Skip to content

Release: 4.21.2 #6094

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jonchurch merged 1 commit into from
Dec 5, 2024
Merged

Release: 4.21.2 #6094

jonchurch merged 1 commit into from
Dec 5, 2024
+2 −2

Conversation

@UlisesGascon
Copy link
Member

@UlisesGascon UlisesGascon commented Oct 29, 2024
edited by jonchurch
Loading

Plan to release it on Nov 06

What's included in the HISTORY.md

  • deps: path-to-regexp@0.1.12
    • fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

What's Changed

Full Changelog: 4.21.1...4.x
@UlisesGascon UlisesGascon self-assigned this Oct 29, 2024
@wesleytodd
Copy link
Member

wesleytodd commented Oct 29, 2024

Same comment as here: expressjs/discussions#228 (comment)

I think we need more eyes on the funding field before we publish. Ideally a change like this would be reviewed by a few members of the TC before landing since it is often considered a sensitive issue.
@NewEraCracker
Copy link

NewEraCracker commented Oct 31, 2024

Just release it. It is Oct 31st.

The funding field is only some metadata npm adds on the package-lock.json for people who install this version.
@UlisesGascon UlisesGascon requested a review from a team November 6, 2024 11:10
@UlisesGascon

This comment was marked as off-topic.

Sign in to view
@UlisesGascon
Copy link
Member Author

UlisesGascon commented Nov 7, 2024

We plan to include a security patch too so this release is on hold now
@UlisesGascon UlisesGascon marked this pull request as draft November 7, 2024 10:05
@NewEraCracker
Copy link

NewEraCracker commented Nov 8, 2024

@UlisesGascon

We plan to include a security patch too so this release is on hold now

Can you please disclose how serious (low, medium, high) it is? Does it impact a dependency or express code itself? Can it be sorted by npm overrides?

We are kind of aggressive with user input and never pass untrusted/unfiltered parameters to express functions.
@wesleytodd
Copy link
Member

wesleytodd commented Nov 8, 2024
edited
Loading

I believe we are undecided if it is really a security issue after investigation. And even if we were we would not disclose information about it until we had a patch.
@UlisesGascon @jonchurch
4.21.2
009a03b 
Signed-off-by: Ulises Gascon <ulisesgascongonzalez@gmail.com>
@jonchurch jonchurch marked this pull request as ready for review December 5, 2024 22:21
@jonchurch jonchurch merged commit 1faf228 into 4.x Dec 5, 2024
47 checks passed
@MilkaChucky MilkaChucky mentioned this pull request Dec 5, 2024
Merged
@holkeri holkeri mentioned this pull request Dec 6, 2024
Merged
@UlisesGascon UlisesGascon deleted the release/4.21.2 branch December 20, 2024 19:45
@Tobbe Tobbe mentioned this pull request Dec 26, 2024
Merged
This was referenced Aug 15, 2025
Closed
Closed
Closed
Closed
Closed
This was referenced Aug 24, 2025
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

4.x release

6 participants

@UlisesGascon @wesleytodd @NewEraCracker @blakeembrey @jonchurch @bjohansebas