE_DATE` environment variable177 - Change timer to per-namespace instead of global178 - Change non-TTY date format179 - Remove `DEBUG_FD` environment variable support180 - Support 256 namespace colors181 * deps: router@2.0.0-alpha.1182 - Add basic support for returned, rejected Promises183 - Fix JSDoc for `Router` constructor184 - deps: debug@3.1.0185 - deps: parseurl@~1.3.2186 - deps: setprototypeof@1.1.0187 - deps: utils-merge@1.0.11881895.0.0-alpha.6 / 2017-09-24190==========================191192This is the sixth Express 5.0 alpha release, based off 4.15.5 and includes193changes from 5.0.0-alpha.5.194195 * remove:196 - `res.redirect(url, status)` signature - use `res.redirect(status, url)`197 - `res.send(status, body)` signature - use `res.status(status).send(body)`198 * deps: router@~1.3.1199 - deps: debug@2.6.82002015.0.0-alpha.5 / 2017-03-06202==========================203204This is the fifth Express 5.0 alpha release, based off 4.15.2 and includes205changes from 5.0.0-alpha.4.2062075.0.0-alpha.4 / 2017-03-01208==========================209210This is the fourth Express 5.0 alpha release, based off 4.15.0 and includes211changes from 5.0.0-alpha.3.212213 * remove:214 - Remove Express 3.x middleware error stubs215 * deps: router@~1.3.0216 - Add `next("router")` to exit from router217 - Fix case where `router.use` skipped requests routes did not218 - Skip routing when `req.url` is not set219 - Use `%o` in path debug to tell types apart220 - deps: debug@2.6.1221 - deps: setprototypeof@1.0.3222 - perf: add fast match path for `*` route2232245.0.0-alpha.3 / 2017-01-28225==========================226227This is the third Express 5.0 alpha release, based off 4.14.1 and includes228changes from 5.0.0-alpha.2.229230 * remove:231 - `res.json(status, obj)` signature - use `res.status(status).json(obj)`232 - `res.jsonp(status, obj)` signature - use `res.status(status).jsonp(obj)`233 - `res.vary()` (no arguments) -- provide a field name as an argument234 * deps: array-flatten@2.1.1235 * deps: path-is-absolute@1.0.1236 * deps: router@~1.1.5237 - deps: array-flatten@2.0.1238 - deps: methods@~1.1.2239 - deps: parseurl@~1.3.1240 - deps: setprototypeof@1.0.22412425.0.0-alpha.2 / 2015-07-06243==========================244245This is the second Express 5.0 alpha release, based off 4.13.1 and includes246changes from 5.0.0-alpha.1.247248 * remove:249 - `app.param(fn)`250 - `req.param()` -- use `req.params`, `req.body`, or `req.query` instead251 * change:252 - `res.render` callback is always async, even for sync view engines253 - The leading `:` character in `name` for `app.param(name, fn)` is no longer removed254 - Use `router` module for routing255 - Use `path-is-absolute` module for absolute path detection2562575.0.0-alpha.1 / 2014-11-06258==========================259260This is the first Express 5.0 alpha release, based off 4.10.1.261262 * remove:263 - `app.del` - use `app.delete`264 - `req.acceptsCharset` - use `req.acceptsCharsets`265 - `req.acceptsEncoding` - use `req.acceptsEncodings`266 - `req.acceptsLanguage` - use `req.acceptsLanguages`267 - `res.json(obj, status)` signature - use `res.json(status, obj)`268 - `res.jsonp(obj, status)` signature - use `res.jsonp(status, obj)`269 - `res.send(body, status)` signature - use `res.send(status, body)`270 - `res.send(status)` signature - use `res.sendStatus(status)`271 - `res.sendfile` - use `res.sendFile` instead272 - `express.query` middleware273 * change:274 - `req.host` now returns host (`hostname:port`) - use `req.hostname` for only hostname275 - `req.query` is now a getter instead of a plain property276 * add:277 - `app.router` is a reference to the base router2782794.20.0 / 2024-09-10280==========281 * deps: serve-static@0.16.0282 * Remove link renderization in html while redirecting283 * deps: send@0.19.0284 * Remove link renderization in html while redirecting285 * deps: body-parser@0.6.0286 * add `depth` option to customize the depth level in the parser287 * IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`)288 * Remove link renderization in html while using `res.redirect`289 * deps: path-to-regexp@0.1.10290 - Adds support for named matching groups in the routes using a regex291 - Adds backtracking protection to parameters without regexes defined292 * deps: encodeurl@~2.0.0293 - Removes encoding of `\`, `|`, and `^` to align better with URL spec294 * Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie`295 - Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie2962974.19.2 / 2024-03-25298==========299300 * Improved fix for open redirect allow list bypass3013024.19.1 / 2024-03-20303==========304305 * Allow passing non-strings to res.location with new encoding handling checks3063074.19.0 / 2024-03-20308==========309310 * Prevent open redirect allow list bypass due to encodeurl311 * deps: cookie@0.6.03123134.18.3 / 2024-02-29314==========315316 * Fix routing requests without method317 * deps: body-parser@1.20.2318 - Fix strict json error message on Node.js 19+319 - deps: content-type@~1.0.5320 - deps: raw-body@2.5.2321 * deps: cookie@0.6.0322 - Add `partitioned` option3233244.18.2 / 2022-10-08325===================326327 * Fix regression routing a large stack in a single route328 * deps: body-parser@1.20.1329 - deps: qs@6.11.0330 - perf: remove unnecessary object clone331 * deps: qs@6.11.03323334.18.1 / 2022-04-29334===================335336 * Fix hanging on large stack of sync routes3373384.18.0 / 2022-04-25339===================340341 * Add "root" option to `res.download`342 * Allow `options` without `filename` in `res.download`343 * Deprecate string and non-integer arguments to `res.status`344 * Fix behavior of `null`/`undefined` as `maxAge` in `res.cookie`345 * Fix handling very large stacks of sync middleware346 * Ignore `Object.prototype` values in settings through `app.set`/`app.get`347 * Invoke `default` with same arguments as types in `res.format`348 * Support proper 205 responses using `res.send`349 * Use `http-errors` for `res.format` error350 * deps: body-parser@1.20.0351 - Fix error message for json parse whitespace in `strict`352 - Fix internal error when inflated body exceeds limit353 - Prevent loss of async hooks context354 - Prevent hanging when request already read355 - deps: depd@2.0.0356 - deps: http-errors@2.0.0357 - deps: on-finished@2.4.1358 - deps: qs@6.10.3359 - deps: raw-body@2.5.1360 * deps: cookie@0.5.0361 - Add `priority` option362 - Fix `expires` option to reject invalid dates363 * deps: depd@2.0.0364 - Replace internal `eval` usage with `Function` constructor365 - Use instance methods on `process` to check for listeners366 * deps: finalhandler@1.2.0367 - Remove set content headers that break response368 - deps: on-finished@2.4.1369 - deps: statuses@2.0.1370 * deps: on-finished@2.4.1371 - Prevent loss of async hooks context372 * deps: qs@6.10.3373 * deps: send@0.18.0374 - Fix emitted 416 error missing headers property375 - Limit the headers removed for 304 response376 - deps: depd@2.0.0377 - deps: destroy@1.2.0378 - deps: http-errors@2.0.0379 - deps: on-finished@2.4.1380 - deps: statuses@2.0.1381 * deps: serve-static@1.15.0382 - deps: send@0.18.0383 * deps: statuses@2.0.1384 - Remove code 306385 - Rename `425 Unordered Collection` to standard `425 Too Early`3863874.17.3 / 2022-02-16388===================389390 * deps: accepts@~1.3.8391 - deps: mime-types@~2.1.34392 - deps: negotiator@0.6.3393 * deps: body-parser@1.19.2394 - deps: bytes@3.1.2395 - deps: qs@6.9.7396 - deps: raw-body@2.4.3397 * deps: cookie@0.4.2398 * deps: qs@6.9.7399 * Fix handling of `__proto__` keys400 * pref: remove unnecessary regexp for trust proxy4014024.17.2 / 2021-12-16403===================404405 * Fix handling of `undefined` in `res.jsonp`406 * Fix handling of `undefined` when `"json escape"` is enabled407 * Fix incorrect middleware execution with unanchored `RegExp`s408 * Fix `res.jsonp(obj, status)` deprecation message409 * Fix typo in `res.is` JSDoc410 * deps: body-parser@1.19.1411 - deps: bytes@3.1.1412 - deps: http-errors@1.8.1413 - deps: qs@6.9.6414 - deps: raw-body@2.4.2415 - deps: safe-buffer@5.2.1416 - deps: type-is@~1.6.18417 * deps: content-disposition@0.5.4418 - deps: safe-buffer@5.2.1419 * deps: cookie@0.4.1420 - Fix `maxAge` option to reject invalid values421 * deps: proxy-addr@~2.0.7422 - Use `req.socket` over deprecated `req.connection`423 - deps: forwarded@0.2.0424 - deps: ipaddr.js@1.9.1425 * deps: qs@6.9.6426 * deps: safe-buffer@5.2.1427 * deps: send@0.17.2428 - deps: http-errors@1.8.1429 - deps: ms@2.1.3430 - pref: ignore empty http tokens431 * deps: serve-static@1.14.2432 - deps: send@0.17.2433 * deps: setprototypeof@1.2.04344354.17.1 / 2019-05-25436===================437438 * Revert "Improve error message for `null`/`undefined` to `res.status`"4394404.17.0 / 2019-05-16441===================442443 * Add `express.raw` to parse bodies into `Buffer`444 * Add `express.text` to parse bodies into string445 * Improve error message for non-strings to `res.sendFile`446 * Improve error message for `null`/`undefined` to `res.status`447 * Support multiple hosts in `X-Forwarded-Host`448 * deps: accepts@~1.3.7449 * deps: body-parser@1.19.0450 - Add encoding MIK451 - Add petabyte (`pb`) support452 - Fix parsing array brackets after index453 - deps: bytes@3.1.0454 - deps: http-errors@1.7.2455 - deps: iconv-lite@0.4.24456 - deps: qs@6.7.0457 - deps: raw-body@2.4.0458 - deps: type-is@~1.6.17459 * deps: content-disposition@0.5.3460 * deps: cookie@0.4.0461 - Add `SameSite=None` support462 * deps: finalhandler@~1.1.2463 - Set stricter `Content-Security-Policy` header464 - deps: parseurl@~1.3.3465 - deps: statuses@~1.5.0466 * deps: parseurl@~1.3.3467 * deps: proxy-addr@~2.0.5468 - deps: ipaddr.js@1.9.0469 * deps: qs@6.7.0470 - Fix parsing array brackets after index471 * deps: range-parser@~1.2.1472 * deps: send@0.17.1473 - Set stricter CSP header in redirect & error responses474 - deps: http-errors@~1.7.2475 - deps: mime@1.6.0476 - deps: ms@2.1.1477 - deps: range-parser@~1.2.1478 - deps: statuses@~1.5.0479 - perf: remove redundant `path.normalize` call480 * deps: serve-static@1.14.1481 - Set stricter CSP header in redirect response482 - deps: parseurl@~1.3.3483 - deps: send@0.17.1484 * deps: setprototypeof@1.1.1485 * deps: statuses@~1.5.0486 - Add `103 Early Hints`487 * deps: type-is@~1.6.18488 - deps: mime-types@~2.1.24489 - perf: prevent internal `throw` on invalid type4904914.16.4 / 2018-10-10492===================493494 * Fix issue where `"Request aborted"` may be logged in `res.sendfile`495 * Fix JSDoc for `Router` constructor496 * deps: body-parser@1.18.3497 - Fix deprecation warnings on Node.js 10+498 - Fix stack trace for strict json parse error499 - deps: depd@~1.1.2500 - deps: http-errors@~1.6.3501 - deps: iconv-lite@0.4.23502 - deps: qs@6.5.2503 - deps: raw-body@2.3.3504 - deps: type-is@~1.6.16505 * deps: proxy-addr@~2.0.4506 - deps: ipaddr.js@1.8.0507 * deps: qs@6.5.2508 * deps: safe-buffer@5.1.25095104.16.3 / 2018-03-12511===================512513 * deps: accepts@~1.3.5514 - deps: mime-types@~2.1.18515 * deps: depd@~1.1.2516 - perf: remove argument reassignment517 * deps: encodeurl@~1.0.2518 - Fix encoding `%` as last character519 * deps: finalhandler@1.1.1520 - Fix 404 output for bad / missing pathnames521 - deps: encodeurl@~1.0.2522 - deps: statuses@~1.4.0523 * deps: proxy-addr@~2.0.3524 - deps: ipaddr.js@1.6.0525 * deps: send@0.16.2526 - Fix incorrect end tag in default error & redirects527 - deps: depd@~1.1.2528 - deps: encodeurl@~1.0.2529 - deps: statuses@~1.4.0530 * deps: serve-static@1.13.2531 - Fix incorrect end tag in redirects532 - deps: encodeurl@~1.0.2533 - deps: send@0.16.2534 * deps: statuses@~1.4.0535 * deps: type-is@~1.6.16536 - deps: mime-types@~2.1.185375384.16.2 / 2017-10-09539===================540541 * Fix `TypeError` in `res.send` when given `Buffer` and `ETag` header set542 * perf: skip parsing of entire `X-Forwarded-Proto` header5435444.16.1 / 2017-09-29545===================546547 * deps: send@0.16.1548 * deps: serve-static@1.13.1549 - Fix regression when `root` is incorrectly set to a file550 - deps: send@0.16.15515524.16.0 / 2017-09-28553===================554555 * Add `"json escape"` setting for `res.json` and `res.jsonp`556 * Add `express.json` and `express.urlencoded` to parse bodies557 * Add `options` argument to `res.download`558 * Improve error message when autoloading invalid view engine559 * Improve error messages when non-function provided as middleware560 * Skip `Buffer` encoding when not generating ETag for small response561 * Use `safe-buffer` for improved Buffer API562 * deps: accepts@~1.3.4563 - deps: mime-types@~2.1.16564 * deps: content-type@~1.0.4565 - perf: remove argument reassignment566 - perf: skip parameter parsing when no parameters567 * deps: etag@~1.8.1568 - perf: replace regular expression with substring569 * deps: finalhandler@1.1.0570 - Use `res.headersSent` when available571 * deps: parseurl@~1.3.2572 - perf: reduce overhead for full URLs573 - perf: unroll the "fast-path" `RegExp`574 * deps: proxy-addr@~2.0.2575 - Fix trimming leading / trailing OWS in `X-Forwarded-For`576 - deps: forwarded@~0.1.2577 - deps: ipaddr.js@1.5.2578 - perf: reduce overhead when no `X-Forwarded-For` header579 * deps: qs@6.5.1580 - Fix parsing & compacting very deep objects581 * deps: send@0.16.0582 - Add 70 new types for file extensions583 - Add `immutable` option584 - Fix missing `</html>` in default error & redirects585 - Set charset as "UTF-8" for .js and .json586 - Use instance methods on steam to check for listeners587 - deps: mime@1.4.1588 - perf: improve path validation speed589 * deps: serve-static@1.13.0590 - Add 70 new types for file extensions591 - Add `immutable` option592 - Set charset as "UTF-8" for .js and .json593 - deps: send@0.16.0594 * deps: setprototypeof@1.1.0595 * deps: utils-merge@1.0.1596 * deps: vary@~1.1.2597 - perf: improve header token parsing speed598 * perf: reuse options object when generating ETags599 * perf: remove dead `.charset` set in `res.jsonp`6006014.15.5 / 2017-09-24602===================603604 * deps: debug@2.6.9605 * deps: finalhandler@~1.0.6606 - deps: debug@2.6.9607 - deps: parseurl@~1.3.2608 * deps: fresh@0.5.2609 - Fix handling of modified headers with invalid dates610 - perf: improve ETag match loop611 - perf: improve `If-None-Match` token parsing612 * deps: send@0.15.6613 - Fix handling of modified headers with invalid dates614 - deps: debug@2.6.9615 - deps: etag@~1.8.1616 - deps: fresh@0.5.2617 - perf: improve `If-Match` token parsing618 * deps: serve-static@1.12.6619 - deps: parseurl@~1.3.2620 - deps: send@0.15.6621 - perf: improve slash collapsing6226234.15.4 / 2017-08-06624===================625626 * deps: debug@2.6.8627 * deps: depd@~1.1.1628 - Remove unnecessary `Buffer` loading629 * deps: finalhandler@~1.0.4630 - deps: debug@2.6.8631 * deps: proxy-addr@~1.1.5632 - Fix array argument being altered633 - deps: ipaddr.js@1.4.0634 * deps: qs@6.5.0635 * deps: send@0.15.4636 - deps: debug@2.6.8637 - deps: depd@~1.1.1638 - deps: http-errors@~1.6.2639 * deps: serve-static@1.12.4640 - deps: send@0.15.46416424.15.3 / 2017-05-16643===================644645 * Fix error when `res.set` cannot add charset to `Content-Type`646 * deps: debug@2.6.7647 - Fix `DEBUG_MAX_ARRAY_LENGTH`648 - deps: ms@2.0.0649 * deps: finalhandler@~1.0.3650 - Fix missing `</html>` in HTML document651 - deps: debug@2.6.7652 * deps: proxy-addr@~1.1.4653 - deps: ipaddr.js@1.3.0654 * deps: send@0.15.3655 - deps: debug@2.6.7656 - deps: ms@2.0.0657 * deps: serve-static@1.12.3658 - deps: send@0.15.3659 * deps: type-is@~1.6.15660 - deps: mime-types@~2.1.15661 * deps: vary@~1.1.1662 - perf: hoist regular expression6636644.15.2 / 2017-03-06665===================666667 * deps: qs@6.4.0668 - Fix regression parsing keys starting with `[`6696704.15.1 / 2017-03-05671===================672673 * deps: send@0.15.1674 - Fix issue when `Date.parse` does not return `NaN` on invalid date675 - Fix strict violation in broken environments676 * deps: serve-static@1.12.1677 - Fix issue when `Date.parse` does not return `NaN` on invalid date678 - deps: send@0.15.16796804.15.0 / 2017-03-01681===================682683 * Add debug message when loading view engine684 * Add `next("router")` to exit from router685 * Fix case where `router.use` skipped requests routes did not686 * Remove usage of `res._headers` private field687 - Improves compatibility with Node.js 8 nightly688 * Skip routing when `req.url` is not set689 * Use `%o` in path debug to tell types apart690 * Use `Object.create` to setup request & response prototypes691 * Use `setprototypeof` module to replace `__proto__` setting692 * Use `statuses` instead of `http` module for status messages693 * deps: debug@2.6.1694 - Allow colors in workers695 - Deprecated `DEBUG_FD` environment variable set to `3` or higher696 - Fix error when running under React Native697 - Use same color for same namespace698 - deps: ms@0.7.2699 * deps: etag@~1.8.0700 - Use SHA1 instead of MD5 for ETag hashing701 - Works with FIPS 140-2 OpenSSL configuration702 * deps: finalhandler@~1.0.0703 - Fix exception when `err` cannot be converted to a string704 - Fully URL-encode the pathname in the 404705 - Only include the pathname in the 404 message706 - Send complete HTML document707 - Set `Content-Security-Policy: default-src 'self'` header708 - deps: debug@2.6.1709 * deps: fresh@0.5.0710 - Fix false detection of `no-cache` request directive711 - Fix incorrect result when `If-None-Match` has both `*` and ETags712 - Fix weak `ETag` matching to match spec713 - perf: delay reading header values until needed714 - perf: enable strict mode715 - perf: hoist regular expressions716 - perf: remove duplicate conditional717 - perf: remove unnecessary boolean coercions718 - perf: skip checking modified time if ETag check failed719 - perf: skip parsing `If-None-Match` when no `ETag` header720 - perf: use `Date.parse` instead of `new Date`721 * deps: qs@6.3.1722 - Fix array parsing from skipping empty values723 - Fix compacting nested arrays724 * deps: send@0.15.0725 - Fix false detection of `no-cache` request directive726 - Fix incorrect result when `If-None-Match` has both `*` and ETags727 - Fix weak `ETag` matching to match spec728 - Remove usage of `res._headers` private field729 - Support `If-Match` and `If-Unmodified-Since` headers730 - Use `res.getHeaderNames()` when available731 - Use `res.headersSent` when available732 - deps: debug@2.6.1733 - deps: etag@~1.8.0734 - deps: fresh@0.5.0735 - deps: http-errors@~1.6.1736 * deps: serve-static@1.12.0737 - Fix false detection of `no-cache` request directive738 - Fix incorrect result when `If-None-Match` has both `*` and ETags739 - Fix weak `ETag` matching to match spec740 - Remove usage of `res._headers` private field741 - Send complete HTML document in redirect response742 - Set default CSP header in redirect response743 - Support `If-Match` and `If-Unmodified-Since` headers744 - Use `res.getHeaderNames()` when available745 - Use `res.headersSent` when available746 - deps: send@0.15.0747 * perf: add fast match path for `*` route748 * perf: improve `req.ips` performance7497504.14.1 / 2017-01-28751===================752753 * deps: content-disposition@0.5.2754 * deps: finalhandler@0.5.1755 - Fix exception when `err.headers` is not an object756 - deps: statuses@~1.3.1757 - perf: hoist regular expressions758 - perf: remove duplicate validation path759 * deps: proxy-addr@~1.1.3760 - deps: ipaddr.js@1.2.0761 * deps: send@0.14.2762 - deps: http-errors@~1.5.1763 - deps: ms@0.7.2764 - deps: statuses@~1.3.1765 * deps: serve-static@~1.11.2766 - deps: send@0.14.2767 * deps: type-is@~1.6.14768 - deps: mime-types@~2.1.137697704.14.0 / 2016-06-16771===================772773 * Add `acceptRanges` option to `res.sendFile`/`res.sendfile`774 * Add `cacheControl` option to `res.sendFile`/`res.sendfile`775 * Add `options` argument to `req.range`776 - Includes the `combine` option777 * Encode URL in `res.location`/`res.redirect` if not already encoded778 * Fix some redirect handling in `res.sendFile`/`res.sendfile`779 * Fix Windows absolute path check using forward slashes780 * Improve error with invalid arguments to `req.get()`781 * Improve performance for `res.json`/`res.jsonp` in most cases782 * Improve `Range` header handling in `res.sendFile`/`res.sendfile`783 * deps: accepts@~1.3.3784 - Fix including type extensions in parameters in `Accept` parsing785 - Fix parsing `Accept` parameters with quoted equals786 - Fix parsing `Accept` parameters with quoted semicolons787 - Many performance improvements788 - deps: mime-types@~2.1.11789 - deps: negotiator@0.6.1790 * deps: content-type@~1.0.2791 - perf: enable strict mode792 * deps: cookie@0.3.1793 - Add `sameSite` option794 - Fix cookie `Max-Age` to never be a floating point number795 - Improve error message when `encode` is not a function796 - Improve error message when `expires` is not a `Date`797 - Throw better error for invalid argument to parse798 - Throw on invalid values provided to `serialize`799 - perf: enable strict mode800 - perf: hoist regular expression801 - perf: use for loop in parse802 - perf: use string concatenation for serialization803 * deps: finalhandler@0.5.0804 - Change invalid or non-numeric status code to 500805 - Overwrite status message to match set status code806 - Prefer `err.statusCode` if `err.status` is invalid807 - Set response headers from `err.headers` object808 - Use `statuses` instead of `http` module for status messages809 * deps: proxy-addr@~1.1.2810 - Fix accepting various invalid netmasks811 - Fix IPv6-mapped IPv4 validation edge cases812 - IPv4 netmasks must be contiguous813 - IPv6 addresses cannot be used as a netmask814 - deps: ipaddr.js@1.1.1815 * deps: qs@6.2.0816 - Add `decoder` option in `parse` function817 * deps: range-parser@~1.2.0818 - Add `combine` option to combine overlapping ranges819 - Fix incorrectly returning -1 when there is at least one valid range820 - perf: remove internal function821 * deps: send@0.14.1822 - Add `acceptRanges` option823 - Add `cacheControl` option824 - Attempt to combine multiple ranges into single range825 - Correctly inherit from `Stream` class826 - Fix `Content-Range` header in 416 responses when using `start`/`end` options827 - Fix `Content-Range` header missing from default 416 responses828 - Fix redirect error when `path` contains raw non-URL characters829 - Fix redirect when `path` starts with multiple forward slashes830 - Ignore non-byte `Range` headers831 - deps: http-errors@~1.5.0832 - deps: