- Improved fix for open redirect allow list bypass
- Allow passing non-strings to res.location with new encoding handling checks
- Prevent open redirect allow list bypass due to encodeurl
- deps: [email protected]
- Fix routing requests without method
- deps: [email protected]
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: [email protected]
- deps: [email protected]
- Add
partitioned
option
- Add
- Fix regression routing a large stack in a single route
- deps: [email protected]
- deps: [email protected]
- perf: remove unnecessary object clone
- deps: [email protected]
- Fix hanging on large stack of sync routes
- Add "root" option to
res.download
- Allow
options
withoutfilename
inres.download
- Deprecate string and non-integer arguments to
res.status
- Fix behavior of
null
/undefined
asmaxAge
inres.cookie
- Fix handling very large stacks of sync middleware
- Ignore
Object.prototype
values in settings throughapp.set
/app.get
- Invoke
default
with same arguments as types inres.format
- Support proper 205 responses using
res.send
- Use
http-errors
forres.format
error - deps: [email protected]
- Fix error message for json parse whitespace in
strict
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Fix error message for json parse whitespace in
- deps: [email protected]
- Add
priority
option - Fix
expires
option to reject invalid dates
- Add
- deps: [email protected]
- Replace internal
eval
usage withFunction
constructor - Use instance methods on
process
to check for listeners
- Replace internal
- deps: [email protected]
- Remove set content headers that break response
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Prevent loss of async hooks context
- deps: [email protected]
- deps: [email protected]
- Fix emitted 416 error missing headers property
- Limit the headers removed for 304 response
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Remove code 306
- Rename
425 Unordered Collection
to standard425 Too Early
- deps: accepts@~1.3.8
- deps: mime-types@~2.1.34
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Fix handling of
__proto__
keys
- Fix handling of
- pref: remove unnecessary regexp for trust proxy
- Fix handling of
undefined
inres.jsonp
- Fix handling of
undefined
when"json escape"
is enabled - Fix incorrect middleware execution with unanchored
RegExp
s - Fix
res.jsonp(obj, status)
deprecation message - Fix typo in
res.is
JSDoc - deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.18
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Fix
maxAge
option to reject invalid values
- Fix
- deps: proxy-addr@~2.0.7
- Use
req.socket
over deprecatedreq.connection
- deps: [email protected]
- deps: [email protected]
- Use
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- pref: ignore empty http tokens
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Revert "Improve error message for
null
/undefined
tores.status
"
- Add
express.raw
to parse bodies intoBuffer
- Add
express.text
to parse bodies into string - Improve error message for non-strings to
res.sendFile
- Improve error message for
null
/undefined
tores.status
- Support multiple hosts in
X-Forwarded-Host
- deps: accepts@~1.3.7
- deps: [email protected]
- Add encoding MIK
- Add petabyte (
pb
) support - Fix parsing array brackets after index
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.17
- deps: [email protected]
- deps: [email protected]
- Add
SameSite=None
support
- Add
- deps: finalhandler@~1.1.2
- Set stricter
Content-Security-Policy
header - deps: parseurl@~1.3.3
- deps: statuses@~1.5.0
- Set stricter
- deps: parseurl@~1.3.3
- deps: proxy-addr@~2.0.5
- deps: [email protected]
- deps: [email protected]
- Fix parsing array brackets after index
- deps: range-parser@~1.2.1
- deps: [email protected]
- Set stricter CSP header in redirect & error responses
- deps: http-errors@~1.7.2
- deps: [email protected]
- deps: [email protected]
- deps: range-parser@~1.2.1
- deps: statuses@~1.5.0
- perf: remove redundant
path.normalize
call
- deps: [email protected]
- Set stricter CSP header in redirect response
- deps: parseurl@~1.3.3
- deps: [email protected]
- deps: [email protected]
- deps: statuses@~1.5.0
- Add
103 Early Hints
- Add
- deps: type-is@~1.6.18
- deps: mime-types@~2.1.24
- perf: prevent internal
throw
on invalid type
- Fix issue where
"Request aborted"
may be logged inres.sendfile
- Fix JSDoc for
Router
constructor - deps: [email protected]
- Fix deprecation warnings on Node.js 10+
- Fix stack trace for strict json parse error
- deps: depd@~1.1.2
- deps: http-errors@~1.6.3
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.16
- deps: proxy-addr@~2.0.4
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: accepts@~1.3.5
- deps: mime-types@~2.1.18
- deps: depd@~1.1.2
- perf: remove argument reassignment
- deps: encodeurl@~1.0.2
- Fix encoding
%
as last character
- Fix encoding
- deps: [email protected]
- Fix 404 output for bad / missing pathnames
- deps: encodeurl@~1.0.2
- deps: statuses@~1.4.0
- deps: proxy-addr@~2.0.3
- deps: [email protected]
- deps: [email protected]
- Fix incorrect end tag in default error & redirects
- deps: depd@~1.1.2
- deps: encodeurl@~1.0.2
- deps: statuses@~1.4.0
- deps: [email protected]
- Fix incorrect end tag in redirects
- deps: encodeurl@~1.0.2
- deps: [email protected]
- deps: statuses@~1.4.0
- deps: type-is@~1.6.16
- deps: mime-types@~2.1.18
- Fix
TypeError
inres.send
when givenBuffer
andETag
header set - perf: skip parsing of entire
X-Forwarded-Proto
header
- deps: [email protected]
- deps: [email protected]
- Fix regression when
root
is incorrectly set to a file - deps: [email protected]
- Fix regression when
- Add
"json escape"
setting forres.json
andres.jsonp
- Add
express.json
andexpress.urlencoded
to parse bodies - Add
options
argument tores.download
- Improve error message when autoloading invalid view engine
- Improve error messages when non-function provided as middleware
- Skip
Buffer
encoding when not generating ETag for small response - Use
safe-buffer
for improved Buffer API - deps: accepts@~1.3.4
- deps: mime-types@~2.1.16
- deps: content-type@~1.0.4
- perf: remove argument reassignment
- perf: skip parameter parsing when no parameters
- deps: etag@~1.8.1
- perf: replace regular expression with substring
- deps: [email protected]
- Use
res.headersSent
when available
- Use
- deps: parseurl@~1.3.2
- perf: reduce overhead for full URLs
- perf: unroll the "fast-path"
RegExp
- deps: proxy-addr@~2.0.2
- Fix trimming leading / trailing OWS in
X-Forwarded-For
- deps: forwarded@~0.1.2
- deps: [email protected]
- perf: reduce overhead when no
X-Forwarded-For
header
- Fix trimming leading / trailing OWS in
- deps: [email protected]
- Fix parsing & compacting very deep objects
- deps: [email protected]
- Add 70 new types for file extensions
- Add
immutable
option - Fix missing
</html>
in default error & redirects - Set charset as "UTF-8" for .js and .json
- Use instance methods on steam to check for listeners
- deps: [email protected]
- perf: improve path validation speed
- deps: [email protected]
- Add 70 new types for file extensions
- Add
immutable
option - Set charset as "UTF-8" for .js and .json
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: vary@~1.1.2
- perf: improve header token parsing speed
- perf: re-use options object when generating ETags
- perf: remove dead
.charset
set inres.jsonp
- deps: [email protected]
- deps: finalhandler@~1.0.6
- deps: [email protected]
- deps: parseurl@~1.3.2
- deps: [email protected]
- Fix handling of modified headers with invalid dates
- perf: improve ETag match loop
- perf: improve
If-None-Match
token parsing
- deps: [email protected]
- Fix handling of modified headers with invalid dates
- deps: [email protected]
- deps: etag@~1.8.1
- deps: [email protected]
- perf: improve
If-Match
token parsing
- deps: [email protected]
- deps: parseurl@~1.3.2
- deps: [email protected]
- perf: improve slash collapsing
- deps: [email protected]
- deps: depd@~1.1.1
- Remove unnecessary
Buffer
loading
- Remove unnecessary
- deps: finalhandler@~1.0.4
- deps: [email protected]
- deps: proxy-addr@~1.1.5
- Fix array argument being altered
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: depd@~1.1.1
- deps: http-errors@~1.6.2
- deps: [email protected]
- deps: [email protected]
- Fix error when
res.set
cannot add charset toContent-Type
- deps: [email protected]
- Fix
DEBUG_MAX_ARRAY_LENGTH
- deps: [email protected]
- Fix
- deps: finalhandler@~1.0.3
- Fix missing
</html>
in HTML document - deps: [email protected]
- Fix missing
- deps: proxy-addr@~1.1.4
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.15
- deps: mime-types@~2.1.15
- deps: vary@~1.1.1
- perf: hoist regular expression
- deps: [email protected]
- Fix regression parsing keys starting with
[
- Fix regression parsing keys starting with
- deps: [email protected]
- Fix issue when
Date.parse
does not returnNaN
on invalid date - Fix strict violation in broken environments
- Fix issue when
- deps: [email protected]
- Fix issue when
Date.parse
does not returnNaN
on invalid date - deps: [email protected]
- Fix issue when
- Add debug message when loading view engine
- Add
next("router")
to exit from router - Fix case where
router.use
skipped requests routes did not - Remove usage of
res._headers
private field- Improves compatibility with Node.js 8 nightly
- Skip routing when
req.url
is not set - Use
%o
in path debug to tell types apart - Use
Object.create
to setup request & response prototypes - Use
setprototypeof
module to replace__proto__
setting - Use
statuses
instead ofhttp
module for status messages - deps: [email protected]
- Allow colors in workers
- Deprecated
DEBUG_FD
environment variable set to3
or higher - Fix error when running under React Native
- Use same color for same namespace
- deps: [email protected]
- deps: etag@~1.8.0
- Use SHA1 instead of MD5 for ETag hashing
- Works with FIPS 140-2 OpenSSL configuration
- deps: finalhandler@~1.0.0
- Fix exception when
err
cannot be converted to a string - Fully URL-encode the pathname in the 404
- Only include the pathname in the 404 message
- Send complete HTML document
- Set
Content-Security-Policy: default-src 'self'
header - deps: [email protected]
- Fix exception when
- deps: [email protected]
- Fix false detection of
no-cache
request directive - Fix incorrect result when
If-None-Match
has both*
and ETags - Fix weak
ETag
matching to match spec - perf: delay reading header values until needed
- perf: enable strict mode
- perf: hoist regular expressions
- perf: remove duplicate conditional
- perf: remove unnecessary boolean coercions
- perf: skip checking modified time if ETag check failed
- perf: skip parsing
If-None-Match
when noETag
header - perf: use
Date.parse
instead ofnew Date
- Fix false detection of
- deps: [email protected]
- Fix array parsing from skipping empty values
- Fix compacting nested arrays
- deps: [email protected]
- Fix false detection of
no-cache
request directive - Fix incorrect result when
If-None-Match
has both*
and ETags - Fix weak
ETag
matching to match spec - Remove usage of
res._headers
private field - Support
If-Match
andIf-Unmodified-Since
headers - Use
res.getHeaderNames()
when available - Use
res.headersSent
when available - deps: [email protected]
- deps: etag@~1.8.0
- deps: [email protected]
- deps: http-errors@~1.6.1
- Fix false detection of
- deps: [email protected]
- Fix false detection of
no-cache
request directive - Fix incorrect result when
If-None-Match
has both*
and ETags - Fix weak
ETag
matching to match spec - Remove usage of
res._headers
