nodescore/node_modules/express/History.md

112 KiB

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

  • Prevent open redirect allow list bypass due to encodeurl
  • deps: cookie@0.6.0

4.18.3 / 2024-02-29

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2
  • deps: cookie@0.6.0
    • Add partitioned option

4.18.2 / 2022-10-08

  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@6.11.0

4.18.1 / 2022-04-29

  • Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get
  • Invoke default with same arguments as types in res.format
  • Support proper 205 responses using res.send
  • Use http-errors for res.format error
  • deps: body-parser@1.20.0
    • Fix error message for json parse whitespace in strict
    • Fix internal error when inflated body exceeds limit
    • Prevent loss of async hooks context
    • Prevent hanging when request already read
    • deps: depd@2.0.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: qs@6.10.3
    • deps: raw-body@2.5.1
  • deps: cookie@0.5.0
    • Add priority option
    • Fix expires option to reject invalid dates
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: finalhandler@1.2.0
    • Remove set content headers that break response
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
    • Prevent loss of async hooks context
  • deps: qs@6.10.3
  • deps: send@0.18.0
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: depd@2.0.0
    • deps: destroy@1.2.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1
  • deps: serve-static@1.15.0
    • deps: send@0.18.0
  • deps: statuses@2.0.1
    • Remove code 306
    • Rename 425 Unordered Collection to standard 425 Too Early

4.17.3 / 2022-02-16

  • deps: accepts@~1.3.8
    • deps: mime-types@~2.1.34
    • deps: negotiator@0.6.3
  • deps: body-parser@1.19.2
    • deps: bytes@3.1.2
    • deps: qs@6.9.7
    • deps: raw-body@2.4.3
  • deps: cookie@0.4.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • pref: remove unnecessary regexp for trust proxy

4.17.2 / 2021-12-16

  • Fix handling of undefined in res.jsonp
  • Fix handling of undefined when "json escape" is enabled
  • Fix incorrect middleware execution with unanchored RegExps
  • Fix res.jsonp(obj, status) deprecation message
  • Fix typo in res.is JSDoc
  • deps: body-parser@1.19.1
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
    • deps: qs@6.9.6
    • deps: raw-body@2.4.2
    • deps: safe-buffer@5.2.1
    • deps: type-is@~1.6.18
  • deps: content-disposition@0.5.4
    • deps: safe-buffer@5.2.1
  • deps: cookie@0.4.1
    • Fix maxAge option to reject invalid values
  • deps: proxy-addr@~2.0.7
    • Use req.socket over deprecated req.connection
    • deps: forwarded@0.2.0
    • deps: ipaddr.js@1.9.1
  • deps: qs@6.9.6
  • deps: safe-buffer@5.2.1
  • deps: send@0.17.2
    • deps: http-errors@1.8.1
    • deps: ms@2.1.3
    • pref: ignore empty http tokens
  • deps: serve-static@1.14.2
    • deps: send@0.17.2
  • deps: setprototypeof@1.2.0

4.17.1 / 2019-05-25

  • Revert "Improve error message for null/undefined to res.status"

4.17.0 / 2019-05-16

  • Add express.raw to parse bodies into Buffer
  • Add express.text to parse bodies into string
  • Improve error message for non-strings to res.sendFile
  • Improve error message for null/undefined to res.status
  • Support multiple hosts in X-Forwarded-Host
  • deps: accepts@~1.3.7
  • deps: body-parser@1.19.0
    • Add encoding MIK
    • Add petabyte (pb) support
    • Fix parsing array brackets after index
    • deps: bytes@3.1.0
    • deps: http-errors@1.7.2
    • deps: iconv-lite@0.4.24
    • deps: qs@6.7.0
    • deps: raw-body@2.4.0
    • deps: type-is@~1.6.17
  • deps: content-disposition@0.5.3
  • deps: cookie@0.4.0
    • Add SameSite=None support
  • deps: finalhandler@~1.1.2
    • Set stricter Content-Security-Policy header
    • deps: parseurl@~1.3.3
    • deps: statuses@~1.5.0
  • deps: parseurl@~1.3.3
  • deps: proxy-addr@~2.0.5
    • deps: ipaddr.js@1.9.0
  • deps: qs@6.7.0
    • Fix parsing array brackets after index
  • deps: range-parser@~1.2.1
  • deps: send@0.17.1
    • Set stricter CSP header in redirect & error responses
    • deps: http-errors@~1.7.2
    • deps: mime@1.6.0
    • deps: ms@2.1.1
    • deps: range-parser@~1.2.1
    • deps: statuses@~1.5.0
    • perf: remove redundant path.normalize call
  • deps: serve-static@1.14.1
    • Set stricter CSP header in redirect response
    • deps: parseurl@~1.3.3
    • deps: send@0.17.1
  • deps: setprototypeof@1.1.1
  • deps: statuses@~1.5.0
    • Add 103 Early Hints
  • deps: type-is@~1.6.18
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type

4.16.4 / 2018-10-10

  • Fix issue where "Request aborted" may be logged in res.sendfile
  • Fix JSDoc for Router constructor
  • deps: body-parser@1.18.3
    • Fix deprecation warnings on Node.js 10+
    • Fix stack trace for strict json parse error
    • deps: depd@~1.1.2
    • deps: http-errors@~1.6.3
    • deps: iconv-lite@0.4.23
    • deps: qs@6.5.2
    • deps: raw-body@2.3.3
    • deps: type-is@~1.6.16
  • deps: proxy-addr@~2.0.4
    • deps: ipaddr.js@1.8.0
  • deps: qs@6.5.2
  • deps: safe-buffer@5.1.2

4.16.3 / 2018-03-12

  • deps: accepts@~1.3.5
    • deps: mime-types@~2.1.18
  • deps: depd@~1.1.2
    • perf: remove argument reassignment
  • deps: encodeurl@~1.0.2
    • Fix encoding % as last character
  • deps: finalhandler@1.1.1
    • Fix 404 output for bad / missing pathnames
    • deps: encodeurl@~1.0.2
    • deps: statuses@~1.4.0
  • deps: proxy-addr@~2.0.3
    • deps: ipaddr.js@1.6.0
  • deps: send@0.16.2
    • Fix incorrect end tag in default error & redirects
    • deps: depd@~1.1.2
    • deps: encodeurl@~1.0.2
    • deps: statuses@~1.4.0
  • deps: serve-static@1.13.2
    • Fix incorrect end tag in redirects
    • deps: encodeurl@~1.0.2
    • deps: send@0.16.2
  • deps: statuses@~1.4.0
  • deps: type-is@~1.6.16
    • deps: mime-types@~2.1.18

4.16.2 / 2017-10-09

  • Fix TypeError in res.send when given Buffer and ETag header set
  • perf: skip parsing of entire X-Forwarded-Proto header

4.16.1 / 2017-09-29

  • deps: send@0.16.1
  • deps: serve-static@1.13.1
    • Fix regression when root is incorrectly set to a file
    • deps: send@0.16.1

4.16.0 / 2017-09-28

  • Add "json escape" setting for res.json and res.jsonp
  • Add express.json and express.urlencoded to parse bodies
  • Add options argument to res.download
  • Improve error message when autoloading invalid view engine
  • Improve error messages when non-function provided as middleware
  • Skip Buffer encoding when not generating ETag for small response
  • Use safe-buffer for improved Buffer API
  • deps: accepts@~1.3.4
    • deps: mime-types@~2.1.16
  • deps: content-type@~1.0.4
    • perf: remove argument reassignment
    • perf: skip parameter parsing when no parameters
  • deps: etag@~1.8.1
    • perf: replace regular expression with substring
  • deps: finalhandler@1.1.0
    • Use res.headersSent when available
  • deps: parseurl@~1.3.2
    • perf: reduce overhead for full URLs
    • perf: unroll the "fast-path" RegExp
  • deps: proxy-addr@~2.0.2
    • Fix trimming leading / trailing OWS in X-Forwarded-For
    • deps: forwarded@~0.1.2
    • deps: ipaddr.js@1.5.2
    • perf: reduce overhead when no X-Forwarded-For header
  • deps: qs@6.5.1
    • Fix parsing & compacting very deep objects
  • deps: send@0.16.0
    • Add 70 new types for file extensions
    • Add immutable option
    • Fix missing </html> in default error & redirects
    • Set charset as "UTF-8" for .js and .json
    • Use instance methods on steam to check for listeners
    • deps: mime@1.4.1
    • perf: improve path validation speed
  • deps: serve-static@1.13.0
    • Add 70 new types for file extensions
    • Add immutable option
    • Set charset as "UTF-8" for .js and .json
    • deps: send@0.16.0
  • deps: setprototypeof@1.1.0
  • deps: utils-merge@1.0.1
  • deps: vary@~1.1.2
    • perf: improve header token parsing speed
  • perf: re-use options object when generating ETags
  • perf: remove dead .charset set in res.jsonp

4.15.5 / 2017-09-24

  • deps: debug@2.6.9
  • deps: finalhandler@~1.0.6
    • deps: debug@2.6.9
    • deps: parseurl@~1.3.2
  • deps: fresh@0.5.2
    • Fix handling of modified headers with invalid dates
    • perf: improve ETag match loop
    • perf: improve If-None-Match token parsing
  • deps: send@0.15.6
    • Fix handling of modified headers with invalid dates
    • deps: debug@2.6.9
    • deps: etag@~1.8.1
    • deps: fresh@0.5.2
    • perf: improve If-Match token parsing
  • deps: serve-static@1.12.6
    • deps: parseurl@~1.3.2
    • deps: send@0.15.6
    • perf: improve slash collapsing

4.15.4 / 2017-08-06

  • deps: debug@2.6.8
  • deps: depd@~1.1.1
    • Remove unnecessary Buffer loading
  • deps: finalhandler@~1.0.4
    • deps: debug@2.6.8
  • deps: proxy-addr@~1.1.5
    • Fix array argument being altered
    • deps: ipaddr.js@1.4.0
  • deps: qs@6.5.0
  • deps: send@0.15.4
    • deps: debug@2.6.8
    • deps: depd@~1.1.1
    • deps: http-errors@~1.6.2
  • deps: serve-static@1.12.4
    • deps: send@0.15.4

4.15.3 / 2017-05-16

  • Fix error when res.set cannot add charset to Content-Type
  • deps: debug@2.6.7
    • Fix DEBUG_MAX_ARRAY_LENGTH
    • deps: ms@2.0.0
  • deps: finalhandler@~1.0.3
    • Fix missing </html> in HTML document
    • deps: debug@2.6.7
  • deps: proxy-addr@~1.1.4
    • deps: ipaddr.js@1.3.0
  • deps: send@0.15.3
    • deps: debug@2.6.7
    • deps: ms@2.0.0
  • deps: serve-static@1.12.3
    • deps: send@0.15.3
  • deps: type-is@~1.6.15
    • deps: mime-types@~2.1.15
  • deps: vary@~1.1.1
    • perf: hoist regular expression

4.15.2 / 2017-03-06

  • deps: qs@6.4.0
    • Fix regression parsing keys starting with [

4.15.1 / 2017-03-05

  • deps: send@0.15.1
    • Fix issue when Date.parse does not return NaN on invalid date
    • Fix strict violation in broken environments
  • deps: serve-static@1.12.1
    • Fix issue when Date.parse does not return NaN on invalid date
    • deps: send@0.15.1

4.15.0 / 2017-03-01

  • Add debug message when loading view engine
  • Add next("router") to exit from router
  • Fix case where router.use skipped requests routes did not
  • Remove usage of res._headers private field
    • Improves compatibility with Node.js 8 nightly
  • Skip routing when req.url is not set
  • Use %o in path debug to tell types apart
  • Use Object.create to setup request & response prototypes
  • Use setprototypeof module to replace __proto__ setting
  • Use statuses instead of http module for status messages
  • deps: debug@2.6.1
    • Allow colors in workers
    • Deprecated DEBUG_FD environment variable set to 3 or higher
    • Fix error when running under React Native
    • Use same color for same namespace
    • deps: ms@0.7.2
  • deps: etag@~1.8.0
    • Use SHA1 instead of MD5 for ETag hashing
    • Works with FIPS 140-2 OpenSSL configuration
  • deps: finalhandler@~1.0.0
    • Fix exception when err cannot be converted to a string
    • Fully URL-encode the pathname in the 404
    • Only include the pathname in the 404 message
    • Send complete HTML document
    • Set Content-Security-Policy: default-src 'self' header
    • deps: debug@2.6.1
  • deps: fresh@0.5.0
    • Fix false detection of no-cache request directive
    • Fix incorrect result when If-None-Match has both * and ETags
    • Fix weak ETag matching to match spec
    • perf: delay reading header values until needed
    • perf: enable strict mode
    • perf: hoist regular expressions
    • perf: remove duplicate conditional
    • perf: remove unnecessary boolean coercions
    • perf: skip checking modified time if ETag check failed
    • perf: skip parsing If-None-Match when no ETag header
    • perf: use Date.parse instead of new Date
  • deps: qs@6.3.1
    • Fix array parsing from skipping empty values
    • Fix compacting nested arrays
  • deps: send@0.15.0
    • Fix false detection of no-cache request directive
    • Fix incorrect result when If-None-Match has both * and ETags
    • Fix weak ETag matching to match spec
    • Remove usage of res._headers private field
    • Support If-Match and If-Unmodified-Since headers
    • Use res.getHeaderNames() when available
    • Use res.headersSent when available
    • deps: debug@2.6.1
    • deps: etag@~1.8.0
    • deps: fresh@0.5.0
    • deps: http-errors@~1.6.1
  • deps: serve-static@1.12.0
    • Fix false detection of no-cache request directive
    • Fix incorrect result when If-None-Match has both * and ETags
    • Fix weak ETag matching to match spec
    • Remove usage of res._headers private field
    • Send complete HTML document in redirect response
    • Set default CSP header in redirect response
    • Support If-Match and If-Unmodified-Since headers
    • Use res.getHeaderNames() when available
    • Use res.headersSent when available
    • deps: send@0.15.0
  • perf: add fast match path for * route
  • perf: improve req.ips performance

