Merge branch '5.0' into 5-merge

Author: ctcpip

.eslintrc.yml

@@ -1,6 +1,6 @@
 root: true
 env:
-  es6: true
+  es2022: true
   node: true
 rules:
   eol-last: error

History.md

@@ -1,3 +1,12 @@
+unreleased
+=========================
+* breaking:
+  * `res.status()` accepts only integers, and input must be greater than 99 and less than 1000
+    * will throw a `RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000.` for inputs outside this range
+    * will throw a `TypeError: Invalid status code: ${code}. Status code must be an integer.` for non integer inputs
+* change:
+  - `res.clearCookie` will ignore user provided `maxAge` and `expires` options
+
 5.0.0-beta.3 / 2024-03-25
 =========================
 

lib/application.js

@@ -21,7 +21,6 @@ var http = require('http');
 var compileETag = require('./utils').compileETag;
 var compileQueryParser = require('./utils').compileQueryParser;
 var compileTrust = require('./utils').compileTrust;
-var flatten = require('array-flatten').flatten
 var merge = require('utils-merge');
 var resolve = require('path').resolve;
 var once = require('once')
@@ -34,6 +33,7 @@ var setPrototypeOf = require('setprototypeof')
  */
 
 var slice = Array.prototype.slice;
+var flatten = Array.prototype.flat;
 
 /**
  * Application prototype.
@@ -209,7 +209,7 @@ app.use = function use(fn) {
     }
   }
 
-  var fns = flatten(slice.call(arguments, offset));
+  var fns = flatten.call(slice.call(arguments, offset), Infinity);
 
   if (fns.length === 0) {
     throw new TypeError('app.use() requires a middleware function')

lib/response.js

@@ -15,7 +15,6 @@
 var Buffer = require('safe-buffer').Buffer
 var contentDisposition = require('content-disposition');
 var createError = require('http-errors')
-var deprecate = require('depd')('express');
 var encodeUrl = require('encodeurl');
 var escapeHtml = require('escape-html');
 var http = require('http');
@@ -50,17 +49,28 @@ var res = Object.create(http.ServerResponse.prototype)
 module.exports = res
 
 /**
- * Set status `code`.
+ * Set the HTTP status code for the response.
  *
- * @param {Number} code
- * @return {ServerResponse}
+ * Expects an integer value between 100 and 999 inclusive.
+ * Throws an error if the provided status code is not an integer or if it's outside the allowable range.
+ *
+ * @param {number} code - The HTTP status code to set.
+ * @return {ServerResponse} - Returns itself for chaining methods.
+ * @throws {TypeError} If `code` is not an integer.
+ * @throws {RangeError} If `code` is outside the range 100 to 999.
  * @public
  */
 
 res.status = function status(code) {
-  if ((typeof code === 'string' || Math.floor(code) !== code) && code > 99 && code < 1000) {
-    deprecate('res.status(' + JSON.stringify(code) + '): use res.status(' + Math.floor(code) + ') instead')
+  // Check if the status code is not an integer
+  if (!Number.isInteger(code)) {
+    throw new TypeError(`Invalid status code: ${JSON.stringify(code)}. Status code must be an integer.`);
   }
+  // Check if the status code is outside of Node's valid range
+  if (code < 100 || code > 999) {
+    throw new RangeError(`Invalid status code: ${JSON.stringify(code)}. Status code must be greater than 99 and less than 1000.`);
+  }
+
   this.statusCode = code;
   return this;
 };
@@ -175,7 +185,7 @@ res.send = function send(body) {
   }
 
   // freshness
-  if (req.fresh) this.statusCode = 304;
+  if (req.fresh) this.status(304);
 
   // strip irrelevant headers
   if (204 === this.statusCode || 304 === this.statusCode) {
@@ -307,7 +317,7 @@ res.jsonp = function jsonp(obj) {
 res.sendStatus = function sendStatus(statusCode) {
   var body = statuses.message[statusCode] || String(statusCode)
 