private field - Send complete HTML document in redirect response
- Set default CSP header in redirect response
- Support
If-Match
andIf-Unmodified-Since
headers - Use
res.getHeaderNames()
when available - Use
res.headersSent
when available - deps: [email protected]
- Fix false detection of
- perf: add fast match path for
*
route - perf: improve
req.ips
performance
- deps: [email protected]
- deps: [email protected]
- Fix exception when
err.headers
is not an object - deps: statuses@~1.3.1
- perf: hoist regular expressions
- perf: remove duplicate validation path
- Fix exception when
- deps: proxy-addr@~1.1.3
- deps: [email protected]
- deps: [email protected]
- deps: http-errors@~1.5.1
- deps: [email protected]
- deps: statuses@~1.3.1
- deps: serve-static@~1.11.2
- deps: [email protected]
- deps: type-is@~1.6.14
- deps: mime-types@~2.1.13
- Add
acceptRanges
option tores.sendFile
/res.sendfile
- Add
cacheControl
option tores.sendFile
/res.sendfile
- Add
options
argument toreq.range
- Includes the
combine
option
- Includes the
- Encode URL in
res.location
/res.redirect
if not already encoded - Fix some redirect handling in
res.sendFile
/res.sendfile
- Fix Windows absolute path check using forward slashes
- Improve error with invalid arguments to
req.get()
- Improve performance for
res.json
/res.jsonp
in most cases - Improve
Range
header handling inres.sendFile
/res.sendfile
- deps: accepts@~1.3.3
- Fix including type extensions in parameters in
Accept
parsing - Fix parsing
Accept
parameters with quoted equals - Fix parsing
Accept
parameters with quoted semicolons - Many performance improvements
- deps: mime-types@~2.1.11
- deps: [email protected]
- Fix including type extensions in parameters in
- deps: content-type@~1.0.2
- perf: enable strict mode
- deps: [email protected]
- Add
sameSite
option - Fix cookie
Max-Age
to never be a floating point number - Improve error message when
encode
is not a function - Improve error message when
expires
is not aDate
- Throw better error for invalid argument to parse
- Throw on invalid values provided to
serialize
- perf: enable strict mode
- perf: hoist regular expression
- perf: use for loop in parse
- perf: use string concatenation for serialization
- Add
- deps: [email protected]
- Change invalid or non-numeric status code to 500
- Overwrite status message to match set status code
- Prefer
err.statusCode
iferr.status
is invalid - Set response headers from
err.headers
object - Use
statuses
instead ofhttp
module for status messages
- deps: proxy-addr@~1.1.2
- Fix accepting various invalid netmasks
- Fix IPv6-mapped IPv4 validation edge cases
- IPv4 netmasks must be contiguous
- IPv6 addresses cannot be used as a netmask
- deps: [email protected]
- deps: [email protected]
- Add
decoder
option inparse
function
- Add
- deps: range-parser@~1.2.0
- Add
combine
option to combine overlapping ranges - Fix incorrectly returning -1 when there is at least one valid range
- perf: remove internal function
- Add
- deps: [email protected]
- Add
acceptRanges
option - Add
cacheControl
option - Attempt to combine multiple ranges into single range
- Correctly inherit from
Stream
class - Fix
Content-Range
header in 416 responses when usingstart
/end
options - Fix
Content-Range
header missing from default 416 responses - Fix redirect error when
path
contains raw non-URL characters - Fix redirect when
path
starts with multiple forward slashes - Ignore non-byte
Range
headers - deps: http-errors@~1.5.0
- deps: range-parser@~1.2.0
- deps: statuses@~1.3.0
- perf: remove argument reassignment
- Add
- deps: serve-static@~1.11.1
- Add
acceptRanges
option - Add
cacheControl
option - Attempt to combine multiple ranges into single range
- Fix redirect error when
req.url
contains raw non-URL characters - Ignore non-byte
Range
headers - Use status code 301 for redirects
- deps: [email protected]
- Add
- deps: type-is@~1.6.13
- Fix type error when given invalid type to match against
- deps: mime-types@~2.1.11
- deps: vary@~1.1.0
- Only accept valid field names in the
field
argument
- Only accept valid field names in the
- perf: use strict equality when possible
- deps: [email protected]
- perf: enable strict mode
- deps: [email protected]
- Throw on invalid values provided to
serialize
- Throw on invalid values provided to
- deps: depd@~1.1.0
- Support web browser loading
- perf: enable strict mode
- deps: escape-html@~1.0.3
- perf: enable strict mode
- perf: optimize string replacement
- perf: use faster string coercion
- deps: [email protected]
- deps: escape-html@~1.0.3
- deps: [email protected]
- perf: enable strict mode
- deps: methods@~1.1.2
- perf: enable strict mode
- deps: parseurl@~1.3.1
- perf: enable strict mode
- deps: proxy-addr@~1.0.10
- deps: [email protected]
- perf: enable strict mode
- deps: range-parser@~1.0.3
- perf: enable strict mode
- deps: [email protected]
- deps: depd@~1.1.0
- deps: destroy@~1.0.4
- deps: escape-html@~1.0.3
- deps: range-parser@~1.0.3
- deps: serve-static@~1.10.2
- deps: escape-html@~1.0.3
- deps: parseurl@~1.3.0
- deps: [email protected]
- Fix infinite loop condition using
mergeParams: true
- Fix inner numeric indices incorrectly altering parent
req.params
- deps: accepts@~1.2.12
- deps: mime-types@~2.1.4
- deps: [email protected]
- perf: enable strict mode
- deps: [email protected]
- Fix regression with escaped round brackets and matching groups
- deps: type-is@~1.6.6
- deps: mime-types@~2.1.4
- deps: accepts@~1.2.10
- deps: mime-types@~2.1.2
- deps: [email protected]
- Fix dropping parameters like
hasOwnProperty
- Fix various parsing edge cases
- Fix dropping parameters like
- deps: type-is@~1.6.4
- deps: mime-types@~2.1.2
- perf: enable strict mode
- perf: remove argument reassignment
- Add settings to debug output
- Fix
res.format
error when onlydefault
provided - Fix issue where
next('route')
inapp.param
would incorrectly skip values - Fix hiding platform issues with
decodeURIComponent
- Only
URIError
s are a 400
- Only
- Fix using
*
before params in routes - Fix using capture groups before params in routes
- Simplify
res.cookie
to callres.append
- Use
array-flatten
module for flattening arrays - deps: accepts@~1.2.9
- deps: mime-types@~2.1.1
- perf: avoid argument reassignment & argument slice
- perf: avoid negotiator recursive construction
- perf: enable strict mode
- perf: remove unnecessary bitwise operator
- deps: [email protected]
- perf: deduce the scope of try-catch deopt
- perf: remove argument reassignments
- deps: [email protected]
- deps: etag@~1.7.0
- Always include entity length in ETags for hash length extensions
- Generate non-Stats ETags using MD5 only (no longer CRC32)
- Improve stat performance by removing hashing
- Improve support for JXcore
- Remove base64 padding in ETags to shorten
- Support "fake" stats objects in environments without fs
- Use MD5 instead of MD4 in weak ETags over 1KB
- deps: [email protected]
- Fix a false-positive when unpiping in Node.js 0.8
- Support
statusCode
property onError
objects - Use
unpipe
module for unpiping requests - deps: [email protected]
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove argument reassignment
- deps: [email protected]
- Add weak
ETag
matching support
- Add weak
- deps: on-finished@~2.3.0
- Add defined behavior for HTTP
CONNECT
requests - Add defined behavior for HTTP
Upgrade
requests - deps: [email protected]
- Add defined behavior for HTTP
- deps: [email protected]
- deps: [email protected]
- Allow Node.js HTTP server to set
Date
response header - Fix incorrectly removing
Content-Location
on 304 response - Improve the default redirect response headers
- Send appropriate headers on default error response
- Use
http-errors
for standard emitted errors - Use
statuses
instead ofhttp
module for status messages - deps: [email protected]
- deps: etag@~1.7.0
- deps: [email protected]
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove unnecessary array allocations
- Allow Node.js HTTP server to set
- deps: serve-static@~1.10.0
- Add
fallthrough
option - Fix reading options from options prototype
- Improve the default redirect response headers
- Malformed URLs now
next()
instead of 400 - deps: [email protected]
- deps: [email protected]
- perf: enable strict mode
- perf: remove argument reassignment
- Add
- deps: type-is@~1.6.3
- deps: mime-types@~2.1.1
- perf: reduce try block size
- perf: remove bitwise operations
- perf: enable strict mode
- perf: isolate
app.render
try block - perf: remove argument reassignments in application
- perf: remove argument reassignments in request prototype
- perf: remove argument reassignments in response prototype
- perf: remove argument reassignments in routing
- perf: remove argument reassignments in
View
- perf: skip attempting to decode zero length string
- perf: use saved reference to
http.STATUS_CODES
- deps: accepts@~1.2.7
- deps: mime-types@~2.0.11
- deps: [email protected]
- deps: debug@~2.2.0
- deps: [email protected]
- deps: depd@~1.0.1
- deps: etag@~1.6.0
- Improve support for JXcore
- Support "fake" stats objects in environments without
fs
- deps: [email protected]
- deps: debug@~2.2.0
- deps: on-finished@~2.2.1
- deps: on-finished@~2.2.1
- Fix
isFinished(req)
when data buffered
- Fix
- deps: proxy-addr@~1.0.8
- deps: [email protected]
- deps: [email protected]
- Fix allowing parameters like
constructor
- deps: [email protected]
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: etag@~1.6.0
- deps: [email protected]
- deps: on-finished@~2.2.1
- deps: serve-static@~1.9.3
- deps: [email protected]
- deps: type-is@~1.6.2
- deps: mime-types@~2.0.11
- deps: accepts@~1.2.5
- deps: mime-types@~2.0.10
- deps: debug@~2.1.3
- Fix high intensity foreground color for bold
- deps: [email protected]
- deps: [email protected]
- deps: debug@~2.1.3
- deps: proxy-addr@~1.0.7
- deps: [email protected]
- deps: [email protected]
- Fix error when parameter
hasOwnProperty
is present
- Fix error when parameter
- deps: [email protected]
- Throw errors early for invalid
extensions
orindex
options - deps: debug@~2.1.3
- Throw errors early for invalid
- deps: serve-static@~1.9.2
- deps: [email protected]
- deps: type-is@~1.6.1
- deps: mime-types@~2.0.10
- Fix regression where
"Request aborted"
is logged usingres.sendFile
- Fix constructing application with non-configurable prototype properties
- Fix
ECONNRESET
errors fromres.sendFile
usage - Fix
req.host
when using "trust proxy" hops count - Fix
req.protocol
/req.secure
when using "trust proxy" hops count - Fix wrong
code
on aborted connections fromres.sendFile
- deps: [email protected]
- Fix
"trust proxy"
setting to inherit when app is mounted - Generate
ETag
s for all request responses- No longer restricted to only responses for
GET
andHEAD
requests
- No longer restricted to only responses for
- Use
content-type
to parseContent-Type
headers - deps: accepts@~1.2.4
- Fix preference sorting to be stable for long acceptable lists
- deps: mime-types@~2.0.9
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Always read the stat size from the file
- Fix mutating passed-in
options
- deps: [email protected]
- deps: serve-static@~1.9.1
- deps: [email protected]
- deps: type-is@~1.6.0
- fix argument reassignment
- fix false-positives in
hasBody
Transfer-Encoding
check - support wildcard for both type and subtype (
*/*
) - deps: mime-types@~2.0.9
- Fix
res.redirect
double-callingres.end
forHEAD
requests - deps: accepts@~1.2.3
- deps: mime-types@~2.0.8
- deps: proxy-addr@~1.0.6
- deps: [email protected]
- deps: type-is@~1.5.6
- deps: mime-types@~2.0.8
- deps: [email protected]