4.14.1 / 2017-01-28

  • deps: content-disposition@0.5.2
  • deps: finalhandler@0.5.1
    • Fix exception when err.headers is not an object
    • deps: statuses@~1.3.1
    • perf: hoist regular expressions
    • perf: remove duplicate validation path
  • deps: proxy-addr@~1.1.3
    • deps: ipaddr.js@1.2.0
  • deps: send@0.14.2
    • deps: http-errors@~1.5.1
    • deps: ms@0.7.2
    • deps: statuses@~1.3.1
  • deps: serve-static@~1.11.2
    • deps: send@0.14.2
  • deps: type-is@~1.6.14
    • deps: mime-types@~2.1.13

4.14.0 / 2016-06-16

  • Add acceptRanges option to res.sendFile/res.sendfile
  • Add cacheControl option to res.sendFile/res.sendfile
  • Add options argument to req.range
    • Includes the combine option
  • Encode URL in res.location/res.redirect if not already encoded
  • Fix some redirect handling in res.sendFile/res.sendfile
  • Fix Windows absolute path check using forward slashes
  • Improve error with invalid arguments to req.get()
  • Improve performance for res.json/res.jsonp in most cases
  • Improve Range header handling in res.sendFile/res.sendfile
  • deps: accepts@~1.3.3
    • Fix including type extensions in parameters in Accept parsing
    • Fix parsing Accept parameters with quoted equals
    • Fix parsing Accept parameters with quoted semicolons
    • Many performance improvements
    • deps: mime-types@~2.1.11
    • deps: negotiator@0.6.1
  • deps: content-type@~1.0.2
    • perf: enable strict mode
  • deps: cookie@0.3.1
    • Add sameSite option
    • Fix cookie Max-Age to never be a floating point number
    • Improve error message when encode is not a function
    • Improve error message when expires is not a Date
    • Throw better error for invalid argument to parse
    • Throw on invalid values provided to serialize
    • perf: enable strict mode
    • perf: hoist regular expression
    • perf: use for loop in parse
    • perf: use string concatenation for serialization
  • deps: finalhandler@0.5.0
    • Change invalid or non-numeric status code to 500
    • Overwrite status message to match set status code
    • Prefer err.statusCode if err.status is invalid
    • Set response headers from err.headers object
    • Use statuses instead of http module for status messages
  • deps: proxy-addr@~1.1.2
    • Fix accepting various invalid netmasks
    • Fix IPv6-mapped IPv4 validation edge cases
    • IPv4 netmasks must be contiguous
    • IPv6 addresses cannot be used as a netmask
    • deps: ipaddr.js@1.1.1
  • deps: qs@6.2.0
    • Add decoder option in parse function
  • deps: range-parser@~1.2.0
    • Add combine option to combine overlapping ranges
    • Fix incorrectly returning -1 when there is at least one valid range
    • perf: remove internal function
  • deps: send@0.14.1
    • Add acceptRanges option
    • Add cacheControl option
    • Attempt to combine multiple ranges into single range
    • Correctly inherit from Stream class
    • Fix Content-Range header in 416 responses when using start/end options
    • Fix Content-Range header missing from default 416 responses
    • Fix redirect error when path contains raw non-URL characters
    • Fix redirect when path starts with multiple forward slashes
    • Ignore non-byte Range headers
    • deps: http-errors@~1.5.0
    • deps: range-parser@~1.2.0
    • deps: statuses@~1.3.0
    • perf: remove argument reassignment
  • deps: serve-static@~1.11.1
    • Add acceptRanges option
    • Add cacheControl option
    • Attempt to combine multiple ranges into single range
    • Fix redirect error when req.url contains raw non-URL characters
    • Ignore non-byte Range headers
    • Use status code 301 for redirects
    • deps: send@0.14.1
  • deps: type-is@~1.6.13
    • Fix type error when given invalid type to match against
    • deps: mime-types@~2.1.11
  • deps: vary@~1.1.0
    • Only accept valid field names in the field argument
  • perf: use strict equality when possible

4.13.4 / 2016-01-21

  • deps: content-disposition@0.5.1
    • perf: enable strict mode
  • deps: cookie@0.1.5
    • Throw on invalid values provided to serialize
  • deps: depd@~1.1.0
    • Support web browser loading
    • perf: enable strict mode
  • deps: escape-html@~1.0.3
    • perf: enable strict mode
    • perf: optimize string replacement
    • perf: use faster string coercion
  • deps: finalhandler@0.4.1
    • deps: escape-html@~1.0.3
  • deps: merge-descriptors@1.0.1
    • perf: enable strict mode
  • deps: methods@~1.1.2
    • perf: enable strict mode
  • deps: parseurl@~1.3.1
    • perf: enable strict mode
  • deps: proxy-addr@~1.0.10
    • deps: ipaddr.js@1.0.5
    • perf: enable strict mode
  • deps: range-parser@~1.0.3
    • perf: enable strict mode
  • deps: send@0.13.1
    • deps: depd@~1.1.0
    • deps: destroy@~1.0.4
    • deps: escape-html@~1.0.3
    • deps: range-parser@~1.0.3
  • deps: serve-static@~1.10.2
    • deps: escape-html@~1.0.3
    • deps: parseurl@~1.3.0
    • deps: send@0.13.1

4.13.3 / 2015-08-02

  • Fix infinite loop condition using mergeParams: true
  • Fix inner numeric indices incorrectly altering parent req.params

4.13.2 / 2015-07-31

  • deps: accepts@~1.2.12
    • deps: mime-types@~2.1.4
  • deps: array-flatten@1.1.1
    • perf: enable strict mode
  • deps: path-to-regexp@0.1.7
    • Fix regression with escaped round brackets and matching groups
  • deps: type-is@~1.6.6
    • deps: mime-types@~2.1.4

4.13.1 / 2015-07-05

  • deps: accepts@~1.2.10
    • deps: mime-types@~2.1.2
  • deps: qs@4.0.0
    • Fix dropping parameters like hasOwnProperty
    • Fix various parsing edge cases
  • deps: type-is@~1.6.4
    • deps: mime-types@~2.1.2
    • perf: enable strict mode
    • perf: remove argument reassignment

4.13.0 / 2015-06-20

  • Add settings to debug output
  • Fix res.format error when only default provided
  • Fix issue where next('route') in app.param would incorrectly skip values
  • Fix hiding platform issues with decodeURIComponent
    • Only URIErrors are a 400
  • Fix using * before params in routes
  • Fix using capture groups before params in routes
  • Simplify res.cookie to call res.append
  • Use array-flatten module for flattening arrays
  • deps: accepts@~1.2.9
    • deps: mime-types@~2.1.1
    • perf: avoid argument reassignment & argument slice
    • perf: avoid negotiator recursive construction
    • perf: enable strict mode
    • perf: remove unnecessary bitwise operator
  • deps: cookie@0.1.3
    • perf: deduce the scope of try-catch deopt
    • perf: remove argument reassignments
  • deps: escape-html@1.0.2
  • deps: etag@~1.7.0
    • Always include entity length in ETags for hash length extensions
    • Generate non-Stats ETags using MD5 only (no longer CRC32)
    • Improve stat performance by removing hashing
    • Improve support for JXcore
    • Remove base64 padding in ETags to shorten
    • Support "fake" stats objects in environments without fs
    • Use MD5 instead of MD4 in weak ETags over 1KB
  • deps: finalhandler@0.4.0
    • Fix a false-positive when unpiping in Node.js 0.8
    • Support statusCode property on Error objects
    • Use unpipe module for unpiping requests
    • deps: escape-html@1.0.2
    • deps: on-finished@~2.3.0
    • perf: enable strict mode
    • perf: remove argument reassignment
  • deps: fresh@0.3.0
    • Add weak ETag matching support
  • deps: on-finished@~2.3.0
    • Add defined behavior for HTTP CONNECT requests
    • Add defined behavior for HTTP Upgrade requests
    • deps: ee-first@1.1.1
  • deps: path-to-regexp@0.1.6
  • deps: send@0.13.0
    • Allow Node.js HTTP server to set Date response header
    • Fix incorrectly removing Content-Location on 304 response
    • Improve the default redirect response headers
    • Send appropriate headers on default error response
    • Use http-errors for standard emitted errors
    • Use statuses instead of http module for status messages
    • deps: escape-html@1.0.2
    • deps: etag@~1.7.0
    • deps: fresh@0.3.0
    • deps: on-finished@~2.3.0
    • perf: enable strict mode
    • perf: remove unnecessary array allocations
  • deps: serve-static@~1.10.0
    • Add fallthrough option
    • Fix reading options from options prototype
    • Improve the default redirect response headers
    • Malformed URLs now next() instead of 400
    • deps: escape-html@1.0.2
    • deps: send@0.13.0
    • perf: enable strict mode
    • perf: remove argument reassignment
  • deps: type-is@~1.6.3
    • deps: mime-types@~2.1.1
    • perf: reduce try block size
    • perf: remove bitwise operations
  • perf: enable strict mode
  • perf: isolate app.render try block
  • perf: remove argument reassignments in application
  • perf: remove argument reassignments in request prototype
  • perf: remove argument reassignments in response prototype
  • perf: remove argument reassignments in routing
  • perf: remove argument reassignments in View
  • perf: skip attempting to decode zero length string
  • perf: use saved reference to http.STATUS_CODES

4.12.4 / 2015-05-17

  • deps: accepts@~1.2.7
    • deps: mime-types@~2.0.11
    • deps: negotiator@0.5.3
  • deps: debug@~2.2.0
    • deps: ms@0.7.1
  • deps: depd@~1.0.1
  • deps: etag@~1.6.0
    • Improve support for JXcore
    • Support "fake" stats objects in environments without fs
  • deps: finalhandler@0.3.6
    • deps: debug@~2.2.0
    • deps: on-finished@~2.2.1
  • deps: on-finished@~2.2.1
    • Fix isFinished(req) when data buffered
  • deps: proxy-addr@~1.0.8
    • deps: ipaddr.js@1.0.1
  • deps: qs@2.4.2
  • Fix allowing parameters like constructor
  • deps: send@0.12.3
    • deps: debug@~2.2.0
    • deps: depd@~1.0.1
    • deps: etag@~1.6.0
    • deps: ms@0.7.1
    • deps: on-finished@~2.2.1
  • deps: serve-static@~1.9.3
    • deps: send@0.12.3
  • deps: type-is@~1.6.2
    • deps: mime-types@~2.0.11

4.12.3 / 2015-03-17

  • deps: accepts@~1.2.5
    • deps: mime-types@~2.0.10
  • deps: debug@~2.1.3
    • Fix high intensity foreground color for bold
    • deps: ms@0.7.0
  • deps: finalhandler@0.3.4
    • deps: debug@~2.1.3
  • deps: proxy-addr@~1.0.7
    • deps: ipaddr.js@0.1.9
  • deps: qs@2.4.1
    • Fix error when parameter hasOwnProperty is present
  • deps: send@0.12.2
    • Throw errors early for invalid extensions or index options
    • deps: debug@~2.1.3
  • deps: serve-static@~1.9.2
    • deps: send@0.12.2
  • deps: type-is@~1.6.1
    • deps: mime-types@~2.0.10

4.12.2 / 2015-03-02

  • Fix regression where "Request aborted" is logged using res.sendFile

4.12.1 / 2015-03-01

  • Fix constructing application with non-configurable prototype properties
  • Fix ECONNRESET errors from res.sendFile usage
  • Fix req.host when using "trust proxy" hops count
  • Fix req.protocol/req.secure when using "trust proxy" hops count
  • Fix wrong code on aborted connections from res.sendFile
  • deps: merge-descriptors@1.0.0

4.12.0 / 2015-02-23

  • Fix "trust proxy" setting to inherit when app is mounted
  • Generate ETags for all request responses
    • No longer restricted to only responses for GET and HEAD requests
  • Use content-type to parse Content-Type headers
  • deps: accepts@~1.2.4
    • Fix preference sorting to be stable for long acceptable lists
    • deps: mime-types@~2.0.9
    • deps: negotiator@0.5.1
  • deps: cookie-signature@1.0.6
  • deps: send@0.12.1
    • Always read the stat size from the file
    • Fix mutating passed-in options
    • deps: mime@1.3.4
  • deps: serve-static@~1.9.1
    • deps: send@0.12.1
  • deps: type-is@~1.6.0
    • fix argument reassignment
    • fix false-positives in hasBody Transfer-Encoding check
    • support wildcard for both type and subtype (*/*)
    • deps: mime-types@~2.0.9

4.11.2 / 2015-02-01

  • Fix res.redirect double-calling res.end for HEAD requests
  • deps: accepts@~1.2.3
    • deps: mime-types@~2.0.8
  • deps: proxy-addr@~1.0.6
    • deps: ipaddr.js@0.1.8
  • deps: type-is@~1.5.6
    • deps: mime-types@~2.0.8

4.11.1 / 2015-01-20

  • deps: send@0.11.1
    • Fix root path disclosure
  • deps: serve-static@~1.8.1
    • Fix redirect loop in Node.js 0.11.14
    • Fix root path disclosure
    • deps: send@0.11.1

4.11.0 / 2015-01-13

  • Add res.append(field, val) to append headers
  • Deprecate leading : in name for app.param(name, fn)
  • Deprecate req.param() -- use req.params, req.body, or req.query instead
  • Deprecate app.param(fn)
  • Fix OPTIONS responses to include the HEAD method properly
  • Fix res.sendFile not always detecting aborted connection
  • Match routes iteratively to prevent stack overflows
  • deps: accepts@~1.2.2
    • deps: mime-types@~2.0.7
    • deps: negotiator@0.5.0
  • deps: send@0.11.0
    • deps: debug@~2.1.1
    • deps: etag@~1.5.1
    • deps: ms@0.7.0
    • deps: on-finished@~2.2.0
  • deps: serve-static@~1.8.0
    • deps: send@0.11.0

4.10.8 / 2015-01-13

  • Fix crash from error within OPTIONS response handler
  • deps: proxy-addr@~1.0.5
    • deps: ipaddr.js@0.1.6

