Merge pull request #26 from expressjs/master

Create a new pull request by comparing changes across two branches

Author: GulajavaMinistudio

.github/workflows/ci.yml

@@ -30,7 +30,6 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 'lts/*'
-          persist-credentials: false
 
       - name: Install dependencies
         run: npm install --ignore-scripts --only=dev

.github/workflows/scorecard.yml

@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '16 21 * * 1'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2
+        with:
+          sarif_file: results.sarif

History.md

@@ -1,7 +1,14 @@
 unreleased
 ========================
 
+* Remove `utils-merge` dependency - use spread syntax instead
 * Remove `Object.setPrototypeOf` polyfill
+* cleanup: remove AsyncLocalStorage check from tests
+* cleanup: remove unnecessary require for global Buffer
+* perf: use loop for acceptParams
+* Replace `methods` dependency with standard library
+* refactor: prefix built-in node module imports
+* Remove unused `depd` dependency
 
 5.0.1 / 2024-10-08
 ==========

Readme.md

@@ -20,7 +20,6 @@
 
 
 [![NPM Version][npm-version-image]][npm-url]
-[![NPM Install Size][npm-install-size-image]][npm-install-size-url]
 [![NPM Downloads][npm-downloads-image]][npm-downloads-url]
 [![OpenSSF Scorecard Badge][ossf-scorecard-badge]][ossf-scorecard-visualizer]
 
@@ -210,7 +209,9 @@ The original author of Express is [TJ Holowaychuk](https://github.com/tj)
 * [dakshkhetan](https://github.com/dakshkhetan) - **Daksh Khetan** (he/him)
 * [lucasraziel](https://github.com/lucasraziel) - **Lucas Soares Do Rego**
 * [IamLizu](https://github.com/IamLizu) - **S M Mahmudul Hasan** (he/him)
+* [Phillip9587](https://github.com/Phillip9587) - **Phillip Barta**
 * [Sushmeet](https://github.com/Sushmeet) - **Sushmeet Sunger**
+* [rxmarbles](https://github.com/rxmarbles) **Rick Markins** (He/him)
 
 <details>
 <summary>Triagers emeriti members</summary>
@@ -256,8 +257,6 @@ The original author of Express is [TJ Holowaychuk](https://github.com/tj)
 [github-actions-ci-url]: https://github.com/expressjs/express/actions/workflows/ci.yml
 [npm-downloads-image]: https://badgen.net/npm/dm/express
 [npm-downloads-url]: https://npmcharts.com/compare/express?minimal=true
-[npm-install-size-image]: https://badgen.net/packagephobia/install/express
-[npm-install-size-url]: https://packagephobia.com/result?p=express
 [npm-url]: https://npmjs.org/package/express
 [npm-version-image]: https://badgen.net/npm/v/express
 [ossf-scorecard-badge]: https://api.scorecard.dev/projects/github.com/expressjs/express/badge

Release-Process.md

@@ -129,9 +129,10 @@ $ git merge --ff-only <proposal-branch>
 <release-branch> - see "Release branch" of "Branches" above.
 <proposal-branch> - see "Proposal branch" of "Non-patch flow" above.
 
-**NOTE:** You may need to rebase the proposal branch to allow a fast-forward
-          merge. Using a fast-forward merge keeps the history clean as it does
-          not introduce merge commits.
+> [!NOTE]
+> You may need to rebase the proposal branch to allow a fast-forward
+> merge. Using a fast-forward merge keeps the history clean as it does
+> not introduce merge commits.
 
 ### Step 3. Update the History.md and package.json to the new version number
 
@@ -189,11 +190,13 @@ $ npm login <npm-username>
 $ npm publish
 ```
 
-**NOTE:** The version number to publish will be picked up automatically from
-          package.json.
+> [!NOTE]
+> The version number to publish will be picked up automatically from 
+> package.json.
           
 ### Step 7. Update documentation website
 
-The documentation website https://expressjs.com/ documents the current release version in various places.  For a new release:
-1. Change the value of `current_version` in https://github.com/expressjs/expressjs.com/blob/gh-pages/_data/express.yml to match the latest version number.
-2. Add a new section to the change log.  For example, for a 4.x release, https://github.com/expressjs/expressjs.com/blob/gh-pages/en/changelog/4x.md,
+The documentation website https://expressjs.com/ documents the current release version in various places. To update these, follow these steps:
+
+1. Manually run the [`Update External Docs` workflow](https://github.com/expressjs/expressjs.com/actions/workflows/update-external-docs.yml) in expressjs.com repository.
+2. Add a new section to the [changelog](https://github.com/expressjs/expressjs.com/blob/gh-pages/en/changelog/index.md) in the expressjs.com website.

Triager-Guide.md

@@ -68,3 +68,5 @@ If you have questions feel free to reach out to any of the TC members.
 - For recurring issues, it is helpful to create functional examples to demonstrate (publish as gists or a repo)
 - Review and identify the maintainers. If necessary, at-mention one or more of them if you are unsure what to do
 - Make sure all your interactions are professional, welcoming, and respectful to the parties involved.
+- When an issue refers to security concerns, responsibility is delegated to the repository captain or the security group in any public communication. 
+  - If an issue has been open for a long time, the person in charge should be contacted internally through the private Slack chat.

examples/auth/index.js

@@ -6,7 +6,7 @@
 
 var express = require('../..');
 var hash = require('pbkdf2-password')()
-var path = require('path');
+var path = require('node:path');
 var session = require('express-session');
 
 var app = module.exports = express();

examples/auth/views/head.ejs

@@ -10,7 +10,7 @@
         font: 13px Helvetica, Arial, sans-serif;
       }
       .error {
-          color: red
+          color: red;
       }
       .success {
           color: green;

examples/downloads/index.js

@@ -5,7 +5,7 @@
  */
 
 var express = require('../../');
-var path = require('path');
+var path = require('node:path');
 
 var app = module.exports = express();
 

examples/ejs/index.js

@@ -5,7 +5,7 @@
  */
 
 var express = require('../../');
-var path = require('path');
+var path = require('node:path');
 
 var app = module.exports = express();