- Fix root path disclosure
- deps: serve-static@~1.8.1
- Fix redirect loop in Node.js 0.11.14
- Fix root path disclosure
- deps: [email protected]
- Add
res.append(field, val)
to append headers - Deprecate leading
:
inname
forapp.param(name, fn)
- Deprecate
req.param()
-- usereq.params
,req.body
, orreq.query
instead - Deprecate
app.param(fn)
- Fix
OPTIONS
responses to include theHEAD
method properly - Fix
res.sendFile
not always detecting aborted connection - Match routes iteratively to prevent stack overflows
- deps: accepts@~1.2.2
- deps: mime-types@~2.0.7
- deps: [email protected]
- deps: [email protected]
- deps: debug@~2.1.1
- deps: etag@~1.5.1
- deps: [email protected]
- deps: on-finished@~2.2.0
- deps: serve-static@~1.8.0
- deps: [email protected]
- Fix crash from error within
OPTIONS
response handler - deps: proxy-addr@~1.0.5
- deps: [email protected]
- Fix
Allow
header forOPTIONS
to not contain duplicate methods - Fix incorrect "Request aborted" for
res.sendFile
whenHEAD
or 304 - deps: debug@~2.1.1
- deps: [email protected]
- deps: debug@~2.1.1
- deps: on-finished@~2.2.0
- deps: methods@~1.1.1
- deps: on-finished@~2.2.0
- deps: serve-static@~1.7.2
- Fix potential open redirect when mounted at root
- deps: type-is@~1.5.5
- deps: mime-types@~2.0.7
- Fix exception in
req.fresh
/req.stale
without response headers
- Fix
res.send
double-callingres.end
forHEAD
requests - deps: accepts@~1.1.4
- deps: mime-types@~2.0.4
- deps: type-is@~1.5.4
- deps: mime-types@~2.0.4
- Fix
res.sendfile
logging standard write errors
- Fix
res.sendFile
logging standard write errors - deps: etag@~1.5.1
- deps: proxy-addr@~1.0.4
- deps: [email protected]
- deps: [email protected]
- Fix
arrayLimit
behavior
- Fix
- Correctly invoke async router callback asynchronously
- deps: accepts@~1.1.3
- deps: mime-types@~2.0.3
- deps: type-is@~1.5.3
- deps: mime-types@~2.0.3
- Fix handling of URLs containing
://
in the path - deps: [email protected]
- Fix parsing of mixed objects and values
- Add support for
app.set('views', array)
- Views are looked up in sequence in array of directories
- Fix
res.send(status)
to mentionres.sendStatus(status)
- Fix handling of invalid empty URLs
- Use
content-disposition
module forres.attachment
/res.download
- Sends standards-compliant
Content-Disposition
header - Full Unicode support
- Sends standards-compliant
- Use
path.resolve
in view lookup - deps: debug@~2.1.0
- Implement
DEBUG_FD
env variable support
- Implement
- deps: depd@~1.0.0
- deps: etag@~1.5.0
- Improve string performance
- Slightly improve speed for weak ETags over 1KB
- deps: [email protected]
- Terminate in progress response only on error
- Use
on-finished
to determine request status - deps: debug@~2.1.0
- deps: on-finished@~2.1.1
- deps: on-finished@~2.1.1
- Fix handling of pipelined requests
- deps: [email protected]
- Fix parsing of mixed implicit and explicit arrays
- deps: [email protected]
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: etag@~1.5.0
- deps: on-finished@~2.1.1
- deps: serve-static@~1.7.1
- deps: [email protected]
- Fix
res.redirect
body when redirect status specified - deps: accepts@~1.1.2
- Fix error when media type has invalid parameter
- deps: [email protected]
- Fix using same param name in array of paths
- deps: accepts@~1.1.1
- deps: mime-types@~2.0.2
- deps: [email protected]
- deps: serve-static@~1.6.4
- Fix redirect loop when index file serving disabled
- deps: type-is@~1.5.2
- deps: mime-types@~2.0.2
- deps: etag@~1.4.0
- deps: proxy-addr@~1.0.3
- Use
forwarded
npm module
- Use
- deps: [email protected]
- deps: etag@~1.4.0
- deps: serve-static@~1.6.3
- deps: [email protected]
- deps: [email protected]
- Fix issue with object keys starting with numbers truncated
- deps: proxy-addr@~1.0.2
- Fix a global leak when multiple subnets are trusted
- deps: [email protected]
- Fix regression for empty string
path
inapp.use
- Fix
router.use
to accept array of middleware without path - Improve error message for bad
app.use
arguments
- Fix
app.use
to accept array of middleware without path - deps: [email protected]
- deps: etag@~1.3.1
- deps: [email protected]
- deps: [email protected]
- deps: etag@~1.3.1
- deps: range-parser@~1.0.2
- deps: serve-static@~1.6.2
- deps: [email protected]
- Add
res.sendStatus
- Invoke callback for sendfile when client aborts
- Applies to
res.sendFile
,res.sendfile
, andres.download
err
will be populated with request aborted error
- Applies to
- Support IP address host in
req.subdomains
- Use
etag
to generateETag
headers - deps: accepts@~1.1.0
- update
mime-types
- update
- deps: [email protected]
- deps: debug@~2.0.0
- deps: [email protected]
- Set
X-Content-Type-Options: nosniff
header - deps: debug@~2.0.0
- Set
- deps: [email protected]
- deps: [email protected]
- Throw error when parameter format invalid on parse
- deps: [email protected]
- Fix issue where first empty value in array is discarded
- deps: range-parser@~1.0.2
- deps: [email protected]
- Add
lastModified
option - Use
etag
to generateETag
header - deps: debug@~2.0.0
- deps: [email protected]
- Add
- deps: serve-static@~1.6.1
- Add
lastModified
option - deps: [email protected]
- Add
- deps: type-is@~1.5.1
- fix
hasbody
to be true forcontent-length: 0
- deps: [email protected]
- deps: mime-types@~2.0.1
- fix
- deps: vary@~1.0.0
- Accept valid
Vary
header string asfield
- Accept valid
- deps: [email protected]
- Fix a path traversal issue when using
root
- Fix malicious path detection for empty string path
- Fix a path traversal issue when using
- deps: serve-static@~1.5.4
- deps: [email protected]
- deps: [email protected]
- Remove unnecessary cloning
- deps: [email protected]
- Array parsing fix
- Performance improvements
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: serve-static@~1.5.3
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Work around
fd
leak in Node.js 0.10 forfs.ReadStream
- Work around
- deps: serve-static@~1.5.2
- deps: [email protected]
- deps: parseurl@~1.3.0
- deps: [email protected]
- deps: serve-static@~1.5.1
- Fix parsing of weird
req.originalUrl
values - deps: parseurl@~1.3.0
- deps: [email protected]
- Fix parsing of weird
- deps: [email protected]
- Fix parsing array of objects
- fix incorrect deprecation warnings on
res.download
- deps: [email protected]
- Accept urlencoded square brackets
- Accept empty values in implicit array notation
- add
res.sendFile
- accepts a file system path instead of a URL
- requires an absolute path or
root
option specified
- deprecate
res.sendfile
-- useres.sendFile
instead - support mounted app as any argument to
app.use()
- deps: [email protected]
- Complete rewrite
- Limits array length to 20
- Limits object depth to 5
- Limits parameters to 1,000
- deps: [email protected]
- Add
extensions
option
- Add
- deps: serve-static@~1.5.0
- Add
extensions
option - deps: [email protected]
- Add
- fix
res.sendfile
regression for serving directory index files - deps: [email protected]
- Fix incorrect 403 on Windows and Node.js 0.11
- Fix serving index files without root dir
- deps: serve-static@~1.4.4
- deps: [email protected]
- deps: [email protected]
- Fix incorrect 403 on Windows and Node.js 0.11
- deps: serve-static@~1.4.3
- Fix incorrect 403 on Windows and Node.js 0.11
- deps: [email protected]
- deps: [email protected]
- Work-around v8 generating empty stack traces
- deps: [email protected]
- deps: [email protected]
- deps: serve-static@~1.4.2
- deps: [email protected]
- Fix exception when global
Error.stackTraceLimit
is too low
- Fix exception when global
- deps: [email protected]
- deps: [email protected]
- deps: serve-static@~1.4.1
- fix
req.protocol
for proxy-direct connections - configurable query parser with
app.set('query parser', parser)
app.set('query parser', 'extended')
parse with "qs" moduleapp.set('query parser', 'simple')
parse with "querystring" core moduleapp.set('query parser', false)
disable query string parsingapp.set('query parser', true)
enable simple parsing
- deprecate
res.json(status, obj)
-- useres.status(status).json(obj)
instead - deprecate
res.jsonp(status, obj)
-- useres.status(status).jsonp(obj)
instead - deprecate
res.send(status, body)
-- useres.status(status).send(body)
instead - deps: [email protected]
- deps: [email protected]
- Add
TRACE_DEPRECATION
environment variable - Remove non-standard grey color from color output
- Support
--no-deprecation
argument - Support
--trace-deprecation
argument
- Add
- deps: [email protected]
- Respond after request fully read
- deps: [email protected]
- deps: parseurl@~1.2.0
- Cache URLs based on original value
- Remove no-longer-needed URL mis-parse work-around
- Simplify the "fast-path"
RegExp
- deps: [email protected]
- Add
dotfiles
option - Cap
maxAge
value to 1 year - deps: [email protected]
- deps: [email protected]
- Add
- deps: serve-static@~1.4.0
- deps: parseurl@~1.2.0
- deps: [email protected]
- perf: prevent multiple
Buffer
creation inres.send
- fix
subapp.mountpath
regression forapp.use(subapp)
- accept multiple callbacks to
app.use()
- add explicit "Rosetta Flash JSONP abuse" protection
- previous versions are not vulnerable; this is just explicit protection
- catch errors in multiple
req.param(name, fn)
handlers - deprecate
res.redirect(url, status)
-- useres.redirect(status, url)
instead - fix
res.send(status, num)
to sendnum
as json (not error) - remove unnecessary escaping when
res.jsonp
returns JSON response - support non-string
path
inapp.use(path, fn)
- supports array of paths
- supports
RegExp
- router: fix optimization on router exit
- router: refactor location of
try
blocks - router: speed up standard
app.use(fn)
- deps: [email protected]
- Add support for multiple wildcards in namespaces
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- add
CONNECT
- add
- deps: parseurl@~1.1.3
- faster parsing of href-only URLs
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: serve-static@~1.3.2
- deps: parseurl@~1.1.3
- deps: [email protected]
- perf: fix arguments reassign deopt in some
res
methods
- fix routing regression when altering
req.method
- add deprecation message to non-plural
req.accepts*
- add deprecation message to
res.send(body, status)
- add deprecation message to
res.vary()
- add
headers
option tores.sendfile
- use to set headers on successful file transfer
- add
mergeParams
option toRouter
- merges
req.params
from parent routes
- merges
- add
req.hostname
-- correct name for whatreq.host
returns - deprecate things with
depd
module - deprecate
req.host
-- usereq.hostname
instead - fix behavior when handling request without routes
- fix handling when
route.all
is only route - invoke
router.param()
only when route matches - restore
req.params
after invoking router - use
finalhandler
for final response handling - use
media-typer
to alter content-type charset - deps: accepts@~1.0.7
- deps: [email protected]
- Accept string for
maxage
(converted byms
) - Include link in default redirect response
- Accept string for
- deps: serve-static@~1.3.0
- Accept string for
maxAge
(converted byms
) - Add
setHeaders
option - Include HTML link in redirect response
- deps: [email protected]
- Accept string for
- deps: type-is@~1.3.2
- deps: [email protected]
- fix for timing attacks
- fix
res.attachment
Unicode filenames in Safari - fix "trim prefix" debug message in
express:router
- deps: accepts@~1.0.5
- deps: [email protected]
- fix persistence of modified
req.params[name]
fromapp.param()
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Do not throw uncatchable error on file open race condition
- Use
escape-html