4.10.7 / 2015-01-04

  • Fix Allow header for OPTIONS to not contain duplicate methods
  • Fix incorrect "Request aborted" for res.sendFile when HEAD or 304
  • deps: debug@~2.1.1
  • deps: finalhandler@0.3.3
    • deps: debug@~2.1.1
    • deps: on-finished@~2.2.0
  • deps: methods@~1.1.1
  • deps: on-finished@~2.2.0
  • deps: serve-static@~1.7.2
    • Fix potential open redirect when mounted at root
  • deps: type-is@~1.5.5
    • deps: mime-types@~2.0.7

4.10.6 / 2014-12-12

  • Fix exception in req.fresh/req.stale without response headers

4.10.5 / 2014-12-10

  • Fix res.send double-calling res.end for HEAD requests
  • deps: accepts@~1.1.4
    • deps: mime-types@~2.0.4
  • deps: type-is@~1.5.4
    • deps: mime-types@~2.0.4

4.10.4 / 2014-11-24

  • Fix res.sendfile logging standard write errors

4.10.3 / 2014-11-23

  • Fix res.sendFile logging standard write errors
  • deps: etag@~1.5.1
  • deps: proxy-addr@~1.0.4
    • deps: ipaddr.js@0.1.5
  • deps: qs@2.3.3
    • Fix arrayLimit behavior

4.10.2 / 2014-11-09

  • Correctly invoke async router callback asynchronously
  • deps: accepts@~1.1.3
    • deps: mime-types@~2.0.3
  • deps: type-is@~1.5.3
    • deps: mime-types@~2.0.3

4.10.1 / 2014-10-28

  • Fix handling of URLs containing :// in the path
  • deps: qs@2.3.2
    • Fix parsing of mixed objects and values

4.10.0 / 2014-10-23

  • Add support for app.set('views', array)
    • Views are looked up in sequence in array of directories
  • Fix res.send(status) to mention res.sendStatus(status)
  • Fix handling of invalid empty URLs
  • Use content-disposition module for res.attachment/res.download
    • Sends standards-compliant Content-Disposition header
    • Full Unicode support
  • Use path.resolve in view lookup
  • deps: debug@~2.1.0
    • Implement DEBUG_FD env variable support
  • deps: depd@~1.0.0
  • deps: etag@~1.5.0
    • Improve string performance
    • Slightly improve speed for weak ETags over 1KB
  • deps: finalhandler@0.3.2
    • Terminate in progress response only on error
    • Use on-finished to determine request status
    • deps: debug@~2.1.0
    • deps: on-finished@~2.1.1
  • deps: on-finished@~2.1.1
    • Fix handling of pipelined requests
  • deps: qs@2.3.0
    • Fix parsing of mixed implicit and explicit arrays
  • deps: send@0.10.1
    • deps: debug@~2.1.0
    • deps: depd@~1.0.0
    • deps: etag@~1.5.0
    • deps: on-finished@~2.1.1
  • deps: serve-static@~1.7.1
    • deps: send@0.10.1

4.9.8 / 2014-10-17

  • Fix res.redirect body when redirect status specified
  • deps: accepts@~1.1.2
    • Fix error when media type has invalid parameter
    • deps: negotiator@0.4.9

4.9.7 / 2014-10-10

  • Fix using same param name in array of paths

4.9.6 / 2014-10-08

  • deps: accepts@~1.1.1
    • deps: mime-types@~2.0.2
    • deps: negotiator@0.4.8
  • deps: serve-static@~1.6.4
    • Fix redirect loop when index file serving disabled
  • deps: type-is@~1.5.2
    • deps: mime-types@~2.0.2

4.9.5 / 2014-09-24

  • deps: etag@~1.4.0
  • deps: proxy-addr@~1.0.3
    • Use forwarded npm module
  • deps: send@0.9.3
    • deps: etag@~1.4.0
  • deps: serve-static@~1.6.3
    • deps: send@0.9.3

4.9.4 / 2014-09-19

  • deps: qs@2.2.4
    • Fix issue with object keys starting with numbers truncated

4.9.3 / 2014-09-18

  • deps: proxy-addr@~1.0.2
    • Fix a global leak when multiple subnets are trusted
    • deps: ipaddr.js@0.1.3

4.9.2 / 2014-09-17

  • Fix regression for empty string path in app.use
  • Fix router.use to accept array of middleware without path
  • Improve error message for bad app.use arguments

4.9.1 / 2014-09-16

  • Fix app.use to accept array of middleware without path
  • deps: depd@0.4.5
  • deps: etag@~1.3.1
  • deps: send@0.9.2
    • deps: depd@0.4.5
    • deps: etag@~1.3.1
    • deps: range-parser@~1.0.2
  • deps: serve-static@~1.6.2
    • deps: send@0.9.2

4.9.0 / 2014-09-08

  • Add res.sendStatus
  • Invoke callback for sendfile when client aborts
    • Applies to res.sendFile, res.sendfile, and res.download
    • err will be populated with request aborted error
  • Support IP address host in req.subdomains
  • Use etag to generate ETag headers
  • deps: accepts@~1.1.0
    • update mime-types
  • deps: cookie-signature@1.0.5
  • deps: debug@~2.0.0
  • deps: finalhandler@0.2.0
    • Set X-Content-Type-Options: nosniff header
    • deps: debug@~2.0.0
  • deps: fresh@0.2.4
  • deps: media-typer@0.3.0
    • Throw error when parameter format invalid on parse
  • deps: qs@2.2.3
    • Fix issue where first empty value in array is discarded
  • deps: range-parser@~1.0.2
  • deps: send@0.9.1
    • Add lastModified option
    • Use etag to generate ETag header
    • deps: debug@~2.0.0
    • deps: fresh@0.2.4
  • deps: serve-static@~1.6.1
    • Add lastModified option
    • deps: send@0.9.1
  • deps: type-is@~1.5.1
    • fix hasbody to be true for content-length: 0
    • deps: media-typer@0.3.0
    • deps: mime-types@~2.0.1
  • deps: vary@~1.0.0
    • Accept valid Vary header string as field

4.8.8 / 2014-09-04

  • deps: send@0.8.5
    • Fix a path traversal issue when using root
    • Fix malicious path detection for empty string path
  • deps: serve-static@~1.5.4
    • deps: send@0.8.5

4.8.7 / 2014-08-29

  • deps: qs@2.2.2
    • Remove unnecessary cloning

4.8.6 / 2014-08-27

  • deps: qs@2.2.0
    • Array parsing fix
    • Performance improvements

4.8.5 / 2014-08-18

  • deps: send@0.8.3
    • deps: destroy@1.0.3
    • deps: on-finished@2.1.0
  • deps: serve-static@~1.5.3
    • deps: send@0.8.3

4.8.4 / 2014-08-14

  • deps: qs@1.2.2
  • deps: send@0.8.2
    • Work around fd leak in Node.js 0.10 for fs.ReadStream
  • deps: serve-static@~1.5.2
    • deps: send@0.8.2

4.8.3 / 2014-08-10

  • deps: parseurl@~1.3.0
  • deps: qs@1.2.1
  • deps: serve-static@~1.5.1
    • Fix parsing of weird req.originalUrl values
    • deps: parseurl@~1.3.0
    • deps: utils-merge@1.0.0

4.8.2 / 2014-08-07

  • deps: qs@1.2.0
    • Fix parsing array of objects

4.8.1 / 2014-08-06

  • fix incorrect deprecation warnings on res.download
  • deps: qs@1.1.0
    • Accept urlencoded square brackets
    • Accept empty values in implicit array notation

4.8.0 / 2014-08-05

  • add res.sendFile
    • accepts a file system path instead of a URL
    • requires an absolute path or root option specified
  • deprecate res.sendfile -- use res.sendFile instead
  • support mounted app as any argument to app.use()
  • deps: qs@1.0.2
    • Complete rewrite
    • Limits array length to 20
    • Limits object depth to 5
    • Limits parameters to 1,000
  • deps: send@0.8.1
    • Add extensions option
  • deps: serve-static@~1.5.0
    • Add extensions option
    • deps: send@0.8.1

4.7.4 / 2014-08-04

  • fix res.sendfile regression for serving directory index files
  • deps: send@0.7.4
    • Fix incorrect 403 on Windows and Node.js 0.11
    • Fix serving index files without root dir
  • deps: serve-static@~1.4.4
    • deps: send@0.7.4

4.7.3 / 2014-08-04

  • deps: send@0.7.3
    • Fix incorrect 403 on Windows and Node.js 0.11
  • deps: serve-static@~1.4.3
    • Fix incorrect 403 on Windows and Node.js 0.11
    • deps: send@0.7.3

4.7.2 / 2014-07-27

  • deps: depd@0.4.4
    • Work-around v8 generating empty stack traces
  • deps: send@0.7.2
    • deps: depd@0.4.4
  • deps: serve-static@~1.4.2

4.7.1 / 2014-07-26

  • deps: depd@0.4.3
    • Fix exception when global Error.stackTraceLimit is too low
  • deps: send@0.7.1
    • deps: depd@0.4.3
  • deps: serve-static@~1.4.1

4.7.0 / 2014-07-25

  • fix req.protocol for proxy-direct connections
  • configurable query parser with app.set('query parser', parser)
    • app.set('query parser', 'extended') parse with "qs" module
    • app.set('query parser', 'simple') parse with "querystring" core module
    • app.set('query parser', false) disable query string parsing
    • app.set('query parser', true) enable simple parsing
  • deprecate res.json(status, obj) -- use res.status(status).json(obj) instead
  • deprecate res.jsonp(status, obj) -- use res.status(status).jsonp(obj) instead
  • deprecate res.send(status, body) -- use res.status(status).send(body) instead
  • deps: debug@1.0.4
  • deps: depd@0.4.2
    • Add TRACE_DEPRECATION environment variable
    • Remove non-standard grey color from color output
    • Support --no-deprecation argument
    • Support --trace-deprecation argument
  • deps: finalhandler@0.1.0
    • Respond after request fully read
    • deps: debug@1.0.4
  • deps: parseurl@~1.2.0
    • Cache URLs based on original value
    • Remove no-longer-needed URL mis-parse work-around
    • Simplify the "fast-path" RegExp
  • deps: send@0.7.0
    • Add dotfiles option
    • Cap maxAge value to 1 year
    • deps: debug@1.0.4
    • deps: depd@0.4.2
  • deps: serve-static@~1.4.0
    • deps: parseurl@~1.2.0
    • deps: send@0.7.0
  • perf: prevent multiple Buffer creation in res.send

4.6.1 / 2014-07-12

  • fix subapp.mountpath regression for app.use(subapp)

4.6.0 / 2014-07-11

  • accept multiple callbacks to app.use()
  • add explicit "Rosetta Flash JSONP abuse" protection
    • previous versions are not vulnerable; this is just explicit protection
  • catch errors in multiple req.param(name, fn) handlers
  • deprecate res.redirect(url, status) -- use res.redirect(status, url) instead
  • fix res.send(status, num) to send num as json (not error)
  • remove unnecessary escaping when res.jsonp returns JSON response
  • support non-string path in app.use(path, fn)
    • supports array of paths
    • supports RegExp
  • router: fix optimization on router exit
  • router: refactor location of try blocks
  • router: speed up standard app.use(fn)
  • deps: debug@1.0.3
    • Add support for multiple wildcards in namespaces
  • deps: finalhandler@0.0.3
    • deps: debug@1.0.3
  • deps: methods@1.1.0
    • add CONNECT
  • deps: parseurl@~1.1.3
    • faster parsing of href-only URLs
  • deps: path-to-regexp@0.1.3
  • deps: send@0.6.0
    • deps: debug@1.0.3
  • deps: serve-static@~1.3.2
    • deps: parseurl@~1.1.3
    • deps: send@0.6.0
  • perf: fix arguments reassign deopt in some res methods

4.5.1 / 2014-07-06

  • fix routing regression when altering req.method

4.5.0 / 2014-07-04

  • add deprecation message to non-plural req.accepts*
  • add deprecation message to res.send(body, status)
  • add deprecation message to res.vary()
  • add headers option to res.sendfile
    • use to set headers on successful file transfer
  • add mergeParams option to Router
    • merges req.params from parent routes
  • add req.hostname -- correct name for what req.host returns
  • deprecate things with depd module
  • deprecate req.host -- use req.hostname instead
  • fix behavior when handling request without routes
  • fix handling when route.all is only route
  • invoke router.param() only when route matches
  • restore req.params after invoking router
  • use finalhandler for final response handling
  • use media-typer to alter content-type charset
  • deps: accepts@~1.0.7
  • deps: send@0.5.0
    • Accept string for maxage (converted by ms)
    • Include link in default redirect response
  • deps: serve-static@~1.3.0
    • Accept string for maxAge (converted by ms)
    • Add setHeaders option
    • Include HTML link in redirect response
    • deps: send@0.5.0
  • deps: type-is@~1.3.2

4.4.5 / 2014-06-26

  • deps: cookie-signature@1.0.4
    • fix for timing attacks

4.4.4 / 2014-06-20

  • fix res.attachment Unicode filenames in Safari
  • fix "trim prefix" debug message in express:router
  • deps: accepts@~1.0.5
  • deps: buffer-crc32@0.2.3

4.4.3 / 2014-06-11

  • fix persistence of modified req.params[name] from app.param()
  • deps: accepts@1.0.3
    • deps: negotiator@0.4.6
  • deps: debug@1.0.2
  • deps: send@0.4.3
    • Do not throw uncatchable error on file open race condition
    • Use escape-html for HTML escaping
    • deps: debug@1.0.2
    • deps: finished@1.2.2
    • deps: fresh@0.2.2
  • deps: serve-static@1.2.3
    • Do not throw uncatchable error on file open race condition
    • deps: send@0.4.3

4.4.2 / 2014-06-09

  • fix catching errors from top-level handlers
  • use vary module for res.vary
  • deps: debug@1.0.1
  • deps: proxy-addr@1.0.1
  • deps: send@0.4.2
    • fix "event emitter leak" warnings
    • deps: debug@1.0.1
    • deps: finished@1.2.1
  • deps: serve-static@1.2.2
    • fix "event emitter leak" warnings
    • deps: send@0.4.2
  • deps: type-is@1.2.1

