deps: update express to 5.2.1 #5

Open

minori wants to merge 1 commits from dependencies/update-express into main

pull from: dependencies/update-express

merge into: nhcarrigan:main

nhcarrigan:main

nhcarrigan:dependencies/update--types-node

nhcarrigan:dependencies/update-eslint

nhcarrigan:dependencies/update-dotenv

nhcarrigan:dependencies/update-typescript

nhcarrigan:dependencies/update-ts-mocha

nhcarrigan:dependencies/update-prisma

nhcarrigan:dependencies/update-prettier

nhcarrigan:dependencies/update-mocha

nhcarrigan:dependencies/update-discord.js

nhcarrigan:dependencies/update--prisma-client

nhcarrigan:dependencies/update-chai

nhcarrigan:dependencies/update--types-node-schedule

nhcarrigan:dependencies/update--types-mocha

nhcarrigan:dependencies/update--types-express

nhcarrigan:dependencies/update--types-chai

nhcarrigan:dependencies/update--nhcarrigan-typescript-config

nhcarrigan:dependencies/update--nhcarrigan-prettier-config

nhcarrigan:dependencies/update--nhcarrigan-eslint-config

nhcarrigan:dependencies/update-winston

Conversation 0 Commits 1 Files Changed 2

+344 -186

minori commented 2026-02-03 17:24:18 -08:00

Owner

Copy Link

Copy Source

Dependency Update

Updates express from 4.19.2 to 5.2.1.

Type

dependencies

Changelog

Changelog

v5.2.1

What's Changed

Important

The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 5.2.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6933

Full Changelog: https://github.com/expressjs/express/compare/v5.2.0...v5.2.1

v5.2.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in https://github.com/expressjs/express/pull/6429
• Refactor: simplify acceptsLanguages implementation using spread operator by @Ayoub-Mabrouk in https://github.com/expressjs/express/pull/6137
• increased code coverage of utils.js file by @ashish3011 in https://github.com/expressjs/express/pull/6386
• chore: remove duplicate word by @dufucun in https://github.com/expressjs/express/pull/6456
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in https://github.com/expressjs/express/pull/6498
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6497
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6496
• ci: add node.js 24 to test matrix by @Phillip9587 in https://github.com/expressjs/express/pull/6504
• ci: update codeql config by @Phillip9587 in https://github.com/expressjs/express/pull/6488
• chore: wider range for query test skip by @jonchurch in https://github.com/expressjs/express/pull/6512
• chore: fix typos in test by @noritaka1166 in https://github.com/expressjs/express/pull/6535
• ci: disable credential persistence for checkout actions by @mertssmnoglu in https://github.com/expressjs/express/pull/6522
• ci: allow manual triggering of workflow by @shivarm in https://github.com/expressjs/express/pull/6515
• test: add coverage for app.listen() variants by @kgarg1 in https://github.com/expressjs/express/pull/6476
• docs: move documentation and charters to the discussions and .github … by @bjohansebas in https://github.com/expressjs/express/pull/6427
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in https://github.com/expressjs/express/pull/6549
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in https://github.com/expressjs/express/pull/6548
• chore: enforce explicit Buffer import and add lint rule by @shivarm in https://github.com/expressjs/express/pull/6525
• chore: use node protocol for querystring by @shivarm in https://github.com/expressjs/express/pull/6520
• chore: fix typo by @mountdisk in https://github.com/expressjs/express/pull/6609
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in https://github.com/expressjs/express/pull/6618
• add deprecation warnings for redirect arguments undefined by @bjohansebas in https://github.com/expressjs/express/pull/6405
• ci: run CI when the markdown changes by @bjohansebas in https://github.com/expressjs/express/pull/6632
• doc: fix CONTRIBUTING link by @jonchurch in https://github.com/expressjs/express/pull/6653
• doc: update contributing guidelines and code of conduct links by @ShubhamOulkar in https://github.com/expressjs/express/pull/6601
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @dependabot[bot] in https://github.com/expressjs/express/pull/6679
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @dependabot[bot] in https://github.com/expressjs/express/pull/6678
• lint: add --fix flag to automatic fix linting issue by @shivarm in https://github.com/expressjs/express/pull/6644
• chore: ignore yarn.lock file and update example by @shivarm in https://github.com/expressjs/express/pull/6588
• lib: use req.socket over deprecated req.connection by @bjohansebas in https://github.com/expressjs/express/pull/6705
• doc: update express app example by @shivarm in https://github.com/expressjs/express/pull/6718
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in https://github.com/expressjs/express/pull/6675
• Remove history.md from being packaged on publish by @sheplu in https://github.com/expressjs/express/pull/6780
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6797
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @dependabot[bot] in https://github.com/expressjs/express/pull/6796
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in https://github.com/expressjs/express/pull/6795
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6794
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6793
• ci: add node.js 25 to test matrix by @Phillip9587 in https://github.com/expressjs/express/pull/6843
• build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6871
• build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6870
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @dependabot[bot] in https://github.com/expressjs/express/pull/6869
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6868
• chore: switch badges from badgen.net to shields.io by @Phillip9587 in https://github.com/expressjs/express/pull/6900
• refactor: use cached slice in app.listen by @Tacit1 in https://github.com/expressjs/express/pull/6897
• Nominate to @efekrskl for triage team by @bjohansebas in https://github.com/expressjs/express/pull/6888
• docs: update emeritus triagers by @bjohansebas in https://github.com/expressjs/express/pull/6890
• fix: upgrade body-parser to 2.2.1 to address CVE-2025-13466 by @shivarm in https://github.com/expressjs/express/pull/6922
• build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @dependabot[bot] in https://github.com/expressjs/express/pull/6930
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @dependabot[bot] in https://github.com/expressjs/express/pull/6929
• build(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6928
• Release: 5.2.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6920

New Contributors

• @ashish3011 made their first contribution in https://github.com/expressjs/express/pull/6386
• @dufucun made their first contribution in https://github.com/expressjs/express/pull/6456
• @noritaka1166 made their first contribution in https://github.com/expressjs/express/pull/6535
• @mertssmnoglu made their first contribution in https://github.com/expressjs/express/pull/6522
• @shivarm made their first contribution in https://github.com/expressjs/express/pull/6515
• @kgarg1 made their first contribution in https://github.com/expressjs/express/pull/6476
• @mountdisk made their first contribution in https://github.com/expressjs/express/pull/6609
• @ShubhamOulkar made their first contribution in https://github.com/expressjs/express/pull/6601
• @sheplu made their first contribution in https://github.com/expressjs/express/pull/6780
• @Tacit1 made their first contribution in https://github.com/expressjs/express/pull/6897

Full Changelog: https://github.com/expressjs/express/compare/v5.1.0...v5.2.0

v4.22.1

What's Changed

Important

The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6934

Full Changelog: https://github.com/expressjs/express/compare/4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @sazk07 in https://github.com/expressjs/express/pull/6190
• ci: add support for Node.js@23.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6080
• Method functions with no path should error by @wesleytodd in https://github.com/expressjs/express/pull/5957
• ci: updated github actions ci workflow by @Phillip9587 in https://github.com/expressjs/express/pull/6323
• ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in https://github.com/expressjs/express/pull/6336
• Backport: ci: add node.js 24 to test matrix by @Phillip9587 in https://github.com/expressjs/express/pull/6506
• chore(4.x): wider range for query test skip by @jonchurch in https://github.com/expressjs/express/pull/6513
• use tilde notation for certain dependencies by @UlisesGascon in https://github.com/expressjs/express/pull/6905
• deps: qs@6.14.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6909
• deps: use tilde notation for qs by @Phillip9587 in https://github.com/expressjs/express/pull/6919
• Release: 4.22.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6921