for HTML escaping - deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Do not throw uncatchable error on file open race condition
- deps: [email protected]
- fix catching errors from top-level handlers
- use
vary
module forres.vary
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- fix "event emitter leak" warnings
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- fix "event emitter leak" warnings
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Send
max-age
inCache-Control
in correct format
- Send
- deps: [email protected]
- use
escape-html
for escaping - deps: [email protected]
- use
- custom etag control with
app.set('etag', val)
app.set('etag', function(body, encoding){ return '"etag"' })
custom etag generationapp.set('etag', 'weak')
weak tagapp.set('etag', 'strong')
strong etagapp.set('etag', false)
turn offapp.set('etag', true)
standard etag
- mark
res.send
ETag as weak and reduce collisions - update accepts to 1.0.2
- Fix interpretation when header not in request
- update send to 0.4.0
- Calculate ETag with md5 for reduced collisions
- Ignore stream errors after request ends
- deps: [email protected]
- update serve-static to 1.2.0
- Calculate ETag with md5 for reduced collisions
- Ignore stream errors after request ends
- deps: [email protected]
- fix handling of errors from
router.param()
callbacks
- revert "fix behavior of multiple
app.VERB
for the same path"- this caused a regression in the order of route execution
- add
req.baseUrl
to access the path stripped fromreq.url
in routes - fix behavior of multiple
app.VERB
for the same path - fix issue routing requests among sub routers
- invoke
router.param()
only when necessary instead of every match - proper proxy trust with
app.set('trust proxy', trust)
app.set('trust proxy', 1)
trust first hopapp.set('trust proxy', 'loopback')
trust loopback addressesapp.set('trust proxy', '10.0.0.1')
trust single IPapp.set('trust proxy', '10.0.0.1/16')
trust subnetapp.set('trust proxy', '10.0.0.1, 10.0.0.2')
trust listapp.set('trust proxy', false)
turn offapp.set('trust proxy', true)
trust everything
- set proper
charset
inContent-Type
forres.send
- update type-is to 1.2.0
- support suffix matching
- deprecate
app.del()
-- useapp.delete()
instead - deprecate
res.json(obj, status)
-- useres.json(status, obj)
instead- the edge-case
res.json(status, num)
requiresres.status(status).json(num)
- the edge-case
- deprecate
res.jsonp(obj, status)
-- useres.jsonp(status, obj)
instead- the edge-case
res.jsonp(status, num)
requiresres.status(status).jsonp(num)
- the edge-case
- fix
req.next
when inside router instance - include
ETag
header inHEAD
requests - keep previous
Content-Type
forres.jsonp
- support PURGE method
- add
app.purge
- add
router.purge
- include PURGE in
app.all
- add
- update debug to 0.8.0
- add
enable()
method - change from stderr to stdout
- add
- update methods to 1.0.0
- add PURGE
- fix
req.host
for IPv6 literals - fix
res.jsonp
error if callback param is object
- fix package.json to reflect supported node version
- pass options from
res.sendfile
tosend
- preserve casing of headers in
res.header
andres.set
- support unicode file names in
res.attachment
andres.download
- update accepts to 1.0.1
- deps: [email protected]
- update cookie to 0.1.2
- Fix for maxAge == 0
- made compat with expires field
- update send to 0.3.0
- Accept API options in options object
- Coerce option types
- Control whether to generate etags
- Default directory access to 403 when index disabled
- Fix sending files with dots without root set
- Include file path in etag
- Make "Can't set headers after they are sent." catchable
- Send full entity-body for multi range requests
- Set etags to "weak"
- Support "If-Range" header
- Support multiple index paths
- deps: [email protected]
- update serve-static to 1.1.0
- Accept options directly to
send
module - Resolve relative paths at middleware setup
- Use parseurl to parse the URL from request
- deps: [email protected]
- Accept options directly to
- update type-is to 1.1.0
- add non-array values support
- add
multipart
as a shorthand
- remove:
- node 0.8 support
- connect and connect's patches except for charset handling
- express(1) - moved to express-generator
express.createServer()
- it has been deprecated for a long time. Useexpress()
app.configure
- use logic in your own app codeapp.router
- is removedreq.auth
- usebasic-auth
insteadreq.accepted*
- usereq.accepts*()
insteadres.location
- relative URL resolution is removedres.charset
- include the charset in the content type when usingres.set()
- all bundled middleware except
static
- change:
app.route
->app.mountpath
when mounting an express app in another express appjson spaces
no longer enabled by default in developmentreq.accepts*
->req.accepts*s
- i.e.req.acceptsEncoding
->req.acceptsEncodings
req.params
is now an object instead of an arrayres.locals
is no longer a function. It is a plain js object. Treat it as such.res.headerSent
->res.headersSent
to match node.js ServerResponse object
- refactor:
req.accepts*
with acceptsreq.is
with type-is- path-to-regexp
- add:
app.router()
- returns the app Router instanceapp.route()
- Proxy to the app'sRouter#route()
method to create a new route- Router & Route - public API
- deps: [email protected]
- deps: body-parser@~1.13.3
- deps: compression@~1.5.2
- deps: errorhandler@~1.4.2
- deps: method-override@~2.3.5
- deps: serve-index@~1.7.2
- deps: type-is@~1.6.6
- deps: vhost@~3.0.1
- deps: vary@~1.0.1
- Fix setting empty header from empty
field
- perf: enable strict mode
- perf: remove argument reassignments
- Fix setting empty header from empty
- deps: basic-auth@~1.0.3
- deps: [email protected]
- deps: body-parser@~1.13.2
- deps: compression@~1.5.1
- deps: errorhandler@~1.4.1
- deps: morgan@~1.6.1
- deps: [email protected]
- deps: [email protected]
- deps: serve-index@~1.7.1
- deps: type-is@~1.6.4
- deps: [email protected]
- perf: enable strict mode
- perf: hoist regular expression
- perf: parse with regular expressions
- perf: remove argument reassignment
- deps: [email protected]
- deps: body-parser@~1.13.1
- deps: [email protected]
- deps: compression@~1.5.0
- deps: [email protected]
- deps: cookie-parser@~1.3.5
- deps: csurf@~1.8.3
- deps: errorhandler@~1.4.0
- deps: express-session@~1.11.3
- deps: [email protected]
- deps: [email protected]
- deps: morgan@~1.6.0
- deps: serve-favicon@~2.3.0
- deps: serve-index@~1.7.0
- deps: serve-static@~1.10.0
- deps: type-is@~1.6.3
- deps: [email protected]
- perf: deduce the scope of try-catch deopt
- perf: remove argument reassignments
- deps: [email protected]
- deps: etag@~1.7.0
- Always include entity length in ETags for hash length extensions
- Generate non-Stats ETags using MD5 only (no longer CRC32)
- Improve stat performance by removing hashing
- Improve support for JXcore
- Remove base64 padding in ETags to shorten
- Support "fake" stats objects in environments without fs
- Use MD5 instead of MD4 in weak ETags over 1KB
- deps: [email protected]
- Add weak
ETag
matching support
- Add weak
- deps: [email protected]
- Work in global strict mode
- deps: [email protected]
- Allow Node.js HTTP server to set
Date
response header - Fix incorrectly removing
Content-Location
on 304 response - Improve the default redirect response headers
- Send appropriate headers on default error response
- Use
http-errors
for standard emitted errors - Use
statuses
instead ofhttp
module for status messages - deps: [email protected]
- deps: etag@~1.7.0
- deps: [email protected]
- deps: on-finished@~2.3.0
- perf: enable strict mode
- perf: remove unnecessary array allocations
- Allow Node.js HTTP server to set
- deps: [email protected]
- deps: body-parser@~1.12.4
- deps: compression@~1.4.4
- deps: connect-timeout@~1.6.2
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: errorhandler@~1.3.6
- deps: [email protected]
- deps: method-override@~2.3.3
- deps: morgan@~1.5.3
- deps: [email protected]
- deps: response-time@~2.3.1
- deps: serve-favicon@~2.2.1
- deps: serve-index@~1.6.4
- deps: serve-static@~1.9.3
- deps: type-is@~1.6.2
- deps: debug@~2.2.0
- deps: [email protected]
- deps: depd@~1.0.1
- deps: proxy-addr@~1.0.8
- deps: [email protected]
- deps: [email protected]
- deps: debug@~2.2.0
- deps: depd@~1.0.1
- deps: etag@~1.6.0
- deps: [email protected]
- deps: on-finished@~2.2.1
- deps: [email protected]
- deps: body-parser@~1.12.2
- deps: compression@~1.4.3
- deps: connect-timeout@~1.6.1
- deps: debug@~2.1.3
- deps: errorhandler@~1.3.5
- deps: express-session@~1.10.4
- deps: [email protected]
- deps: method-override@~2.3.2
- deps: morgan@~1.5.2
- deps: [email protected]
- deps: serve-index@~1.6.3
- deps: serve-static@~1.9.2
- deps: type-is@~1.6.1
- deps: debug@~2.1.3
- Fix high intensity foreground color for bold
- deps: [email protected]
- deps: [email protected]
- deps: proxy-addr@~1.0.7
- deps: [email protected]
- deps: [email protected]
- Throw errors early for invalid
extensions
orindex
options - deps: debug@~2.1.3
- Throw errors early for invalid
- Fix
req.host
when using "trust proxy" hops count - Fix
req.protocol
/req.secure
when using "trust proxy" hops count
- Fix
"trust proxy"
setting to inherit when app is mounted - Generate
ETag
s for all request responses- No longer restricted to only responses for
GET
andHEAD
requests
- No longer restricted to only responses for
- Use
content-type
to parseContent-Type
headers - deps: [email protected]
- Use
content-type
to parseContent-Type
headers - deps: body-parser@~1.12.0
- deps: compression@~1.4.1
- deps: connect-timeout@~1.6.0
- deps: cookie-parser@~1.3.4
- deps: [email protected]
- deps: csurf@~1.7.0
- deps: errorhandler@~1.3.4
- deps: express-session@~1.10.3
- deps: http-errors@~1.3.1
- deps: response-time@~2.3.0
- deps: serve-index@~1.6.2
- deps: serve-static@~1.9.1
- deps: type-is@~1.6.0
- Use
- deps: [email protected]
- deps: [email protected]
- Always read the stat size from the file
- Fix mutating passed-in
options
- deps: [email protected]
- deps: [email protected]
- deps: compression@~1.3.1
- deps: csurf@~1.6.6
- deps: errorhandler@~1.3.3
- deps: express-session@~1.10.2
- deps: serve-index@~1.6.1
- deps: type-is@~1.5.6
- deps: proxy-addr@~1.0.6
- deps: [email protected]
- deps: [email protected]
- deps: body-parser@~1.10.2
- deps: serve-static@~1.8.1
- deps: [email protected]
- Fix root path disclosure
- Fix
OPTIONS
responses to include theHEAD
method property - Use
readline
for prompt inexpress(1)
- deps: [email protected]
- deps: [email protected]
- deps: body-parser@~1.10.1
- deps: compression@~1.3.0
- deps: connect-timeout@~1.5.0
- deps: csurf@~1.6.4
- deps: debug@~2.1.1
- deps: errorhandler@~1.3.2
- deps: express-session@~1.10.1
- deps: [email protected]
- deps: method-override@~2.3.1
- deps: morgan@~1.5.1
- deps: serve-favicon@~2.2.0
- deps: serve-index@~1.6.0
- deps: serve-static@~1.8.0
- deps: type-is@~1.5.5
- deps: debug@~2.1.1
- deps: methods@~1.1.1
- deps: proxy-addr@~1.0.5
- deps: [email protected]
- deps: [email protected]
- deps: debug@~2.1.1
- deps: etag@~1.5.1
- deps: [email protected]
- deps: on-finished@~2.2.0
- Fix exception in
req.fresh
/req.stale
without response headers
- deps: [email protected]
- deps: compression@~1.2.2
- deps: express-session@~1.9.3
- deps: http-errors@~1.2.8
- deps: serve-index@~1.5.3
- deps: type-is@~1.5.4
- deps: [email protected]
- deps: body-parser@~1.9.3
- deps: compression@~1.2.1
- deps: errorhandler@~1.2.3
- deps: express-session@~1.9.2
- deps: [email protected]
- deps: serve-favicon@~2.1.7
- deps: serve-static@~1.5.1
- deps: type-is@~1.5.3
- deps: etag@~1.5.1
