The 4.18.3 patch release includes the following bug fix:
Fix routing requests without method. (commit)
For a complete list of changes in this release, see History.md
The 4.18.2 patch release includes the following bug fix:
Fix regression routing a large stack in a single route. (commit)
For a complete list of changes in this release, see History.md
The 4.18.1 patch release includes the following bug fix:
Fix the condition where if an Express application is created with a very large stack of routes, and all of those routes are sync (call next()
synchronously), then the request processing may hang.
For a complete list of changes in this release, see History.md.
The 4.18.0 minor release includes bug fixes and some new features, including:
The app.get()
method and the app.set()
method now ignores properties directly on Object.prototype
when getting a setting value.
The res.cookie()
method now accepts a “priority” option to set the Priority attribute on the Set-Cookie response header.
The res.cookie()
method now rejects an Invalid Date object provided as the “expires” option.
The res.cookie()
method now works when null
or undefined
is explicitly provided as the “maxAge” argument.
Starting with this version, Express supports Node.js 18.x.
The res.download()
method now accepts a “root” option to match res.sendFile()
.
The res.download()
method can be supplied with an options
object without providing a filename
argument, simplifying calls when the default filename
is desired.
The res.format()
method now invokes the provided “default” handler with the same arguments as the type handlers (req
, res
, and next
).
The res.send()
method will not attempt to send a response body when the response code is set to 205.
The default error handler will now remove certain response headers that will break the error response rendering, if they were set previously.
The status code 425 is now represented as the standard “Too Early” instead of “Unordered Collection”.
For a complete list of changes in this release, see History.md.
The 4.17.3 patch release includes one bug fix:
Update to qs module for a fix around parsing __proto__
properties.
For a complete list of changes in this release, see History.md.
The 4.17.2 patch release includes the following bug fixes:
Fix handling of undefined
in res.jsonp
when a callback is provided.
Fix handling of undefined
in res.json
and res.jsonp
when "json escape"
is enabled.
Fix handling of invalid values to the maxAge
option of res.cookie()
.
Update to jshttp/proxy-addr module to use req.socket
over deprecated req.connection
.
Starting with this version, Express supports Node.js 14.x.
For a complete list of changes in this release, see History.md.
The 4.17.1 patch release includes one bug fix:
The change to the res.status()
API has been reverted due to causing regressions in existing Express 4 applications.
For a complete list of changes in this release, see History.md.
The 4.17.0 minor release includes bug fixes and some new features, including:
The express.raw()
and express.text()
middleware have been added to provide request body parsing for more raw request payloads. This uses the expressjs/body-parser module module underneath, so apps that are currently requiring the module separately can switch to the built-in parsers.
The res.cookie()
API now supports the "none"
value for the sameSite
option.
When the "trust proxy"
setting is enabled, the req.hostname
now supports multiple X-Forwarded-For
headers in a request.
Starting with this version, Express supports Node.js 10.x and 12.x.
The res.sendFile()
API now provides and more immediate and easier to understand error when a non-string is passed as the path
argument.
The res.status()
API now provides and more immediate and easier to understand error when null
or undefined
is passed as the argument.
For a complete list of changes in this release, see History.md.
The 4.16.4 patch release includes various bug fixes:
Fix issue where "Request aborted"
may be logged in res.sendfile
.
For a complete list of changes in this release, see History.md.
The 4.16.3 patch release includes various bug fixes:
Fix issue where a plain %
at the end of the url in the res.location
method or the res.redirect
method would not get encoded as %25
.
Fix issue where a blank req.url
value can result in a thrown error within the default 404 handling.
Fix the generated HTML document for express.static
redirect responses to properly include </html>
.
For a complete list of changes in this release, see History.md.
The 4.16.2 patch release includes a regression bug fix:
Fix a TypeError
that can occur in the res.send
method when a Buffer
is passed to res.send
and the ETag
header is already set on the response.
For a complete list of changes in this release, see History.md.
The 4.16.1 patch release includes a regression bug fix:
Update to pillarjs/send module to fix an edge case scenario regression that affected certain users of express.static
.
For a complete list of changes in this release, see History.md.
The 4.16.0 minor release includes security updates, bug fixes, performance enhancements, and some new features, including:
Update to jshttp/forwarded module to address a vulnerability. This may affect your application if the following APIs are used: req.host
, req.hostname
, req.ip
, req.ips
, req.protocol
.
Update a dependency of the pillarjs/send module to address a vulnerability in the mime
dependency. This may affect your application if untrusted string input is passed to the following APIs: res.type()
.
The pillarjs/send module has implemented a protection against the Node.js 8.5.0 vulnerability. Using any prior version of Express with Node.js 8.5.0 (that specific Node.js version) will make the following APIs vulnerable: express.static
, res.sendfile
, and res.sendFile
.
Starting with this version, Express supports Node.js 8.x.
