Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Release: 4.21.2 #6094

Merged
merged 1 commit into from
Dec 5, 2024
Merged

Release: 4.21.2 #6094

merged 1 commit into from
Dec 5, 2024

Conversation

UlisesGascon
Copy link
Member

@UlisesGascon UlisesGascon commented Oct 29, 2024

Plan to release it on Nov 06

What's included in the HISTORY.md

What's Changed

Full Changelog: 4.21.1...4.x

@UlisesGascon UlisesGascon self-assigned this Oct 29, 2024
@wesleytodd
Copy link
Member

Same comment as here: expressjs/discussions#228 (comment)

I think we need more eyes on the funding field before we publish. Ideally a change like this would be reviewed by a few members of the TC before landing since it is often considered a sensitive issue.

@NewEraCracker
Copy link

Just release it. It is Oct 31st.

The funding field is only some metadata npm adds on the package-lock.json for people who install this version.

@UlisesGascon UlisesGascon requested a review from a team November 6, 2024 11:10
@UlisesGascon

This comment was marked as off-topic.

@UlisesGascon
Copy link
Member Author

We plan to include a security patch too so this release is on hold now

@UlisesGascon UlisesGascon marked this pull request as draft November 7, 2024 10:05
@NewEraCracker
Copy link

@UlisesGascon

We plan to include a security patch too so this release is on hold now

Can you please disclose how serious (low, medium, high) it is? Does it impact a dependency or express code itself? Can it be sorted by npm overrides?

We are kind of aggressive with user input and never pass untrusted/unfiltered parameters to express functions.

@wesleytodd
Copy link
Member

wesleytodd commented Nov 8, 2024

I believe we are undecided if it is really a security issue after investigation. And even if we were we would not disclose information about it until we had a patch.

Signed-off-by: Ulises Gascon <[email protected]>
@jonchurch jonchurch marked this pull request as ready for review December 5, 2024 22:21
@jonchurch jonchurch merged commit 1faf228 into 4.x Dec 5, 2024
47 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants