Unleash / unleash / 19849711907
86%
master: 91%

LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran
Jobs 1
Files 1220
Run time 4min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 91.194% (-0.007%) from 91.201%
19849711907

push

github

web-flow 
chore(deps): update dependency express to v4.22.0 [security] (#11059)

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [express](https://expressjs.com/)
([source](https://redirect.github.com/expressjs/express)) | [`4.21.2` ->
`4.22.0`](https://renovatebot.com/diffs/npm/express/4.21.2/4.22.0) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/express/4.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/express/4.21.2/4.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-51999](https://redirect.github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6)

### Impact

when using the extended query parser in express (`'query parser':
'extended'`), the `request.query` object inherits all object prototype
properties, but these properties can be overwritten by query string
parameter keys that match the property names

> [!IMPORTANT]  
> the extended query parser is the default in express 4; this was
changed in express 5 which by default uses the simple query parser

### Patches

the issue has been patched to ensure `request.query` is a plain object
so `request.query` no longer has object prototype properties. this
brings the default behavior of extended query parsing in line with
express's default simple query parser

### Workaround

this only impacts users using extended query parsing (`'query parser':
'extended'`), which is the default in express 4, but not express 5. all
users are encouraged to upgrade to the patched versions, but can
otherwise work around this issue:

#### provide `qs` directly and specify `plainObjects: true`

```js
app.set('query parser',
  function (str) {
    return qs.parse(str, {
      plainObjects: true
  });
});
```

---

### Release Notes

<details>
<summary>expressjs/express (express)</summary>

###
[`v4.22.0`](h... (continued)

7271 of 7322 branches covered (99.3%)

69281 of 75971 relevant lines covered (91.19%)

439.85 hits per line

Uncovered Existing Lines

Lines Coverage File
2
80.47
 0.78% src/lib/features/playground/feature-evaluator/constraint.ts
6
46.9
 -1.03% src/lib/services/email-service.ts
Jobs
ID Job ID Ran Files Coverage
1 19849711907.1 1220
91.19
 GitHub Action Run
Source Files on build 19849711907