The 4.14.1 patch release includes bug fixes and performance improvements, including:
Update to pillarjs/finalhandler module fixes an exception when Express handles an Error object which has a headers property that is not an object.
For a complete list of changes in this release, see History.md.
The 4.14.0 minor release includes bug fixes, a security update, performance improvements, and other minor feature additions, including:
Starting with this version, Express supports Node.js 6.x.
Update to jshttp/negotiator module fixes a regular expression denial of service vulnerability.
res.sendFile now accepts two new options, acceptRanges and cacheControl.
acceptRanges (default is true) enables or disables accepting ranged requests. When disabled, the response does not send the Accept-Ranges header and ignores the contents of the Range request header.
cacheControl (default is true) enables or disables the Cache-Control response header. When disabled, the maxAge option is ignored.
res.sendFile has also been updated to handle Range header and redirections better.
res.location and res.redirect will now URL-encode the URL string, if it is not already encoded.
The performance of res.json and res.jsonp methods has been improved in most cases.
The jshttp/cookie module (in addition to a number of other improvements) now supports the sameSite option to let you specify the SameSite cookie attribute. NOTE: This attribute has not yet been fully standardized, may change in the future, and many clients may ignore it.
The possible values for the sameSite option are:
true, which sets the SameSite attribute to Strict for strict same site enforcement.
false, which does not set the SameSite attribute.
'lax', which sets the SameSite attribute to Lax for lax same site enforcement.
'strict', which sets the SameSite attribute to Strict for strict same site enforcement.
Absolute path checking on Windows, which was incorrect for some cases, has been fixed.
IP address resolution with proxies has been greatly improved.
The req.range options object now includes a combine option (false by default), which when true, combines overlapping and adjacent ranges and returns them as if they were specified that way in the header.
For a complete list of changes in this release, see History.md.
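The combining behaviour described above for the req.range combine option, as an added stand-alone Node.js illustration that is not Express or range-parser code: it merges overlapping and adjacent byte ranges and returns them in the order they first appeared in the header. The function names parseByteRanges and combineRanges, the -1/-2 return codes and the sample header strings are assumptions made for this example.

```javascript
// Merge overlapping and adjacent ranges, keeping the header's original order.
function combineRanges(ranges) {
  const sorted = ranges
    .map((r, index) => ({ start: r.start, end: r.end, index }))
    .sort((a, b) => a.start - b.start);
  const merged = [sorted[0]];
  for (const r of sorted.slice(1)) {
    const last = merged[merged.length - 1];
    if (r.start > last.end + 1) {
      merged.push(r);                      // gap: a separate range
    } else {
      last.end = Math.max(last.end, r.end); // overlap or adjacency: extend
      last.index = Math.min(last.index, r.index);
    }
  }
  return merged
    .sort((a, b) => a.index - b.index)
    .map(({ start, end }) => ({ start, end }));
}

// Parse a "bytes=..." Range header for a resource of `size` bytes.
// Returns [{start, end}] (inclusive), -1 if unsatisfiable, -2 if malformed.
function parseByteRanges(size, header, options) {
  const eq = header.indexOf('=');
  if (eq === -1 || header.slice(0, eq).trim() !== 'bytes') return -2;
  const ranges = [];
  for (const spec of header.slice(eq + 1).split(',')) {
    const m = /^\s*(\d*)-(\d*)\s*$/.exec(spec);
    if (!m || (m[1] === '' && m[2] === '')) return -2;
    let start, end;
    if (m[1] === '') {                     // suffix form "-N": last N bytes
      start = Math.max(size - Number(m[2]), 0);
      end = size - 1;
    } else {
      start = Number(m[1]);
      end = m[2] === '' ? size - 1 : Math.min(Number(m[2]), size - 1);
    }
    if (start > end || start >= size) continue; // skip unsatisfiable spec
    ranges.push({ start, end });
  }
  if (ranges.length === 0) return -1;
  return options && options.combine ? combineRanges(ranges) : ranges;
}

// Constructed sample header: five ranges collapse to two when combined.
const sample = 'bytes=0-4,90-99,5-75,100-199,101-102';
console.log(parseByteRanges(1000, sample, { combine: true }));
```

In an Express handler the corresponding call is req.range(size, { combine: true }).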