Full Changelog: https://github.com/expressjs/express/compare/4.21.2...4.22.0

v5.0.1

What's Changed

• remove --bail from test script by @jonchurch in https://github.com/expressjs/express/pull/5962
• Nominate @bjohansebas to the triage team by @UlisesGascon in https://github.com/expressjs/express/pull/6009
• Link and update captains by @blakeembrey in https://github.com/expressjs/express/pull/6013
• Update cookie semver lock to address CVE-2024-47764 by @joshbuker in https://github.com/expressjs/express/pull/6017
• Release: 5.0.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6032

Full Changelog: https://github.com/expressjs/express/compare/v5.0.0...5.0.1

v5.1.0

What's Changed

• Update captains by @UlisesGascon in https://github.com/expressjs/express/pull/6027
• build: Node.js 23.0 by @bjohansebas in https://github.com/expressjs/express/pull/6075
• Add funding field (v5) by @bjohansebas in https://github.com/expressjs/express/pull/6064
• ✅ add discarded middleware test by @ctcpip in https://github.com/expressjs/express/pull/5819
• update homepage link http to https by @bjohansebas in https://github.com/expressjs/express/pull/5920
• Improve readme by @bjohansebas in https://github.com/expressjs/express/pull/5994
• Add bjohansebas as repo captain for expressjs.com by @crandmck in https://github.com/expressjs/express/pull/6058
• Remove Object.setPrototypeOf polyfill by @Phillip9587 in https://github.com/expressjs/express/pull/6081
• fix(buffer): use node:buffer instead of safe-buffer by @bhavya3024 in https://github.com/expressjs/express/pull/6071
• docs: Add DCO by @UlisesGascon in https://github.com/expressjs/express/pull/6048
• cleanup: remove promise support check from tests by @Phillip9587 in https://github.com/expressjs/express/pull/6148
• Use loop for acceptParams by @blakeembrey in https://github.com/expressjs/express/pull/6066
• Improve documentation step in release process by @bjohansebas in https://github.com/expressjs/express/pull/6150
• cleanup: remove unnecessary require for global Buffer by @Phillip9587 in https://github.com/expressjs/express/pull/6146
• cleanup: remove AsyncLocalStorage check by @Phillip9587 in https://github.com/expressjs/express/pull/6147
• update history.md for acceptParams change by @jonchurch in https://github.com/expressjs/express/pull/6177
• docs: add @rxmarbles to the triage team by @UlisesGascon in https://github.com/expressjs/express/pull/6151
• refactor: improve readability by @sazk07 in https://github.com/expressjs/express/pull/6173
• docs: clarify the security process in the triage role by @bjohansebas in https://github.com/expressjs/express/pull/6217
• chore: replace methods dependency with standard library by @jonkoops in https://github.com/expressjs/express/pull/6196
• Remove utils-merge dependency - use spread syntax instead by @Phillip9587 in https://github.com/expressjs/express/pull/6091
• fix(securite): fix vulnerabilities by @Abdel-Monaam-Aouini in https://github.com/expressjs/express/pull/6211
• refactor: prefix built-in node module imports by @slagiewka in https://github.com/expressjs/express/pull/6236
• fix: remove download size badges by @wesleytodd in https://github.com/expressjs/express/pull/6266
• Remove unused depd dependency by @jonkoops in https://github.com/expressjs/express/pull/6197
• fix: usage of Invalid action input 'persist-credentials' for actions/setup-node@v4 in ci.yml by @hamirmahal in https://github.com/expressjs/express/pull/6256
• Add support for OSSF scorecard reporting by @UlisesGascon in https://github.com/expressjs/express/pull/5431
• docs: add @Phillip9587 to the triage team by @bjohansebas in https://github.com/expressjs/express/pull/6276
• fix: added a missing semicolon in css styles in examples/auth by @pr4j3sh in https://github.com/expressjs/express/pull/6297
• docs: include team email in the security policy by @UlisesGascon in https://github.com/expressjs/express/pull/6278
• refactor: simplify normalizeTypes function by @Ayoub-Mabrouk in https://github.com/expressjs/express/pull/6097
• ci: updated github actions ci workflow by @Phillip9587 in https://github.com/expressjs/express/pull/6314
• ci: fix npm install --include typo by @Phillip9587 in https://github.com/expressjs/express/pull/6324
• ci: updated scorecard actions by @Phillip9587 in https://github.com/expressjs/express/pull/6322
• build(deps): use carat notation for dependency versions by @dpopp07 in https://github.com/expressjs/express/pull/6317
• chore(deps): update debug to ^4.4.0 by @Phillip9587 in https://github.com/expressjs/express/pull/6313
• docs: retroactively note 5.0.0-beta.1 api change in history file by @dpopp07 in https://github.com/expressjs/express/pull/6333
• feat(deps): body-parser@^2.1.0 by @wesleytodd in https://github.com/expressjs/express/pull/6332
• feat(deps): router@^2.1.0 by @wesleytodd in https://github.com/expressjs/express/pull/6331
• Update repo captains by @UlisesGascon in https://github.com/expressjs/express/pull/6234
• deps: upgrade nyc by @agungjati in https://github.com/expressjs/express/pull/6122
• fix (deps): update deps by @wesleytodd in https://github.com/expressjs/express/pull/6337
• response: add support for ETag option in res.sendFile by @juanarbol in https://github.com/expressjs/express/pull/6073
• Update multiple links to use https instead of http by @Phillip9587 in https://github.com/expressjs/express/pull/6338
• Extend res.links() to allow adding multiple links with the same rel #2729 by @andvea in https://github.com/expressjs/express/pull/4885
• docs: update emeritus triagers by @UlisesGascon in https://github.com/expressjs/express/pull/6345
• docs: update guidance for triager nominations by @bjohansebas in https://github.com/expressjs/express/pull/6349
• docs: clarify guidelines for becoming a committer by @bjohansebas in https://github.com/expressjs/express/pull/6364
• Nominate @dpopp07 to the triage team by @UlisesGascon in https://github.com/expressjs/express/pull/6352
• fix(deps): qs@^6.14.0 by @wesleytodd in https://github.com/expressjs/express/pull/6374
• Add dependabot by @UlisesGascon in https://github.com/expressjs/express/pull/5435
• fix dependabot config by @bjohansebas in https://github.com/expressjs/express/pull/6392
• build(deps): bump github/codeql-action from 3.24.7 to 3.28.11 by @dependabot in https://github.com/expressjs/express/pull/6398
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot in https://github.com/expressjs/express/pull/6397
• feat(deps): finalhandler@2.1.0 by @wesleytodd in https://github.com/expressjs/express/pull/6373
• build(deps-dev): bump cookie-session from 2.0.0 to 2.1.0 by @dependabot in https://github.com/expressjs/express/pull/6399
• deps: body-parser@^2.2.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6419
• deps: type-is@^2.0.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6420
• deps: router@^2.2.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6417
• ci: use full SHAs for github action versions by @Phillip9587 in https://github.com/expressjs/express/pull/6415
• doc: remove @mertcanaltin from Triagers by @mertcanaltin in https://github.com/expressjs/express/pull/6408
• deps: serve-static@^2.2.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6418
• 5.1.0 by @wesleytodd in https://github.com/expressjs/express/pull/6425