- deps: proxy-addr@~1.0.4
- deps: [email protected]
- deps: [email protected]
- Correctly invoke async callback asynchronously
- deps: csurf@~1.6.3
- deps: [email protected]
- Fix handling of URLs containing
://
in the path - deps: body-parser@~1.9.2
- deps: [email protected]
- Fix handling of URLs containing
- Fix internal
utils.merge
deprecation warnings - deps: [email protected]
- deps: body-parser@~1.9.1
- deps: express-session@~1.9.1
- deps: [email protected]
- deps: morgan@~1.4.1
- deps: [email protected]
- deps: serve-static@~1.7.1
- deps: [email protected]
- deps: on-finished@~2.1.1
- Use
content-disposition
module forres.attachment
/res.download
- Sends standards-compliant
Content-Disposition
header - Full Unicode support
- Sends standards-compliant
- Use
etag
module to generateETag
headers - deps: [email protected]
- Use
http-errors
module for creating errors - Use
utils-merge
module for merging objects - deps: body-parser@~1.9.0
- deps: compression@~1.2.0
- deps: connect-timeout@~1.4.0
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: express-session@~1.9.0
- deps: [email protected]
- deps: method-override@~2.3.0
- deps: morgan@~1.4.0
- deps: response-time@~2.2.0
- deps: serve-favicon@~2.1.6
- deps: serve-index@~1.5.0
- deps: serve-static@~1.7.0
- Use
- deps: debug@~2.1.0
- Implement
DEBUG_FD
env variable support
- Implement
- deps: depd@~1.0.0
- deps: [email protected]
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: etag@~1.5.0
- deps: [email protected]
- deps: compression@~1.1.2
- deps: csurf@~1.6.2
- deps: errorhandler@~1.2.2
- deps: [email protected]
- Fix accepting non-object arguments to
logger
- deps: serve-static@~1.6.4
- Fix accepting non-object arguments to
- deps: [email protected]
- deps: morgan@~1.3.2
- deps: type-is@~1.5.2
- deps: [email protected]
- deps: body-parser@~1.8.4
- deps: serve-favicon@~2.1.5
- deps: serve-static@~1.6.3
- deps: proxy-addr@~1.0.3
- Use
forwarded
npm module
- Use
- deps: [email protected]
- deps: etag@~1.4.0
- deps: [email protected]
- deps: body-parser@~1.8.3
- deps: [email protected]
- deps: proxy-addr@~1.0.2
- Fix a global leak when multiple subnets are trusted
- deps: [email protected]
- Use
crc
instead ofbuffer-crc32
for speed - deps: [email protected]
- deps: body-parser@~1.8.2
- deps: [email protected]
- deps: express-session@~1.8.2
- deps: morgan@~1.3.1
- deps: serve-favicon@~2.1.3
- deps: serve-static@~1.6.2
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: etag@~1.3.1
- deps: range-parser@~1.0.2
- Fix error in
req.subdomains
on empty host
- Support
X-Forwarded-Host
inreq.subdomains
- Support IP address host in
req.subdomains
- deps: [email protected]
- deps: body-parser@~1.8.1
- deps: compression@~1.1.0
- deps: connect-timeout@~1.3.0
- deps: cookie-parser@~1.3.3
- deps: [email protected]
- deps: csurf@~1.6.1
- deps: debug@~2.0.0
- deps: errorhandler@~1.2.0
- deps: express-session@~1.8.1
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: method-override@~2.2.0
- deps: morgan@~1.3.0
- deps: [email protected]
- deps: serve-favicon@~2.1.3
- deps: serve-index@~1.2.1
- deps: serve-static@~1.6.1
- deps: type-is@~1.5.1
- deps: vhost@~3.0.0
- deps: [email protected]
- deps: debug@~2.0.0
- deps: [email protected]
- deps: [email protected]
- Throw error when parameter format invalid on parse
- deps: range-parser@~1.0.2
- deps: [email protected]
- Add
lastModified
option - Use
etag
to generateETag
header - deps: debug@~2.0.0
- deps: [email protected]
- Add
- deps: vary@~1.0.0
- Accept valid
Vary
header string asfield
- Accept valid
- deps: [email protected]
- deps: serve-static@~1.5.4
- deps: [email protected]
- Fix a path traversal issue when using
root
- Fix malicious path detection for empty string path
- Fix a path traversal issue when using
- deps: [email protected]
- deps: body-parser@~1.6.7
- deps: [email protected]
- deps: [email protected]
- deps: body-parser@~1.6.6
- deps: csurf@~1.4.1
- deps: [email protected]
- deps: [email protected]
- deps: body-parser@~1.6.5
- deps: express-session@~1.7.6
- deps: morgan@~1.2.3
- deps: serve-static@~1.5.3
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: body-parser@~1.6.4
- deps: [email protected]
- deps: serve-static@~1.5.2
- deps: [email protected]
- Work around
fd
leak in Node.js 0.10 forfs.ReadStream
- Work around
- deps: [email protected]
- Fix backwards compatibility in
logger
- Fix backwards compatibility in
- Fix original URL parsing in
res.location
- deps: [email protected]
- Fix
query
middleware breaking with argument - deps: body-parser@~1.6.3
- deps: compression@~1.0.11
- deps: connect-timeout@~1.2.2
- deps: express-session@~1.7.5
- deps: method-override@~2.1.3
- deps: on-headers@~1.0.0
- deps: parseurl@~1.3.0
- deps: [email protected]
- deps: response-time@~2.0.1
- deps: serve-index@~1.1.6
- deps: serve-static@~1.5.1
- Fix
- deps: parseurl@~1.3.0
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: body-parser@~1.6.2
- deps: [email protected]
- deps: [email protected]
- deps: body-parser@~1.6.1
- deps: [email protected]
- deps: [email protected]
- deps: body-parser@~1.6.0
- deps: compression@~1.0.10
- deps: csurf@~1.4.0
- deps: express-session@~1.7.4
- deps: [email protected]
- deps: serve-static@~1.5.0
- deps: [email protected]
- Add
extensions
option
- Add
- fix
res.sendfile
regression for serving directory index files - deps: [email protected]
- deps: serve-index@~1.1.5
- deps: serve-static@~1.4.4
- deps: [email protected]
- Fix incorrect 403 on Windows and Node.js 0.11
- Fix serving index files without root dir
- deps: [email protected]
- deps: body-parser@~1.5.2
- deps: [email protected]
- deps: express-session@~1.7.2
- deps: morgan@~1.2.2
- deps: serve-static@~1.4.2
- deps: [email protected]
- Work-around v8 generating empty stack traces
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: body-parser@~1.5.1
- deps: [email protected]
- deps: express-session@~1.7.1
- deps: morgan@~1.2.1
- deps: serve-index@~1.1.4
- deps: serve-static@~1.4.1
- deps: [email protected]
- Fix exception when global
Error.stackTraceLimit
is too low
- Fix exception when global
- deps: [email protected]
- deps: [email protected]
- Fix
req.protocol
for proxy-direct connections - Pass options from
res.sendfile
tosend
- deps: [email protected]
- deps: body-parser@~1.5.0
- deps: compression@~1.0.9
- deps: connect-timeout@~1.2.1
- deps: [email protected]
- deps: [email protected]
- deps: express-session@~1.7.0
- deps: [email protected]
- deps: method-override@~2.1.2
- deps: morgan@~1.2.0
- deps: [email protected]
- deps: parseurl@~1.2.0
- deps: serve-static@~1.4.0
- deps: [email protected]
- deps: [email protected]
- Add
TRACE_DEPRECATION
environment variable - Remove non-standard grey color from color output
- Support
--no-deprecation
argument - Support
--trace-deprecation
argument
- Add
- deps: parseurl@~1.2.0
- Cache URLs based on original value
- Remove no-longer-needed URL mis-parse work-around
- Simplify the "fast-path"
RegExp
- deps: [email protected]
- Add
dotfiles
option - Cap
maxAge
value to 1 year - deps: [email protected]
- deps: [email protected]
- Add
- add explicit "Rosetta Flash JSONP abuse" protection
- previous versions are not vulnerable; this is just explicit protection
- deprecate
res.redirect(url, status)
-- useres.redirect(status, url)
instead - fix
res.send(status, num)
to sendnum
as json (not error) - remove unnecessary escaping when
res.jsonp
returns JSON response - deps: [email protected]
- support empty password
- support empty username
- deps: [email protected]
- deps: [email protected]
- deps: express-session@~1.6.4
- deps: method-override@~2.1.0
- deps: parseurl@~1.1.3
- deps: serve-static@~1.3.1
- deps: [email protected]
- Add support for multiple wildcards in namespaces
- deps: [email protected]
- add
CONNECT
- add
- deps: parseurl@~1.1.3
- faster parsing of href-only URLs
- add deprecation message to
app.configure
- add deprecation message to
req.auth
- use
basic-auth
to parseAuthorization
header - deps: [email protected]
- deps: csurf@~1.3.0
- deps: express-session@~1.6.1
- deps: [email protected]
- deps: serve-static@~1.3.0
- deps: [email protected]
- Accept string for
maxage
(converted byms
) - Include link in default redirect response
- Accept string for
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: express-session@~1.5.2
- deps: type-is@~1.3.2
- deps: [email protected]
- fix for timing attacks
- use
media-typer
to alter content-type charset - deps: [email protected]
- deprecate
connect(middleware)
-- useapp.use(middleware)
instead - deprecate
connect.createServer()
-- useconnect()
instead - fix
res.setHeader()
patch to work with get -> append -> set pattern - deps: compression@~1.0.8
- deps: errorhandler@~1.1.1
- deps: express-session@~1.5.0
- deps: serve-index@~1.1.3
- deprecate
- deprecate things with
depd
module - deps: [email protected]
- deps: [email protected]
- deprecate
verify
option tojson
-- usebody-parser
npm module instead - deprecate
verify
option tourlencoded
-- usebody-parser
npm module instead - deprecate things with
depd
module - use
finalhandler
for final response handling - use
media-typer
to parsecontent-type
for charset - deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deprecate
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Do not throw uncatchable error on file open race condition
- Use
escape-html
for HTML escaping - deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- fix "event emitter leak" warnings
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- fix "event emitter leak" warnings
- deps: [email protected]
- deps: [email protected]
- use
vary
module forres.vary
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deprecate
methodOverride()
-- usemethod-override
npm module instead - deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deprecate
- deps: [email protected]
- deps: [email protected]
- Send
max-age
inCache-Control
in correct format
- Send
- custom etag control with
app.set('etag', val)
app.set('etag', function(body, encoding){ return '"etag"' })
custom etag generationapp.set('etag', 'weak')
weak tagapp.set('etag', 'strong')
strong etagapp.set('etag', false)
turn offapp.set('etag', true)
standard etag
- Include ETag in HEAD requests
- mark
res.send
ETag as weak and reduce collisions - update connect to 2.18.0
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- update send to 0.4.0
- Calculate ETag with md5 for reduced collisions
- Ignore stream errors after request ends
- deps: [email protected]
- update connect to 2.17.3
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- keep previous
Content-Type
forres.jsonp
- set proper
charset
inContent-Type
forres.send
- update connect to 2.17.1
- fix
res.charset
appending charset whencontent-type
has one - deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- fix
- proper proxy trust with
app.set('trust proxy', trust)
app.set('trust proxy', 1)
trust first hopapp.set('trust proxy', 'loopback')
trust loopback addressesapp.set('trust proxy', '10.0.0.1')
trust single IPapp.set('trust proxy', '10.0.0.1/16')
trust subnetapp.set('trust proxy', '10.0.0.1, 10.0.0.2')
trust listapp.set('trust proxy', false)
turn offapp.set('trust proxy', true)
trust everything
- update connect to 2.16.2
- deprecate
res.headerSent
-- useres.headersSent
- deprecate
res.on("header")
-- use on-headers module instead - fix edge-case in
res.appendHeader
that would append in wrong order - json: use body-parser
- urlencoded: use body-parser
- dep: [email protected]
- dep: [email protected]
- dep: [email protected]
