Express: In-place Express update to 4.15.5 still has old forwarded

Created on 27 Sep 2017  ·  7 Comments  ·  Source: expressjs/express

Hello, I'm writing to request an update for the dependency proxy-addr to a version, like version 2.0.2, that has the security-patched version of forwarded in its dependencies, 0.1.2.

Thanks!

question

All 7 comments

The semver range already covers the patched version. Simply upgrading to 4.15.5 will force the new version of the dependency.

The plan is to include proxy-addr 2.0.2 in Express.js 4.16 on Monday Oct 2, but until then installing a fresh Express.js 4.15.5 will drop forwarded 0.1.2 into your tree.

If it helps, here is what the forwarded tree looks like for an install of Express 4.15.5:

$ npm i express
+ [email protected]
added 42 packages in 3.213s

$ npm ls forwarded
express-3432
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

Let me know if there is still something you need or if there is something preventing you from picking up the correct version of forwarded in your installation of 4.15.5, and I'm happy to get you onto the correct version 👍
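For checking an existing (non-clean) install rather than a fresh one, the following is an added example, not code from Express or from anyone in this thread: it walks the JSON that `npm ls forwarded --json` prints (piped or saved to a file) and reports every copy of forwarded older than the patched 0.1.2 together with the dependency path that pulls it in. The sample tree and its versions are constructed for the example.

```javascript
// Added example: audit an `npm ls <pkg> --json` tree for copies of a package
// below a fixed version. Uses no third-party modules; version strings are
// assumed to be plain "x.y.z" releases (no prerelease tags).

function parseVersion(v) {
  return v.split('.').map(Number);
}

// True when version string a is strictly older than b (x.y.z comparison).
function olderThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Recursively collect every occurrence of `name` in the dependency tree,
// recording the chain of packages that leads to it.
function findPackage(tree, name, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [dep, info] of Object.entries(deps)) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) out.push({ path: here.join(' > '), version: info.version });
    findPackage(info, name, here, out);
  }
  return out;
}

// Copies of `name` whose version is below `fixed`; empty array means clean.
function vulnerableCopies(tree, name, fixed) {
  return findPackage(tree, name).filter((c) => olderThan(c.version, fixed));
}

// Constructed sample shaped like `npm ls forwarded --json` output for an
// older, non-clean install. Versions here are made up for the example.
const sampleTree = {
  name: 'example-app',
  dependencies: {
    express: {
      version: '4.15.4',
      dependencies: {
        'proxy-addr': {
          version: '1.1.5',
          dependencies: { forwarded: { version: '0.1.0' } },
        },
      },
    },
  },
};

console.log(vulnerableCopies(sampleTree, 'forwarded', '0.1.2'));
```

To run it against a real project, replace `sampleTree` with `JSON.parse(require('fs').readFileSync('ls.json', 'utf8'))` after saving `npm ls forwarded --json > ls.json`.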

OK, so I've been experimenting a bit, and definitely with npm@5 getting a simple command to bump forwarded on a non-clean express install is not straightforward. The only command that actually worked was npm i --no-save [email protected], but that assumes you know what you actually need to do.

I think that even if this causes the "mime" fix to be delayed, juggling around the dependencies more and getting an Express 4.15.6 that has all semver ranges disallow forwarded < 0.1.2 may be the only ideal way to resolve this for a lot of folks.

This certainly will make me think about bothering with semver ranges at all any more. Having ranges instead of a specific version adds risk to the install, but it's generally been argued that the trade-off of getting security updates is worth it. This seems to indicate that it really only helps users who don't already have it installed, and the existing user base cannot take advantage of it as easily :(

Yes, that is an interesting paradox. Thank you so much for your help.
You rock, digging into it like this. Sorry I did not get back to you sooner.

Express.js 4.16.0 is out now where the forwarded ranges don't include anything below 0.1.2 🎉