New Contributors

• @bhavya3024 made their first contribution in https://github.com/expressjs/express/pull/6071
• @jonkoops made their first contribution in https://github.com/expressjs/express/pull/6196
• @Abdel-Monaam-Aouini made their first contribution in https://github.com/expressjs/express/pull/6211
• @slagiewka made their first contribution in https://github.com/expressjs/express/pull/6236
• @hamirmahal made their first contribution in https://github.com/expressjs/express/pull/6256
• @pr4j3sh made their first contribution in https://github.com/expressjs/express/pull/6297
• @Ayoub-Mabrouk made their first contribution in https://github.com/expressjs/express/pull/6097
• @dpopp07 made their first contribution in https://github.com/expressjs/express/pull/6317
• @agungjati made their first contribution in https://github.com/expressjs/express/pull/6122
• @andvea made their first contribution in https://github.com/expressjs/express/pull/4885
• @dependabot made their first contribution in https://github.com/expressjs/express/pull/6398

Full Changelog: https://github.com/expressjs/express/compare/5.0.1...v5.1.0

4.21.2

What's Changed

• Add funding field (v4) by @bjohansebas in https://github.com/expressjs/express/pull/6065
• deps: path-to-regexp@0.1.11 by @blakeembrey in https://github.com/expressjs/express/pull/5956
• deps: bump path-to-regexp@0.1.12 by @jonchurch in https://github.com/expressjs/express/pull/6209
• Release: 4.21.2 by @UlisesGascon in https://github.com/expressjs/express/pull/6094

Full Changelog: https://github.com/expressjs/express/compare/4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in https://github.com/expressjs/express/pull/6029
• Release: 4.21.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6031

Full Changelog: https://github.com/expressjs/express/compare/4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @blakeembrey in https://github.com/expressjs/express/pull/5935
• finalhandler@1.3.1 by @wesleytodd in https://github.com/expressjs/express/pull/5954
• fix(deps): serve-static@1.16.2 by @wesleytodd in https://github.com/expressjs/express/pull/5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in https://github.com/expressjs/express/pull/5946

New Contributors

• @agadzinski93 made their first contribution in https://github.com/expressjs/express/pull/5946

Full Changelog: https://github.com/expressjs/express/compare/4.20.0...4.21.0

v5.0.0

Express v5.0.0

🎉 Express v5 is finally here! 🎉

After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.

For detailed information, please check out the official Express v5 release blog post.

Most relevant details

Major Changes in v5

• Node.js version support: Dropped support for Node.js versions before v18.
• Routing changes: Updated to path-to-regexp@8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).
• Promise support: Middleware can now return rejected promises, caught by the router as errors.
• body-parser changes: Several improvements including the ability to customize urlencoded body depth and defaulting extended to false.
• Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.

For a complete list of breaking changes and API deprecations, see the migration guide.

Security Updates

This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.

Migration

Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.

Security Guidance

For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.

What's Changed

• 4.19.2 Staging by @wesleytodd in https://github.com/expressjs/express/pull/5561
• remove duplicate location test for data uri by @wesleytodd in https://github.com/expressjs/express/pull/5562
• feat: document beta releases expectations by @marco-ippolito in https://github.com/expressjs/express/pull/5565
• Cut down on duplicated CI runs by @jonchurch in https://github.com/expressjs/express/pull/5564
• Add a Threat Model by @UlisesGascon in https://github.com/expressjs/express/pull/5526
• Assign captain of encodeurl by @blakeembrey in https://github.com/expressjs/express/pull/5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in https://github.com/expressjs/express/pull/5587
• docs: update Security.md by @inigomarquinez in https://github.com/expressjs/express/pull/5590
• docs: update triage nomination policy by @UlisesGascon in https://github.com/expressjs/express/pull/5600
• Add CodeQL (SAST) by @UlisesGascon in https://github.com/expressjs/express/pull/5433
• docs: add UlisesGascon as triage initiative captain by @UlisesGascon in https://github.com/expressjs/express/pull/5605
• Use object with null prototype for various app properties by @EvanHahn in https://github.com/expressjs/express/pull/4861
• deps: encodeurl@~2.0.0 by @blakeembrey in https://github.com/expressjs/express/pull/5569
• skip QUERY method test by @jonchurch in https://github.com/expressjs/express/pull/5628
• ignore ETAG query test on 21 and 22, reuse skip util by @jonchurch in https://github.com/expressjs/express/pull/5639
• add support Node.js@22 in the CI by @mertcanaltin in https://github.com/expressjs/express/pull/5627
• doc: add table of contents, tc/triager lists to readme by @mertcanaltin in https://github.com/expressjs/express/pull/5619
• List and sort all projects, add captains by @blakeembrey in https://github.com/expressjs/express/pull/5653
• Call callback once on listen error by @wesleytodd in https://github.com/expressjs/express/pull/3216
• docs: add @UlisesGascon as captain for cookie-parser by @UlisesGascon in https://github.com/expressjs/express/pull/5666
• ✨ bring back query tests for node 21 by @ctcpip in https://github.com/expressjs/express/pull/5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @jonchurch in https://github.com/expressjs/express/pull/5672
• skip QUERY tests for Node 21 only, still not supported by @jonchurch in https://github.com/expressjs/express/pull/5695
• 📝 update people, add ctcpip to TC by @ctcpip in https://github.com/expressjs/express/pull/5683
• remove minor version pinning from ci by @jonchurch in https://github.com/expressjs/express/pull/5722
• Fix link variable use in attribution section of CODE OF CONDUCT by @IamLizu in https://github.com/expressjs/express/pull/5762
• Replace Appveyor windows testing with GHA by @jonchurch in https://github.com/expressjs/express/pull/5599
• Add OSSF Scorecard badge by @UlisesGascon in https://github.com/expressjs/express/pull/5436
• Throw on invalid status codes by @jonchurch in https://github.com/expressjs/express/pull/4212
• Use Array.flat instead of array-flatten by @almic in https://github.com/expressjs/express/pull/5677
• Adopt Node@18 as the minimum supported version by @UlisesGascon in https://github.com/expressjs/express/pull/5803
• Ignore expires and maxAge in res.clearCookie() by @jonchurch in https://github.com/expressjs/express/pull/5792
• send@1.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5786
• chore: upgrade debug dep from 3.10 to 4.3.6 by @carpasse in https://github.com/expressjs/express/pull/5829
• refactor: replace 'path-is-absolute' dep with node:path isAbsolute method by @carpasse in https://github.com/expressjs/express/pull/5830
• update scorecard link by @bjohansebas in https://github.com/expressjs/express/pull/5814
• Nominate @IamLizu to the triage team by @UlisesGascon in https://github.com/expressjs/express/pull/5836
• deps: path-to-regexp@0.1.8 by @blakeembrey in https://github.com/expressjs/express/pull/5603
• docs: specify new instructions for question and discuss by @IamLizu in https://github.com/expressjs/express/pull/5835
• 5.x: Upgrading merge-descriptors with allowing minors by @RobinTail in https://github.com/expressjs/express/pull/5782
• 4.x: Upgrade merge-descriptors dependency by @RobinTail in https://github.com/expressjs/express/pull/5781
• WIP: serve-static@2 by @wesleytodd in https://github.com/expressjs/express/pull/5790
• chore: upgrade qs dp from 6.11.0 to 6.13.0 by @carpasse in https://github.com/expressjs/express/pull/5847
• Upgrade cookie signature by @IamLizu in https://github.com/expressjs/express/pull/5833
• accepts@2 by @wesleytodd in https://github.com/expressjs/express/pull/5881
• mime-types@3 by @wesleytodd in https://github.com/expressjs/express/pull/5882
• type-is@^2.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5883
• content-disposition@^1.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5884
• fix(deps): finalhandler@^2.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5899
• path-to-regexp@0.1.10 by @blakeembrey in https://github.com/expressjs/express/pull/5902
• update to fresh@^2.0.0 by @jonchurch in https://github.com/expressjs/express/pull/5916
• router@^2.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5885
• Adopt Node@18 as the minimum supported version by @UlisesGascon in https://github.com/expressjs/express/pull/5595
• master -> 5.0 by @ctcpip in https://github.com/expressjs/express/pull/5785
• 🔧 update CI, remove unsupported versions, clean up by @ctcpip in https://github.com/expressjs/express/pull/5931
• Delete back as a magic string by @blakeembrey in https://github.com/expressjs/express/pull/5933
• Release 5.0 by @dougwilson in https://github.com/expressjs/express/pull/2237