- dep: [email protected]
- dep: [email protected]
- deprecate
- deprecate
app.del()
-- useapp.delete()
instead - deprecate
res.json(obj, status)
-- useres.json(status, obj)
instead- the edge-case
res.json(status, num)
requiresres.status(status).json(num)
- the edge-case
- deprecate
res.jsonp(obj, status)
-- useres.jsonp(status, obj)
instead- the edge-case
res.jsonp(status, num)
requiresres.status(status).jsonp(num)
- the edge-case
- support PURGE method
- add
app.purge
- add
router.purge
- include PURGE in
app.all
- add
- update connect to 2.15.0
- Add
res.appendHeader
- Call error stack even when response has been sent
- Patch
res.headerSent
to return Boolean - Patch
res.headersSent
for node.js 0.8 - Prevent default 404 handler after response sent
- dep: [email protected]
- dep: [email protected]
- dep: debug@^0.8.0
- dep: [email protected]
- dep: [email protected]
- dep: [email protected]
- dep: [email protected]
- dep: [email protected]
- Add
- update debug to 0.8.0
- add
enable()
method - change from stderr to stdout
- add
- update methods to 1.0.0
- add PURGE
- update mkdirp to 0.5.0
- fix
req.host
for IPv6 literals - fix
res.jsonp
error if callback param is object
- update connect to 2.14.5
- update cookie to 0.1.2
- update mkdirp to 0.4.0
- update send to 0.3.0
- pin less-middleware in generated app
- bump deps
- prevent incorrect automatic OPTIONS responses #1868 @dpatti
- update binary and examples for jade 1.0 #1876 @yossi, #1877 @reqshark, #1892 @matheusazzi
- throw 400 in case of malformed paths @rlidwka
- update connect
- update connect (raw-body)
- update connect
- res.location: remove leading ./ #1802 @kapouer
- res.redirect: fix `res.redirect('toString') #1829 @michaelficarra
- res.send: always send ETag when content-length > 0
- router: add Router.all() method
- update connect
- update supertest
- update methods
- express(1): replace bodyParser() with urlencoded() and json() #1795 @chirag04
- update connect
- update connect
- downgrade commander
- update connect
- update commander
- jsonp: check if callback is a function
- router: wrap encodeURIComponent in a try/catch #1735 (@lxe)
- res.format: now includes charset @1747 (@sorribas)
- res.links: allow multiple calls @1746 (@sorribas)
- add res.vary(). Closes #1682
- update connect
- update connect
- update connect
- Revert "remove charset from json responses. Closes #1631" (causes issues in some clients)
- add: req.accepts take an argument list
- update send and connect
- update connect
- update connect
- update send
- remove .version export
- update connect
- update connect
- add support for multiple X-Forwarded-Proto values. Closes #1646
- change: remove charset from json responses. Closes #1631
- change: return actual booleans from req.accept* functions
- fix jsonp callback array throw
- update connect
- update connect
- update node-cookie
- add: throw a meaningful error when there is no default engine
- change generation of ETags with res.send() to GET requests only. Closes #1619
- fix
req.subdomains
when no Host is present - fix
req.host
when no Host is present, return undefined
- update connect / qs
- update qs
- add app.VERB() paths array deprecation warning
- update connect
- update qs and remove all ~ semver crap
- fix: accept number as value of Signed Cookie
- add "view" constructor setting to override view behaviour
- add req.acceptsEncoding(name)
- add req.acceptedEncodings
- revert cookie signature change causing session race conditions
- fix sorting of Accept values of the same quality
- add support for custom Accept parameters
- update cookie-signature
- add X-Forwarded-Host support to
req.host
- fix relative redirects
- update mkdirp
- update buffer-crc32
- remove legacy app.configure() method from app template.
- add support for leading "." in "view engine" setting
- add array support to
res.set()
- add node 0.8.x to travis.yml
- add "subdomain offset" setting for tweaking
req.subdomains
- add
res.location(url)
implementingres.redirect()
-like setting of Location - use app.get() for x-powered-by setting for inheritance
- fix colons in passwords for
req.auth
- add http verb methods to Router
- update connect
- fix mangling of the
res.cookie()
options object - fix jsonp whitespace escape. Closes #1132
- add throwing when a non-function is passed to a route
- fix: explicitly remove Transfer-Encoding header from 204 and 304 responses
- revert "add 'etag' option"
- add 'etag' option to disable
res.send()
Etags - add escaping of urls in text/plain in
res.redirect()
for old browsers interpreting as html - change crc32 module for a more liberal license
- update connect
- update connect
- update cookie module
- fix cookie max-age
- add OPTIONS to cors example. Closes #1398
- fix route chaining regression. Closes #1397
- update connect
- add
make clean
- add "Basic" check to req.auth
- add
req.auth
test coverage - add cb && cb(payload) to
res.jsonp()
. Closes #1374 - add backwards compat for
res.redirect()
status. Closes #1336 - add support for
res.json()
to retain previously defined Content-Types. Closes #1349 - update connect
- change
res.redirect()
to utilize a pathname-relative Location again. Closes #1382 - remove non-primitive string support for
res.send()
- fix view-locals example. Closes #1370
- fix route-separation example
- update connect
- add redis search example
- add static-files example
- add "x-powered-by" setting (
app.disable('x-powered-by')
) - add "application/octet-stream" redirect Accept test case. Closes #1317
- add
res.jsonp()
. Closes #1307 - add "verbose errors" option to error-pages example
- add another route example to express(1) so people are not so confused
- add redis online user activity tracking example
- update connect dep
- fix etag quoting. Closes #1310
- fix error-pages 404 status
- fix jsonp callback char restrictions
- remove old OPTIONS default response
- update connect dep
- fix signed cookies to work with
connect.cookieParser()
("s:" prefix was missing) [tnydwrds] - fix
res.render()
clobbering of "locals"
- add CORS example
- update connect dep
- deprecate
.createServer()
& remove old stale examples - fix: escape
res.redirect()
link - fix vhost example
- add more examples to view-locals
- add scheme-relative redirects (
res.redirect("//foo.com")
) support - update cookie dep
- update connect dep
- update send dep
- fix
express(1)
-h flag, use -H for hogan. Closes #1245 - fix
res.sendfile()
socket error handling regression
- update connect dep for
send()
root normalization regression
- add
err.view
property for view errors. Closes #1226 - add "jsonp callback name" setting
- add support for "/foo/:bar*" non-greedy matches
- change
res.sendfile()
to usesend()
module - change
res.send
to use "response-send" module - remove
app.locals.use
andres.locals.use
, use regular middleware
- add "make check" support
- add route-map example
- add
res.json(obj, status)
support back for BC - add "methods" dep, remove internal methods module
- update connect dep
- update auth example to utilize cores pbkdf2
- updated tests to use "supertest"
- Added
req.auth
- Added
req.range(size)
- Added
res.links(obj)
- Added
res.send(body, status)
support back for backwards compat - Added
.default()
support tores.format()
- Added 2xx / 304 check to
req.fresh
- Revert "Added + support to the router"
- Fixed
res.send()
freshness check, respect res.statusCode
- Added hogan
--hjs
to express(1) [nullfirm] - Added another example to content-negotiation
- Added
fresh
dep - Changed:
res.send()
always checks freshness - Fixed: expose connects mime module. Closes #1165
- Added
+
support to the router - Added
req.host
- Changed
req.param()
to check route first - Update connect dep
- Added
res.format()
callback to override default 406 behaviour - Fixed
res.redirect()
406. Closes #1154
- Added
req.ip
- Added
{ signed: true }
option tores.cookie()
- Removed
res.signedCookie()
- Changed: dont reverse
req.ips
- Fixed "trust proxy" setting check for
req.ips
- Added: allow
[]
in jsonp callback. Closes #1128 - Added
PORT
env var support in generated template. Closes #1118 [benatkin] - Updated: connect 2.2.2
- Added public
app.routes
. Closes #887 - Added view-locals example
- Added mvc example
- Added
res.locals.use()
. Closes #1120 - Added conditional-GET support to
res.send()
- Added: coerce
res.set()
values to strings - Changed: moved
static()
in generated apps below router - Changed:
res.send()
only set ETag when not previously set - Changed connect 2.2.1 dep
- Changed:
make test
now runs unit / acceptance tests - Fixed req/res proto inheritance
- Added
make benchmark
back - Added
res.send()
support forString
objects - Added client-side data exposing example
- Added
res.header()
andreq.header()
aliases for BC - Added
express.createServer()
for BC - Perf: memoize parsed urls
- Perf: connect 2.2.0 dep
- Changed: make
expressInit()
middleware self-aware - Fixed: use app.get() for all core settings
- Fixed redis session example
- Fixed session example. Closes #1105
- Fixed generated express dep. Closes #1078
- Added
app.locals.use(callback)
- Added
app.locals
object - Added
app.locals(obj)
- Added
res.locals
object - Added
res.locals(obj)
- Added
res.format()
for content-negotiation - Added
app.engine()
- Added
res.cookie()
JSON cookie support - Added "trust proxy" setting
- Added
req.subdomains
- Added
req.protocol
- Added
req.secure
- Added
req.path
- Added
req.ips
- Added
req.fresh
- Added
req.stale
- Added comma-delimited / array support for
req.accepts()
- Added debug instrumentation
- Added
res.set(obj)
- Added
res.set(field, value)
- Added
res.get(field)
- Added
app.get(setting)
. Closes #842 - Added
req.acceptsLanguage()
- Added
req.acceptsCharset()
- Added
req.accepted
- Added
req.acceptedLanguages
- Added
req.acceptedCharsets
- Added "json replacer" setting
- Added "json spaces" setting
- Added X-Forwarded-Proto support to
res.redirect()
. Closes #92 - Added
--less
support to express(1) - Added
express.response
prototype - Added
express.request
prototype - Added
express.application
prototype - Added
app.path()
- Added
app.render()
- Added
res.type()
to replaceres.contentType()
- Changed:
res.redirect()
to add relative support - Changed: enable "jsonp callback" by default
- Changed: renamed "case sensitive routes" to "case sensitive routing"
- Rewrite of all tests with mocha
- Removed "root" setting
- Removed
res.redirect('home')
support - Removed
req.notify()
- Removed
app.register()
- Removed
app.redirect()
- Removed
app.is()
- Removed
app.helpers()
- Removed
app.dynamicHelpers()
- Fixed
res.sendfile()
with non-GET. Closes #723 - Fixed express(1) public dir for windows. Closes #866
- Added support for PURGE request method [pbuyle]
- Fixed
express(1)
generated appapp.address()
beforelistening
[mmalecki]
- Update mkdirp dep. Closes #991
- Fixed
app.all
duplicate DELETE requests [mscdex]
- Updated hamljs dev dep. Closes #953
- Fixed: set
filename
on cached templates [matthewleon]
- Fixed
express(1)
eol on 0.4.x. Closes #947
- Fixed
req.is()
when a charset is present
- Fixed: express(1) LF -> CRLF for windows
- Changed: updated connect to 1.8.x
- Removed sass.js support from express(1)
- Added ./routes dir for generated app by default
- Added npm install reminder to express(1) app gen
- Added 0.5.x support
- Removed
make test-cov
since it wont work with node 0.5.x - Fixed express(1) public dir for windows. Closes #866
- Added mkdirp to express(1). Closes #795
- Added simple json-config example
- Added shorthand for the parsed request's pathname via
req.path
- Changed connect dep to 1.7.x to fix npm issue...
