Release: 4.21.2 #6094
Same comment as here: expressjs/discussions#228 (comment). I think we need more eyes on the funding field before we publish. Ideally a change like this would be reviewed by a few members of the TC before landing since it is often considered a sensitive issue.
Just release it. It is Oct 31st. The funding field is only some metadata npm adds on the package-lock.json for people who install this version.
52c49b8 to 937366b
This comment was marked as off-topic.
We plan to include a security patch too so this release is on hold now
Can you please disclose how serious (low, medium, high) it is? Does it impact a dependency or express code itself? Can it be sorted by npm overrides? We are kind of aggressive with user input and never pass untrusted/unfiltered parameters to express functions.
I believe we are undecided if it is really a security issue after investigation. And even if we were, we would not disclose information about it until we had a patch.
937366b to 009a03b
Plan to release it on Nov 06
What's included in the HISTORY.md
What's Changed
Full Changelog: 4.21.1...4.x