range-parser@~1.2.0833 - deps: statuses@~1.3.0834 - perf: remove argument reassignment835 * deps: serve-static@~1.11.1836 - Add `acceptRanges` option837 - Add `cacheControl` option838 - Attempt to combine multiple ranges into single range839 - Fix redirect error when `req.url` contains raw non-URL characters840 - Ignore non-byte `Range` headers841 - Use status code 301 for redirects842 - deps: send@0.14.1843 * deps: type-is@~1.6.13844 - Fix type error when given invalid type to match against845 - deps: mime-types@~2.1.11846 * deps: vary@~1.1.0847 - Only accept valid field names in the `field` argument848 * perf: use strict equality when possible8498504.13.4 / 2016-01-21851===================852853 * deps: content-disposition@0.5.1854 - perf: enable strict mode855 * deps: cookie@0.1.5856 - Throw on invalid values provided to `serialize`857 * deps: depd@~1.1.0858 - Support web browser loading859 - perf: enable strict mode860 * deps: escape-html@~1.0.3861 - perf: enable strict mode862 - perf: optimize string replacement863 - perf: use faster string coercion864 * deps: finalhandler@0.4.1865 - deps: escape-html@~1.0.3866 * deps: merge-descriptors@1.0.1867 - perf: enable strict mode868 * deps: methods@~1.1.2869 - perf: enable strict mode870 * deps: parseurl@~1.3.1871 - perf: enable strict mode872 * deps: proxy-addr@~1.0.10873 - deps: ipaddr.js@1.0.5874 - perf: enable strict mode875 * deps: range-parser@~1.0.3876 - perf: enable strict mode877 * deps: send@0.13.1878 - deps: depd@~1.1.0879 - deps: destroy@~1.0.4880 - deps: escape-html@~1.0.3881 - deps: range-parser@~1.0.3882 * deps: serve-static@~1.10.2883 - deps: escape-html@~1.0.3884 - deps: parseurl@~1.3.0885 - deps: send@0.13.18868874.13.3 / 2015-08-02888===================889890 * Fix infinite loop condition using `mergeParams: true`891 * Fix inner numeric indices incorrectly altering parent `req.params`8928934.13.2 / 2015-07-31894===================895896 * deps: accepts@~1.2.12897 - deps: mime-types@~2.1.4898 * deps: array-flatten@1.1.1899 - perf: enable strict mode900 * deps: path-to-regexp@0.1.7901 - Fix regression with escaped round brackets and matching groups902 * deps: type-is@~1.6.6903 - deps: mime-types@~2.1.49049054.13.1 / 2015-07-05906===================907908 * deps: accepts@~1.2.10909 - deps: mime-types@~2.1.2910 * deps: qs@4.0.0911 - Fix dropping parameters like `hasOwnProperty`912 - Fix various parsing edge cases913 * deps: type-is@~1.6.4914 - deps: mime-types@~2.1.2915 - perf: enable strict mode916 - perf: remove argument reassignment9179184.13.0 / 2015-06-20919===================920921 * Add settings to debug output922 * Fix `res.format` error when only `default` provided923 * Fix issue where `next('route')` in `app.param` would incorrectly skip values924 * Fix hiding platform issues with `decodeURIComponent`925 - Only `URIError`s are a 400926 * Fix using `*` before params in routes927 * Fix using capture groups before params in routes928 * Simplify `res.cookie` to call `res.append`929 * Use `array-flatten` module for flattening arrays930 * deps: accepts@~1.2.9931 - deps: mime-types@~2.1.1932 - perf: avoid argument reassignment & argument slice933 - perf: avoid negotiator recursive construction934 - perf: enable strict mode935 - perf: remove unnecessary bitwise operator936 * deps: cookie@0.1.3937 - perf: deduce the scope of try-catch deopt938 - perf: remove argument reassignments939 * deps: escape-html@1.0.2940 * deps: etag@~1.7.0941 - Always include entity length in ETags for hash length extensions942 - Generate non-Stats ETags using MD5 only (no longer CRC32)943 - Improve stat performance by removing hashing944 - Improve support for JXcore945 - Remove base64 padding in ETags to shorten946 - Support "fake" stats objects in environments without fs947 - Use MD5 instead of MD4 in weak ETags over 1KB948 * deps: finalhandler@0.4.0949 - Fix a false-positive when unpiping in Node.js 0.8950 - Support `statusCode` property on `Error` objects951 - Use `unpipe` module for unpiping requests952 - deps: escape-html@1.0.2953 - deps: on-finished@~2.3.0954 - perf: enable strict mode955 - perf: remove argument reassignment956 * deps: fresh@0.3.0957 - Add weak `ETag` matching support958 * deps: on-finished@~2.3.0959 - Add defined behavior for HTTP `CONNECT` requests960 - Add defined behavior for HTTP `Upgrade` requests961 - deps: ee-first@1.1.1962 * deps: path-to-regexp@0.1.6963 * deps: send@0.13.0964 - Allow Node.js HTTP server to set `Date` response header965 - Fix incorrectly removing `Content-Location` on 304 response966 - Improve the default redirect response headers967 - Send appropriate headers on default error response968 - Use `http-errors` for standard emitted errors969 - Use `statuses` instead of `http` module for status messages970 - deps: escape-html@1.0.2971 - deps: etag@~1.7.0972 - deps: fresh@0.3.0973 - deps: on-finished@~2.3.0974 - perf: enable strict mode975 - perf: remove unnecessary array allocations976 * deps: serve-static@~1.10.0977 - Add `fallthrough` option978 - Fix reading options from options prototype979 - Improve the default redirect response headers980 - Malformed URLs now `next()` instead of 400981 - deps: escape-html@1.0.2982 - deps: send@0.13.0983 - perf: enable strict mode984 - perf: remove argument reassignment985 * deps: type-is@~1.6.3986 - deps: mime-types@~2.1.1987 - perf: reduce try block size988 - perf: remove bitwise operations989 * perf: enable strict mode990 * perf: isolate `app.render` try block991 * perf: remove argument reassignments in application992 * perf: remove argument reassignments in request prototype993 * perf: remove argument reassignments in response prototype994 * perf: remove argument reassignments in routing995 * perf: remove argument reassignments in `View`996 * perf: skip attempting to decode zero length string997 * perf: use saved reference to `http.STATUS_CODES`9989994.12.4 / 2015-05-171000===================10011002 * deps: accepts@~1.2.71003 - deps: mime-types@~2.0.111004 - deps: negotiator@0.5.31005 * deps: debug@~2.2.01006 - deps: ms@0.7.11007 * deps: depd@~1.0.11008 * deps: etag@~1.6.01009 - Improve support for JXcore1010 - Support "fake" stats objects in environments without `fs`1011 * deps: finalhandler@0.3.61012 - deps: debug@~2.2.01013 - deps: on-finished@~2.2.11014 * deps: on-finished@~2.2.11015 - Fix `isFinished(req)` when data buffered1016 * deps: proxy-addr@~1.0.81017 - deps: ipaddr.js@1.0.11018 * deps: qs@2.4.21019 - Fix allowing parameters like `constructor`1020 * deps: send@0.12.31021 - deps: debug@~2.2.01022 - deps: depd@~1.0.11023 - deps: etag@~1.6.01024 - deps: ms@0.7.11025 - deps: on-finished@~2.2.11026 * deps: serve-static@~1.9.31027 - deps: send@0.12.31028 * deps: type-is@~1.6.21029 - deps: mime-types@~2.0.11103010314.12.3 / 2015-03-171032===================10331034 * deps: accepts@~1.2.51035 - deps: mime-types@~2.0.101036 * deps: debug@~2.1.31037 - Fix high intensity foreground color for bold1038 - deps: ms@0.7.01039 * deps: finalhandler@0.3.41040 - deps: debug@~2.1.31041 * deps: proxy-addr@~1.0.71042 - deps: ipaddr.js@0.1.91043 * deps: qs@2.4.11044 - Fix error when parameter `hasOwnProperty` is present1045 * deps: send@0.12.21046 - Throw errors early for invalid `extensions` or `index` options1047 - deps: debug@~2.1.31048 * deps: serve-static@~1.9.21049 - deps: send@0.12.21050 * deps: type-is@~1.6.11051 - deps: mime-types@~2.0.10105210534.12.2 / 2015-03-021054===================10551056 * Fix regression where `"Request aborted"` is logged using `res.sendFile`105710584.12.1 / 2015-03-011059===================10601061 * Fix constructing application with non-configurable prototype properties1062 * Fix `ECONNRESET` errors from `res.sendFile` usage1063 * Fix `req.host` when using "trust proxy" hops count1064 * Fix `req.protocol`/`req.secure` when using "trust proxy" hops count1065 * Fix wrong `code` on aborted connections from `res.sendFile`1066 * deps: merge-descriptors@1.0.0106710684.12.0 / 2015-02-231069===================10701071 * Fix `"trust proxy"` setting to inherit when app is mounted1072 * Generate `ETag`s for all request responses1073 - No longer restricted to only responses for `GET` and `HEAD` requests1074 * Use `content-type` to parse `Content-Type` headers1075 * deps: accepts@~1.2.41076 - Fix preference sorting to be stable for long acceptable lists1077 - deps: mime-types@~2.0.91078 - deps: negotiator@0.5.11079 * deps: cookie-signature@1.0.61080 * deps: send@0.12.11081 - Always read the stat size from the file1082 - Fix mutating passed-in `options`1083 - deps: mime@1.3.41084 * deps: serve-static@~1.9.11085 - deps: send@0.12.11086 * deps: type-is@~1.6.01087 - fix argument reassignment1088 - fix false-positives in `hasBody` `Transfer-Encoding` check1089 - support wildcard for both type and subtype (`*/*`)1090 - deps: mime-types@~2.0.9109110924.11.2 / 2015-02-011093===================10941095 * Fix `res.redirect` double-calling `res.end` for `HEAD` requests1096 * deps: accepts@~1.2.31097 - deps: mime-types@~2.0.81098 * deps: proxy-addr@~1.0.61099 - deps: ipaddr.js@0.1.81100 * deps: type-is@~1.5.61101 - deps: mime-types@~2.0.8110211034.11.1 / 2015-01-201104===================11051106 * deps: send@0.11.11107 - Fix root path disclosure1108 * deps: serve-static@~1.8.11109 - Fix redirect loop in Node.js 0.11.141110 - Fix root path disclosure1111 - deps: send@0.11.1111211134.11.0 / 2015-01-131114===================11151116 * Add `res.append(field, val)` to append headers1117 * Deprecate leading `:` in `name` for `app.param(name, fn)`1118 * Deprecate `req.param()` -- use `req.params`, `req.body`, or `req.query` instead1119 * Deprecate `app.param(fn)`1120 * Fix `OPTIONS` responses to include the `HEAD` method properly1121 * Fix `res.sendFile` not always detecting aborted connection1122 * Match routes iteratively to prevent stack overflows1123 * deps: accepts@~1.2.21124 - deps: mime-types@~2.0.71125 - deps: negotiator@0.5.01126 * deps: send@0.11.01127 - deps: debug@~2.1.11128 - deps: etag@~1.5.11129 - deps: ms@0.7.01130 - deps: on-finished@~2.2.01131 * deps: serve-static@~1.8.01132 - deps: send@0.11.0113311344.10.8 / 2015-01-131135===================11361137 * Fix crash from error within `OPTIONS` response handler1138 * deps: proxy-addr@~1.0.51139 - deps: ipaddr.js@0.1.6114011414.10.7 / 2015-01-041142===================11431144 * Fix `Allow` header for `OPTIONS` to not contain duplicate methods1145 * Fix incorrect "Request aborted" for `res.sendFile` when `HEAD` or 3041146 * deps: debug@~2.1.11147 * deps: finalhandler@0.3.31148 - deps: debug@~2.1.11149 - deps: on-finished@~2.2.01150 * deps: methods@~1.1.11151 * deps: on-finished@~2.2.01152 * deps: serve-static@~1.7.21153 - Fix potential open redirect when mounted at root1154 * deps: type-is@~1.5.51155 - deps: mime-types@~2.0.7115611574.10.6 / 2014-12-121158===================11591160 * Fix exception in `req.fresh`/`req.stale` without response headers116111624.10.5 / 2014-12-101163===================11641165 * Fix `res.send` double-calling `res.end` for `HEAD` requests1166 * deps: accepts@~1.1.41167 - deps: mime-types@~2.0.41168 * deps: type-is@~1.5.41169 - deps: mime-types@~2.0.4117011714.10.4 / 2014-11-241172===================11731174 * Fix `res.sendfile` logging standard write errors117511764.10.3 / 2014-11-231177===================11781179 * Fix `res.sendFile` logging standard write errors1180 * deps: etag@~1.5.11181 * deps: proxy-addr@~1.0.41182 - deps: ipaddr.js@0.1.51183 * deps: qs@2.3.31184 - Fix `arrayLimit` behavior118511864.10.2 / 2014-11-091187===================11881189 * Correctly invoke async router callback asynchronously1190 * deps: accepts@~1.1.31191 - deps: mime-types@~2.0.31192 * deps: type-is@~1.5.31193 - deps: mime-types@~2.0.3119411954.10.1 / 2014-10-281196===================11971198 * Fix handling of URLs containing `://` in the path1199 * deps: qs@2.3.21200 - Fix parsing of mixed objects and values120112024.10.0 / 2014-10-231203===================12041205 * Add support for `app.set('views', array)`1206 - Views are looked up in sequence in array of directories1207 * Fix `res.send(status)` to mention `res.sendStatus(status)`1208 * Fix handling of invalid empty URLs1209 * Use `content-disposition` module for `res.attachment`/`res.download`1210 - Sends standards-compliant `Content-Disposition` header1211 - Full Unicode support1212 * Use `path.resolve` in view lookup1213 * deps: debug@~2.1.01214 - Implement `DEBUG_FD` env variable support1215 * deps: depd@~1.0.01216 * deps: etag@~1.5.01217 - Improve string performance1218 - Slightly improve speed for weak ETags over 1KB1219 * deps: finalhandler@0.3.21220 - Terminate in progress response only on error1221 - Use `on-finished` to determine request status1222 - deps: debug@~2.1.01223 - deps: on-finished@~2.1.11224 * deps: on-finished@~2.1.11225 - Fix handling of pipelined requests1226 * deps: qs@2.3.01227 - Fix parsing of mixed implicit and explicit arrays1228 * deps: send@0.10.11229 - deps: debug@~2.1.01230 - deps: depd@~1.0.01231 - deps: etag@~1.5.01232 - deps: on-finished@~2.1.11233 * deps: serve-static@~1.7.11234 - deps: send@0.10.1123512364.9.8 / 2014-10-171237==================12381239 * Fix `res.redirect` body when redirect status specified1240 * deps: accepts@~1.1.21241 - Fix error when media type has invalid parameter1242 - deps: negotiator@0.4.9124312444.9.7 / 2014-10-101245==================12461247 * Fix using same param name in array of paths124812494.9.6 / 2014-10-081250==================12511252 * deps: accepts@~1.1.11253 - deps: mime-types@~2.0.21254 - deps: negotiator@0.4.81255 * deps: serve-static@~1.6.41256 - Fix redirect loop when index file serving disabled1257 * deps: type-is@~1.5.21258 - deps: mime-types@~2.0.2125912604.9.5 / 2014-09-241261==================12621263 * deps: etag@~1.4.01264 * deps: proxy-addr@~1.0.31265 - Use `forwarded` npm module1266 * deps: send@0.9.31267 - deps: etag@~1.4.01268 * deps: serve-static@~1.6.31269 - deps: send@0.9.3127012714.9.4 / 2014-09-191272==================12731274 * deps: qs@2.2.41275 - Fix issue with object keys starting with numbers truncated127612774.9.3 / 2014-09-181278==================12791280 * deps: proxy-addr@~1.0.21281 - Fix a global leak when multiple subnets are trusted1282 - deps: ipaddr.js@0.1.3128312844.9.2 / 2014-09-171285==================12861287 * Fix regression for empty string `path` in `app.use`1288 * Fix `router.use` to accept array of middleware without path1289 * Improve error message for bad `app.use` arguments129012914.9.1 / 2014-09-161292==================12931294 * Fix `app.use` to accept array of middleware without path1295 * deps: depd@0.4.51296 * deps: etag@~1.3.11297 * deps: send@0.9.21298 - deps: depd@0.4.51299 - deps: etag@~1.3.11300 - deps: range-parser@~1.0.21301 * deps: serve-static@~1.6.21302 - deps: send@0.9.2130313044.9.0 / 2014-09-081305==================13061307 * Add `res.sendStatus`1308 * Invoke callback for sendfile when client aborts1309 - Applies to `res.sendFile`, `res.sendfile`, and `res.download`1310 - `err` will