[Snyk] Upgrade express from 3.4.8 to 4.17.1

[snyk-bot]

Snyk has created this PR to upgrade express from 3.4.8 to 4.17.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

Warning: This is a major version upgrade, and may be a breaking change.

• The recommended version is 143 versions ahead of your current version.
• The recommended version was released 9 months ago, on 2019-05-26.

The recommended version fixes:

Severity	Issue	Exploit Maturity
	Prototype Override Protection Bypass npm:qs:20170213	No Known Exploit
	Denial of Service (Memory Exhaustion) npm:qs:20140806	No Known Exploit
	Regular Expression Denial of Service (DoS) npm:negotiator:20160616	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	No Known Exploit
	Root Path Disclosure npm:send:20151103	No Known Exploit
	Directory Traversal npm:send:20140912	No Known Exploit
	Denial of Service (Event Loop Blocking) npm:qs:20140806-1	No Known Exploit
	Cross-site Scripting (XSS) npm:express:20140912	No Known Exploit
	Non-Constant Time String Comparison npm:cookie-signature:20160804	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	No Known Exploit

Release notes

Package name: express

• 4.17.1 - 2019-05-26
  
  • Revert "Improve error message for null/undefined to res.status"
• 4.17.0 - 2019-05-17
  
  • Add express.raw to parse bodies into Buffer
  • Add express.text to parse bodies into string
  • Improve error message for non-strings to res.sendFile
  • Improve error message for null/undefined to res.status
  • Support multiple hosts in X-Forwarded-Host
  • deps: accepts@~1.3.7
  • deps: body-parser@1.19.0
    • Add encoding MIK
    • Add petabyte (pb) support
    • Fix parsing array brackets after index
    • deps: bytes@3.1.0
    • deps: http-errors@1.7.2
    • deps: iconv-lite@0.4.24
    • deps: qs@6.7.0
    • deps: raw-body@2.4.0
    • deps: type-is@~1.6.17
  • deps: content-disposition@0.5.3
  • deps: cookie@0.4.0
    • Add SameSite=None support
  • deps: finalhandler@~1.1.2
    • Set stricter Content-Security-Policy header
    • deps: parseurl@~1.3.3
    • deps: statuses@~1.5.0
  • deps: parseurl@~1.3.3
  • deps: proxy-addr@~2.0.5
    • deps: ipaddr.js@1.9.0
  • deps: qs@6.7.0
    • Fix parsing array brackets after index
  • deps: range-parser@~1.2.1
  • deps: send@0.17.1
    • Set stricter CSP header in redirect & error responses
    • deps: http-errors@~1.7.2
    • deps: mime@1.6.0
    • deps: ms@2.1.1
    • deps: range-parser@~1.2.1
    • deps: statuses@~1.5.0
    • perf: remove redundant path.normalize call
  • deps: serve-static@1.14.1
    • Set stricter CSP header in redirect response
    • deps: parseurl@~1.3.3
    • deps: send@0.17.1
  • deps: setprototypeof@1.1.1
  • deps: statuses@~1.5.0
    • Add 103 Early Hints
  • deps: type-is@~1.6.18
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type
• 4.16.4 - 2018-10-11
  
  • Fix issue where "Request aborted" may be logged in res.sendfile
  • Fix JSDoc for Router constructor
  • deps: body-parser@1.18.3
    • Fix deprecation warnings on Node.js 10+
    • Fix stack trace for strict json parse error
    • deps: depd@~1.1.2
    • deps: http-errors@~1.6.3
    • deps: iconv-lite@0.4.23
    • deps: qs@6.5.2
    • deps: raw-body@2.3.3
    • deps: type-is@~1.6.16
  • deps: proxy-addr@~2.0.4
    • deps: ipaddr.js@1.8.0
  • deps: qs@6.5.2
  • deps: safe-buffer@5.1.2
• 4.16.3 - 2018-03-12
  