4.4.1 / 2014-06-02

  • deps: methods@1.0.1
  • deps: send@0.4.1
    • Send max-age in Cache-Control in correct format
  • deps: serve-static@1.2.1
    • use escape-html for escaping
    • deps: send@0.4.1

4.4.0 / 2014-05-30

  • custom etag control with app.set('etag', val)
    • app.set('etag', function(body, encoding){ return '"etag"' }) custom etag generation
    • app.set('etag', 'weak') weak tag
    • app.set('etag', 'strong') strong etag
    • app.set('etag', false) turn off
    • app.set('etag', true) standard etag
  • mark res.send ETag as weak and reduce collisions
  • update accepts to 1.0.2
    • Fix interpretation when header not in request
  • update send to 0.4.0
    • Calculate ETag with md5 for reduced collisions
    • Ignore stream errors after request ends
    • deps: debug@0.8.1
  • update serve-static to 1.2.0
    • Calculate ETag with md5 for reduced collisions
    • Ignore stream errors after request ends
    • deps: send@0.4.0

4.3.2 / 2014-05-28

  • fix handling of errors from router.param() callbacks

4.3.1 / 2014-05-23

  • revert "fix behavior of multiple app.VERB for the same path"
    • this caused a regression in the order of route execution

4.3.0 / 2014-05-21

  • add req.baseUrl to access the path stripped from req.url in routes
  • fix behavior of multiple app.VERB for the same path
  • fix issue routing requests among sub routers
  • invoke router.param() only when necessary instead of every match
  • proper proxy trust with app.set('trust proxy', trust)
    • app.set('trust proxy', 1) trust first hop
    • app.set('trust proxy', 'loopback') trust loopback addresses
    • app.set('trust proxy', '10.0.0.1') trust single IP
    • app.set('trust proxy', '10.0.0.1/16') trust subnet
    • app.set('trust proxy', '10.0.0.1, 10.0.0.2') trust list
    • app.set('trust proxy', false) turn off
    • app.set('trust proxy', true) trust everything
  • set proper charset in Content-Type for res.send
  • update type-is to 1.2.0
    • support suffix matching

4.2.0 / 2014-05-11

  • deprecate app.del() -- use app.delete() instead
  • deprecate res.json(obj, status) -- use res.json(status, obj) instead
    • the edge-case res.json(status, num) requires res.status(status).json(num)
  • deprecate res.jsonp(obj, status) -- use res.jsonp(status, obj) instead
    • the edge-case res.jsonp(status, num) requires res.status(status).jsonp(num)
  • fix req.next when inside router instance
  • include ETag header in HEAD requests
  • keep previous Content-Type for res.jsonp
  • support PURGE method
    • add app.purge
    • add router.purge
    • include PURGE in app.all
  • update debug to 0.8.0
    • add enable() method
    • change from stderr to stdout
  • update methods to 1.0.0
    • add PURGE

4.1.2 / 2014-05-08

  • fix req.host for IPv6 literals
  • fix res.jsonp error if callback param is object

4.1.1 / 2014-04-27

  • fix package.json to reflect supported node version

4.1.0 / 2014-04-24

  • pass options from res.sendfile to send
  • preserve casing of headers in res.header and res.set
  • support unicode file names in res.attachment and res.download
  • update accepts to 1.0.1
    • deps: negotiator@0.4.0
  • update cookie to 0.1.2
    • Fix for maxAge == 0
    • made compat with expires field
  • update send to 0.3.0
    • Accept API options in options object
    • Coerce option types
    • Control whether to generate etags
    • Default directory access to 403 when index disabled
    • Fix sending files with dots without root set
    • Include file path in etag
    • Make "Can't set headers after they are sent." catchable
    • Send full entity-body for multi range requests
    • Set etags to "weak"
    • Support "If-Range" header
    • Support multiple index paths
    • deps: mime@1.2.11
  • update serve-static to 1.1.0
    • Accept options directly to send module
    • Resolve relative paths at middleware setup
    • Use parseurl to parse the URL from request
    • deps: send@0.3.0
  • update type-is to 1.1.0
    • add non-array values support
    • add multipart as a shorthand

4.0.0 / 2014-04-09

  • remove:
    • node 0.8 support
    • connect and connect's patches except for charset handling
    • express(1) - moved to express-generator
    • express.createServer() - it has been deprecated for a long time. Use express()
    • app.configure - use logic in your own app code
    • app.router - is removed
    • req.auth - use basic-auth instead
    • req.accepted* - use req.accepts*() instead
    • res.location - relative URL resolution is removed
    • res.charset - include the charset in the content type when using res.set()
    • all bundled middleware except static
  • change:
    • app.route -> app.mountpath when mounting an express app in another express app
    • json spaces no longer enabled by default in development
    • req.accepts* -> req.accepts*s - i.e. req.acceptsEncoding -> req.acceptsEncodings
    • req.params is now an object instead of an array
    • res.locals is no longer a function. It is a plain js object. Treat it as such.
    • res.headerSent -> res.headersSent to match node.js ServerResponse object
  • refactor:
  • add:
    • app.router() - returns the app Router instance
    • app.route() - Proxy to the app's Router#route() method to create a new route
    • Router & Route - public API

3.21.2 / 2015-07-31

  • deps: connect@2.30.2
    • deps: body-parser@~1.13.3
    • deps: compression@~1.5.2
    • deps: errorhandler@~1.4.2
    • deps: method-override@~2.3.5
    • deps: serve-index@~1.7.2
    • deps: type-is@~1.6.6
    • deps: vhost@~3.0.1
  • deps: vary@~1.0.1
    • Fix setting empty header from empty field
    • perf: enable strict mode
    • perf: remove argument reassignments

3.21.1 / 2015-07-05

  • deps: basic-auth@~1.0.3
  • deps: connect@2.30.1
    • deps: body-parser@~1.13.2
    • deps: compression@~1.5.1
    • deps: errorhandler@~1.4.1
    • deps: morgan@~1.6.1
    • deps: pause@0.1.0
    • deps: qs@4.0.0
    • deps: serve-index@~1.7.1
    • deps: type-is@~1.6.4

3.21.0 / 2015-06-18

  • deps: basic-auth@1.0.2
    • perf: enable strict mode
    • perf: hoist regular expression
    • perf: parse with regular expressions
    • perf: remove argument reassignment
  • deps: connect@2.30.0
    • deps: body-parser@~1.13.1
    • deps: bytes@2.1.0
    • deps: compression@~1.5.0
    • deps: cookie@0.1.3
    • deps: cookie-parser@~1.3.5
    • deps: csurf@~1.8.3
    • deps: errorhandler@~1.4.0
    • deps: express-session@~1.11.3
    • deps: finalhandler@0.4.0
    • deps: fresh@0.3.0
    • deps: morgan@~1.6.0
    • deps: serve-favicon@~2.3.0
    • deps: serve-index@~1.7.0
    • deps: serve-static@~1.10.0
    • deps: type-is@~1.6.3
  • deps: cookie@0.1.3
    • perf: deduce the scope of try-catch deopt
    • perf: remove argument reassignments
  • deps: escape-html@1.0.2
  • deps: etag@~1.7.0
    • Always include entity length in ETags for hash length extensions
    • Generate non-Stats ETags using MD5 only (no longer CRC32)
    • Improve stat performance by removing hashing
    • Improve support for JXcore
    • Remove base64 padding in ETags to shorten
    • Support "fake" stats objects in environments without fs
    • Use MD5 instead of MD4 in weak ETags over 1KB
  • deps: fresh@0.3.0
    • Add weak ETag matching support
  • deps: mkdirp@0.5.1
    • Work in global strict mode
  • deps: send@0.13.0
    • Allow Node.js HTTP server to set Date response header
    • Fix incorrectly removing Content-Location on 304 response
    • Improve the default redirect response headers
    • Send appropriate headers on default error response
    • Use http-errors for standard emitted errors
    • Use statuses instead of http module for status messages
    • deps: escape-html@1.0.2
    • deps: etag@~1.7.0
    • deps: fresh@0.3.0
    • deps: on-finished@~2.3.0
    • perf: enable strict mode
    • perf: remove unnecessary array allocations

3.20.3 / 2015-05-17

  • deps: connect@2.29.2
    • deps: body-parser@~1.12.4
    • deps: compression@~1.4.4
    • deps: connect-timeout@~1.6.2
    • deps: debug@~2.2.0
    • deps: depd@~1.0.1
    • deps: errorhandler@~1.3.6
    • deps: finalhandler@0.3.6
    • deps: method-override@~2.3.3
    • deps: morgan@~1.5.3
    • deps: qs@2.4.2
    • deps: response-time@~2.3.1
    • deps: serve-favicon@~2.2.1
    • deps: serve-index@~1.6.4
    • deps: serve-static@~1.9.3
    • deps: type-is@~1.6.2
  • deps: debug@~2.2.0
    • deps: ms@0.7.1
  • deps: depd@~1.0.1
  • deps: proxy-addr@~1.0.8
    • deps: ipaddr.js@1.0.1
  • deps: send@0.12.3
    • deps: debug@~2.2.0
    • deps: depd@~1.0.1
    • deps: etag@~1.6.0
    • deps: ms@0.7.1
    • deps: on-finished@~2.2.1

3.20.2 / 2015-03-16

  • deps: connect@2.29.1
    • deps: body-parser@~1.12.2
    • deps: compression@~1.4.3
    • deps: connect-timeout@~1.6.1
    • deps: debug@~2.1.3
    • deps: errorhandler@~1.3.5
    • deps: express-session@~1.10.4
    • deps: finalhandler@0.3.4
    • deps: method-override@~2.3.2
    • deps: morgan@~1.5.2
    • deps: qs@2.4.1
    • deps: serve-index@~1.6.3
    • deps: serve-static@~1.9.2
    • deps: type-is@~1.6.1
  • deps: debug@~2.1.3
    • Fix high intensity foreground color for bold
    • deps: ms@0.7.0
  • deps: merge-descriptors@1.0.0
  • deps: proxy-addr@~1.0.7
    • deps: ipaddr.js@0.1.9
  • deps: send@0.12.2
    • Throw errors early for invalid extensions or index options
    • deps: debug@~2.1.3

3.20.1 / 2015-02-28

  • Fix req.host when using "trust proxy" hops count
  • Fix req.protocol/req.secure when using "trust proxy" hops count

3.20.0 / 2015-02-18

  • Fix "trust proxy" setting to inherit when app is mounted
  • Generate ETags for all request responses
    • No longer restricted to only responses for GET and HEAD requests
  • Use content-type to parse Content-Type headers
  • deps: connect@2.29.0
    • Use content-type to parse Content-Type headers
    • deps: body-parser@~1.12.0
    • deps: compression@~1.4.1
    • deps: connect-timeout@~1.6.0
    • deps: cookie-parser@~1.3.4
    • deps: cookie-signature@1.0.6
    • deps: csurf@~1.7.0
    • deps: errorhandler@~1.3.4
    • deps: express-session@~1.10.3
    • deps: http-errors@~1.3.1
    • deps: response-time@~2.3.0
    • deps: serve-index@~1.6.2
    • deps: serve-static@~1.9.1
    • deps: type-is@~1.6.0
  • deps: cookie-signature@1.0.6
  • deps: send@0.12.1
    • Always read the stat size from the file
    • Fix mutating passed-in options
    • deps: mime@1.3.4

3.19.2 / 2015-02-01

  • deps: connect@2.28.3
    • deps: compression@~1.3.1
    • deps: csurf@~1.6.6
    • deps: errorhandler@~1.3.3
    • deps: express-session@~1.10.2
    • deps: serve-index@~1.6.1
    • deps: type-is@~1.5.6
  • deps: proxy-addr@~1.0.6
    • deps: ipaddr.js@0.1.8

3.19.1 / 2015-01-20

  • deps: connect@2.28.2
    • deps: body-parser@~1.10.2
    • deps: serve-static@~1.8.1
  • deps: send@0.11.1
    • Fix root path disclosure

3.19.0 / 2015-01-09

  • Fix OPTIONS responses to include the HEAD method property
  • Use readline for prompt in express(1)
  • deps: commander@2.6.0
  • deps: connect@2.28.1
    • deps: body-parser@~1.10.1
    • deps: compression@~1.3.0
    • deps: connect-timeout@~1.5.0
    • deps: csurf@~1.6.4
    • deps: debug@~2.1.1
    • deps: errorhandler@~1.3.2
    • deps: express-session@~1.10.1
    • deps: finalhandler@0.3.3
    • deps: method-override@~2.3.1
    • deps: morgan@~1.5.1
    • deps: serve-favicon@~2.2.0
    • deps: serve-index@~1.6.0
    • deps: serve-static@~1.8.0
    • deps: type-is@~1.5.5
  • deps: debug@~2.1.1
  • deps: methods@~1.1.1
  • deps: proxy-addr@~1.0.5
    • deps: ipaddr.js@0.1.6
  • deps: send@0.11.0
    • deps: debug@~2.1.1
    • deps: etag@~1.5.1
    • deps: ms@0.7.0
    • deps: on-finished@~2.2.0

3.18.6 / 2014-12-12

  • Fix exception in req.fresh/req.stale without response headers

3.18.5 / 2014-12-11

  • deps: connect@2.27.6
    • deps: compression@~1.2.2
    • deps: express-session@~1.9.3
    • deps: http-errors@~1.2.8
    • deps: serve-index@~1.5.3
    • deps: type-is@~1.5.4

3.18.4 / 2014-11-23

  • deps: connect@2.27.4
    • deps: body-parser@~1.9.3
    • deps: compression@~1.2.1
    • deps: errorhandler@~1.2.3
    • deps: express-session@~1.9.2
    • deps: qs@2.3.3
    • deps: serve-favicon@~2.1.7
    • deps: serve-static@~1.5.1
    • deps: type-is@~1.5.3
  • deps: etag@~1.5.1
  • deps: proxy-addr@~1.0.4
    • deps: ipaddr.js@0.1.5

3.18.3 / 2014-11-09

  • deps: connect@2.27.3
    • Correctly invoke async callback asynchronously
    • deps: csurf@~1.6.3

3.18.2 / 2014-10-28

  • deps: connect@2.27.2
    • Fix handling of URLs containing :// in the path
    • deps: body-parser@~1.9.2
    • deps: qs@2.3.2