be populated with request aborted error1311 * Support IP address host in `req.subdomains`1312 * Use `etag` to generate `ETag` headers1313 * deps: accepts@~1.1.01314 - update `mime-types`1315 * deps: cookie-signature@1.0.51316 * deps: debug@~2.0.01317 * deps: finalhandler@0.2.01318 - Set `X-Content-Type-Options: nosniff` header1319 - deps: debug@~2.0.01320 * deps: fresh@0.2.41321 * deps: media-typer@0.3.01322 - Throw error when parameter format invalid on parse1323 * deps: qs@2.2.31324 - Fix issue where first empty value in array is discarded1325 * deps: range-parser@~1.0.21326 * deps: send@0.9.11327 - Add `lastModified` option1328 - Use `etag` to generate `ETag` header1329 - deps: debug@~2.0.01330 - deps: fresh@0.2.41331 * deps: serve-static@~1.6.11332 - Add `lastModified` option1333 - deps: send@0.9.11334 * deps: type-is@~1.5.11335 - fix `hasbody` to be true for `content-length: 0`1336 - deps: media-typer@0.3.01337 - deps: mime-types@~2.0.11338 * deps: vary@~1.0.01339 - Accept valid `Vary` header string as `field`134013414.8.8 / 2014-09-041342==================13431344 * deps: send@0.8.51345 - Fix a path traversal issue when using `root`1346 - Fix malicious path detection for empty string path1347 * deps: serve-static@~1.5.41348 - deps: send@0.8.5134913504.8.7 / 2014-08-291351==================13521353 * deps: qs@2.2.21354 - Remove unnecessary cloning135513564.8.6 / 2014-08-271357==================13581359 * deps: qs@2.2.01360 - Array parsing fix1361 - Performance improvements136213634.8.5 / 2014-08-181364==================13651366 * deps: send@0.8.31367 - deps: destroy@1.0.31368 - deps: on-finished@2.1.01369 * deps: serve-static@~1.5.31370 - deps: send@0.8.3137113724.8.4 / 2014-08-141373==================13741375 * deps: qs@1.2.21376 * deps: send@0.8.21377 - Work around `fd` leak in Node.js 0.10 for `fs.ReadStream`1378 * deps: serve-static@~1.5.21379 - deps: send@0.8.2138013814.8.3 / 2014-08-101382==================13831384 * deps: parseurl@~1.3.01385 * deps: qs@1.2.11386 * deps: serve-static@~1.5.11387 - Fix parsing of weird `req.originalUrl` values1388 - deps: parseurl@~1.3.01389 - deps: utils-merge@1.0.0139013914.8.2 / 2014-08-071392==================13931394 * deps: qs@1.2.01395 - Fix parsing array of objects139613974.8.1 / 2014-08-061398==================13991400 * fix incorrect deprecation warnings on `res.download`1401 * deps: qs@1.1.01402 - Accept urlencoded square brackets1403 - Accept empty values in implicit array notation140414054.8.0 / 2014-08-051406==================14071408 * add `res.sendFile`1409 - accepts a file system path instead of a URL1410 - requires an absolute path or `root` option specified1411 * deprecate `res.sendfile` -- use `res.sendFile` instead1412 * support mounted app as any argument to `app.use()`1413 * deps: qs@1.0.21414 - Complete rewrite1415 - Limits array length to 201416 - Limits object depth to 51417 - Limits parameters to 1,0001418 * deps: send@0.8.11419 - Add `extensions` option1420 * deps: serve-static@~1.5.01421 - Add `extensions` option1422 - deps: send@0.8.1142314244.7.4 / 2014-08-041425==================14261427 * fix `res.sendfile` regression for serving directory index files1428 * deps: send@0.7.41429 - Fix incorrect 403 on Windows and Node.js 0.111430 - Fix serving index files without root dir1431 * deps: serve-static@~1.4.41432 - deps: send@0.7.4143314344.7.3 / 2014-08-041435==================14361437 * deps: send@0.7.31438 - Fix incorrect 403 on Windows and Node.js 0.111439 * deps: serve-static@~1.4.31440 - Fix incorrect 403 on Windows and Node.js 0.111441 - deps: send@0.7.3144214434.7.2 / 2014-07-271444==================14451446 * deps: depd@0.4.41447 - Work-around v8 generating empty stack traces1448 * deps: send@0.7.21449 - deps: depd@0.4.41450 * deps: serve-static@~1.4.2145114524.7.1 / 2014-07-261453==================14541455 * deps: depd@0.4.31456 - Fix exception when global `Error.stackTraceLimit` is too low1457 * deps: send@0.7.11458 - deps: depd@0.4.31459 * deps: serve-static@~1.4.1146014614.7.0 / 2014-07-251462==================14631464 * fix `req.protocol` for proxy-direct connections1465 * configurable query parser with `app.set('query parser', parser)`1466 - `app.set('query parser', 'extended')` parse with "qs" module1467 - `app.set('query parser', 'simple')` parse with "querystring" core module1468 - `app.set('query parser', false)` disable query string parsing1469 - `app.set('query parser', true)` enable simple parsing1470 * deprecate `res.json(status, obj)` -- use `res.status(status).json(obj)` instead1471 * deprecate `res.jsonp(status, obj)` -- use `res.status(status).jsonp(obj)` instead1472 * deprecate `res.send(status, body)` -- use `res.status(status).send(body)` instead1473 * deps: debug@1.0.41474 * deps: depd@0.4.21475 - Add `TRACE_DEPRECATION` environment variable1476 - Remove non-standard grey color from color output1477 - Support `--no-deprecation` argument1478 - Support `--trace-deprecation` argument1479 * deps: finalhandler@0.1.01480 - Respond after request fully read1481 - deps: debug@1.0.41482 * deps: parseurl@~1.2.01483 - Cache URLs based on original value1484 - Remove no-longer-needed URL mis-parse work-around1485 - Simplify the "fast-path" `RegExp`1486 * deps: send@0.7.01487 - Add `dotfiles` option1488 - Cap `maxAge` value to 1 year1489 - deps: debug@1.0.41490 - deps: depd@0.4.21491 * deps: serve-static@~1.4.01492 - deps: parseurl@~1.2.01493 - deps: send@0.7.01494 * perf: prevent multiple `Buffer` creation in `res.send`149514964.6.1 / 2014-07-121497==================14981499 * fix `subapp.mountpath` regression for `app.use(subapp)`150015014.6.0 / 2014-07-111502==================15031504 * accept multiple callbacks to `app.use()`1505 * add explicit "Rosetta Flash JSONP abuse" protection1506 - previous versions are not vulnerable; this is just explicit protection1507 * catch errors in multiple `req.param(name, fn)` handlers1508 * deprecate `res.redirect(url, status)` -- use `res.redirect(status, url)` instead1509 * fix `res.send(status, num)` to send `num` as json (not error)1510 * remove unnecessary escaping when `res.jsonp` returns JSON response1511 * support non-string `path` in `app.use(path, fn)`1512 - supports array of paths1513 - supports `RegExp`1514 * router: fix optimization on router exit1515 * router: refactor location of `try` blocks1516 * router: speed up standard `app.use(fn)`1517 * deps: debug@1.0.31518 - Add support for multiple wildcards in namespaces1519 * deps: finalhandler@0.0.31520 - deps: debug@1.0.31521 * deps: methods@1.1.01522 - add `CONNECT`1523 * deps: parseurl@~1.1.31524 - faster parsing of href-only URLs1525 * deps: path-to-regexp@0.1.31526 * deps: send@0.6.01527 - deps: debug@1.0.31528 * deps: serve-static@~1.3.21529 - deps: parseurl@~1.1.31530 - deps: send@0.6.01531 * perf: fix arguments reassign deopt in some `res` methods153215334.5.1 / 2014-07-061534==================15351536 * fix routing regression when altering `req.method`153715384.5.0 / 2014-07-041539==================15401541 * add deprecation message to non-plural `req.accepts*`1542 * add deprecation message to `res.send(body, status)`1543 * add deprecation message to `res.vary()`1544 * add `headers` option to `res.sendfile`1545 - use to set headers on successful file transfer1546 * add `mergeParams` option to `Router`1547 - merges `req.params` from parent routes1548 * add `req.hostname` -- correct name for what `req.host` returns1549 * deprecate things with `depd` module1550 * deprecate `req.host` -- use `req.hostname` instead1551 * fix behavior when handling request without routes1552 * fix handling when `route.all` is only route1553 * invoke `router.param()` only when route matches1554 * restore `req.params` after invoking router1555 * use `finalhandler` for final response handling1556 * use `media-typer` to alter content-type charset1557 * deps: accepts@~1.0.71558 * deps: send@0.5.01559 - Accept string for `maxage` (converted by `ms`)1560 - Include link in default redirect response1561 * deps: serve-static@~1.3.01562 - Accept string for `maxAge` (converted by `ms`)1563 - Add `setHeaders` option1564 - Include HTML link in redirect response1565 - deps: send@0.5.01566 * deps: type-is@~1.3.2156715684.4.5 / 2014-06-261569==================15701571 * deps: cookie-signature@1.0.41572 - fix for timing attacks157315744.4.4 / 2014-06-201575==================15761577 * fix `res.attachment` Unicode filenames in Safari1578 * fix "trim prefix" debug message in `express:router`1579 * deps: accepts@~1.0.51580 * deps: buffer-crc32@0.2.3158115824.4.3 / 2014-06-111583==================15841585 * fix persistence of modified `req.params[name]` from `app.param()`1586 * deps: accepts@1.0.31587 - deps: negotiator@0.4.61588 * deps: debug@1.0.21589 * deps: send@0.4.31590 - Do not throw uncatchable error on file open race condition1591 - Use `escape-html` for HTML escaping1592 - deps: debug@1.0.21593 - deps: finished@1.2.21594 - deps: fresh@0.2.21595 * deps: serve-static@1.2.31596 - Do not throw uncatchable error on file open race condition1597 - deps: send@0.4.3159815994.4.2 / 2014-06-091600==================16011602 * fix catching errors from top-level handlers1603 * use `vary` module for `res.vary`1604 * deps: debug@1.0.11605 * deps: proxy-addr@1.0.11606 * deps: send@0.4.21607 - fix "event emitter leak" warnings1608 - deps: debug@1.0.11609 - deps: finished@1.2.11610 * deps: serve-static@1.2.21611 - fix "event emitter leak" warnings1612 - deps: send@0.4.21613 * deps: type-is@1.2.1161416154.4.1 / 2014-06-021616==================16171618 * deps: methods@1.0.11619 * deps: send@0.4.11620 - Send `max-age` in `Cache-Control` in correct format1621 * deps: serve-static@1.2.11622 - use `escape-html` for escaping1623 - deps: send@0.4.1162416254.4.0 / 2014-05-301626==================16271628 * custom etag control with `app.set('etag', val)`1629 - `app.set('etag', function(body, encoding){ return '"etag"' })` custom etag generation1630 - `app.set('etag', 'weak')` weak tag1631 - `app.set('etag', 'strong')` strong etag1632 - `app.set('etag', false)` turn off1633 - `app.set('etag', true)` standard etag1634 * mark `res.send` ETag as weak and reduce collisions1635 * update accepts to 1.0.21636 - Fix interpretation when header not in request1637 * update send to 0.4.01638 - Calculate ETag with md5 for reduced collisions1639 - Ignore stream errors after request ends1640 - deps: debug@0.8.11641 * update serve-static to 1.2.01642 - Calculate ETag with md5 for reduced collisions1643 - Ignore stream errors after request ends1644 - deps: send@0.4.0164516464.3.2 / 2014-05-281647==================16481649 * fix handling of errors from `router.param()` callbacks165016514.3.1 / 2014-05-231652==================16531654 * revert "fix behavior of multiple `app.VERB` for the same path"1655 - this caused a regression in the order of route execution165616574.3.0 / 2014-05-211658==================16591660 * add `req.baseUrl` to access the path stripped from `req.url` in routes1661 * fix behavior of multiple `app.VERB` for the same path1662 * fix issue routing requests among sub routers1663 * invoke `router.param()` only when necessary instead of every match1664 * proper proxy trust with `app.set('trust proxy', trust)`1665 - `app.set('trust proxy', 1)` trust first hop1666 - `app.set('trust proxy', 'loopback')` trust loopback addresses1667 - `app.set('trust proxy', '10.0.0.1')` trust single IP1668 - `app.set('trust proxy', '10.0.0.1/16')` trust subnet1669 - `app.set('trust proxy', '10.0.0.1, 10.0.0.2')` trust list1670 - `app.set('trust proxy', false)` turn off1671 - `app.set('trust proxy', true)` trust everything1672 * set proper `charset` in `Content-Type` for `res.send`1673 * update type-is to 1.2.01674 - support suffix matching167516764.2.0 / 2014-05-111677==================16781679 * deprecate `app.del()` -- use `app.delete()` instead1680 * deprecate `res.json(obj, status)` -- use `res.json(status, obj)` instead1681 - the edge-case `res.json(status, num)` requires `res.status(status).json(num)`1682 * deprecate `res.jsonp(obj, status)` -- use `res.jsonp(status, obj)` instead1683 - the edge-case `res.jsonp(status, num)` requires `res.status(status).jsonp(num)`1684 * fix `req.next` when inside router instance1685 * include `ETag` header in `HEAD` requests1686 * keep previous `Content-Type` for `res.jsonp`1687 * support PURGE method1688 - add `app.purge`1689 - add `router.purge`1690 - include PURGE in `app.all`1691 * update debug to 0.8.01692 - add `enable()` method1693 - change from stderr to stdout1694 * update methods to 1.0.01695 - add PURGE169616974.1.2 / 2014-05-081698==================16991700 * fix `req.host` for IPv6 literals1701 * fix `res.jsonp` error if callback param is object170217034.1.1 / 2014-04-271704==================17051706 * fix package.json to reflect supported node version170717084.1.0 / 2014-04-241709==================17101711 * pass options from `res.sendfile` to `send`1712 * preserve casing of headers in `res.header` and `res.set`1713 * support unicode file names in `res.attachment` and `res.download`1714 * update accepts to 1.0.11715 - deps: negotiator@0.4.01716 * update cookie to 0.1.21717 - Fix for maxAge == 01718 - made compat with expires field1719 * update send to 0.3.01720 - Accept API options in options object1721 - Coerce option types1722 - Control whether to generate etags1723 - Default directory access to 403 when index disabled1724 - Fix sending files with dots without root set1725 - Include file path in etag1726 - Make "Can't set headers after they are sent." catchable1727 - Send full entity-body for multi range requests1728 - Set etags to "weak"1729 - Support "If-Range" header1730 - Support multiple index paths1731 - deps: mime@1.2.111732 * update serve-static to 1.1.01733 - Accept options directly to `send` module1734 - Resolve relative paths at middleware setup1735 - Use parseurl to parse the URL from request1736 - deps: send@0.3.01737 * update type-is to 1.1.01738 - add non-array values support1739 - add `multipart` as a shorthand174017414.0.0 / 2014-04-091742==================17431744 * remove:1745 - node 0.8 support1746 - connect and connect's patches except for charset handling1747 - express(1) - moved to [express-generator](https://github.com/expressjs/generator)1748 - `express.createServer()` - it has been deprecated for a long time. Use `express()`1749 - `app.configure` - use logic in your own app code1750 - `app.router` - is removed1751 - `req.auth` - use `basic-auth` instead1752 - `req.accepted*` - use `req.accepts*()` instead1753 - `res.location` - relative URL resolution is removed1754 - `res.charset` - include the charset in the content type when using `res.set()`1755 - all bundled middleware except `static`1756 * change:1757 - `app.route` -> `app.mountpath` when mounting an express app in another express app1758 - `json spaces` no longer enabled by default in development1759 - `req.accepts*` -> `req.accepts*s` - i.e. `req.acceptsEncoding` -> `req.acceptsEncodings`1760 - `req.params` is now an