Merge tag '4.17.1'

Author: dougwilson

.travis.yml

@@ -7,14 +7,16 @@ node_js:
   - "3.3"
   - "4.9"
   - "5.12"
-  - "6.14"
+  - "6.17"
   - "7.10"
-  - "8.12"
+  - "8.16"
+  - "9.11"
+  - "10.15"
+  - "11.15"
+  - "12.3"
 matrix:
   include:
-    - node_js: "9"
-      env: "NVM_NODEJS_ORG_MIRROR=https://nodejs.org/download/nightly"
-    - node_js: "10"
+    - node_js: "13"
       env: "NVM_NODEJS_ORG_MIRROR=https://nodejs.org/download/nightly"
   allow_failures:
     # Allow the nightly installs to fail
@@ -60,5 +62,5 @@ script:
 after_script:
   - |
     # Upload coverage to coveralls
-    npm install --save-dev coveralls@2.10.0
+    npm install --save-dev coveralls@2.12.0
     coveralls < ./coverage/lcov.info

Contributing.md

@@ -19,7 +19,7 @@ expertise to resolve rare disputes.
 
 Log an issue for any question or problem you might have. When in doubt, log an issue, and
 any additional policies about what to include will be provided in the responses. The only
-exception is security dislosures which should be sent privately.
+exception is security disclosures which should be sent privately.
 
 Committers may direct you to another repository, ask for additional clarifications, and
 add appropriate metadata before the issue is addressed.

History.md

@@ -1,3 +1,8 @@
+5.x
+===
+
+This incorporates all changes after 4.16.4 up to 4.17.1.
+
 5.0.0-alpha.7 / 2018-10-26
 ==========================
 
@@ -113,6 +118,62 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
   * add:
     - `app.router` is a reference to the base router
 
+4.17.1 / 2019-05-25
+===================
+
+  * Revert "Improve error message for `null`/`undefined` to `res.status`"
+
+4.17.0 / 2019-05-16
+===================
+
+  * Add `express.raw` to parse bodies into `Buffer`
+  * Add `express.text` to parse bodies into string
+  * Improve error message for non-strings to `res.sendFile`
+  * Improve error message for `null`/`undefined` to `res.status`
+  * Support multiple hosts in `X-Forwarded-Host`
+  * deps: accepts@~1.3.7
+  * deps: [email protected]
+    - Add encoding MIK
+    - Add petabyte (`pb`) support
+    - Fix parsing array brackets after index
+    - deps: [email protected]
+    - deps: [email protected]
+    - deps: [email protected]
+    - deps: [email protected]
+    - deps: [email protected]
+    - deps: type-is@~1.6.17
+  * deps: [email protected]
+  * deps: [email protected]
+    - Add `SameSite=None` support
+  * deps: finalhandler@~1.1.2
+    - Set stricter `Content-Security-Policy` header
+    - deps: parseurl@~1.3.3
+    - deps: statuses@~1.5.0
+  * deps: parseurl@~1.3.3
+  * deps: proxy-addr@~2.0.5
+    - deps: [email protected]
+  * deps: [email protected]
+    - Fix parsing array brackets after index
+  * deps: range-parser@~1.2.1
+  * deps: [email protected]
+    - Set stricter CSP header in redirect & error responses
+    - deps: http-errors@~1.7.2
+    - deps: [email protected]
+    - deps: [email protected]
+    - deps: range-parser@~1.2.1
+    - deps: statuses@~1.5.0
+    - perf: remove redundant `path.normalize` call
+  * deps: [email protected]
+    - Set stricter CSP header in redirect response
+    - deps: parseurl@~1.3.3
+    - deps: [email protected]
+  * deps: [email protected]
+  * deps: statuses@~1.5.0
+    - Add `103 Early Hints`
+  * deps: type-is@~1.6.18
+    - deps: mime-types@~2.1.24
+    - perf: prevent internal `throw` on invalid type
+
 4.16.4 / 2018-10-10
 ===================
 
@@ -409,7 +470,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
     - Fix including type extensions in parameters in `Accept` parsing
     - Fix parsing `Accept` parameters with quoted equals
     - Fix parsing `Accept` parameters with quoted semicolons
-    - Many performance improvments
+    - Many performance improvements
     - deps: mime-types@~2.1.11
     - deps: [email protected]
   * deps: content-type@~1.0.2
@@ -424,7 +485,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
     - perf: enable strict mode
     - perf: hoist regular expression
     - perf: use for loop in parse
-    - perf: use string concatination for serialization
+    - perf: use string concatenation for serialization
   * deps: [email protected]
     - Change invalid or non-numeric status code to 500
     - Overwrite status message to match set status code
@@ -434,7 +495,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
   * deps: proxy-addr@~1.1.2
     - Fix accepting various invalid netmasks
     - Fix IPv6-mapped IPv4 validation edge cases
-    - IPv4 netmasks must be contingous
+    - IPv4 netmasks must be contiguous
     - IPv6 addresses cannot be used as a netmask
     - deps: [email protected]
   * deps: [email protected]
@@ -1212,13 +1273,13 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
    - deps: [email protected]
  * deps: [email protected]
  * deps: [email protected]
-   - Do not throw un-catchable error on file open race condition
+   - Do not throw uncatchable error on file open race condition
    - Use `escape-html` for HTML escaping
    - deps: [email protected]
    - deps: [email protected]
    - deps: [email protected]
  * deps: [email protected]
-   - Do not throw un-catchable error on file open race condition
+   - Do not throw uncatchable error on file open race condition
    - deps: [email protected]
 