New Contributors

• @marco-ippolito made their first contribution in https://github.com/expressjs/express/pull/5565
• @inigomarquinez made their first contribution in https://github.com/expressjs/express/pull/5590
• @mertcanaltin made their first contribution in https://github.com/expressjs/express/pull/5627
• @ctcpip made their first contribution in https://github.com/expressjs/express/pull/5690
• @IamLizu made their first contribution in https://github.com/expressjs/express/pull/5762
• @almic made their first contribution in https://github.com/expressjs/express/pull/5677
• @carpasse made their first contribution in https://github.com/expressjs/express/pull/5829
• @bjohansebas made their first contribution in https://github.com/expressjs/express/pull/5814
• @RobinTail made their first contribution in https://github.com/expressjs/express/pull/5782

Full Changelog: https://github.com/expressjs/express/compare/v5.0.0-beta.3...v5.0.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @wesleytodd in https://github.com/expressjs/express/pull/5561
• remove duplicate location test for data uri by @wesleytodd in https://github.com/expressjs/express/pull/5562
• feat: document beta releases expectations by @marco-ippolito in https://github.com/expressjs/express/pull/5565
• Cut down on duplicated CI runs by @jonchurch in https://github.com/expressjs/express/pull/5564
• Add a Threat Model by @UlisesGascon in https://github.com/expressjs/express/pull/5526
• Assign captain of encodeurl by @blakeembrey in https://github.com/expressjs/express/pull/5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in https://github.com/expressjs/express/pull/5587
• docs: update Security.md by @inigomarquinez in https://github.com/expressjs/express/pull/5590
• docs: update triage nomination policy by @UlisesGascon in https://github.com/expressjs/express/pull/5600
• Add CodeQL (SAST) by @UlisesGascon in https://github.com/expressjs/express/pull/5433
• docs: add UlisesGascon as triage initiative captain by @UlisesGascon in https://github.com/expressjs/express/pull/5605
• deps: encodeurl@~2.0.0 by @blakeembrey in https://github.com/expressjs/express/pull/5569
• skip QUERY method test by @jonchurch in https://github.com/expressjs/express/pull/5628
• ignore ETAG query test on 21 and 22, reuse skip util by @jonchurch in https://github.com/expressjs/express/pull/5639
• add support Node.js@22 in the CI by @mertcanaltin in https://github.com/expressjs/express/pull/5627
• doc: add table of contents, tc/triager lists to readme by @mertcanaltin in https://github.com/expressjs/express/pull/5619
• List and sort all projects, add captains by @blakeembrey in https://github.com/expressjs/express/pull/5653
• docs: add @UlisesGascon as captain for cookie-parser by @UlisesGascon in https://github.com/expressjs/express/pull/5666
• ✨ bring back query tests for node 21 by @ctcpip in https://github.com/expressjs/express/pull/5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @jonchurch in https://github.com/expressjs/express/pull/5672
• skip QUERY tests for Node 21 only, still not supported by @jonchurch in https://github.com/expressjs/express/pull/5695
• 📝 update people, add ctcpip to TC by @ctcpip in https://github.com/expressjs/express/pull/5683
• remove minor version pinning from ci by @jonchurch in https://github.com/expressjs/express/pull/5722
• Fix link variable use in attribution section of CODE OF CONDUCT by @IamLizu in https://github.com/expressjs/express/pull/5762
• Replace Appveyor windows testing with GHA by @jonchurch in https://github.com/expressjs/express/pull/5599
• Add OSSF Scorecard badge by @UlisesGascon in https://github.com/expressjs/express/pull/5436
• update scorecard link by @bjohansebas in https://github.com/expressjs/express/pull/5814
• Nominate @IamLizu to the triage team by @UlisesGascon in https://github.com/expressjs/express/pull/5836
• deps: path-to-regexp@0.1.8 by @blakeembrey in https://github.com/expressjs/express/pull/5603
• docs: specify new instructions for question and discuss by @IamLizu in https://github.com/expressjs/express/pull/5835
• 4.x: Upgrade merge-descriptors dependency by @RobinTail in https://github.com/expressjs/express/pull/5781
• path-to-regexp@0.1.10 by @blakeembrey in https://github.com/expressjs/express/pull/5902

New Contributors

• @marco-ippolito made their first contribution in https://github.com/expressjs/express/pull/5565
• @inigomarquinez made their first contribution in https://github.com/expressjs/express/pull/5590
• @mertcanaltin made their first contribution in https://github.com/expressjs/express/pull/5627
• @ctcpip made their first contribution in https://github.com/expressjs/express/pull/5690
• @bjohansebas made their first contribution in https://github.com/expressjs/express/pull/5814

Full Changelog: https://github.com/expressjs/express/compare/4.19.1...4.20.0

v5.0.0-beta.3

Full Changelog: https://github.com/expressjs/express/compare/5.0.0-beta.2...v5.0.0-beta.3