The new setting "json escape"
can be enabled to escape characters in res.json()
, res.jsonp()
and res.send()
responses that can trigger clients to sniff the response as HTML instead of honoring the Content-Type
. This can help protect an Express app from a class of persistent XSS-based attacks.
The res.download()
method now accepts an optional options
object.
The express.json()
and express.urlencoded()
middleware have been added to provide request body parsing support out-of-the-box. This uses the expressjs/body-parser module module underneath, so apps that are currently requiring the module separately can switch to the built-in parsers.
The express.static()
middleware and res.sendFile()
method now support setting the immutable
directive on the Cache-Control
header. Setting this header with an appropriate maxAge
will prevent supporting web browsers from sending any request to the server when the file is still in their cache.
The pillarjs/send module has an updated list of MIME types to better set the Content-Type
of more files. There are 70 new types for file extensions.
For a complete list of changes in this release, see History.md.
The 4.15.5 patch release includes security updates, some minor performance enhancements, and a bug fix:
Update to debug module to address a vulnerability, but this issue does not impact Express.
Update to jshttp/fresh module to address a vulnerability. This will affect your application if the following APIs are used: express.static
, req.fresh
, res.json
, res.jsonp
, res.send
, res.sendfile
res.sendFile
, res.sendStatus
.
Update to jshttp/fresh module fixes handling of modified headers with invalid dates and makes parsing conditional headers (like If-None-Match
) faster.
For a complete list of changes in this release, see History.md.
The 4.15.4 patch release includes some minor bug fixes:
Fix array being set for "trust proxy"
value being manipulated in certain conditions.
For a complete list of changes in this release, see History.md.
The 4.15.3 patch release includes a security update and some minor bug fixes:
Update a dependency of the pillarjs/send module to address a vulnerability. This may affect your application if untrusted string input is passed to the maxAge
option in the following APIs: express.static
, res.sendfile
, and res.sendFile
.
Fix error when res.set
cannot add charset to Content-Type
.
Fix missing </html>
in HTML document.
For a complete list of changes in this release, see History.md.
The 4.15.2 patch release includes a minor bug fix:
Fix regression parsing keys starting with [
in the extended (default) query parser.
For a complete list of changes in this release, see History.md.
The 4.15.1 patch release includes a minor bug fix:
Fix compatibility issue when using the datejs 1.x library where the express.static()
middleware and res.sendFile()
method would incorrectly respond with 412 Precondition Failed.
For a complete list of changes in this release, see History.md.
The 4.15.0 minor release includes bug fixes, performance improvements, and other minor feature additions, including:
Starting with this version, Express supports Node.js 7.x.
The express.static()
middleware and res.sendFile()
method now support the If-Match
and If-Unmodified-Since
request headers.
Update to jshttp/etag module to generate the default ETags for responses which work when Node.js has FIPS-compliant crypto enabled.
Various auto-generated HTML responses like the default not found and error handlers will respond with complete HTML 5 documents and additional security headers.
For a complete list of changes in this release, see History.md.
The 4.14.1 patch release includes bug fixes and performance improvements, including:
Update to pillarjs/finalhandler module fixes an exception when Express handles an Error
object which has a headers
property that is not an object.
For a complete list of changes in this release, see History.md.
The 4.14.0 minor release includes bug fixes, security update, performance improvements, and other minor feature additions, including:
Starting with this version, Express supports Node.js 6.x.
Update to jshttp/negotiator module fixes a regular expression denial of service vulnerability.
The res.sendFile()
method now accepts two new options: acceptRanges
and cacheControl
.
acceptRanges
(defaut is true
), enables or disables accepting ranged requests. When disabled, the response does not send the Accept-Ranges
header and ignores the contents of the Range
request header.
cacheControl
, (default is true
), enables or disables the Cache-Control
response header. Disabling it will ignore the maxAge
option.
res.sendFile
has also been updated to handle Range
header and redirections better.
The res.location()
method and res.redirect()
method will now URL-encode the URL string, if it is not already encoded.
The performance of the res.json()
method and res.jsonp()
method have been improved in the common cases.
The jshttp/cookie module (in addition to a number of other improvements) has been updated and now the res.cookie()
method supports the sameSite
option to let you specify the SameSite cookie attribute. NOTE: This attribute has not yet been fully standardized, may change in the future, and many clients may ignore it.
The possible value for the sameSite
option are:
true
, which sets the SameSite
attribute to Strict
for strict same site enforcement.false
, which does not set the SameSite
attribute.'lax'
, which sets the SameSite
attribute to Lax
for lax same site enforcement.'strict'
, which sets the SameSite
attribute to Strict
for strict same site enforcement.Absolute path checking on Windows, which was incorrect for some cases, has been fixed.
IP address resolution with proxies has been greatly improved.
The req.range()
method options object now supports a combine
option (false
by default), which when true
, combines overlapping and adjacent ranges and returns them as if they were specified that way in the header.
For a complete list of changes in this release, see History.md.