 4.4.2 / 2014-06-09
@@ -2098,7 +2159,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
    - deps: [email protected]
  * deps: [email protected]
  * deps: [email protected]
-   - Do not throw un-catchable error on file open race condition
+   - Do not throw uncatchable error on file open race condition
    - Use `escape-html` for HTML escaping
    - deps: [email protected]
    - deps: [email protected]
@@ -3283,7 +3344,7 @@ Shaw]
   * Updated haml submodule
   * Changed ETag; removed inode, modified time only
   * Fixed LF to CRLF for setting multiple cookies
-  * Fixed cookie complation; values are now urlencoded
+  * Fixed cookie compilation; values are now urlencoded
   * Fixed cookies parsing; accepts quoted values and url escaped cookies
 
 0.11.0 / 2010-05-06
@@ -3478,7 +3539,7 @@ Shaw]
 
   * Added "plot" format option for Profiler (for gnuplot processing)
   * Added request number to Profiler plugin
-  * Fixed binary encoding for multi-part file uploads, was previously defaulting to UTF8
+  * Fixed binary encoding for multipart file uploads, was previously defaulting to UTF8
   * Fixed issue with routes not firing when not files are present. Closes #184
   * Fixed process.Promise -> events.Promise
 
@@ -3524,7 +3585,7 @@ Shaw]
   * Updated sample chat app to show messages on load
   * Updated libxmljs parseString -> parseHtmlString
   * Fixed `make init` to work with older versions of git
-  * Fixed specs can now run independent specs for those who cant build deps. Closes #127
+  * Fixed specs can now run independent specs for those who can't build deps. Closes #127
   * Fixed issues introduced by the node url module changes. Closes 126.
   * Fixed two assertions failing due to Collection#keys() returning strings
   * Fixed faulty Collection#toArray() spec due to keys() returning strings

Readme.md

@@ -9,8 +9,8 @@
   [![Test Coverage][coveralls-image]][coveralls-url]
 
 ```js
-var express = require('express')
-var app = express()
+const express = require('express')
+const app = express()
 
 app.get('/', function (req, res) {
   res.send('Hello World')
@@ -90,6 +90,8 @@ $ npm install
 $ npm start
 ```
 
+  View the website at: http://localhost:3000
+
 ## Philosophy
 
   The Express philosophy is to provide small, robust tooling for HTTP servers, making
@@ -125,6 +127,10 @@ $ npm install
 $ npm test
 ```
 
+## Contributing
+
+[Contributing Guide](Contributing.md)
+
 ## People
 
 The original author of Express is [TJ Holowaychuk](https://github.com/tj)
@@ -147,7 +153,3 @@ The current lead maintainer is [Douglas Christopher Wilson](https://github.com/d
 [appveyor-url]: https://ci.appveyor.com/project/dougwilson/express
 [coveralls-image]: https://img.shields.io/coveralls/expressjs/express/master.svg
 [coveralls-url]: https://coveralls.io/r/expressjs/express?branch=master
-[gratipay-image-visionmedia]: https://img.shields.io/gratipay/visionmedia.svg
-[gratipay-url-visionmedia]: https://gratipay.com/visionmedia/
-[gratipay-image-dougwilson]: https://img.shields.io/gratipay/dougwilson.svg
-[gratipay-url-dougwilson]: https://gratipay.com/dougwilson/

appveyor.yml

@@ -7,9 +7,13 @@ environment:
     - nodejs_version: "3.3"
     - nodejs_version: "4.9"
     - nodejs_version: "5.12"
-    - nodejs_version: "6.14"
+    - nodejs_version: "6.17"
     - nodejs_version: "7.10"
-    - nodejs_version: "8.12"
+    - nodejs_version: "8.16"
+    - nodejs_version: "9.11"
+    - nodejs_version: "10.15"
+    - nodejs_version: "11.15"
+    - nodejs_version: "12.3"
 cache:
   - node_modules
 install:

examples/downloads/index.js

@@ -21,7 +21,7 @@ app.get('/files/:file(*)', function(req, res, next){
 
   res.download(filePath, function (err) {
     if (!err) return; // file sent
-    if (err && err.status !== 404) return next(err); // non-404 error
+    if (err.status !== 404) return next(err); // non-404 error
     // file for download not found
     res.statusCode = 404;
     res.send('Cant find that file, sorry!');

examples/mvc/public/style.css

@@ -1,6 +1,6 @@
 body {
   padding: 50px;
-  font: 16px "Helvetica Neue", Helvetica, Arial;
+  font: 16px "Helvetica Neue", Helvetica, Arial, sans-serif;
 }
 a {
   color: #107aff;

examples/static-files/public/js/app.js

@@ -1 +1 @@
-foo
+// foo

lib/express.js

@@ -75,5 +75,7 @@ exports.Router = Router;
  */
 
 exports.json = bodyParser.json
+exports.raw = bodyParser.raw
 exports.static = require('serve-static');
+exports.text = bodyParser.text
 exports.urlencoded = bodyParser.urlencoded

lib/request.js

@@ -409,6 +409,10 @@ defineGetter(req, 'host', function host(){
 
   if (!val || !trust(this.connection.remoteAddress, 0)) {
     val = this.get('Host');
+  } else if (val.indexOf(',') !== -1) {
+    // Note: X-Forwarded-Host is normally only ever a
+    //       single value, but this is to be safe.
+    val = val.substring(0, val.indexOf(',')).trimRight()
   }
 
   return val || undefined;