5.0.0-beta.2

What's Changed

• lib: fix typo ocurred -> occurred by @caioagiani in https://github.com/expressjs/express/pull/4805
• examples: defend from privilege elevation by @KoyamaSohei in https://github.com/expressjs/express/pull/4120
• replace "replaces" with "replacer" in jsdoc by @apeltop in https://github.com/expressjs/express/pull/4843
• Add install size badge to README by @styfle in https://github.com/expressjs/express/pull/3710
• Replace deprecated String.prototype.substr() by @CommanderRoot in https://github.com/expressjs/express/pull/4860
• fix: remove deprecated html attribute by @Hashen110 in https://github.com/expressjs/express/pull/4866
• fix: parameter index is not described in JSDoc by @Hashen110 in https://github.com/expressjs/express/pull/4867
• fix: continue is unnecessary as the last statement in a loop by @Hashen110 in https://github.com/expressjs/express/pull/4868
• Deprecate non integer status codes in v4 by @jonchurch in https://github.com/expressjs/express/pull/4223
• Add root support in res.download() by @mmito in https://github.com/expressjs/express/pull/4855
• res.format(): call default using obj as the context by @shesek in https://github.com/expressjs/express/pull/3587
• Feature/4171 depd by @UlisesGascon in https://github.com/expressjs/express/pull/4174
• Validate maxAge appropriateness before use by @cjbarth in https://github.com/expressjs/express/pull/3936
• deps: statuses@2.0.1 by @3imed-jaberi in https://github.com/expressjs/express/pull/4336
• test: fix typo by @Hashen110 in https://github.com/expressjs/express/pull/4882
• docs: fix typo: http -> HTTP by @ghousemohamed in https://github.com/expressjs/express/pull/4872
• Update Security.md by @netcode in https://github.com/expressjs/express/pull/4890
• examples: add missing associated labels by @Hashen110 in https://github.com/expressjs/express/pull/4884
• Increase timeout for mocha to 7500 by @grisu48 in https://github.com/expressjs/express/pull/4887
• Release 4.18 by @dougwilson in https://github.com/expressjs/express/pull/4287
• Expanding the benchmark. by @denizy97 in https://github.com/expressjs/express/pull/4880
• examples: remove unused params by @alxdrg in https://github.com/expressjs/express/pull/4914
• Grammatically updated the express documentation for better comprehension by @REALSTEVEIG in https://github.com/expressjs/express/pull/4926
• Freenode is dead/dying by @theabhinavdas in https://github.com/expressjs/express/pull/5013
• Use https: protocol instead of deprecated git: protocol by @vcsjones in https://github.com/expressjs/express/pull/5032
• build: Node.js@16.18 and Node.js@18.12 by @abenhamdine in https://github.com/expressjs/express/pull/5034
• ci: update actions/checkout to v3 by @armujahid in https://github.com/expressjs/express/pull/5027
• test: remove unused function arguments in params by @raksbisht in https://github.com/expressjs/express/pull/5124
• Remove unused originalIndex from acceptParams by @raksbisht in https://github.com/expressjs/express/pull/5119
• Fixed typos by @raksbisht in https://github.com/expressjs/express/pull/5117
• examples: remove unused params by @raksbisht in https://github.com/expressjs/express/pull/5113
• fix: parameter str is not described in JSDoc by @raksbisht in https://github.com/expressjs/express/pull/5130
• fix: typos in History.md by @raksbisht in https://github.com/expressjs/express/pull/5131
• build : add Node.js@19.7 by @abenhamdine in https://github.com/expressjs/express/pull/5028
• test: remove unused function arguments in params by @raksbisht in https://github.com/expressjs/express/pull/5137
• use random port in test so it won't fail on already listening by @rluvaton in https://github.com/expressjs/express/pull/5162
• tests: use cb() instead of done() by @kristof-low in https://github.com/expressjs/express/pull/5233
• examples: remove multipart example by @riddlew in https://github.com/expressjs/express/pull/5195
• Update support Node.js@18 in the CI by @UlisesGascon in https://github.com/expressjs/express/pull/5490
• Fix favicon-related bug in cookie-sessions example by @DmytroKondrashov in https://github.com/expressjs/express/pull/5414
• Release 4.18.3 by @UlisesGascon in https://github.com/expressjs/express/pull/5505
• fix typo in release date by @UlisesGascon in https://github.com/expressjs/express/pull/5527
• docs: nominating @wesleytodd to be project captian by @wesleytodd in https://github.com/expressjs/express/pull/5511
• docs: loosen TC activity rules by @wesleytodd in https://github.com/expressjs/express/pull/5510
• Add note on how to update docs for new release by @crandmck in https://github.com/expressjs/express/pull/5541
• Release 4.19.0 by @wesleytodd in https://github.com/expressjs/express/pull/5551
• Fix ci after location patch by @wesleytodd in https://github.com/expressjs/express/pull/5552
• fixed un-edited version in history.md for 4.19.0 by @wesleytodd in https://github.com/expressjs/express/pull/5556

New Contributors

• @caioagiani made their first contribution in https://github.com/expressjs/express/pull/4805
• @apeltop made their first contribution in https://github.com/expressjs/express/pull/4843
• @styfle made their first contribution in https://github.com/expressjs/express/pull/3710
• @CommanderRoot made their first contribution in https://github.com/expressjs/express/pull/4860
• @Hashen110 made their first contribution in https://github.com/expressjs/express/pull/4866
• @mmito made their first contribution in https://github.com/expressjs/express/pull/4855
• @UlisesGascon made their first contribution in https://github.com/expressjs/express/pull/4174
• @cjbarth made their first contribution in https://github.com/expressjs/express/pull/3936
• @ghousemohamed made their first contribution in https://github.com/expressjs/express/pull/4872
• @netcode made their first contribution in https://github.com/expressjs/express/pull/4890
• @grisu48 made their first contribution in https://github.com/expressjs/express/pull/4887
• @denizy97 made their first contribution in https://github.com/expressjs/express/pull/4880
• @alxdrg made their first contribution in https://github.com/expressjs/express/pull/4914
• @REALSTEVEIG made their first contribution in https://github.com/expressjs/express/pull/4926
• @theabhinavdas made their first contribution in https://github.com/expressjs/express/pull/5013
• @vcsjones made their first contribution in https://github.com/expressjs/express/pull/5032
• @abenhamdine made their first contribution in https://github.com/expressjs/express/pull/5034
• @armujahid made their first contribution in https://github.com/expressjs/express/pull/5027
• @raksbisht made their first contribution in https://github.com/expressjs/express/pull/5124
• @rluvaton made their first contribution in https://github.com/expressjs/express/pull/5162
• @kristof-low made their first contribution in https://github.com/expressjs/express/pull/5233
• @riddlew made their first contribution in https://github.com/expressjs/express/pull/5195
• @DmytroKondrashov made their first contribution in https://github.com/expressjs/express/pull/5414
• @crandmck made their first contribution in https://github.com/expressjs/express/pull/5541

Full Changelog: https://github.com/expressjs/express/compare/v5.0.0-beta.1...5.0.0-beta.2

v5.0.0-beta.1

This is the first Express 5.0 beta release, based off 4.17.2 and includes
changes from 5.0.0-alpha.8.

• change:
  • Default "query parser" setting to 'simple'
  • Requires Node.js 4+
  • Use mime-types for file to content type mapping
• deps: array-flatten@3.0.0
• deps: body-parser@2.0.0-beta.1
  • req.body is no longer always initialized to {}
  • urlencoded parser now defaults extended to false
  • Use on-finished to determine when body read
• deps: router@2.0.0-beta.1
  • Add new ?, *, and + parameter modifiers
  • Internalize private router.process_params method
  • Matching group expressions are only RegExp syntax
  • Named matching groups no longer available by position in req.params
  • Regular expressions can only be used in a matching group
  • Remove debug dependency
  • Special * path segment behavior removed
  • deps: array-flatten@3.0.0
  • deps: parseurl@~1.3.3
  • deps: path-to-regexp@3.2.0
  • deps: setprototypeof@1.2.0
• deps: send@1.0.0-beta.1
  • Change dotfiles option default to 'ignore'
  • Remove hidden option; use dotfiles option instead
  • Use mime-types for file to content type mapping
  • deps: debug@3.1.0
• deps: serve-static@2.0.0-beta.1
  • Change dotfiles option default to 'ignore'
  • Remove hidden option; use dotfiles option instead
  • Use mime-types for file to content type mapping
  • deps: send@1.0.0-beta.1

5.0.0-alpha.8

This is the sixth Express 5.0 alpha release, based off 4.17.1 and includes
changes from 5.0.0-alpha.7.