3.18.1 / 2014-10-22

  • Fix internal utils.merge deprecation warnings
  • deps: connect@2.27.1
    • deps: body-parser@~1.9.1
    • deps: express-session@~1.9.1
    • deps: finalhandler@0.3.2
    • deps: morgan@~1.4.1
    • deps: qs@2.3.0
    • deps: serve-static@~1.7.1
  • deps: send@0.10.1
    • deps: on-finished@~2.1.1

3.18.0 / 2014-10-17

  • Use content-disposition module for res.attachment/res.download
    • Sends standards-compliant Content-Disposition header
    • Full Unicode support
  • Use etag module to generate ETag headers
  • deps: connect@2.27.0
    • Use http-errors module for creating errors
    • Use utils-merge module for merging objects
    • deps: body-parser@~1.9.0
    • deps: compression@~1.2.0
    • deps: connect-timeout@~1.4.0
    • deps: debug@~2.1.0
    • deps: depd@~1.0.0
    • deps: express-session@~1.9.0
    • deps: finalhandler@0.3.1
    • deps: method-override@~2.3.0
    • deps: morgan@~1.4.0
    • deps: response-time@~2.2.0
    • deps: serve-favicon@~2.1.6
    • deps: serve-index@~1.5.0
    • deps: serve-static@~1.7.0
  • deps: debug@~2.1.0
    • Implement DEBUG_FD env variable support
  • deps: depd@~1.0.0
  • deps: send@0.10.0
    • deps: debug@~2.1.0
    • deps: depd@~1.0.0
    • deps: etag@~1.5.0

3.17.8 / 2014-10-15

  • deps: connect@2.26.6
    • deps: compression@~1.1.2
    • deps: csurf@~1.6.2
    • deps: errorhandler@~1.2.2

3.17.7 / 2014-10-08

  • deps: connect@2.26.5
    • Fix accepting non-object arguments to logger
    • deps: serve-static@~1.6.4

3.17.6 / 2014-10-02

  • deps: connect@2.26.4
    • deps: morgan@~1.3.2
    • deps: type-is@~1.5.2

3.17.5 / 2014-09-24

  • deps: connect@2.26.3
    • deps: body-parser@~1.8.4
    • deps: serve-favicon@~2.1.5
    • deps: serve-static@~1.6.3
  • deps: proxy-addr@~1.0.3
    • Use forwarded npm module
  • deps: send@0.9.3
    • deps: etag@~1.4.0

3.17.4 / 2014-09-19

  • deps: connect@2.26.2
    • deps: body-parser@~1.8.3
    • deps: qs@2.2.4

3.17.3 / 2014-09-18

  • deps: proxy-addr@~1.0.2
    • Fix a global leak when multiple subnets are trusted
    • deps: ipaddr.js@0.1.3

3.17.2 / 2014-09-15

  • Use crc instead of buffer-crc32 for speed
  • deps: connect@2.26.1
    • deps: body-parser@~1.8.2
    • deps: depd@0.4.5
    • deps: express-session@~1.8.2
    • deps: morgan@~1.3.1
    • deps: serve-favicon@~2.1.3
    • deps: serve-static@~1.6.2
  • deps: depd@0.4.5
  • deps: send@0.9.2
    • deps: depd@0.4.5
    • deps: etag@~1.3.1
    • deps: range-parser@~1.0.2

3.17.1 / 2014-09-08

  • Fix error in req.subdomains on empty host

3.17.0 / 2014-09-08

  • Support X-Forwarded-Host in req.subdomains
  • Support IP address host in req.subdomains
  • deps: connect@2.26.0
    • deps: body-parser@~1.8.1
    • deps: compression@~1.1.0
    • deps: connect-timeout@~1.3.0
    • deps: cookie-parser@~1.3.3
    • deps: cookie-signature@1.0.5
    • deps: csurf@~1.6.1
    • deps: debug@~2.0.0
    • deps: errorhandler@~1.2.0
    • deps: express-session@~1.8.1
    • deps: finalhandler@0.2.0
    • deps: fresh@0.2.4
    • deps: media-typer@0.3.0
    • deps: method-override@~2.2.0
    • deps: morgan@~1.3.0
    • deps: qs@2.2.3
    • deps: serve-favicon@~2.1.3
    • deps: serve-index@~1.2.1
    • deps: serve-static@~1.6.1
    • deps: type-is@~1.5.1
    • deps: vhost@~3.0.0
  • deps: cookie-signature@1.0.5
  • deps: debug@~2.0.0
  • deps: fresh@0.2.4
  • deps: media-typer@0.3.0
    • Throw error when parameter format invalid on parse
  • deps: range-parser@~1.0.2
  • deps: send@0.9.1
    • Add lastModified option
    • Use etag to generate ETag header
    • deps: debug@~2.0.0
    • deps: fresh@0.2.4
  • deps: vary@~1.0.0
    • Accept valid Vary header string as field

3.16.10 / 2014-09-04

  • deps: connect@2.25.10
    • deps: serve-static@~1.5.4
  • deps: send@0.8.5
    • Fix a path traversal issue when using root
    • Fix malicious path detection for empty string path

3.16.9 / 2014-08-29

  • deps: connect@2.25.9
    • deps: body-parser@~1.6.7
    • deps: qs@2.2.2

3.16.8 / 2014-08-27

  • deps: connect@2.25.8
    • deps: body-parser@~1.6.6
    • deps: csurf@~1.4.1
    • deps: qs@2.2.0

3.16.7 / 2014-08-18

  • deps: connect@2.25.7
    • deps: body-parser@~1.6.5
    • deps: express-session@~1.7.6
    • deps: morgan@~1.2.3
    • deps: serve-static@~1.5.3
  • deps: send@0.8.3
    • deps: destroy@1.0.3
    • deps: on-finished@2.1.0

3.16.6 / 2014-08-14

  • deps: connect@2.25.6
    • deps: body-parser@~1.6.4
    • deps: qs@1.2.2
    • deps: serve-static@~1.5.2
  • deps: send@0.8.2
    • Work around fd leak in Node.js 0.10 for fs.ReadStream

3.16.5 / 2014-08-11

  • deps: connect@2.25.5
    • Fix backwards compatibility in logger

3.16.4 / 2014-08-10

  • Fix original URL parsing in res.location
  • deps: connect@2.25.4
    • Fix query middleware breaking with argument
    • deps: body-parser@~1.6.3
    • deps: compression@~1.0.11
    • deps: connect-timeout@~1.2.2
    • deps: express-session@~1.7.5
    • deps: method-override@~2.1.3
    • deps: on-headers@~1.0.0
    • deps: parseurl@~1.3.0
    • deps: qs@1.2.1
    • deps: response-time@~2.0.1
    • deps: serve-index@~1.1.6
    • deps: serve-static@~1.5.1
  • deps: parseurl@~1.3.0

3.16.3 / 2014-08-07

  • deps: connect@2.25.3
    • deps: multiparty@3.3.2

3.16.2 / 2014-08-07

  • deps: connect@2.25.2
    • deps: body-parser@~1.6.2
    • deps: qs@1.2.0

3.16.1 / 2014-08-06

  • deps: connect@2.25.1
    • deps: body-parser@~1.6.1
    • deps: qs@1.1.0

3.16.0 / 2014-08-05

  • deps: connect@2.25.0
    • deps: body-parser@~1.6.0
    • deps: compression@~1.0.10
    • deps: csurf@~1.4.0
    • deps: express-session@~1.7.4
    • deps: qs@1.0.2
    • deps: serve-static@~1.5.0
  • deps: send@0.8.1
    • Add extensions option

3.15.3 / 2014-08-04

  • fix res.sendfile regression for serving directory index files
  • deps: connect@2.24.3
    • deps: serve-index@~1.1.5
    • deps: serve-static@~1.4.4
  • deps: send@0.7.4
    • Fix incorrect 403 on Windows and Node.js 0.11
    • Fix serving index files without root dir

3.15.2 / 2014-07-27

  • deps: connect@2.24.2
    • deps: body-parser@~1.5.2
    • deps: depd@0.4.4
    • deps: express-session@~1.7.2
    • deps: morgan@~1.2.2
    • deps: serve-static@~1.4.2
  • deps: depd@0.4.4
    • Work-around v8 generating empty stack traces
  • deps: send@0.7.2
    • deps: depd@0.4.4

3.15.1 / 2014-07-26

  • deps: connect@2.24.1
    • deps: body-parser@~1.5.1
    • deps: depd@0.4.3
    • deps: express-session@~1.7.1
    • deps: morgan@~1.2.1
    • deps: serve-index@~1.1.4
    • deps: serve-static@~1.4.1
  • deps: depd@0.4.3
    • Fix exception when global Error.stackTraceLimit is too low
  • deps: send@0.7.1
    • deps: depd@0.4.3

3.15.0 / 2014-07-22

  • Fix req.protocol for proxy-direct connections
  • Pass options from res.sendfile to send
  • deps: connect@2.24.0
    • deps: body-parser@~1.5.0
    • deps: compression@~1.0.9
    • deps: connect-timeout@~1.2.1
    • deps: debug@1.0.4
    • deps: depd@0.4.2
    • deps: express-session@~1.7.0
    • deps: finalhandler@0.1.0
    • deps: method-override@~2.1.2
    • deps: morgan@~1.2.0
    • deps: multiparty@3.3.1
    • deps: parseurl@~1.2.0
    • deps: serve-static@~1.4.0
  • deps: debug@1.0.4
  • deps: depd@0.4.2
    • Add TRACE_DEPRECATION environment variable
    • Remove non-standard grey color from color output
    • Support --no-deprecation argument
    • Support --trace-deprecation argument
  • deps: parseurl@~1.2.0
    • Cache URLs based on original value
    • Remove no-longer-needed URL mis-parse work-around
    • Simplify the "fast-path" RegExp
  • deps: send@0.7.0
    • Add dotfiles option
    • Cap maxAge value to 1 year
    • deps: debug@1.0.4
    • deps: depd@0.4.2

3.14.0 / 2014-07-11

  • add explicit "Rosetta Flash JSONP abuse" protection
    • previous versions are not vulnerable; this is just explicit protection
  • deprecate res.redirect(url, status) -- use res.redirect(status, url) instead
  • fix res.send(status, num) to send num as json (not error)
  • remove unnecessary escaping when res.jsonp returns JSON response
  • deps: basic-auth@1.0.0
    • support empty password
    • support empty username
  • deps: connect@2.23.0
    • deps: debug@1.0.3
    • deps: express-session@~1.6.4
    • deps: method-override@~2.1.0
    • deps: parseurl@~1.1.3
    • deps: serve-static@~1.3.1
  • deps: debug@1.0.3
    • Add support for multiple wildcards in namespaces
  • deps: methods@1.1.0
    • add CONNECT
  • deps: parseurl@~1.1.3
    • faster parsing of href-only URLs

3.13.0 / 2014-07-03

  • add deprecation message to app.configure
  • add deprecation message to req.auth
  • use basic-auth to parse Authorization header
  • deps: connect@2.22.0
    • deps: csurf@~1.3.0
    • deps: express-session@~1.6.1
    • deps: multiparty@3.3.0
    • deps: serve-static@~1.3.0
  • deps: send@0.5.0
    • Accept string for maxage (converted by ms)
    • Include link in default redirect response

3.12.1 / 2014-06-26

  • deps: connect@2.21.1
    • deps: cookie-parser@1.3.2
    • deps: cookie-signature@1.0.4
    • deps: express-session@~1.5.2
    • deps: type-is@~1.3.2
  • deps: cookie-signature@1.0.4
    • fix for timing attacks

3.12.0 / 2014-06-21

  • use media-typer to alter content-type charset
  • deps: connect@2.21.0
    • deprecate connect(middleware) -- use app.use(middleware) instead
    • deprecate connect.createServer() -- use connect() instead
    • fix res.setHeader() patch to work with get -> append -> set pattern
    • deps: compression@~1.0.8
    • deps: errorhandler@~1.1.1
    • deps: express-session@~1.5.0
    • deps: serve-index@~1.1.3

3.11.0 / 2014-06-19

  • deprecate things with depd module
  • deps: buffer-crc32@0.2.3
  • deps: connect@2.20.2
    • deprecate verify option to json -- use body-parser npm module instead
    • deprecate verify option to urlencoded -- use body-parser npm module instead
    • deprecate things with depd module
    • use finalhandler for final response handling
    • use media-typer to parse content-type for charset
    • deps: body-parser@1.4.3
    • deps: connect-timeout@1.1.1
    • deps: cookie-parser@1.3.1
    • deps: csurf@1.2.2
    • deps: errorhandler@1.1.0
    • deps: express-session@1.4.0
    • deps: multiparty@3.2.9
    • deps: serve-index@1.1.2
    • deps: type-is@1.3.1
    • deps: vhost@2.0.0

3.10.5 / 2014-06-11

  • deps: connect@2.19.6
    • deps: body-parser@1.3.1
    • deps: compression@1.0.7
    • deps: debug@1.0.2
    • deps: serve-index@1.1.1
    • deps: serve-static@1.2.3
  • deps: debug@1.0.2
  • deps: send@0.4.3
    • Do not throw uncatchable error on file open race condition
    • Use escape-html for HTML escaping
    • deps: debug@1.0.2
    • deps: finished@1.2.2
    • deps: fresh@0.2.2

3.10.4 / 2014-06-09

  • deps: connect@2.19.5
    • fix "event emitter leak" warnings
    • deps: csurf@1.2.1
    • deps: debug@1.0.1
    • deps: serve-static@1.2.2
    • deps: type-is@1.2.1
  • deps: debug@1.0.1
  • deps: send@0.4.2
    • fix "event emitter leak" warnings
    • deps: finished@1.2.1
    • deps: debug@1.0.1

3.10.3 / 2014-06-05

  • use vary module for res.vary
  • deps: connect@2.19.4
    • deps: errorhandler@1.0.2
    • deps: method-override@2.0.2
    • deps: serve-favicon@2.0.1
  • deps: debug@1.0.0

