
Conversation

@UlisesGascon (Member)

What's included in the HISTORY.md

* Security fix for [GHSA-wqch-xfxh-vrr4](https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4)
* refactor: move common request validation to read function
* deps:
  * type-is@^2.0.1
  * iconv-lite@^0.7.0
    * Handle split surrogate pairs when encoding UTF-8
    * Avoid false positives in `encodingExists` by using prototype-less objects
  * raw-body@^3.0.1
  * debug@^4.4.3

What's Changed

Full Changelog: 1.20.3...1.x

@Phillip9587 (Member)

@UlisesGascon (Member, Author)

Thanks for the update @Phillip9587!

@pwlnpro commented Nov 25, 2025

This needs to be reopened.

There is a disconnect between the Repository Advisory and the Git Advisory.
Resources:

The repository advisory marks version 2.2.0 as vulnerable.
The GitHub advisory marks any version below 2.2.1 as vulnerable.

Solutions:

  • Fix the advisory version on GitHub (if that is incorrect)
  • Fix the advisory version on the repository (if that is incorrect), and implement this PR.

Thanks!

Edit:
This is needed by everyone who still uses express@4xx. 1.20.3 is still the most used version and is now marked vulnerable.

@bjohansebas (Member)

Hey, the team has already been informed. The correct range is the one in GHSA-wqch-xfxh-vrr4; the only affected version was 2.2.0.

@jonchurch (Member) commented Nov 25, 2025

We don't know how what we published was not what GitHub propagated to the global registry; we have a PR open against their global registry to fix the affected version string to be exact.

github/advisory-database#6470

Thanks for your patience, folks.
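The practical effect of the mismatch discussed above is a matter of how two affected-version ranges classify installed versions: the repository advisory (only 2.2.0, per the comments above) versus the propagated database entry (anything below 2.2.1). The following is an added example, not code from the body-parser project or any of the commenters; it implements a minimal comparator for the two range shapes that appear in the thread (it is not a full semver implementation) and runs both ranges over a constructed list of installed versions to show which ones the two statements disagree on.

```javascript
// Added example (not body-parser project code): show how two differently stated
// affected-version ranges classify the same installed versions.

// Parse "MAJOR.MINOR.PATCH" into a numeric triple; prerelease/build tags are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a classic comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range matcher: terms "=X", "<X", "<=X", ">X", ">=X" joined by spaces (AND)
// and by "||" (OR). Enough for the ranges in the thread; deliberately not full semver.
function satisfies(version, range) {
  return range.split('||').some((clause) =>
    clause.trim().split(/\s+/).every((term) => {
      const m = /^(<=|>=|=|<|>)?(.+)$/.exec(term);
      const op = m[1] || '=';
      const c = compareVersions(version, m[2]);
      switch (op) {
        case '=': return c === 0;
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return false;
      }
    })
  );
}

// The two statements of the affected range as described in the thread.
const REPOSITORY_ADVISORY_RANGE = '=2.2.0'; // repository advisory: only 2.2.0
const DATABASE_RANGE = '<2.2.1';            // propagated database entry: anything below 2.2.1

// Constructed sample of body-parser versions one might find across a dependency tree.
const INSTALLED = ['1.20.3', '1.20.4', '2.2.0', '2.2.1'];

// Map each version to whether the given range flags it.
function classify(versions, range) {
  return Object.fromEntries(versions.map((v) => [v, satisfies(v, range)]));
}

// Versions flagged by one range but not the other: the "disconnect" in the thread.
function disagreements(versions) {
  return versions.filter(
    (v) => satisfies(v, REPOSITORY_ADVISORY_RANGE) !== satisfies(v, DATABASE_RANGE)
  );
}

console.log('repository advisory:', classify(INSTALLED, REPOSITORY_ADVISORY_RANGE));
console.log('advisory database :', classify(INSTALLED, DATABASE_RANGE));
console.log('disagreements     :', disagreements(INSTALLED));
```

Running this prints the 1.x versions as the disagreements: the 2.x versions are classified identically under both statements, while 1.20.3 and 1.20.4 are flagged only by the "below 2.2.1" form, which is exactly why scanners fed the propagated entry alert on express@4 installs.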

@UlisesGascon UlisesGascon deleted the release/1.20.4 branch November 26, 2025 17:29