5.0.0-alpha.7

This is the seventh Express 5.0 alpha release, based off 4.16.4 and includes
changes from 5.0.0-alpha.6.

The major change with this alpha is the basic support for returned, rejected
Promises in the router.

• remove:
  • path-to-regexp dependency
• deps: debug@3.1.0
  • Add DEBUG_HIDE_DATE environment variable
  • Change timer to per-namespace instead of global
  • Change non-TTY date format
  • Remove DEBUG_FD environment variable support
  • Support 256 namespace colors
• deps: router@2.0.0-alpha.1
  • Add basic support for returned, rejected Promises
  • Fix JSDoc for Router constructor
  • deps: debug@3.1.0
  • deps: parseurl@~1.3.2
  • deps: setprototypeof@1.1.0
  • deps: utils-merge@1.0.1

---

✨ This PR was created by Minori, your friendly dependency updater! 🌸

## Dependency Update Updates **express** from `4.19.2` to `5.2.1`. ### Type dependencies ### Changelog ## Changelog ### v5.2.1 ## What's Changed > [!IMPORTANT] > The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release. * Release: 5.2.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6933 **Full Changelog**: https://github.com/expressjs/express/compare/v5.2.0...v5.2.1 ### v5.2.0 ## Important: Security * Security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6)) ## What's Changed * build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in https://github.com/expressjs/express/pull/6429 * Refactor: simplify `acceptsLanguages` implementation using spread operator by @Ayoub-Mabrouk in https://github.com/expressjs/express/pull/6137 * increased code coverage of utils.js file by @ashish3011 in https://github.com/expressjs/express/pull/6386 * chore: remove duplicate word by @dufucun in https://github.com/expressjs/express/pull/6456 * build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in https://github.com/expressjs/express/pull/6498 * build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6497 * build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6496 * ci: add node.js 24 to test matrix by @Phillip9587 in https://github.com/expressjs/express/pull/6504 * ci: update codeql config by @Phillip9587 in https://github.com/expressjs/express/pull/6488 * chore: wider range for query test skip by @jonchurch in https://github.com/expressjs/express/pull/6512 * chore: fix typos in test by @noritaka1166 in https://github.com/expressjs/express/pull/6535 * ci: disable credential persistence for checkout actions by @mertssmnoglu in https://github.com/expressjs/express/pull/6522 * ci: allow manual triggering of workflow by @shivarm in https://github.com/expressjs/express/pull/6515 * test: add coverage for app.listen() variants by @kgarg1 in https://github.com/expressjs/express/pull/6476 * docs: move documentation and charters to the discussions and .github … by @bjohansebas in https://github.com/expressjs/express/pull/6427 * build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in https://github.com/expressjs/express/pull/6549 * build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in https://github.com/expressjs/express/pull/6548 * chore: enforce explicit `Buffer` import and add lint rule by @shivarm in https://github.com/expressjs/express/pull/6525 * chore: use node protocol for querystring by @shivarm in https://github.com/expressjs/express/pull/6520 * chore: fix typo by @mountdisk in https://github.com/expressjs/express/pull/6609 * build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in https://github.com/expressjs/express/pull/6618 * add deprecation warnings for redirect arguments undefined by @bjohansebas in https://github.com/expressjs/express/pull/6405 * ci: run CI when the markdown changes by @bjohansebas in https://github.com/expressjs/express/pull/6632 * doc: fix CONTRIBUTING link by @jonchurch in https://github.com/expressjs/express/pull/6653 * doc: update contributing guidelines and code of conduct links by @ShubhamOulkar in https://github.com/expressjs/express/pull/6601 * build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @dependabot[bot] in https://github.com/expressjs/express/pull/6679 * build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @dependabot[bot] in https://github.com/expressjs/express/pull/6678 * lint: add --fix flag to automatic fix linting issue by @shivarm in https://github.com/expressjs/express/pull/6644 * chore: ignore yarn.lock file and update example by @shivarm in https://github.com/expressjs/express/pull/6588 * lib: use req.socket over deprecated req.connection by @bjohansebas in https://github.com/expressjs/express/pull/6705 * doc: update express app example by @shivarm in https://github.com/expressjs/express/pull/6718 * build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in https://github.com/expressjs/express/pull/6675 * Remove history.md from being packaged on publish by @sheplu in https://github.com/expressjs/express/pull/6780 * build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6797 * build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @dependabot[bot] in https://github.com/expressjs/express/pull/6796 * build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in https://github.com/expressjs/express/pull/6795 * build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6794 * build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6793 * ci: add node.js 25 to test matrix by @Phillip9587 in https://github.com/expressjs/express/pull/6843 * build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6871 * build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6870 * build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @dependabot[bot] in https://github.com/expressjs/express/pull/6869 * build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6868 * chore: switch badges from badgen.net to shields.io by @Phillip9587 in https://github.com/expressjs/express/pull/6900 * refactor: use cached slice in app.listen by @Tacit1 in https://github.com/expressjs/express/pull/6897 * Nominate to @efekrskl for triage team by @bjohansebas in https://github.com/expressjs/express/pull/6888 * docs: update emeritus triagers by @bjohansebas in https://github.com/expressjs/express/pull/6890 * fix: upgrade body-parser to 2.2.1 to address CVE-2025-13466 by @shivarm in https://github.com/expressjs/express/pull/6922 * build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @dependabot[bot] in https://github.com/expressjs/express/pull/6930 * build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @dependabot[bot] in https://github.com/expressjs/express/pull/6929 * build(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in https://github.com/expressjs/express/pull/6928 * Release: 5.2.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6920 ## New Contributors * @ashish3011 made their first contribution in https://github.com/expressjs/express/pull/6386 * @dufucun made their first contribution in https://github.com/expressjs/express/pull/6456 * @noritaka1166 made their first contribution in https://github.com/expressjs/express/pull/6535 * @mertssmnoglu made their first contribution in https://github.com/expressjs/express/pull/6522 * @shivarm made their first contribution in https://github.com/expressjs/express/pull/6515 * @kgarg1 made their first contribution in https://github.com/expressjs/express/pull/6476 * @mountdisk made their first contribution in https://github.com/expressjs/express/pull/6609 * @ShubhamOulkar made their first contribution in https://github.com/expressjs/express/pull/6601 * @sheplu made their first contribution in https://github.com/expressjs/express/pull/6780 * @Tacit1 made their first contribution in https://github.com/expressjs/express/pull/6897 **Full Changelog**: https://github.com/expressjs/express/compare/v5.1.0...v5.2.0 ### v4.22.1 ## What's Changed > [!IMPORTANT] > The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release. * Release: 4.22.