Update dependency express to v4.21.1

[mend-for-github.1485827954.workers.dev]

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	4.17.1 -> 4.21.1

By merging this PR, the issue #3 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability
High	7.5	CVE-2022-24999
High	7.5	CVE-2024-45296
High	7.5	CVE-2024-52798
Medium	6.1	CVE-2024-29041
Medium	5.3	CVE-2024-47764
Medium	5.0	CVE-2024-43796

---

Release Notes

expressjs/express (express)

v4.21.1

Compare Source

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in https://github.com/expressjs/express/pull/6029
• Release: 4.21.1 by @​UlisesGascon in https://github.com/expressjs/express/pull/6031

Full Changelog: expressjs/express@4.21.0...4.21.1

v4.21.0

Compare Source

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in https://github.com/expressjs/express/pull/5935
• [email protected] by @​wesleytodd in https://github.com/expressjs/express/pull/5954
• fix(deps): [email protected] by @​wesleytodd in https://github.com/expressjs/express/pull/5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in https://github.com/expressjs/express/pull/5946

New Contributors

• @​agadzinski93 made their first contribution in https://github.com/expressjs/express/pull/5946

Full Changelog: expressjs/express@4.20.0...4.21.0

v4.20.0

Compare Source

==========

• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: [email protected]
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

v4.19.2

Compare Source

==========

• Improved fix for open redirect allow list bypass

v4.19.1

Compare Source

==========

• Allow passing non-strings to res.location with new encoding handling checks

v4.19.0

Compare Source

==========

• Prevent open redirect allow list bypass due to encodeurl
• deps: [email protected]

v4.18.3

Compare Source

==========

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: [email protected]
• deps: [email protected]
  • Add partitioned option

v4.18.2

Compare Source

===================

• Fix regression routing a large stack in a single route
• deps: [email protected]
  • deps: [email protected]
  • perf: remove unnecessary object clone
• deps: [email protected]

v4.18.1

Compare Source

===================

• Fix hanging on large stack of sync routes

v4.18.0

Compare Source

===================

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get
• Invoke default with same arguments as types in res.format
• Support proper 205 responses using res.send
• Use http-errors for res.format error
• deps: [email protected]
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Add priority option
  • Fix expires option to reject invalid dates
• deps: [email protected]
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: [email protected]
  • Remove set content headers that break response
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Prevent loss of async hooks context
• deps: [email protected]
• deps: [email protected]
  • Fix emitted 416 error missing headers property
  • Limit the headers removed for 304 response
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Remove code 306
  • Rename 425 Unordered Collection to standard 425 Too Early

v4.17.3

Compare Source

===================

• deps: accepts@~1.3.8
  • deps: mime-types@~2.1.34
  • deps: [email protected]
• deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
• deps: [email protected]
  • Fix handling of __proto__ keys
• pref: remove unnecessary regexp for trust proxy

v4.17.2

Compare Source

===================

• Fix handling of undefined in res.jsonp
• Fix handling of undefined when "json escape" is enabled
• Fix incorrect middleware execution with unanchored RegExps
• Fix res.jsonp(obj, status) deprecation message
• Fix typo in res.is JSDoc
• deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: type-is@~1.6.18
• deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Fix maxAge option to reject invalid values
• deps: proxy-addr@~2.0.7
  • Use req.socket over deprecated req.connection
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
• deps: [email protected]
• deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • pref: ignore empty http tokens
• deps: [email protected]
  • deps: [email protected]
• deps: [email protected]

---

• If you want to rebase/retry this PR, check this box

[mend-for-github.1485827954.workers.dev]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json