- Fixed
res.redirect()
HEAD support. [reported by xerox] - Fixed
req.flash()
, only escape args - Fixed absolute path checking on windows. Closes #829 [reported by andrewpmckenzie]
- Fixed multiple param callback regression. Closes #824 [reported by TroyGoode]
- Added support for routes to handle errors. Closes #809
- Added
app.routes.all()
. Closes #803 - Added "basepath" setting to work in conjunction with reverse proxies etc.
- Refactored
Route
to use a single array of callbacks - Added support for multiple callbacks for
app.param()
. Closes #801 Closes #805 - Changed: removed .call(self) for route callbacks
- Dependency:
qs >= 0.3.1
- Fixed
res.redirect()
on windows due tojoin()
usage. Closes #808
- Fixed
res.header()
intention of a set, even whenundefined
- Fixed
*
, value no longer required - Fixed
res.send(204)
support. Closes #771
- Added docs for
status
option special-case. Closes #739 - Fixed
options.filename
, exposing the view path to template engines
- Revert "removed jsonp stripping" for XSS
- Added
res.json()
JSONP support. Closes #737 - Added extending-templates example. Closes #730
- Added "strict routing" setting for trailing slashes
- Added support for multiple envs in
app.configure()
calls. Closes #735 - Changed:
res.send()
usingres.json()
- Changed: when cookie
path === null
don't default it - Changed; default cookie path to "home" setting. Closes #731
- Removed pids/logs creation from express(1)
- Added chainable
res.status(code)
- Added
res.json()
, an explicit version ofres.send(obj)
- Added simple web-service example
- #express is now on freenode! come join!
- Added
req.get(field, param)
- Added links to Japanese documentation, thanks @hideyukisaito!
- Added; the
express(1)
generated app outputs the env - Added
content-negotiation
example - Dependency: connect >= 1.5.1 < 2.0.0
- Fixed view layout bug. Closes #720
- Fixed; ignore body on 304. Closes #701
- Added
npm test
- Removed generation of dummy test file from
express(1)
- Fixed;
express(1)
adds express as a dep - Fixed; prune on
prepublish
- Added
req.route
, exposing the current route - Added package.json generation support to
express(1)
- Fixed call to
app.param()
function for optional params. Closes #682
- Fixed bug-ish with
../' in
res.partial()` calls
- Fixed
app.options()
- Added route
Collection
, ex:app.get('/user/:id').remove();
- Added support for
app.param(fn)
to define param logic - Removed
app.param()
support for callback with return value - Removed module.parent check from express(1) generated app. Closes #670
- Refactored router. Closes #639
- Changed; using devDependencies instead of git submodules
- Fixed redis session example
- Fixed markdown example
- Fixed view caching, should not be enabled in development
- Added export
.view
as alias for.View
- Added
./examples/say
- Fixed
res.sendfile()
bug preventing the transfer of files with spaces
- Added "case sensitive routes" option.
- Changed; split methods supported per rfc [slaskis]
- Fixed route-specific middleware when using the same callback function several times
- Fixed view hints
- Added
app.match()
asapp.match.all()
- Added
app.lookup()
asapp.lookup.all()
- Added
app.remove()
forapp.remove.all()
- Added
app.remove.VERB()
- Fixed template caching collision issue. Closes #644
- Moved router over from connect and started refactor
- Added options support to
res.clearCookie()
- Added
res.helpers()
as alias ofres.locals()
- Added; json defaults to UTF-8 with
res.send()
. Closes #632. [Daniel * Dependencyconnect >= 1.4.0
- Changed; auto set Content-Type in res.attachement [Aaron Heckmann]
- Renamed "cache views" to "view cache". Closes #628
- Fixed caching of views when using several apps. Closes #637
- Fixed gotcha invoking
app.param()
callbacks once per route middleware. Closes #638 - Fixed partial lookup precedence. Closes #631 Shaw]
- Added second callback support for
res.download()
connection errors - Fixed
filename
option passing to template engine
-
Added
layout(path)
helper to change the layout within a view. Closes #610 -
Fixed
partial()
collection object support. Previously only anything with.length
would work. When.length
is present one must still be aware of holes, however now{ collection: {foo: 'bar'}}
is valid, exposeskeyInCollection
andkeysInCollection
. -
Performance improved with better view caching
-
Removed
request
andresponse
locals -
Changed; errorHandler page title is now
Express
instead ofConnect
- Added
app.lookup.VERB()
, exapp.lookup.put('/user/:id')
. Closes #606 - Added
app.match.VERB()
, exapp.match.put('/user/12')
. Closes #606 - Added
app.VERB(path)
as alias ofapp.lookup.VERB()
. - Dependency
connect >= 1.2.0
- Added; expose
err.view
object when failing to locate a view - Fixed
res.partial()
callnext(err)
when no callback is given [reported by aheckmann] - Fixed;
res.send(undefined)
responds with 204 [aheckmann]
- Added
<root>/_?<name>
partial lookup support. Closes #447 - Added
request
,response
, andapp
local variables - Added
settings
local variable, containing the app's settings - Added
req.flash()
exception ifreq.session
is not available - Added
res.send(bool)
support (json response) - Fixed stylus example for latest version
- Fixed; wrap try/catch around
res.render()
- Fixed up index view path alternative.
- Changed;
res.locals()
without object returns the locals
- Added
res.locals(obj)
to complimentres.local(key, val)
- Added
res.partial()
callback support - Fixed recursive error reporting issue in
res.render()
- Changed;
partial()
"locals" are now optional - Fixed
SlowBuffer
support. Closes #584 [reported by tyrda01] - Fixed .filename view engine option [reported by drudge]
- Fixed blog example
- Fixed
{req,res}.app
reference when mounting [Ben Weaver]
- Fixed; expose
HTTPSServer
constructor - Fixed express(1) default test charset. Closes #579 [reported by secoif]
- Fixed; default charset to utf-8 instead of utf8 for lame IE [reported by NickP]
- Added support for
res.contentType()
literal The originalres.contentType('.json')
,res.contentType('application/json')
, andres.contentType('json')
will work now. - Added
res.render()
status option support back - Added charset option for
res.render()
- Added
.charset
support (via connect 1.0.4) - Added view resolution hints when in development and a lookup fails
- Added layout lookup support relative to the page view.
For example while rendering
./views/user/index.jade
if you create./views/user/layout.jade
it will be used in favour of the root layout. - Fixed
res.redirect()
. RFC states absolute url [reported by unlink] - Fixed; default
res.send()
string charset to utf8 - Removed
Partial
constructor (not currently used)
- Added res.render()
.locals
support back to aid in migration process - Fixed flash example
- Added HTTPS support
- Added
res.cookie()
maxAge support - Added
req.header()
Referrer / Referer special-case, either works - Added mount support for
res.redirect()
, now respects the mount-point - Added
union()
util, taking place ofmerge(clone())
combo - Added stylus support to express(1) generated app
- Added secret to session middleware used in examples and generated app
- Added
res.local(name, val)
for progressive view locals - Added default param support to
req.param(name, default)
- Added
app.disabled()
andapp.enabled()
- Added
app.register()
support for omitting leading ".", either works - Added
res.partial()
, using the same interface aspartial()
within a view. Closes #539 - Added
app.param()
to map route params to async/sync logic - Added; aliased
app.helpers()
asapp.locals()
. Closes #481 - Added extname with no leading "." support to
res.contentType()
- Added
cache views
setting, defaulting to enabled in "production" env - Added index file partial resolution, eg: partial('user') may try views/user/index.jade.
- Added
req.accepts()
support for extensions - Changed;
res.download()
andres.sendfile()
now utilize Connect's static file serverconnect.static.send()
. - Changed; replaced
connect.utils.mime()
with npm mime module - Changed; allow
req.query
to be pre-defined (via middleware or other parent - Changed view partial resolution, now relative to parent view
- Changed view engine signature. no longer
engine.render(str, options, callback)
, nowengine.compile(str, options) -> Function
, the returned function acceptsfn(locals)
. - Fixed
req.param()
bug returning Array.prototype methods. Closes #552 - Fixed; using
Stream#pipe()
instead ofsys.pump()
inres.sendfile()
- Fixed; using qs module instead of querystring
- Fixed; strip unsafe chars from jsonp callbacks
- Removed "stream threshold" setting
- Allow
req.query
to be pre-defined (via middleware or other parent app) - "connect": ">= 0.5.0 < 1.0.0". Closes #547
- Removed the long deprecated EXPRESS_ENV support
- Fixed
render()
setting inheritance. Mounted apps would not inherit "view engine"
- Fixed
view engine
setting bug when period is in dirname
- Added secret to generated app
session()
call
- Added
qs
dependency to package.json - Fixed namespaced
require()
s for latest connect support
- Remove unsafe characters from JSONP callback names [Ryan Grove]
- Removed nested require, using
connect.router
- Fixed for middleware stacked via
createServer()
previously thefoo
middleware passed tocreateServer(foo)
would not have access to Express methods such asres.send()
or props likereq.query
etc.
- Added; deduce partial object names from the last segment.
For example by default
partial('forum/post', postObject)
will give you the post object, providing a meaningful default. - Added http status code string representation to
res.redirect()
body - Added;
res.redirect()
supporting text/plain and text/html via Accept. - Added
req.is()
to aid in content negotiation - Added partial local inheritance [suggested by masylum]. Closes #102 providing access to parent template locals.
- Added -s, --session[s] flag to express(1) to add session related middleware
- Added --template flag to express(1) to specify the template engine to use.
- Added --css flag to express(1) to specify the stylesheet engine to use (or just plain css by default).
- Added
app.all()
support [thanks aheckmann] - Added partial direct object support.
You may now
partial('user', user)
providing the "user" local, vs previouslypartial('user', { object: user })
. - Added route-separation example since many people question ways to do this with CommonJS modules. Also view the blog example for an alternative.