object instead of an array1761 - `res.locals` is no longer a function. It is a plain js object. Treat it as such.1762 - `res.headerSent` -> `res.headersSent` to match node.js ServerResponse object1763 * refactor:1764 - `req.accepts*` with [accepts](https://github.com/expressjs/accepts)1765 - `req.is` with [type-is](https://github.com/expressjs/type-is)1766 - [path-to-regexp](https://github.com/component/path-to-regexp)1767 * add:1768 - `app.router()` - returns the app Router instance1769 - `app.route()` - Proxy to the app's `Router#route()` method to create a new route1770 - Router & Route - public API177117723.21.2 / 2015-07-311773===================17741775 * deps: connect@2.30.21776 - deps: body-parser@~1.13.31777 - deps: compression@~1.5.21778 - deps: errorhandler@~1.4.21779 - deps: method-override@~2.3.51780 - deps: serve-index@~1.7.21781 - deps: type-is@~1.6.61782 - deps: vhost@~3.0.11783 * deps: vary@~1.0.11784 - Fix setting empty header from empty `field`1785 - perf: enable strict mode1786 - perf: remove argument reassignments178717883.21.1 / 2015-07-051789===================17901791 * deps: basic-auth@~1.0.31792 * deps: connect@2.30.11793 - deps: body-parser@~1.13.21794 - deps: compression@~1.5.11795 - deps: errorhandler@~1.4.11796 - deps: morgan@~1.6.11797 - deps: pause@0.1.01798 - deps: qs@4.0.01799 - deps: serve-index@~1.7.11800 - deps: type-is@~1.6.4180118023.21.0 / 2015-06-181803===================18041805 * deps: basic-auth@1.0.21806 - perf: enable strict mode1807 - perf: hoist regular expression1808 - perf: parse with regular expressions1809 - perf: remove argument reassignment1810 * deps: connect@2.30.01811 - deps: body-parser@~1.13.11812 - deps: bytes@2.1.01813 - deps: compression@~1.5.01814 - deps: cookie@0.1.31815 - deps: cookie-parser@~1.3.51816 - deps: csurf@~1.8.31817 - deps: errorhandler@~1.4.01818 - deps: express-session@~1.11.31819 - deps: finalhandler@0.4.01820 - deps: fresh@0.3.01821 - deps: morgan@~1.6.01822 - deps: serve-favicon@~2.3.01823 - deps: serve-index@~1.7.01824 - deps: serve-static@~1.10.01825 - deps: type-is@~1.6.31826 * deps: cookie@0.1.31827 - perf: deduce the scope of try-catch deopt1828 - perf: remove argument reassignments1829 * deps: escape-html@1.0.21830 * deps: etag@~1.7.01831 - Always include entity length in ETags for hash length extensions1832 - Generate non-Stats ETags using MD5 only (no longer CRC32)1833 - Improve stat performance by removing hashing1834 - Improve support for JXcore1835 - Remove base64 padding in ETags to shorten1836 - Support "fake" stats objects in environments without fs1837 - Use MD5 instead of MD4 in weak ETags over 1KB1838 * deps: fresh@0.3.01839 - Add weak `ETag` matching support1840 * deps: mkdirp@0.5.11841 - Work in global strict mode1842 * deps: send@0.13.01843 - Allow Node.js HTTP server to set `Date` response header1844 - Fix incorrectly removing `Content-Location` on 304 response1845 - Improve the default redirect response headers1846 - Send appropriate headers on default error response1847 - Use `http-errors` for standard emitted errors1848 - Use `statuses` instead of `http` module for status messages1849 - deps: escape-html@1.0.21850 - deps: etag@~1.7.01851 - deps: fresh@0.3.01852 - deps: on-finished@~2.3.01853 - perf: enable strict mode1854 - perf: remove unnecessary array allocations185518563.20.3 / 2015-05-171857===================18581859 * deps: connect@2.29.21860 - deps: body-parser@~1.12.41861 - deps: compression@~1.4.41862 - deps: connect-timeout@~1.6.21863 - deps: debug@~2.2.01864 - deps: depd@~1.0.11865 - deps: errorhandler@~1.3.61866 - deps: finalhandler@0.3.61867 - deps: method-override@~2.3.31868 - deps: morgan@~1.5.31869 - deps: qs@2.4.21870 - deps: response-time@~2.3.11871 - deps: serve-favicon@~2.2.11872 - deps: serve-index@~1.6.41873 - deps: serve-static@~1.9.31874 - deps: type-is@~1.6.21875 * deps: debug@~2.2.01876 - deps: ms@0.7.11877 * deps: depd@~1.0.11878 * deps: proxy-addr@~1.0.81879 - deps: ipaddr.js@1.0.11880 * deps: send@0.12.31881 - deps: debug@~2.2.01882 - deps: depd@~1.0.11883 - deps: etag@~1.6.01884 - deps: ms@0.7.11885 - deps: on-finished@~2.2.1188618873.20.2 / 2015-03-161888===================18891890 * deps: connect@2.29.11891 - deps: body-parser@~1.12.21892 - deps: compression@~1.4.31893 - deps: connect-timeout@~1.6.11894 - deps: debug@~2.1.31895 - deps: errorhandler@~1.3.51896 - deps: express-session@~1.10.41897 - deps: finalhandler@0.3.41898 - deps: method-override@~2.3.21899 - deps: morgan@~1.5.21900 - deps: qs@2.4.11901 - deps: serve-index@~1.6.31902 - deps: serve-static@~1.9.21903 - deps: type-is@~1.6.11904 * deps: debug@~2.1.31905 - Fix high intensity foreground color for bold1906 - deps: ms@0.7.01907 * deps: merge-descriptors@1.0.01908 * deps: proxy-addr@~1.0.71909 - deps: ipaddr.js@0.1.91910 * deps: send@0.12.21911 - Throw errors early for invalid `extensions` or `index` options1912 - deps: debug@~2.1.3191319143.20.1 / 2015-02-281915===================19161917 * Fix `req.host` when using "trust proxy" hops count1918 * Fix `req.protocol`/`req.secure` when using "trust proxy" hops count191919203.20.0 / 2015-02-181921===================19221923 * Fix `"trust proxy"` setting to inherit when app is mounted1924 * Generate `ETag`s for all request responses1925 - No longer restricted to only responses for `GET` and `HEAD` requests1926 * Use `content-type` to parse `Content-Type` headers1927 * deps: connect@2.29.01928 - Use `content-type` to parse `Content-Type` headers1929 - deps: body-parser@~1.12.01930 - deps: compression@~1.4.11931 - deps: connect-timeout@~1.6.01932 - deps: cookie-parser@~1.3.41933 - deps: cookie-signature@1.0.61934 - deps: csurf@~1.7.01935 - deps: errorhandler@~1.3.41936 - deps: express-session@~1.10.31937 - deps: http-errors@~1.3.11938 - deps: response-time@~2.3.01939 - deps: serve-index@~1.6.21940 - deps: serve-static@~1.9.11941 - deps: type-is@~1.6.01942 * deps: cookie-signature@1.0.61943 * deps: send@0.12.11944 - Always read the stat size from the file1945 - Fix mutating passed-in `options`1946 - deps: mime@1.3.4194719483.19.2 / 2015-02-011949===================19501951 * deps: connect@2.28.31952 - deps: compression@~1.3.11953 - deps: csurf@~1.6.61954 - deps: errorhandler@~1.3.31955 - deps: express-session@~1.10.21956 - deps: serve-index@~1.6.11957 - deps: type-is@~1.5.61958 * deps: proxy-addr@~1.0.61959 - deps: ipaddr.js@0.1.8196019613.19.1 / 2015-01-201962===================19631964 * deps: connect@2.28.21965 - deps: body-parser@~1.10.21966 - deps: serve-static@~1.8.11967 * deps: send@0.11.11968 - Fix root path disclosure196919703.19.0 / 2015-01-091971===================19721973 * Fix `OPTIONS` responses to include the `HEAD` method property1974 * Use `readline` for prompt in `express(1)`1975 * deps: commander@2.6.01976 * deps: connect@2.28.11977 - deps: body-parser@~1.10.11978 - deps: compression@~1.3.01979 - deps: connect-timeout@~1.5.01980 - deps: csurf@~1.6.41981 - deps: debug@~2.1.11982 - deps: errorhandler@~1.3.21983 - deps: express-session@~1.10.11984 - deps: finalhandler@0.3.31985 - deps: method-override@~2.3.11986 - deps: morgan@~1.5.11987 - deps: serve-favicon@~2.2.01988 - deps: serve-index@~1.6.01989 - deps: serve-static@~1.8.01990 - deps: type-is@~1.5.51991 * deps: debug@~2.1.11992 * deps: methods@~1.1.11993 * deps: proxy-addr@~1.0.51994 - deps: ipaddr.js@0.1.61995 * deps: send@0.11.01996 - deps: debug@~2.1.11997 - deps: etag@~1.5.11998 - deps: ms@0.7.01999 - deps: on-finished@~2.2.0
Findings
✓ No findings reported for this file.