  • deps: accepts@~1.3.5
    • deps: mime-types@~2.1.18
  • deps: depd@~1.1.2
    • perf: remove argument reassignment
  • deps: encodeurl@~1.0.2
    • Fix encoding % as last character
  • deps: finalhandler@1.1.1
    • Fix 404 output for bad / missing pathnames
    • deps: encodeurl@~1.0.2
    • deps: statuses@~1.4.0
  • deps: proxy-addr@~2.0.3
    • deps: ipaddr.js@1.6.0
  • deps: send@0.16.2
    • Fix incorrect end tag in default error & redirects
    • deps: depd@~1.1.2
    • deps: encodeurl@~1.0.2
    • deps: statuses@~1.4.0
  • deps: serve-static@1.13.2
    • Fix incorrect end tag in redirects
    • deps: encodeurl@~1.0.2
    • deps: send@0.16.2
  • deps: statuses@~1.4.0
  • deps: type-is@~1.6.16
    • deps: mime-types@~2.1.18
• 4.16.2 - 2017-10-10
  
  • Fix TypeError in res.send when given Buffer and ETag header set
  • perf: skip parsing of entire X-Forwarded-Proto header
• 4.16.1 - 2017-09-29
  
  • deps: send@0.16.1
  • deps: serve-static@1.13.1
    • Fix regression when root is incorrectly set to a file
    • deps: send@0.16.1
• 4.16.0 - 2017-09-28
  
  • Add "json escape" setting for res.json and res.jsonp
  • Add express.json and express.urlencoded to parse bodies
  • Add options argument to res.download
  • Improve error message when autoloading invalid view engine
  • Improve error messages when non-function provided as middleware
  • Skip Buffer encoding when not generating ETag for small response
  • Use safe-buffer for improved Buffer API
  • deps: accepts@~1.3.4
    • deps: mime-types@~2.1.16
  • deps: content-type@~1.0.4
    • perf: remove argument reassignment
    • perf: skip parameter parsing when no parameters
  • deps: etag@~1.8.1
    • perf: replace regular expression with substring
  • deps: finalhandler@1.1.0
    • Use res.headersSent when available
  • deps: parseurl@~1.3.2
    • perf: reduce overhead for full URLs
    • perf: unroll the "fast-path" RegExp
  • deps: proxy-addr@~2.0.2
    • Fix trimming leading / trailing OWS in X-Forwarded-For
    • deps: forwarded@~0.1.2
    • deps: ipaddr.js@1.5.2
    • perf: reduce overhead when no X-Forwarded-For header
  • deps: qs@6.5.1
    • Fix parsing & compacting very deep objects
  • deps: send@0.16.0
    • Add 70 new types for file extensions
    • Add immutable option
    • Fix missing </html> in default error & redirects
    • Set charset as "UTF-8" for .js and .json
    • Use instance methods on steam to check for listeners
    • deps: mime@1.4.1
    • perf: improve path validation speed
  • deps: serve-static@1.13.0
    • Add 70 new types for file extensions
    • Add immutable option
    • Set charset as "UTF-8" for .js and .json
    • deps: send@0.16.0
  • deps: setprototypeof@1.1.0
  • deps: utils-merge@1.0.1
  • deps: vary@~1.1.2
    • perf: improve header token parsing speed
  • perf: re-use options object when generating ETags
  • perf: remove dead .charset set in res.jsonp
• 4.15.5 - 2017-09-25
  
