
Release: 4.21.2 #6094

Merged
merged 1 commit into from
Dec 5, 2024

Conversation

UlisesGascon
Member

@UlisesGascon UlisesGascon commented Oct 29, 2024

Plan to release it on Nov 06

What's included in the HISTORY.md

  • deps: path-to-regexp@0.1.12
    • fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

What's Changed

Full Changelog: 4.21.1...4.x

@UlisesGascon UlisesGascon self-assigned this Oct 29, 2024
@wesleytodd
Member

Same comment as here: expressjs/discussions#228 (comment)

I think we need more eyes on the funding field before we publish. Ideally a change like this would be reviewed by a few members of the TC before landing since it is often considered a sensitive issue.

@NewEraCracker

Just release it. It is Oct 31st.

The funding field is only some metadata npm adds on the package-lock.json for people who install this version.

@UlisesGascon UlisesGascon requested a review from a team November 6, 2024 11:10
@UlisesGascon

This comment was marked as off-topic.

@UlisesGascon
Member Author

We plan to include a security patch too so this release is on hold now

@UlisesGascon UlisesGascon marked this pull request as draft November 7, 2024 10:05
@NewEraCracker

@UlisesGascon

We plan to include a security patch too so this release is on hold now

Can you please disclose how serious (low, medium, high) it is? Does it impact a dependency or express code itself? Can it be sorted by npm overrides?

We are kind of aggressive with user input and never pass untrusted/unfiltered parameters to express functions.
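The thread above asks whether the dependency bump can be handled with npm overrides and notes that package-lock.json records what each install actually resolved. The script below is an added example, not code from the express project or from anyone in this thread: it walks a lockfileVersion 2/3 package-lock.json, reports every nested copy of path-to-regexp older than the 0.1.12 listed in the HISTORY.md entry, and prints the package.json "overrides" block that would pin all copies to that version. The sample lock file, the helper names and the overrides shape used here are assumptions for the demonstration.

```javascript
// Added example (not express project code): audit a package-lock.json for
// copies of path-to-regexp below the version the release notes pin.
const PKG = "path-to-regexp";
const TARGET = "0.1.12"; // version named in the HISTORY.md entry of this PR

// Constructed sample lock file: one outdated top-level copy and one
// already-current nested copy under a hypothetical dependency "some-lib".
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { express: "^4.21.1" } },
    "node_modules/express": { version: "4.21.1" },
    "node_modules/path-to-regexp": { version: "0.1.10" },
    "node_modules/some-lib/node_modules/path-to-regexp": { version: "0.1.12" },
  },
};

// Compare dotted numeric versions ("0.1.10" vs "0.1.12"); returns -1, 0 or 1.
// Prerelease tags are not handled, which is fine for the 0.1.x line here.
function compareVersions(a, b) {
  const pa = String(a).split(".").map(Number);
  const pb = String(b).split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every lock entry for `pkgName` whose version is below `target`.
// Matching on the "node_modules/<name>" suffix catches nested copies too.
function findOutdated(lock, pkgName, target) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${pkgName}`)) continue;
    if (!entry.version) continue;
    if (compareVersions(entry.version, target) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// The package.json fragment that pins every copy of `pkgName` (assumed usage
// of npm's "overrides" field; verify against your npm version's docs).
function overridesFor(pkgName, target) {
  return { overrides: { [pkgName]: target } };
}

function main() {
  // Pass a real package-lock.json path as the first argument to audit it;
  // otherwise the constructed sample is used.
  let lock = SAMPLE_LOCK;
  if (process.argv[2]) {
    lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  }
  const outdated = findOutdated(lock, PKG, TARGET);
  if (outdated.length === 0) {
    console.log(`all copies of ${PKG} are >= ${TARGET}`);
    return;
  }
  for (const hit of outdated) {
    console.log(`${hit.path}: ${hit.version} < ${TARGET}`);
  }
  console.log("suggested package.json fragment:");
  console.log(JSON.stringify(overridesFor(PKG, TARGET), null, 2));
}

if (typeof require !== "undefined" && require.main === module) main();
```

After applying an override, rerun the script against the regenerated lock file; an override only takes effect once npm has rewritten package-lock.json, so the lock file rather than package.json is the thing to check.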

@wesleytodd
Copy link
Member

wesleytodd commented Nov 8, 2024

I believe we are undecided if it is really a security issue after investigation. And even if we were we would not disclose information about it until we had a patch.

Signed-off-by: Ulises Gascon <ulisesgascongonzalez@gmail.com>
@jonchurch jonchurch marked this pull request as ready for review December 5, 2024 22:21
@jonchurch jonchurch merged commit 1faf228 into 4.x Dec 5, 2024
47 checks passed