3.10.2 / 2014-06-03

  • deps: connect@2.19.3
    • deps: compression@1.0.6

3.10.1 / 2014-06-03

  • deps: connect@2.19.2
    • deps: compression@1.0.4
  • deps: proxy-addr@1.0.1

3.10.0 / 2014-06-02

  • deps: connect@2.19.1
    • deprecate methodOverride() -- use method-override npm module instead
    • deps: body-parser@1.3.0
    • deps: method-override@2.0.1
    • deps: multiparty@3.2.8
    • deps: response-time@2.0.0
    • deps: serve-static@1.2.1
  • deps: methods@1.0.1
  • deps: send@0.4.1
    • Send max-age in Cache-Control in correct format

3.9.0 / 2014-05-30

  • custom etag control with app.set('etag', val)
    • app.set('etag', function(body, encoding){ return '"etag"' }) custom etag generation
    • app.set('etag', 'weak') weak tag
    • app.set('etag', 'strong') strong etag
    • app.set('etag', false) turn off
    • app.set('etag', true) standard etag
  • Include ETag in HEAD requests
  • mark res.send ETag as weak and reduce collisions
  • update connect to 2.18.0
    • deps: compression@1.0.3
    • deps: serve-index@1.1.0
    • deps: serve-static@1.2.0
  • update send to 0.4.0
    • Calculate ETag with md5 for reduced collisions
    • Ignore stream errors after request ends
    • deps: debug@0.8.1

3.8.1 / 2014-05-27

  • update connect to 2.17.3
    • deps: body-parser@1.2.2
    • deps: express-session@1.2.1
    • deps: method-override@1.0.2

3.8.0 / 2014-05-21

  • keep previous Content-Type for res.jsonp
  • set proper charset in Content-Type for res.send
  • update connect to 2.17.1
    • fix res.charset appending charset when content-type has one
    • deps: express-session@1.2.0
    • deps: morgan@1.1.1
    • deps: serve-index@1.0.3

3.7.0 / 2014-05-18

  • proper proxy trust with app.set('trust proxy', trust)
    • app.set('trust proxy', 1) trust first hop
    • app.set('trust proxy', 'loopback') trust loopback addresses
    • app.set('trust proxy', '10.0.0.1') trust single IP
    • app.set('trust proxy', '10.0.0.1/16') trust subnet
    • app.set('trust proxy', '10.0.0.1, 10.0.0.2') trust list
    • app.set('trust proxy', false) turn off
    • app.set('trust proxy', true) trust everything
  • update connect to 2.16.2
    • deprecate res.headerSent -- use res.headersSent
    • deprecate res.on("header") -- use on-headers module instead
    • fix edge-case in res.appendHeader that would append in wrong order
    • json: use body-parser
    • urlencoded: use body-parser
    • dep: bytes@1.0.0
    • dep: cookie-parser@1.1.0
    • dep: csurf@1.2.0
    • dep: express-session@1.1.0
    • dep: method-override@1.0.1

3.6.0 / 2014-05-09

  • deprecate app.del() -- use app.delete() instead
  • deprecate res.json(obj, status) -- use res.json(status, obj) instead
    • the edge-case res.json(status, num) requires res.status(status).json(num)
  • deprecate res.jsonp(obj, status) -- use res.jsonp(status, obj) instead
    • the edge-case res.jsonp(status, num) requires res.status(status).jsonp(num)
  • support PURGE method
    • add app.purge
    • add router.purge
    • include PURGE in app.all
  • update connect to 2.15.0
    • Add res.appendHeader
    • Call error stack even when response has been sent
    • Patch res.headerSent to return Boolean
    • Patch res.headersSent for node.js 0.8
    • Prevent default 404 handler after response sent
    • dep: compression@1.0.2
    • dep: connect-timeout@1.1.0
    • dep: debug@^0.8.0
    • dep: errorhandler@1.0.1
    • dep: express-session@1.0.4
    • dep: morgan@1.0.1
    • dep: serve-favicon@2.0.0
    • dep: serve-index@1.0.2
  • update debug to 0.8.0
    • add enable() method
    • change from stderr to stdout
  • update methods to 1.0.0
    • add PURGE
  • update mkdirp to 0.5.0

3.5.3 / 2014-05-08

  • fix req.host for IPv6 literals
  • fix res.jsonp error if callback param is object

3.5.2 / 2014-04-24

  • update connect to 2.14.5
  • update cookie to 0.1.2
  • update mkdirp to 0.4.0
  • update send to 0.3.0

3.5.1 / 2014-03-25

  • pin less-middleware in generated app

3.5.0 / 2014-03-06

  • bump deps

3.4.8 / 2014-01-13

  • prevent incorrect automatic OPTIONS responses #1868 @dpatti
  • update binary and examples for jade 1.0 #1876 @yossi, #1877 @reqshark, #1892 @matheusazzi
  • throw 400 in case of malformed paths @rlidwka

3.4.7 / 2013-12-10

  • update connect

3.4.6 / 2013-12-01

  • update connect (raw-body)

3.4.5 / 2013-11-27

  • update connect
  • res.location: remove leading ./ #1802 @kapouer
  • res.redirect: fix `res.redirect('toString') #1829 @michaelficarra
  • res.send: always send ETag when content-length > 0
  • router: add Router.all() method

3.4.4 / 2013-10-29

  • update connect
  • update supertest
  • update methods
  • express(1): replace bodyParser() with urlencoded() and json() #1795 @chirag04

3.4.3 / 2013-10-23

  • update connect

3.4.2 / 2013-10-18

  • update connect
  • downgrade commander

3.4.1 / 2013-10-15

  • update connect
  • update commander
  • jsonp: check if callback is a function
  • router: wrap encodeURIComponent in a try/catch #1735 (@lxe)
  • res.format: now includes charset @1747 (@sorribas)
  • res.links: allow multiple calls @1746 (@sorribas)

3.4.0 / 2013-09-07

  • add res.vary(). Closes #1682
  • update connect

3.3.8 / 2013-09-02

  • update connect

3.3.7 / 2013-08-28

  • update connect

3.3.6 / 2013-08-27

  • Revert "remove charset from json responses. Closes #1631" (causes issues in some clients)
  • add: req.accepts take an argument list

3.3.4 / 2013-07-08

  • update send and connect

3.3.3 / 2013-07-04

  • update connect

3.3.2 / 2013-07-03

  • update connect
  • update send
  • remove .version export

3.3.1 / 2013-06-27

  • update connect

3.3.0 / 2013-06-26

  • update connect
  • add support for multiple X-Forwarded-Proto values. Closes #1646
  • change: remove charset from json responses. Closes #1631
  • change: return actual booleans from req.accept* functions
  • fix jsonp callback array throw

3.2.6 / 2013-06-02

  • update connect

3.2.5 / 2013-05-21

  • update connect
  • update node-cookie
  • add: throw a meaningful error when there is no default engine
  • change generation of ETags with res.send() to GET requests only. Closes #1619

3.2.4 / 2013-05-09

  • fix req.subdomains when no Host is present
  • fix req.host when no Host is present, return undefined

3.2.3 / 2013-05-07

  • update connect / qs

3.2.2 / 2013-05-03

  • update qs

3.2.1 / 2013-04-29

  • add app.VERB() paths array deprecation warning
  • update connect
  • update qs and remove all ~ semver crap
  • fix: accept number as value of Signed Cookie

3.2.0 / 2013-04-15

  • add "view" constructor setting to override view behaviour
  • add req.acceptsEncoding(name)
  • add req.acceptedEncodings
  • revert cookie signature change causing session race conditions
  • fix sorting of Accept values of the same quality

3.1.2 / 2013-04-12

  • add support for custom Accept parameters
  • update cookie-signature

3.1.1 / 2013-04-01

  • add X-Forwarded-Host support to req.host
  • fix relative redirects
  • update mkdirp
  • update buffer-crc32
  • remove legacy app.configure() method from app template.

3.1.0 / 2013-01-25

  • add support for leading "." in "view engine" setting
  • add array support to res.set()
  • add node 0.8.x to travis.yml
  • add "subdomain offset" setting for tweaking req.subdomains
  • add res.location(url) implementing res.redirect()-like setting of Location
  • use app.get() for x-powered-by setting for inheritance
  • fix colons in passwords for req.auth

3.0.6 / 2013-01-04

  • add http verb methods to Router
  • update connect
  • fix mangling of the res.cookie() options object
  • fix jsonp whitespace escape. Closes #1132

3.0.5 / 2012-12-19

  • add throwing when a non-function is passed to a route
  • fix: explicitly remove Transfer-Encoding header from 204 and 304 responses
  • revert "add 'etag' option"

3.0.4 / 2012-12-05

  • add 'etag' option to disable res.send() Etags
  • add escaping of urls in text/plain in res.redirect() for old browsers interpreting as html
  • change crc32 module for a more liberal license
  • update connect

3.0.3 / 2012-11-13

  • update connect
  • update cookie module
  • fix cookie max-age

3.0.2 / 2012-11-08

  • add OPTIONS to cors example. Closes #1398
  • fix route chaining regression. Closes #1397

3.0.1 / 2012-11-01

  • update connect

3.0.0 / 2012-10-23

  • add make clean
  • add "Basic" check to req.auth
  • add req.auth test coverage
  • add cb && cb(payload) to res.jsonp(). Closes #1374
  • add backwards compat for res.redirect() status. Closes #1336
  • add support for res.json() to retain previously defined Content-Types. Closes #1349
  • update connect
  • change res.redirect() to utilize a pathname-relative Location again. Closes #1382
  • remove non-primitive string support for res.send()
  • fix view-locals example. Closes #1370
  • fix route-separation example

3.0.0rc5 / 2012-09-18

  • update connect
  • add redis search example
  • add static-files example
  • add "x-powered-by" setting (app.disable('x-powered-by'))
  • add "application/octet-stream" redirect Accept test case. Closes #1317

3.0.0rc4 / 2012-08-30

  • add res.jsonp(). Closes #1307
  • add "verbose errors" option to error-pages example
  • add another route example to express(1) so people are not so confused
  • add redis online user activity tracking example
  • update connect dep
  • fix etag quoting. Closes #1310
  • fix error-pages 404 status
  • fix jsonp callback char restrictions
  • remove old OPTIONS default response

3.0.0rc3 / 2012-08-13

  • update connect dep
  • fix signed cookies to work with connect.cookieParser() ("s:" prefix was missing) [tnydwrds]
  • fix res.render() clobbering of "locals"

3.0.0rc2 / 2012-08-03

  • add CORS example
  • update connect dep
  • deprecate .createServer() & remove old stale examples
  • fix: escape res.redirect() link
  • fix vhost example

3.0.0rc1 / 2012-07-24

  • add more examples to view-locals
  • add scheme-relative redirects (res.redirect("//foo.com")) support
  • update cookie dep
  • update connect dep
  • update send dep
  • fix express(1) -h flag, use -H for hogan. Closes #1245
  • fix res.sendfile() socket error handling regression

3.0.0beta7 / 2012-07-16

  • update connect dep for send() root normalization regression

3.0.0beta6 / 2012-07-13

  • add err.view property for view errors. Closes #1226
  • add "jsonp callback name" setting
  • add support for "/foo/:bar*" non-greedy matches
  • change res.sendfile() to use send() module
  • change res.send to use "response-send" module
  • remove app.locals.use and res.locals.use, use regular middleware

3.0.0beta5 / 2012-07-03

  • add "make check" support
  • add route-map example
  • add res.json(obj, status) support back for BC
  • add "methods" dep, remove internal methods module
  • update connect dep
  • update auth example to utilize cores pbkdf2
  • updated tests to use "supertest"

3.0.0beta4 / 2012-06-25

  • Added req.auth
  • Added req.range(size)
  • Added res.links(obj)
  • Added res.send(body, status) support back for backwards compat
  • Added .default() support to res.format()
  • Added 2xx / 304 check to req.fresh
  • Revert "Added + support to the router"
  • Fixed res.send() freshness check, respect res.statusCode

3.0.0beta3 / 2012-06-15

  • Added hogan --hjs to express(1) [nullfirm]
  • Added another example to content-negotiation
  • Added fresh dep
  • Changed: res.send() always checks freshness
  • Fixed: expose connects mime module. Closes #1165

3.0.0beta2 / 2012-06-06

  • Added + support to the router
  • Added req.host
  • Changed req.param() to check route first
  • Update connect dep

3.0.0beta1 / 2012-06-01

  • Added res.format() callback to override default 406 behaviour
  • Fixed res.redirect() 406. Closes #1154

3.0.0alpha5 / 2012-05-30

  • Added req.ip
  • Added { signed: true } option to res.cookie()
  • Removed res.signedCookie()
  • Changed: dont reverse req.ips
  • Fixed "trust proxy" setting check for req.ips

3.0.0alpha4 / 2012-05-09

  • Added: allow [] in jsonp callback. Closes #1128
  • Added PORT env var support in generated template. Closes #1118 [benatkin]
  • Updated: connect 2.2.2

3.0.0alpha3 / 2012-05-04

  • Added public app.routes. Closes #887
  • Added view-locals example
  • Added mvc example
  • Added res.locals.use(). Closes #1120
  • Added conditional-GET support to res.send()
  • Added: coerce res.set() values to strings
  • Changed: moved static() in generated apps below router
  • Changed: res.send() only set ETag when not previously set
  • Changed connect 2.2.1 dep
  • Changed: make test now runs unit / acceptance tests
  • Fixed req/res proto inheritance

3.0.0alpha2 / 2012-04-26

  • Added make benchmark back
  • Added res.send() support for String objects
  • Added client-side data exposing example
  • Added res.header() and req.header() aliases for BC
  • Added express.createServer() for BC
  • Perf: memoize parsed urls
  • Perf: connect 2.2.0 dep
  • Changed: make expressInit() middleware self-aware
  • Fixed: use app.get() for all core settings
  • Fixed redis session example
  • Fixed session example. Closes #1105
  • Fixed generated express dep. Closes #1078