  • deps: debug@2.6.9
  • deps: finalhandler@~1.0.6
    • deps: debug@2.6.9
    • deps: parseurl@~1.3.2
  • deps: fresh@0.5.2
    • Fix handling of modified headers with invalid dates
    • perf: improve ETag match loop
    • perf: improve If-None-Match token parsing
  • deps: send@0.15.6
    • Fix handling of modified headers with invalid dates
    • deps: debug@2.6.9
    • deps: etag@~1.8.1
    • deps: fresh@0.5.2
    • perf: improve If-Match token parsing
  • deps: serve-static@1.12.6
    • deps: parseurl@~1.3.2
    • deps: send@0.15.6
    • perf: improve slash collapsing
• 4.15.4 - 2017-08-07
• 4.15.3 - 2017-05-17
• 4.15.2 - 2017-03-06
• 4.15.1 - 2017-03-06
• 4.15.0 - 2017-03-01
• 4.14.1 - 2017-01-28
• 4.14.0 - 2016-06-16
• 4.13.4 - 2016-01-22
• 4.13.3 - 2015-08-03
• 4.13.2 - 2015-07-31
• 4.13.1 - 2015-07-06
• 4.13.0 - 2015-06-21
• 4.12.4 - 2015-05-18
• 4.12.3 - 2015-03-17
• 4.12.2 - 2015-03-03
• 4.12.1 - 2015-03-02
• 4.12.0 - 2015-02-23
• 4.11.2 - 2015-02-01
• 4.11.1 - 2015-01-21
• 4.11.0 - 2015-01-14
• 4.10.8 - 2015-01-13
• 4.10.7 - 2015-01-05
• 4.10.6 - 2014-12-13
• 4.10.5 - 2014-12-11
• 4.10.4 - 2014-11-25
• 4.10.3 - 2014-11-24
• 4.10.2 - 2014-11-10
• 4.10.1 - 2014-10-29
• 4.10.0 - 2014-10-24
• 4.9.8 - 2014-10-18
• 4.9.7 - 2014-10-10
• 4.9.6 - 2014-10-09
• 4.9.5 - 2014-09-25
• 4.9.4 - 2014-09-20
• 4.9.3 - 2014-09-18
• 4.9.2 - 2014-09-18
• 4.9.1 - 2014-09-17
• 4.9.0 - 2014-09-09
• 4.8.8 - 2014-09-05
• 4.8.7 - 2014-08-30
• 4.8.6 - 2014-08-28
• 4.8.5 - 2014-08-19
• 4.8.4 - 2014-08-15
• 4.8.3 - 2014-08-11
• 4.8.2 - 2014-08-07
• 4.8.1 - 2014-08-06
• 4.8.0 - 2014-08-06
• 4.7.4 - 2014-08-04
• 4.7.3 - 2014-08-04
• 4.7.2 - 2014-07-27
• 4.7.1 - 2014-07-26
• 4.7.0 - 2014-07-26
• 4.6.1 - 2014-07-13
• 4.6.0 - 2014-07-12
• 4.5.1 - 2014-07-06
• 4.5.0 - 2014-07-05
• 4.4.5 - 2014-06-27
• 4.4.4 - 2014-06-20
• 4.4.3 - 2014-06-12
• 4.4.2 - 2014-06-10
• 4.4.1 - 2014-06-03
• 4.4.0 - 2014-05-31
• 4.3.2 - 2014-05-29
• 4.3.1 - 2014-05-23
• 4.3.0 - 2014-05-21
• 4.2.0 - 2014-05-12
• 4.1.2 - 2014-05-08
• 4.1.1 - 2014-04-27
• 4.1.0 - 2014-04-24
• 4.0.0 - 2014-04-09
• 4.0.0-rc4 - 2014-03-25
• 4.0.0-rc3 - 2014-03-12
• 4.0.0-rc2 - 2014-03-05
• 4.0.0-rc1 - 2014-03-02
• 3.21.2 - 2015-07-31
• 3.21.1 - 2015-07-06
• 3.21.0 - 2015-06-19
• 3.20.3 - 2015-05-18
• 3.20.2 - 2015-03-17
• 3.20.1 - 2015-03-01
• 3.20.0 - 2015-02-19
• 3.19.2 - 2015-02-01
• 3.19.1 - 2015-01-21
• 3.19.0 - 2015-01-09
• 3.18.6 - 2014-12-13
• 3.18.5 - 2014-12-12
• 3.18.4 - 2014-11-23
• 3.18.3 - 2014-11-09
• 3.18.2 - 2014-10-29
• 3.18.1 - 2014-10-23
• 3.18.0 - 2014-10-18
• 3.17.8 - 2014-10-16
• 3.17.7 - 2014-10-08
• 3.17.6 - 2014-10-03
• 3.17.5 - 2014-09-24
• 3.17.4 - 2014-09-20
• 3.17.3 - 2014-09-18
• 3.17.2 - 2014-09-16
• 3.17.1 - 2014-09-09
• 3.17.0 - 2014-09-09
• 3.16.10 - 2014-09-05
• 3.16.9 - 2014-08-30
• 3.16.8 - 2014-08-28
• 3.16.7 - 2014-08-19
• 3.16.6 - 2014-08-15
• 3.16.5 - 2014-08-12
• 3.16.4 - 2014-08-11
• 3.16.3 - 2014-08-08
• 3.16.2 - 2014-08-07
• 3.16.1 - 2014-08-06
• 3.16.0 - 2014-08-06
• 3.15.3 - 2014-08-04
• 3.15.2 - 2014-07-27
• 3.15.1 - 2014-07-26
• 3.15.0 - 2014-07-23
• 3.14.0 - 2014-07-11
• 3.13.0 - 2014-07-04
• 3.12.1 - 2014-06-27
• 3.12.0 - 2014-06-22
• 3.11.0 - 2014-06-20
• 3.10.5 - 2014-06-12
• 3.10.4 - 2014-06-09
• 3.10.3 - 2014-06-06
• 3.10.2 - 2014-06-04
• 3.10.1 - 2014-06-03
• 3.10.0 - 2014-06-03
• 3.9.0 - 2014-05-31
• 3.8.1 - 2014-05-28
• 3.8.0 - 2014-05-21
• 3.7.0 - 2014-05-18
• 3.6.0 - 2014-05-09
• 3.5.3 - 2014-05-08
• 3.5.2 - 2014-04-24
• 3.5.1 - 2014-03-25
• 3.5.0 - 2014-03-06
• 3.4.8 - 2014-01-14