- Performance; caching view path derived partial object names
- Fixed partial local inheritance precedence. [reported by Nick Poulden] Closes #454
- Fixed jsonp support; text/javascript as per mailinglist discussion
- Added NODE_ENV support, EXPRESS_ENV is deprecated and will be removed in 1.0.0
- Added route-middleware support (very helpful, see the docs)
- Added jsonp callback setting to enable/disable jsonp autowrapping [Dav Glass]
- Added callback query check on response.send to autowrap JSON objects for simple webservice implementations [Dav Glass]
- Added
partial()
support for array-like collections. Closes #434 - Added support for swappable querystring parsers
- Added session usage docs. Closes #443
- Added dynamic helper caching. Closes #439 [suggested by maritz]
- Added authentication example
- Added basic Range support to
res.sendfile()
(andres.download()
etc) - Changed;
express(1)
generated app using 2 spaces instead of 4 - Default env to "development" again [aheckmann]
- Removed context option is no more, use "scope"
- Fixed; exposing ./support libs to examples so they can run without installs
- Fixed mvc example
- Added confirmation for
express(1)
app generation. Closes #391 - Added extending of flash formatters via
app.flashFormatters
- Added flash formatter support. Closes #411
- Added streaming support to
res.sendfile()
usingsys.pump()
when >= "stream threshold" - Added stream threshold setting for
res.sendfile()
- Added
res.send()
HEAD support - Added
res.clearCookie()
- Added
res.cookie()
- Added
res.render()
headers option - Added
res.redirect()
response bodies - Added
res.render()
status option support. Closes #425 [thanks aheckmann] - Fixed
res.sendfile()
responding with 403 on malicious path - Fixed
res.download()
bug; when an error occurs remove Content-Disposition - Fixed; mounted apps settings now inherit from parent app [aheckmann]
- Fixed; stripping Content-Length / Content-Type when 204
- Fixed
res.send()
204. Closes #419 - Fixed multiple Set-Cookie headers via
res.header()
. Closes #402 - Fixed bug messing with error handlers when
listenFD()
is called instead oflisten()
. [thanks guillermo]
- Added
app.register()
for template engine mapping. Closes #390 - Added
res.render()
callback support as second argument (no options) - Added callback support to
res.download()
- Added callback support for
res.sendfile()
- Added support for middleware access via
express.middlewareName()
vsconnect.middlewareName()
- Added "partials" setting to docs
- Added default expresso tests to
express(1)
generated app. Closes #384 - Fixed
res.sendfile()
error handling, defer vianext()
- Fixed
res.render()
callback when a layout is used [thanks guillermo] - Fixed;
make install
creating ~/.node_libraries when not present - Fixed issue preventing error handlers from being defined anywhere. Closes #387
-
Added mounted hook. Closes #369
-
Added connect dependency to package.json
-
Removed "reload views" setting and support code development env never caches, production always caches.
-
Removed param in route callbacks, signature is now simply (req, res, next), previously (req, res, params, next). Use req.params for path captures, req.query for GET params.
-
Fixed "home" setting
-
Fixed middleware/router precedence issue. Closes #366
-
Fixed; configure() callbacks called immediately. Closes #368
- Added more examples
- Added; exporting
Server
constructor - Added
Server#helpers()
for view locals - Added
Server#dynamicHelpers()
for dynamic view locals. Closes #349 - Added support for absolute view paths
- Added; home setting defaults to
Server#route
for mounted apps. Closes #363 - Added Guillermo Rauch to the contributor list
- Added support for "as" for non-collection partials. Closes #341
- Fixed install.sh, ensuring ~/.node_libraries exists. Closes #362 [thanks jf]
- Fixed
res.render()
exceptions, now passed tonext()
when no callback is given [thanks guillermo] - Fixed instanceof
Array
checks, nowArray.isArray()
- Fixed express(1) expansion of public dirs. Closes #348
- Fixed middleware precedence. Closes #345
- Fixed view watcher, now async [thanks aheckmann]
- Re-write
- much faster
- much lighter
- Check ExpressJS.com for migration guide and updated docs
- Utilize relative requires
- Added Static bufferSize option [aheckmann]
- Fixed caching of view and partial subdirectories [aheckmann]
- Fixed mime.type() comments now that ".ext" is not supported
- Updated haml submodule
- Updated class submodule
- Removed bin/express
- Added node v0.1.97 compatibility
- Added support for deleting cookies via Request#cookie('key', null)
- Updated haml submodule
- Fixed not-found page, now using charset utf-8
- Fixed show-exceptions page, now using charset utf-8
- Fixed view support due to fs.readFile Buffers
- Changed; mime.type() no longer accepts ".type" due to node extname() changes
- Added node v0.1.96 compatibility
- Added view
helpers
export which act as additional local variables - Updated haml submodule
- Changed ETag; removed inode, modified time only
- Fixed LF to CRLF for setting multiple cookies
- Fixed cookie compilation; values are now urlencoded
- Fixed cookies parsing; accepts quoted values and url escaped cookies
- Added support for layouts using different engines
- this.render('page.html.haml', { layout: 'super-cool-layout.html.ejs' })
- this.render('page.html.haml', { layout: 'foo' }) // assumes 'foo.html.haml'
- this.render('page.html.haml', { layout: false }) // no layout
- Updated ext submodule
- Updated haml submodule
- Fixed EJS partial support by passing along the context. Issue #307
- Fixed binary uploads.
- Added charset support via Request#charset (automatically assigned to 'UTF-8' when respond()'s encoding is set to 'utf8' or 'utf-8').
- Added "encoding" option to Request#render(). Closes #299
- Added "dump exceptions" setting, which is enabled by default.
- Added simple ejs template engine support
- Added error response support for text/plain, application/json. Closes #297
- Added callback function param to Request#error()
- Added Request#sendHead()
- Added Request#stream()
- Added support for Request#respond(304, null) for empty response bodies
- Added ETag support to Request#sendfile()
- Added options to Request#sendfile(), passed to fs.createReadStream()
- Added filename arg to Request#download()
- Performance enhanced due to pre-reversing plugins so that plugins.reverse() is not called on each request
- Performance enhanced by preventing several calls to toLowerCase() in Router#match()
- Changed; Request#sendfile() now streams
- Changed; Renamed Request#halt() to Request#respond(). Closes #289
- Changed; Using sys.inspect() instead of JSON.encode() for error output
- Changed; run() returns the http.Server instance. Closes #298
- Changed; Defaulting Server#host to null (INADDR_ANY)
- Changed; Logger "common" format scale of 0.4f
- Removed Logger "request" format
- Fixed; Catching ENOENT in view caching, preventing error when "views/partials" is not found
- Fixed several issues with http client
- Fixed Logger Content-Length output
- Fixed bug preventing Opera from retaining the generated session id. Closes #292
- Added DSL level error() route support
- Added DSL level notFound() route support
- Added Request#error()
- Added Request#notFound()
- Added Request#render() callback function. Closes #258
- Added "max upload size" setting
- Added "magic" variables to collection partials (__index__, __length__, __isFirst__, __isLast__). Closes #254
- Added haml.js submodule; removed haml-js
- Added callback function support to Request#halt() as 3rd/4th arg
- Added preprocessing of route param wildcards using param(). Closes #251
- Added view partial support (with collections etc.)
- Fixed bug preventing falsey params (such as ?page=0). Closes #286
- Fixed setting of multiple cookies. Closes #199
- Changed; view naming convention is now NAME.TYPE.ENGINE (for example page.html.haml)
- Changed; session cookie is now httpOnly
- Changed; Request is no longer global
- Changed; Event is no longer global
- Changed; "sys" module is no longer global
- Changed; moved Request#download to Static plugin where it belongs
- Changed; Request instance created before body parsing. Closes #262
- Changed; Pre-caching views in memory when "cache view contents" is enabled. Closes #253
- Changed; Pre-caching view partials in memory when "cache view partials" is enabled
- Updated support to node --version 0.1.90
- Updated dependencies
- Removed set("session cookie") in favour of use(Session, { cookie: { ... }})
- Removed utils.mixin(); use Object#mergeDeep()
- Added coffeescript example app. Closes #242
- Changed; cache api now async friendly. Closes #240
- Removed deprecated 'express/static' support. Use 'express/plugins/static'
- Added Request#isXHR. Closes #229
- Added
make install
(for the executable) - Added
express
executable for setting up simple app templates - Added "GET /public/*" to Static plugin, defaulting to /public
- Added Static plugin
- Fixed; Request#render() only calls cache.get() once
- Fixed; Namespacing View caches with "view:"
- Fixed; Namespacing Static caches with "static:"
- Fixed; Both example apps now use the Static plugin
- Fixed set("views"). Closes #239
- Fixed missing space for combined log format
- Deprecated Request#sendfile() and 'express/static'
- Removed Server#running
- Added Request#flash() support without args, now returns all flashes
- Updated ext submodule
- Fixed session reaper
- Changed; class.js replacing js-oo Class implementation (quite a bit faster, no browser cruft)
- Added package.json
- Fixed requiring of haml / sass due to kiwi removal
- Fixed GIT submodules (HAH!)
- Changed; Express now using submodules again until a PM is adopted
- Changed; chat example using millisecond conversions from ext
- Added Request#pass() support (finds the next matching route, or the given path)
- Added Logger plugin (default "common" format replaces CommonLogger)
- Removed Profiler plugin
- Removed CommonLogger plugin
-
Added seed.yml for kiwi package management support
-
Added HTTP client query string support when method is GET. Closes #205
-
Added support for arbitrary view engines. For example "foo.engine.html" will now require('engine'), the exports from this module are cached after the first require().
-
Added async plugin support
-
Removed usage of RESTful route funcs as http client get() etc, use http.get() and friends
-
Removed custom exceptions
- Added ext dependency (library of js extensions)
- Removed extname() / basename() utils. Use path module
- Removed toArray() util. Use arguments.values
- Removed escapeRegexp() util. Use RegExp.escape()
- Removed process.mixin() dependency. Use utils.mixin()
- Removed Collection
- Removed ElementCollection
- Shameless self promotion of ebook "Advanced JavaScript" (http://dev-mag.com) ;)
- Added flash() example to sample upload app
- Added high level restful http client module (express/http)
- Changed; RESTful route functions double as HTTP clients. Closes #69
- Changed; throwing error when routes are added at runtime
- Changed; defaulting render() context to the current Request. Closes #197
- Updated haml submodule
- Updated haml / sass submodules. Closes #200
- Added flash message support. Closes #64
- Added accepts() now allows multiple args. fixes #117
- Added support for plugins to halt. Closes #189
- Added alternate layout support. Closes #119
- Removed Route#run(). Closes #188
- Fixed broken specs due to use(Cookie) missing
- Added "plot" format option for Profiler (for gnuplot processing)
- Added request number to Profiler plugin
- Fixed binary encoding for multipart file uploads, was previously defaulting to UTF8
- Fixed issue with routes not firing when not files are present. Closes #184
- Fixed process.Promise -> events.Promise
- Added parseParam() support for name[] etc. (allows for file inputs with "multiple" attr) Closes #180
- Added Both Cache and Session option "reapInterval" may be "reapEvery". Closes #174
- Added expiration support to cache api with reaper. Closes #133
- Added cache Store.Memory#reap()
- Added Cache; cache api now uses first class Cache instances
- Added abstract session Store. Closes #172
- Changed; cache Memory.Store#get() utilizing Collection
- Renamed MemoryStore -> Store.Memory
- Fixed use() of the same plugin several time will always use latest options. Closes #176
- Changed; Hooks (before / after) pass request as arg as well as evaluated in their context
- Updated node support to 0.1.27 Closes #169
- Updated dirname(__filename) -> __dirname
- Updated libxmljs support to v0.2.0
- Added session support with memory store / reaping
- Added quick uid() helper
- Added multi-part upload support
- Added Sass.js support / submodule
- Added production env caching view contents and static files
- Added static file caching. Closes #136
- Added cache plugin with memory stores
- Added support to StaticFile so that it works with non-textual files.
- Removed dirname() helper
- Removed several globals (now their modules must be required)
- Added view benchmarks; currently haml vs ejs
- Added Request#attachment() specs. Closes #116
- Added use of node's parseQuery() util. Closes #123
- Added
make init
for submodules - Updated Haml
- Updated sample chat app to show messages on load
- Updated libxmljs parseString -> parseHtmlString
- Fixed
make init
to work with older versions of git - Fixed specs can now run independent specs for those who can't build deps. Closes #127
- Fixed issues introduced by the node url module changes. Closes 126.
- Fixed two assertions failing due to Collection#keys() returning strings
- Fixed faulty Collection#toArray() spec due to keys() returning strings
- Fixed
make test
now builds libxmljs.node before testing
- Initial release