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6934 **Full Changelog**: https://github.com/expressjs/express/compare/4.22.0...v4.22.1 ### 4.22.0 ## Important: Security * Security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6)) ## What's Changed * Refactor: improve readability by @sazk07 in https://github.com/expressjs/express/pull/6190 * ci: add support for Node.js@23.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6080 * Method functions with no path should error by @wesleytodd in https://github.com/expressjs/express/pull/5957 * ci: updated github actions ci workflow by @Phillip9587 in https://github.com/expressjs/express/pull/6323 * ci: reorder `npm i` steps to fix ci for older node versions by @Phillip9587 in https://github.com/expressjs/express/pull/6336 * Backport: ci: add node.js 24 to test matrix by @Phillip9587 in https://github.com/expressjs/express/pull/6506 * chore(4.x): wider range for query test skip by @jonchurch in https://github.com/expressjs/express/pull/6513 * use tilde notation for certain dependencies by @UlisesGascon in https://github.com/expressjs/express/pull/6905 * deps: qs@6.14.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6909 * deps: use tilde notation for `qs` by @Phillip9587 in https://github.com/expressjs/express/pull/6919 * Release: 4.22.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6921 **Full Changelog**: https://github.com/expressjs/express/compare/4.21.2...4.22.0 ### v5.0.1 ## What's Changed * remove --bail from test script by @jonchurch in https://github.com/expressjs/express/pull/5962 * Nominate @bjohansebas to the triage team by @UlisesGascon in https://github.com/expressjs/express/pull/6009 * Link and update captains by @blakeembrey in https://github.com/expressjs/express/pull/6013 * Update `cookie` semver lock to address CVE-2024-47764 by @joshbuker in https://github.com/expressjs/express/pull/6017 * Release: 5.0.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6032 **Full Changelog**: https://github.com/expressjs/express/compare/v5.0.0...5.0.1 ### v5.1.0 ## What's Changed * Update captains by @UlisesGascon in https://github.com/expressjs/express/pull/6027 * build: Node.js 23.0 by @bjohansebas in https://github.com/expressjs/express/pull/6075 * Add funding field (v5) by @bjohansebas in https://github.com/expressjs/express/pull/6064 * ✅ add discarded middleware test by @ctcpip in https://github.com/expressjs/express/pull/5819 * update homepage link http to https by @bjohansebas in https://github.com/expressjs/express/pull/5920 * Improve readme by @bjohansebas in https://github.com/expressjs/express/pull/5994 * Add bjohansebas as repo captain for expressjs.com by @crandmck in https://github.com/expressjs/express/pull/6058 * Remove Object.setPrototypeOf polyfill by @Phillip9587 in https://github.com/expressjs/express/pull/6081 * fix(buffer): use node:buffer instead of safe-buffer by @bhavya3024 in https://github.com/expressjs/express/pull/6071 * docs: Add DCO by @UlisesGascon in https://github.com/expressjs/express/pull/6048 * cleanup: remove promise support check from tests by @Phillip9587 in https://github.com/expressjs/express/pull/6148 * Use loop for acceptParams by @blakeembrey in https://github.com/expressjs/express/pull/6066 * Improve documentation step in release process by @bjohansebas in https://github.com/expressjs/express/pull/6150 * cleanup: remove unnecessary require for global Buffer by @Phillip9587 in https://github.com/expressjs/express/pull/6146 * cleanup: remove AsyncLocalStorage check by @Phillip9587 in https://github.com/expressjs/express/pull/6147 * update history.md for acceptParams change by @jonchurch in https://github.com/expressjs/express/pull/6177 * docs: add @rxmarbles to the triage team by @UlisesGascon in https://github.com/expressjs/express/pull/6151 * refactor: improve readability by @sazk07 in https://github.com/expressjs/express/pull/6173 * docs: clarify the security process in the triage role by @bjohansebas in https://github.com/expressjs/express/pull/6217 * chore: replace `methods` dependency with standard library by @jonkoops in https://github.com/expressjs/express/pull/6196 * Remove `utils-merge` dependency - use spread syntax instead by @Phillip9587 in https://github.com/expressjs/express/pull/6091 * fix(securite): fix vulnerabilities by @Abdel-Monaam-Aouini in https://github.com/expressjs/express/pull/6211 * refactor: prefix built-in node module imports by @slagiewka in https://github.com/expressjs/express/pull/6236 * fix: remove download size badges by @wesleytodd in https://github.com/expressjs/express/pull/6266 * Remove unused `depd` dependency by @jonkoops in https://github.com/expressjs/express/pull/6197 * fix: usage of `Invalid action input 'persist-credentials'` for `actions/setup-node@v4` in `ci.yml` by @hamirmahal in https://github.com/expressjs/express/pull/6256 * Add support for OSSF scorecard reporting by @UlisesGascon in https://github.com/expressjs/express/pull/5431 * docs: add @Phillip9587 to the triage team by @bjohansebas in https://github.com/expressjs/express/pull/6276 * fix: added a missing semicolon in css styles in examples/auth by @pr4j3sh in https://github.com/expressjs/express/pull/6297 * docs: include team email in the security policy by @UlisesGascon in https://github.com/expressjs/express/pull/6278 * refactor: simplify `normalizeTypes` function by @Ayoub-Mabrouk in https://github.com/expressjs/express/pull/6097 * ci: updated github actions ci workflow by @Phillip9587 in https://github.com/expressjs/express/pull/6314 * ci: fix npm install --include typo by @Phillip9587 in https://github.com/expressjs/express/pull/6324 * ci: updated scorecard actions by @Phillip9587 in https://github.com/expressjs/express/pull/6322 * build(deps): use carat notation for dependency versions by @dpopp07 in https://github.com/expressjs/express/pull/6317 * chore(deps): update `debug` to ^4.4.0 by @Phillip9587 in https://github.com/expressjs/express/pull/6313 * docs: retroactively note 5.0.0-beta.1 api change in history file by @dpopp07 in https://github.com/expressjs/express/pull/6333 * feat(deps): body-parser@^2.1.0 by @wesleytodd in https://github.com/expressjs/express/pull/6332 * feat(deps): router@^2.1.0 by @wesleytodd in https://github.com/expressjs/express/pull/6331 * Update repo captains by @UlisesGascon in https://github.com/expressjs/express/pull/6234 * deps: upgrade nyc by @agungjati in https://github.com/expressjs/express/pull/6122 * fix (deps): update deps by @wesleytodd in https://github.com/expressjs/express/pull/6337 * response: add support for ETag option in res.sendFile by @juanarbol in https://github.com/expressjs/express/pull/6073 * Update multiple links to use `https` instead of `http` by @Phillip9587 in https://github.com/expressjs/express/pull/6338 * Extend res.links() to allow adding multiple links with the same rel #2729 by @andvea in https://github.com/expressjs/express/pull/4885 * docs: update emeritus triagers by @UlisesGascon in https://github.com/expressjs/express/pull/6345 * docs: update guidance for triager nominations by @bjohansebas in https://github.com/expressjs/express/pull/6349 * docs: clarify guidelines for becoming a committer by @bjohansebas in https://github.com/expressjs/express/pull/6364 * Nominate @dpopp07 to the triage team by @UlisesGascon in https://github.com/expressjs/express/pull/6352 * fix(deps): qs@^6.14.0 by @wesleytodd in https://github.com/expressjs/express/pull/6374 * Add dependabot by @UlisesGascon in https://github.com/expressjs/express/pull/5435 * fix dependabot config by @bjohansebas in https://github.com/expressjs/express/pull/6392 * build(deps): bump github/codeql-action from 3.24.7 to 3.28.11 by @dependabot in https://github.com/expressjs/express/pull/6398 * build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot in https://github.com/expressjs/express/pull/6397 * feat(deps): finalhandler@2.1.0 by @wesleytodd in https://github.com/expressjs/express/pull/6373 * build(deps-dev): bump cookie-session from 2.0.0 to 2.1.0 by @dependabot in https://github.com/expressjs/express/pull/6399 * deps: body-parser@^2.2.