3.0.0alpha1 / 2012-04-15

  • Added app.locals.use(callback)
  • Added app.locals object
  • Added app.locals(obj)
  • Added res.locals object
  • Added res.locals(obj)
  • Added res.format() for content-negotiation
  • Added app.engine()
  • Added res.cookie() JSON cookie support
  • Added "trust proxy" setting
  • Added req.subdomains
  • Added req.protocol
  • Added req.secure
  • Added req.path
  • Added req.ips
  • Added req.fresh
  • Added req.stale
  • Added comma-delimited / array support for req.accepts()
  • Added debug instrumentation
  • Added res.set(obj)
  • Added res.set(field, value)
  • Added res.get(field)
  • Added app.get(setting). Closes #842
  • Added req.acceptsLanguage()
  • Added req.acceptsCharset()
  • Added req.accepted
  • Added req.acceptedLanguages
  • Added req.acceptedCharsets
  • Added "json replacer" setting
  • Added "json spaces" setting
  • Added X-Forwarded-Proto support to res.redirect(). Closes #92
  • Added --less support to express(1)
  • Added express.response prototype
  • Added express.request prototype
  • Added express.application prototype
  • Added app.path()
  • Added app.render()
  • Added res.type() to replace res.contentType()
  • Changed: res.redirect() to add relative support
  • Changed: enable "jsonp callback" by default
  • Changed: renamed "case sensitive routes" to "case sensitive routing"
  • Rewrite of all tests with mocha
  • Removed "root" setting
  • Removed res.redirect('home') support
  • Removed req.notify()
  • Removed app.register()
  • Removed app.redirect()
  • Removed app.is()
  • Removed app.helpers()
  • Removed app.dynamicHelpers()
  • Fixed res.sendfile() with non-GET. Closes #723
  • Fixed express(1) public dir for windows. Closes #866

2.5.9/ 2012-04-02

  • Added support for PURGE request method [pbuyle]
  • Fixed express(1) generated app app.address() before listening [mmalecki]

2.5.8 / 2012-02-08

  • Update mkdirp dep. Closes #991

2.5.7 / 2012-02-06

  • Fixed app.all duplicate DELETE requests [mscdex]

2.5.6 / 2012-01-13

  • Updated hamljs dev dep. Closes #953

2.5.5 / 2012-01-08

  • Fixed: set filename on cached templates [matthewleon]

2.5.4 / 2012-01-02

  • Fixed express(1) eol on 0.4.x. Closes #947

2.5.3 / 2011-12-30

  • Fixed req.is() when a charset is present

2.5.2 / 2011-12-10

  • Fixed: express(1) LF -> CRLF for windows

2.5.1 / 2011-11-17

  • Changed: updated connect to 1.8.x
  • Removed sass.js support from express(1)

2.5.0 / 2011-10-24

  • Added ./routes dir for generated app by default
  • Added npm install reminder to express(1) app gen
  • Added 0.5.x support
  • Removed make test-cov since it wont work with node 0.5.x
  • Fixed express(1) public dir for windows. Closes #866

2.4.7 / 2011-10-05

  • Added mkdirp to express(1). Closes #795
  • Added simple json-config example
  • Added shorthand for the parsed request's pathname via req.path
  • Changed connect dep to 1.7.x to fix npm issue...
  • Fixed res.redirect() HEAD support. [reported by xerox]
  • Fixed req.flash(), only escape args
  • Fixed absolute path checking on windows. Closes #829 [reported by andrewpmckenzie]

2.4.6 / 2011-08-22

  • Fixed multiple param callback regression. Closes #824 [reported by TroyGoode]

2.4.5 / 2011-08-19

  • Added support for routes to handle errors. Closes #809
  • Added app.routes.all(). Closes #803
  • Added "basepath" setting to work in conjunction with reverse proxies etc.
  • Refactored Route to use a single array of callbacks
  • Added support for multiple callbacks for app.param(). Closes #801 Closes #805
  • Changed: removed .call(self) for route callbacks
  • Dependency: qs >= 0.3.1
  • Fixed res.redirect() on windows due to join() usage. Closes #808

2.4.4 / 2011-08-05

  • Fixed res.header() intention of a set, even when undefined
  • Fixed *, value no longer required
  • Fixed res.send(204) support. Closes #771

2.4.3 / 2011-07-14

  • Added docs for status option special-case. Closes #739
  • Fixed options.filename, exposing the view path to template engines

2.4.2. / 2011-07-06

  • Revert "removed jsonp stripping" for XSS

2.4.1 / 2011-07-06

  • Added res.json() JSONP support. Closes #737
  • Added extending-templates example. Closes #730
  • Added "strict routing" setting for trailing slashes
  • Added support for multiple envs in app.configure() calls. Closes #735
  • Changed: res.send() using res.json()
  • Changed: when cookie path === null don't default it
  • Changed; default cookie path to "home" setting. Closes #731
  • Removed pids/logs creation from express(1)

2.4.0 / 2011-06-28

  • Added chainable res.status(code)
  • Added res.json(), an explicit version of res.send(obj)
  • Added simple web-service example

2.3.12 / 2011-06-22

  • #express is now on freenode! come join!
  • Added req.get(field, param)
  • Added links to Japanese documentation, thanks @hideyukisaito!
  • Added; the express(1) generated app outputs the env
  • Added content-negotiation example
  • Dependency: connect >= 1.5.1 < 2.0.0
  • Fixed view layout bug. Closes #720
  • Fixed; ignore body on 304. Closes #701

2.3.11 / 2011-06-04

  • Added npm test
  • Removed generation of dummy test file from express(1)
  • Fixed; express(1) adds express as a dep
  • Fixed; prune on prepublish

2.3.10 / 2011-05-27

  • Added req.route, exposing the current route
  • Added package.json generation support to express(1)
  • Fixed call to app.param() function for optional params. Closes #682

2.3.9 / 2011-05-25

  • Fixed bug-ish with ../' in res.partial()` calls

2.3.8 / 2011-05-24

  • Fixed app.options()

2.3.7 / 2011-05-23

  • Added route Collection, ex: app.get('/user/:id').remove();
  • Added support for app.param(fn) to define param logic
  • Removed app.param() support for callback with return value
  • Removed module.parent check from express(1) generated app. Closes #670
  • Refactored router. Closes #639

2.3.6 / 2011-05-20

  • Changed; using devDependencies instead of git submodules
  • Fixed redis session example
  • Fixed markdown example
  • Fixed view caching, should not be enabled in development

2.3.5 / 2011-05-20

  • Added export .view as alias for .View

2.3.4 / 2011-05-08

  • Added ./examples/say
  • Fixed res.sendfile() bug preventing the transfer of files with spaces

2.3.3 / 2011-05-03

  • Added "case sensitive routes" option.
  • Changed; split methods supported per rfc [slaskis]
  • Fixed route-specific middleware when using the same callback function several times

2.3.2 / 2011-04-27

  • Fixed view hints

2.3.1 / 2011-04-26

  • Added app.match() as app.match.all()
  • Added app.lookup() as app.lookup.all()
  • Added app.remove() for app.remove.all()
  • Added app.remove.VERB()
  • Fixed template caching collision issue. Closes #644
  • Moved router over from connect and started refactor

2.3.0 / 2011-04-25

  • Added options support to res.clearCookie()
  • Added res.helpers() as alias of res.locals()
  • Added; json defaults to UTF-8 with res.send(). Closes #632. [Daniel * Dependency connect >= 1.4.0
  • Changed; auto set Content-Type in res.attachement [Aaron Heckmann]
  • Renamed "cache views" to "view cache". Closes #628
  • Fixed caching of views when using several apps. Closes #637
  • Fixed gotcha invoking app.param() callbacks once per route middleware. Closes #638
  • Fixed partial lookup precedence. Closes #631 Shaw]

2.2.2 / 2011-04-12

  • Added second callback support for res.download() connection errors
  • Fixed filename option passing to template engine

2.2.1 / 2011-04-04

  • Added layout(path) helper to change the layout within a view. Closes #610

  • Fixed partial() collection object support. Previously only anything with .length would work. When .length is present one must still be aware of holes, however now { collection: {foo: 'bar'}} is valid, exposes keyInCollection and keysInCollection.

  • Performance improved with better view caching

  • Removed request and response locals

  • Changed; errorHandler page title is now Express instead of Connect

2.2.0 / 2011-03-30

  • Added app.lookup.VERB(), ex app.lookup.put('/user/:id'). Closes #606
  • Added app.match.VERB(), ex app.match.put('/user/12'). Closes #606
  • Added app.VERB(path) as alias of app.lookup.VERB().
  • Dependency connect >= 1.2.0

2.1.1 / 2011-03-29

  • Added; expose err.view object when failing to locate a view
  • Fixed res.partial() call next(err) when no callback is given [reported by aheckmann]
  • Fixed; res.send(undefined) responds with 204 [aheckmann]

2.1.0 / 2011-03-24

  • Added <root>/_?<name> partial lookup support. Closes #447
  • Added request, response, and app local variables
  • Added settings local variable, containing the app's settings
  • Added req.flash() exception if req.session is not available
  • Added res.send(bool) support (json response)
  • Fixed stylus example for latest version
  • Fixed; wrap try/catch around res.render()

2.0.0 / 2011-03-17

  • Fixed up index view path alternative.
  • Changed; res.locals() without object returns the locals

2.0.0rc3 / 2011-03-17

  • Added res.locals(obj) to compliment res.local(key, val)
  • Added res.partial() callback support
  • Fixed recursive error reporting issue in res.render()

2.0.0rc2 / 2011-03-17

  • Changed; partial() "locals" are now optional
  • Fixed SlowBuffer support. Closes #584 [reported by tyrda01]
  • Fixed .filename view engine option [reported by drudge]
  • Fixed blog example
  • Fixed {req,res}.app reference when mounting [Ben Weaver]

2.0.0rc / 2011-03-14

  • Fixed; expose HTTPSServer constructor
  • Fixed express(1) default test charset. Closes #579 [reported by secoif]
  • Fixed; default charset to utf-8 instead of utf8 for lame IE [reported by NickP]

2.0.0beta3 / 2011-03-09

  • Added support for res.contentType() literal The original res.contentType('.json'), res.contentType('application/json'), and res.contentType('json') will work now.
  • Added res.render() status option support back
  • Added charset option for res.render()
  • Added .charset support (via connect 1.0.4)
  • Added view resolution hints when in development and a lookup fails
  • Added layout lookup support relative to the page view. For example while rendering ./views/user/index.jade if you create ./views/user/layout.jade it will be used in favour of the root layout.
  • Fixed res.redirect(). RFC states absolute url [reported by unlink]
  • Fixed; default res.send() string charset to utf8
  • Removed Partial constructor (not currently used)

2.0.0beta2 / 2011-03-07

  • Added res.render() .locals support back to aid in migration process
  • Fixed flash example

2.0.0beta / 2011-03-03

  • Added HTTPS support
  • Added res.cookie() maxAge support
  • Added req.header() Referrer / Referer special-case, either works
  • Added mount support for res.redirect(), now respects the mount-point
  • Added union() util, taking place of merge(clone()) combo
  • Added stylus support to express(1) generated app
  • Added secret to session middleware used in examples and generated app
  • Added res.local(name, val) for progressive view locals
  • Added default param support to req.param(name, default)
  • Added app.disabled() and app.enabled()
  • Added app.register() support for omitting leading ".", either works
  • Added res.partial(), using the same interface as partial() within a view. Closes #539
  • Added app.param() to map route params to async/sync logic
  • Added; aliased app.helpers() as app.locals(). Closes #481
  • Added extname with no leading "." support to res.contentType()
  • Added cache views setting, defaulting to enabled in "production" env
  • Added index file partial resolution, eg: partial('user') may try views/user/index.jade.
  • Added req.accepts() support for extensions
  • Changed; res.download() and res.sendfile() now utilize Connect's static file server connect.static.send().
  • Changed; replaced connect.utils.mime() with npm mime module
  • Changed; allow req.query to be pre-defined (via middleware or other parent
  • Changed view partial resolution, now relative to parent view
  • Changed view engine signature. no longer engine.render(str, options, callback), now engine.compile(str, options) -> Function, the returned function accepts fn(locals).
  • Fixed req.param() bug returning Array.prototype methods. Closes #552
  • Fixed; using Stream#pipe() instead of sys.pump() in res.sendfile()
  • Fixed; using qs module instead of querystring
  • Fixed; strip unsafe chars from jsonp callbacks
  • Removed "stream threshold" setting

1.0.8 / 2011-03-01

  • Allow req.query to be pre-defined (via middleware or other parent app)
  • "connect": ">= 0.5.0 < 1.0.0". Closes #547
  • Removed the long deprecated EXPRESS_ENV support

1.0.7 / 2011-02-07

  • Fixed render() setting inheritance. Mounted apps would not inherit "view engine"

1.0.6 / 2011-02-07

  • Fixed view engine setting bug when period is in dirname

1.0.5 / 2011-02-05

  • Added secret to generated app session() call

1.0.4 / 2011-02-05

  • Added qs dependency to package.json
  • Fixed namespaced require()s for latest connect support

1.0.3 / 2011-01-13

  • Remove unsafe characters from JSONP callback names [Ryan Grove]

1.0.2 / 2011-01-10

  • Removed nested require, using connect.router

1.0.1 / 2010-12-29

  • Fixed for middleware stacked via createServer() previously the foo middleware passed to createServer(foo) would not have access to Express methods such as res.send() or props like req.query etc.