-  this.statusCode = statusCode;
+  this.status(statusCode);
   this.type('txt');
 
   return this.send(body);
@@ -690,15 +700,10 @@ res.get = function(field){
  */
 
 res.clearCookie = function clearCookie(name, options) {
-  if (options) {
-    if (options.maxAge) {
-      deprecate('res.clearCookie: Passing "options.maxAge" is deprecated. In v5.0.0 of Express, this option will be ignored, as res.clearCookie will automatically set cookies to expire immediately. Please update your code to omit this option.');
-    }
-    if (options.expires) {
-      deprecate('res.clearCookie: Passing "options.expires" is deprecated. In v5.0.0 of Express, this option will be ignored, as res.clearCookie will automatically set cookies to expire immediately. Please update your code to omit this option.');
-    }
-  }
-  var opts = merge({ expires: new Date(1), path: '/' }, options);
+  // Force cookie expiration by setting expires to the past
+  const opts = { path: '/', ...options, expires: new Date(1)};
+  // ensure maxAge is not passed
+  delete opts.maxAge
 
   return this.cookie(name, '', opts);
 };
@@ -841,7 +846,7 @@ res.redirect = function redirect(url) {
   });
 
   // Respond
-  this.statusCode = status;
+  this.status(status);
   this.set('Content-Length', Buffer.byteLength(body));
 
   if (this.req.method === 'HEAD') {

package.json

@@ -29,7 +29,6 @@
   ],
   "dependencies": {
     "accepts": "~1.3.8",
-    "array-flatten": "3.0.0",
     "body-parser": "2.0.0-beta.2",
     "content-disposition": "0.5.4",
     "content-type": "~1.0.4",
@@ -82,7 +81,7 @@
     "vhost": "~3.0.2"
   },
   "engines": {
-    "node": ">= 4"
+    "node": ">= 18"
   },
   "files": [
     "LICENSE",

test/res.clearCookie.js

@@ -33,35 +33,29 @@ describe('res', function(){
       .expect(200, done)
     })
 
-    it('should set expires when passed', function(done) {
-      var expiresAt = new Date()
+    it('should ignore maxAge', function(done){
       var app = express();
 
       app.use(function(req, res){
-        res.clearCookie('sid', { expires: expiresAt }).end();
+        res.clearCookie('sid', { path: '/admin', maxAge: 1000 }).end();
       });
 
       request(app)
       .get('/')
-      .expect('Set-Cookie', 'sid=; Path=/; Expires=' + expiresAt.toUTCString() )
+      .expect('Set-Cookie', 'sid=; Path=/admin; Expires=Thu, 01 Jan 1970 00:00:00 GMT')
       .expect(200, done)
     })
 
-    it('should set both maxAge and expires when passed', function(done) {
-      var maxAgeInMs = 10000
-      var expiresAt = new Date()
-      var expectedExpires = new Date(expiresAt.getTime() + maxAgeInMs)
+    it('should ignore user supplied expires param', function(done){
       var app = express();
 
       app.use(function(req, res){
-        res.clearCookie('sid', { expires: expiresAt, maxAge: maxAgeInMs }).end();
+        res.clearCookie('sid', { path: '/admin', expires: new Date() }).end();
       });
 
       request(app)
       .get('/')
-      // yes, this is the behavior. When we set a max-age, we also set expires to a date 10 sec ahead of expires
-      // even if we set max-age only, we will also set an expires 10 sec in the future
-      .expect('Set-Cookie', 'sid=; Max-Age=10; Path=/; Expires=' + expectedExpires.toUTCString())
+      .expect('Set-Cookie', 'sid=; Path=/admin; Expires=Thu, 01 Jan 1970 00:00:00 GMT')
       .expect(200, done)
     })
   })

test/res.sendStatus.js

@@ -28,5 +28,17 @@ describe('res', function () {
       .get('/')
       .expect(599, '599', done);
     })
+
+    it('should raise error for invalid status code', function (done) {
+      var app = express()
+
+      app.use(function (req, res) {
+        res.sendStatus(undefined).end()
+      })
+
+      request(app)
+        .get('/')
+        .expect(500, /TypeError: Invalid status code/, done)
+    })
   })
 })