from express GitHub release notes

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[//]: # (snyk:metadata:{"dependencies":[{"name":"express","from":"3.4.8","to":"4.17.1"}],"packageManager":"npm","type":"auto","projectUrl":"https://app.snyk.io/org/tjenkinson/project/7361fbd6-c83e-48c9-b7e1-4fd0fa8bd955?utm_source=github&utm_medium=upgrade-pr","projectPublicId":"7361fbd6-c83e-48c9-b7e1-4fd0fa8bd955","env":"prod","prType":"upgrade","vulns":["npm:qs:20170213","npm:qs:20140806","npm:negotiator:20160616","npm:fresh:20170908","npm:send:20151103","npm:send:20140912","npm:qs:20140806-1","npm:express:20140912","npm:cookie-signature:20160804","npm:mime:20170907"],"issuesToFix":[{"issueId":"npm:qs:20170213","severity":"high","title":"Prototype Override Protection Bypass","exploitMaturity":"no-known-exploit"},{"issueId":"npm:qs:20140806","severity":"high","title":"Denial of Service (Memory Exhaustion)","exploitMaturity":"no-known-exploit"},{"issueId":"npm:negotiator:20160616","severity":"high","title":"Regular Expression Denial of Service (DoS)","exploitMaturity":"no-known-exploit"},{"issueId":"npm:fresh:20170908","severity":"high","title":"Regular Expression Denial of Service (ReDoS)","exploitMaturity":"no-known-exploit"},{"issueId":"npm:send:20151103","severity":"medium","title":"Root Path Disclosure","exploitMaturity":"no-known-exploit"},{"issueId":"npm:send:20140912","severity":"medium","title":"Directory Traversal","exploitMaturity":"no-known-exploit"},{"issueId":"npm:qs:20140806-1","severity":"medium","title":"Denial of Service (Event Loop Blocking)","exploitMaturity":"no-known-exploit"},{"issueId":"npm:express:20140912","severity":"medium","title":"Cross-site Scripting (XSS)","exploitMaturity":"no-known-exploit"},{"issueId":"npm:cookie-signature:20160804","severity":"medium","title":"Non-Constant Time String Comparison","exploitMaturity":"no-known-exploit"},{"issueId":"npm:mime:20170907","severity":"low","title":"Regular Expression Denial of Service (ReDoS)","exploitMaturity":"no-known-exploit"}],"upgrade":["npm:qs:20170213","npm:qs:20140806","npm:negotiator:20160616","npm:fresh:20170908","npm:send:20151103","npm:send:20140912","npm:qs:20140806-1","npm:express:20140912","npm:cookie-signature:20160804","npm:mime:20170907"],"upgradeInfo":{"versionsDiff":143,"publishedDate":"2019-05-26T04:25:34.606Z"},"templateVariants":[],"hasFixes":true,"isMajorUpgrade":true,"isBreakingChange":true})