1.0.0 / 2010-11-16

  • Added; deduce partial object names from the last segment. For example by default partial('forum/post', postObject) will give you the post object, providing a meaningful default.
  • Added http status code string representation to res.redirect() body
  • Added; res.redirect() supporting text/plain and text/html via Accept.
  • Added req.is() to aid in content negotiation
  • Added partial local inheritance [suggested by masylum]. Closes #102 providing access to parent template locals.
  • Added -s, --session[s] flag to express(1) to add session related middleware
  • Added --template flag to express(1) to specify the template engine to use.
  • Added --css flag to express(1) to specify the stylesheet engine to use (or just plain css by default).
  • Added app.all() support [thanks aheckmann]
  • Added partial direct object support. You may now partial('user', user) providing the "user" local, vs previously partial('user', { object: user }).
  • Added route-separation example since many people question ways to do this with CommonJS modules. Also view the blog example for an alternative.
  • Performance; caching view path derived partial object names
  • Fixed partial local inheritance precedence. [reported by Nick Poulden] Closes #454
  • Fixed jsonp support; text/javascript as per mailinglist discussion

1.0.0rc4 / 2010-10-14

  • Added NODE_ENV support, EXPRESS_ENV is deprecated and will be removed in 1.0.0
  • Added route-middleware support (very helpful, see the docs)
  • Added jsonp callback setting to enable/disable jsonp autowrapping [Dav Glass]
  • Added callback query check on response.send to autowrap JSON objects for simple webservice implementations [Dav Glass]
  • Added partial() support for array-like collections. Closes #434
  • Added support for swappable querystring parsers
  • Added session usage docs. Closes #443
  • Added dynamic helper caching. Closes #439 [suggested by maritz]
  • Added authentication example
  • Added basic Range support to res.sendfile() (and res.download() etc)
  • Changed; express(1) generated app using 2 spaces instead of 4
  • Default env to "development" again [aheckmann]
  • Removed context option is no more, use "scope"
  • Fixed; exposing ./support libs to examples so they can run without installs
  • Fixed mvc example

1.0.0rc3 / 2010-09-20

  • Added confirmation for express(1) app generation. Closes #391
  • Added extending of flash formatters via app.flashFormatters
  • Added flash formatter support. Closes #411
  • Added streaming support to res.sendfile() using sys.pump() when >= "stream threshold"
  • Added stream threshold setting for res.sendfile()
  • Added res.send() HEAD support
  • Added res.clearCookie()
  • Added res.cookie()
  • Added res.render() headers option
  • Added res.redirect() response bodies
  • Added res.render() status option support. Closes #425 [thanks aheckmann]
  • Fixed res.sendfile() responding with 403 on malicious path
  • Fixed res.download() bug; when an error occurs remove Content-Disposition
  • Fixed; mounted apps settings now inherit from parent app [aheckmann]
  • Fixed; stripping Content-Length / Content-Type when 204
  • Fixed res.send() 204. Closes #419
  • Fixed multiple Set-Cookie headers via res.header(). Closes #402
  • Fixed bug messing with error handlers when listenFD() is called instead of listen(). [thanks guillermo]

1.0.0rc2 / 2010-08-17

  • Added app.register() for template engine mapping. Closes #390
  • Added res.render() callback support as second argument (no options)
  • Added callback support to res.download()
  • Added callback support for res.sendfile()
  • Added support for middleware access via express.middlewareName() vs connect.middlewareName()
  • Added "partials" setting to docs
  • Added default expresso tests to express(1) generated app. Closes #384
  • Fixed res.sendfile() error handling, defer via next()
  • Fixed res.render() callback when a layout is used [thanks guillermo]
  • Fixed; make install creating ~/.node_libraries when not present
  • Fixed issue preventing error handlers from being defined anywhere. Closes #387

1.0.0rc / 2010-07-28

  • Added mounted hook. Closes #369

  • Added connect dependency to package.json

  • Removed "reload views" setting and support code development env never caches, production always caches.

  • Removed param in route callbacks, signature is now simply (req, res, next), previously (req, res, params, next). Use req.params for path captures, req.query for GET params.

  • Fixed "home" setting

  • Fixed middleware/router precedence issue. Closes #366

  • Fixed; configure() callbacks called immediately. Closes #368

1.0.0beta2 / 2010-07-23

  • Added more examples
  • Added; exporting Server constructor
  • Added Server#helpers() for view locals
  • Added Server#dynamicHelpers() for dynamic view locals. Closes #349
  • Added support for absolute view paths
  • Added; home setting defaults to Server#route for mounted apps. Closes #363
  • Added Guillermo Rauch to the contributor list
  • Added support for "as" for non-collection partials. Closes #341
  • Fixed install.sh, ensuring ~/.node_libraries exists. Closes #362 [thanks jf]
  • Fixed res.render() exceptions, now passed to next() when no callback is given [thanks guillermo]
  • Fixed instanceof Array checks, now Array.isArray()
  • Fixed express(1) expansion of public dirs. Closes #348
  • Fixed middleware precedence. Closes #345
  • Fixed view watcher, now async [thanks aheckmann]

1.0.0beta / 2010-07-15

  • Re-write
    • much faster
    • much lighter
    • Check ExpressJS.com for migration guide and updated docs

0.14.0 / 2010-06-15

  • Utilize relative requires
  • Added Static bufferSize option [aheckmann]
  • Fixed caching of view and partial subdirectories [aheckmann]
  • Fixed mime.type() comments now that ".ext" is not supported
  • Updated haml submodule
  • Updated class submodule
  • Removed bin/express

0.13.0 / 2010-06-01

  • Added node v0.1.97 compatibility
  • Added support for deleting cookies via Request#cookie('key', null)
  • Updated haml submodule
  • Fixed not-found page, now using charset utf-8
  • Fixed show-exceptions page, now using charset utf-8
  • Fixed view support due to fs.readFile Buffers
  • Changed; mime.type() no longer accepts ".type" due to node extname() changes

0.12.0 / 2010-05-22

  • Added node v0.1.96 compatibility
  • Added view helpers export which act as additional local variables
  • Updated haml submodule
  • Changed ETag; removed inode, modified time only
  • Fixed LF to CRLF for setting multiple cookies
  • Fixed cookie compilation; values are now urlencoded
  • Fixed cookies parsing; accepts quoted values and url escaped cookies

0.11.0 / 2010-05-06

  • Added support for layouts using different engines
    • this.render('page.html.haml', { layout: 'super-cool-layout.html.ejs' })
    • this.render('page.html.haml', { layout: 'foo' }) // assumes 'foo.html.haml'
    • this.render('page.html.haml', { layout: false }) // no layout
  • Updated ext submodule
  • Updated haml submodule
  • Fixed EJS partial support by passing along the context. Issue #307

0.10.1 / 2010-05-03

  • Fixed binary uploads.

0.10.0 / 2010-04-30

  • Added charset support via Request#charset (automatically assigned to 'UTF-8' when respond()'s encoding is set to 'utf8' or 'utf-8').
  • Added "encoding" option to Request#render(). Closes #299
  • Added "dump exceptions" setting, which is enabled by default.
  • Added simple ejs template engine support
  • Added error response support for text/plain, application/json. Closes #297
  • Added callback function param to Request#error()
  • Added Request#sendHead()
  • Added Request#stream()
  • Added support for Request#respond(304, null) for empty response bodies
  • Added ETag support to Request#sendfile()
  • Added options to Request#sendfile(), passed to fs.createReadStream()
  • Added filename arg to Request#download()
  • Performance enhanced due to pre-reversing plugins so that plugins.reverse() is not called on each request
  • Performance enhanced by preventing several calls to toLowerCase() in Router#match()
  • Changed; Request#sendfile() now streams
  • Changed; Renamed Request#halt() to Request#respond(). Closes #289
  • Changed; Using sys.inspect() instead of JSON.encode() for error output
  • Changed; run() returns the http.Server instance. Closes #298
  • Changed; Defaulting Server#host to null (INADDR_ANY)
  • Changed; Logger "common" format scale of 0.4f
  • Removed Logger "request" format
  • Fixed; Catching ENOENT in view caching, preventing error when "views/partials" is not found
  • Fixed several issues with http client
  • Fixed Logger Content-Length output
  • Fixed bug preventing Opera from retaining the generated session id. Closes #292

0.9.0 / 2010-04-14

  • Added DSL level error() route support
  • Added DSL level notFound() route support
  • Added Request#error()
  • Added Request#notFound()
  • Added Request#render() callback function. Closes #258
  • Added "max upload size" setting
  • Added "magic" variables to collection partials (__index__, __length__, __isFirst__, __isLast__). Closes #254
  • Added haml.js submodule; removed haml-js
  • Added callback function support to Request#halt() as 3rd/4th arg
  • Added preprocessing of route param wildcards using param(). Closes #251
  • Added view partial support (with collections etc.)
  • Fixed bug preventing falsey params (such as ?page=0). Closes #286
  • Fixed setting of multiple cookies. Closes #199
  • Changed; view naming convention is now NAME.TYPE.ENGINE (for example page.html.haml)
  • Changed; session cookie is now httpOnly
  • Changed; Request is no longer global
  • Changed; Event is no longer global
  • Changed; "sys" module is no longer global
  • Changed; moved Request#download to Static plugin where it belongs
  • Changed; Request instance created before body parsing. Closes #262
  • Changed; Pre-caching views in memory when "cache view contents" is enabled. Closes #253
  • Changed; Pre-caching view partials in memory when "cache view partials" is enabled
  • Updated support to node --version 0.1.90
  • Updated dependencies
  • Removed set("session cookie") in favour of use(Session, { cookie: { ... }})
  • Removed utils.mixin(); use Object#mergeDeep()

0.8.0 / 2010-03-19

  • Added coffeescript example app. Closes #242
  • Changed; cache api now async friendly. Closes #240
  • Removed deprecated 'express/static' support. Use 'express/plugins/static'

0.7.6 / 2010-03-19

  • Added Request#isXHR. Closes #229
  • Added make install (for the executable)
  • Added express executable for setting up simple app templates
  • Added "GET /public/*" to Static plugin, defaulting to /public
  • Added Static plugin
  • Fixed; Request#render() only calls cache.get() once
  • Fixed; Namespacing View caches with "view:"
  • Fixed; Namespacing Static caches with "static:"
  • Fixed; Both example apps now use the Static plugin
  • Fixed set("views"). Closes #239
  • Fixed missing space for combined log format
  • Deprecated Request#sendfile() and 'express/static'
  • Removed Server#running

0.7.5 / 2010-03-16

  • Added Request#flash() support without args, now returns all flashes
  • Updated ext submodule

0.7.4 / 2010-03-16

  • Fixed session reaper
  • Changed; class.js replacing js-oo Class implementation (quite a bit faster, no browser cruft)

0.7.3 / 2010-03-16

  • Added package.json
  • Fixed requiring of haml / sass due to kiwi removal

0.7.2 / 2010-03-16

  • Fixed GIT submodules (HAH!)

0.7.1 / 2010-03-16

  • Changed; Express now using submodules again until a PM is adopted
  • Changed; chat example using millisecond conversions from ext

0.7.0 / 2010-03-15

  • Added Request#pass() support (finds the next matching route, or the given path)
  • Added Logger plugin (default "common" format replaces CommonLogger)
  • Removed Profiler plugin
  • Removed CommonLogger plugin

0.6.0 / 2010-03-11

  • Added seed.yml for kiwi package management support

  • Added HTTP client query string support when method is GET. Closes #205

  • Added support for arbitrary view engines. For example "foo.engine.html" will now require('engine'), the exports from this module are cached after the first require().

  • Added async plugin support

  • Removed usage of RESTful route funcs as http client get() etc, use http.get() and friends

  • Removed custom exceptions

0.5.0 / 2010-03-10

  • Added ext dependency (library of js extensions)
  • Removed extname() / basename() utils. Use path module
  • Removed toArray() util. Use arguments.values
  • Removed escapeRegexp() util. Use RegExp.escape()
  • Removed process.mixin() dependency. Use utils.mixin()
  • Removed Collection
  • Removed ElementCollection
  • Shameless self promotion of ebook "Advanced JavaScript" (http://dev-mag.com) ;)

0.4.0 / 2010-02-11

  • Added flash() example to sample upload app
  • Added high level restful http client module (express/http)
  • Changed; RESTful route functions double as HTTP clients. Closes #69
  • Changed; throwing error when routes are added at runtime
  • Changed; defaulting render() context to the current Request. Closes #197
  • Updated haml submodule

0.3.0 / 2010-02-11

  • Updated haml / sass submodules. Closes #200
  • Added flash message support. Closes #64
  • Added accepts() now allows multiple args. fixes #117
  • Added support for plugins to halt. Closes #189
  • Added alternate layout support. Closes #119
  • Removed Route#run(). Closes #188
  • Fixed broken specs due to use(Cookie) missing

0.2.1 / 2010-02-05

  • Added "plot" format option for Profiler (for gnuplot processing)
  • Added request number to Profiler plugin
  • Fixed binary encoding for multipart file uploads, was previously defaulting to UTF8
  • Fixed issue with routes not firing when not files are present. Closes #184
  • Fixed process.Promise -> events.Promise

0.2.0 / 2010-02-03

  • Added parseParam() support for name[] etc. (allows for file inputs with "multiple" attr) Closes #180
  • Added Both Cache and Session option "reapInterval" may be "reapEvery". Closes #174
  • Added expiration support to cache api with reaper. Closes #133
  • Added cache Store.Memory#reap()
  • Added Cache; cache api now uses first class Cache instances
  • Added abstract session Store. Closes #172
  • Changed; cache Memory.Store#get() utilizing Collection
  • Renamed MemoryStore -> Store.Memory
  • Fixed use() of the same plugin several time will always use latest options. Closes #176

0.1.0 / 2010-02-03

  • Changed; Hooks (before / after) pass request as arg as well as evaluated in their context
  • Updated node support to 0.1.27 Closes #169
  • Updated dirname(__filename) -> __dirname
  • Updated libxmljs support to v0.2.0
  • Added session support with memory store / reaping
  • Added quick uid() helper
  • Added multi-part upload support
  • Added Sass.js support / submodule
  • Added production env caching view contents and static files
  • Added static file caching. Closes #136
  • Added cache plugin with memory stores
  • Added support to StaticFile so that it works with non-textual files.
  • Removed dirname() helper
  • Removed several globals (now their modules must be required)

0.0.2 / 2010-01-10

  • Added view benchmarks; currently haml vs ejs
  • Added Request#attachment() specs. Closes #116
  • Added use of node's parseQuery() util. Closes #123
  • Added make init for submodules
  • Updated Haml
  • Updated sample chat app to show messages on load
  • Updated libxmljs parseString -> parseHtmlString
  • Fixed make init to work with older versions of git
  • Fixed specs can now run independent specs for those who can't build deps. Closes #127
  • Fixed issues introduced by the node url module changes. Closes 126.
  • Fixed two assertions failing due to Collection#keys() returning strings
  • Fixed faulty Collection#toArray() spec due to keys() returning strings
  • Fixed make test now builds libxmljs.node before testing

0.0.1 / 2010-01-03

  • Initial release