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6419 * deps: type-is@^2.0.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6420 * deps: router@^2.2.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6417 * ci: use full SHAs for github action versions by @Phillip9587 in https://github.com/expressjs/express/pull/6415 * doc: remove @mertcanaltin from Triagers by @mertcanaltin in https://github.com/expressjs/express/pull/6408 * deps: serve-static@^2.2.0 by @UlisesGascon in https://github.com/expressjs/express/pull/6418 * 5.1.0 by @wesleytodd in https://github.com/expressjs/express/pull/6425 ## New Contributors * @bhavya3024 made their first contribution in https://github.com/expressjs/express/pull/6071 * @jonkoops made their first contribution in https://github.com/expressjs/express/pull/6196 * @Abdel-Monaam-Aouini made their first contribution in https://github.com/expressjs/express/pull/6211 * @slagiewka made their first contribution in https://github.com/expressjs/express/pull/6236 * @hamirmahal made their first contribution in https://github.com/expressjs/express/pull/6256 * @pr4j3sh made their first contribution in https://github.com/expressjs/express/pull/6297 * @Ayoub-Mabrouk made their first contribution in https://github.com/expressjs/express/pull/6097 * @dpopp07 made their first contribution in https://github.com/expressjs/express/pull/6317 * @agungjati made their first contribution in https://github.com/expressjs/express/pull/6122 * @andvea made their first contribution in https://github.com/expressjs/express/pull/4885 * @dependabot made their first contribution in https://github.com/expressjs/express/pull/6398 **Full Changelog**: https://github.com/expressjs/express/compare/5.0.1...v5.1.0 ### 4.21.2 ## What's Changed * Add funding field (v4) by @bjohansebas in https://github.com/expressjs/express/pull/6065 * deps: path-to-regexp@0.1.11 by @blakeembrey in https://github.com/expressjs/express/pull/5956 * deps: bump path-to-regexp@0.1.12 by @jonchurch in https://github.com/expressjs/express/pull/6209 * Release: 4.21.2 by @UlisesGascon in https://github.com/expressjs/express/pull/6094 **Full Changelog**: https://github.com/expressjs/express/compare/4.21.1...4.21.2 ### 4.21.1 ## What's Changed * Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in https://github.com/expressjs/express/pull/6029 * Release: 4.21.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6031 **Full Changelog**: https://github.com/expressjs/express/compare/4.21.0...4.21.1 ### 4.21.0 ## What's Changed * Deprecate `"back"` magic string in redirects by @blakeembrey in https://github.com/expressjs/express/pull/5935 * finalhandler@1.3.1 by @wesleytodd in https://github.com/expressjs/express/pull/5954 * fix(deps): serve-static@1.16.2 by @wesleytodd in https://github.com/expressjs/express/pull/5951 * Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in https://github.com/expressjs/express/pull/5946 ## New Contributors * @agadzinski93 made their first contribution in https://github.com/expressjs/express/pull/5946 **Full Changelog**: https://github.com/expressjs/express/compare/4.20.0...4.21.0 ### v5.0.0 # Express v5.0.0 🎉 **Express v5 is finally here!** 🎉 After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability. For detailed information, please check out the official [Express v5 release blog post](https://expressjs.com/2024/10/15/v5-release.html). ## Most relevant details ### Major Changes in v5 - **Node.js version support**: Dropped support for Node.js versions before v18. - **Routing changes**: Updated to `path-to-regexp@8.x`, removing sub-expression regex patterns for security reasons (ReDoS mitigation). - **Promise support**: Middleware can now return rejected promises, caught by the router as errors. - **`body-parser` changes**: Several improvements including the ability to customize `urlencoded` body depth and defaulting `extended` to `false`. - **Deprecated API methods removed**: Removed old, deprecated API method signatures from Express v3/v4. For a complete list of breaking changes and API deprecations, see the [migration guide](https://expressjs.com/en/guide/migrating-5.html). ### Security Updates This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the [security release notes](https://expressjs.com/2024/09/29/security-releases.html). ### Migration Be sure to check out our [migration guide](https://expressjs.com/en/guide/migrating-5.html) for instructions on how to update your applications from Express v4 to v5. ### Security Guidance For best practices, we recommend reviewing the [Threat Model](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md) which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects. ## What's Changed * 4.19.2 Staging by @wesleytodd in https://github.com/expressjs/express/pull/5561 * remove duplicate location test for data uri by @wesleytodd in https://github.com/expressjs/express/pull/5562 * feat: document beta releases expectations by @marco-ippolito in https://github.com/expressjs/express/pull/5565 * Cut down on duplicated CI runs by @jonchurch in https://github.com/expressjs/express/pull/5564 * Add a Threat Model by @UlisesGascon in https://github.com/expressjs/express/pull/5526 * Assign captain of encodeurl by @blakeembrey in https://github.com/expressjs/express/pull/5579 * Nominate jonchurch as repo captain for `http-errors`, `expressjs.com`, `morgan`, `cors`, `body-parser` by @jonchurch in https://github.com/expressjs/express/pull/5587 * docs: update Security.md by @inigomarquinez in https://github.com/expressjs/express/pull/5590 * docs: update triage nomination policy by @UlisesGascon in https://github.com/expressjs/express/pull/5600 * Add CodeQL (SAST) by @UlisesGascon in https://github.com/expressjs/express/pull/5433 * docs: add UlisesGascon as triage initiative captain by @UlisesGascon in https://github.com/expressjs/express/pull/5605 * Use object with null prototype for various app properties by @EvanHahn in https://github.com/expressjs/express/pull/4861 * deps: encodeurl@~2.0.0 by @blakeembrey in https://github.com/expressjs/express/pull/5569 * skip QUERY method test by @jonchurch in https://github.com/expressjs/express/pull/5628 * ignore ETAG query test on 21 and 22, reuse skip util by @jonchurch in https://github.com/expressjs/express/pull/5639 * add support Node.js@22 in the CI by @mertcanaltin in https://github.com/expressjs/express/pull/5627 * doc: add table of contents, tc/triager lists to readme by @mertcanaltin in https://github.com/expressjs/express/pull/5619 * List and sort all projects, add captains by @blakeembrey in https://github.com/expressjs/express/pull/5653 * Call callback once on listen error by @wesleytodd in https://github.com/expressjs/express/pull/3216 * docs: add @UlisesGascon as captain for cookie-parser by @UlisesGascon in https://github.com/expressjs/express/pull/5666 * ✨ bring back query tests for node 21 by @ctcpip in https://github.com/expressjs/express/pull/5690 * [v4] Deprecate `res.clearCookie` accepting `options.maxAge` and `options.expires` by @jonchurch in https://github.com/expressjs/express/pull/5672 * skip QUERY tests for Node 21 only, still not supported by @jonchurch in https://github.com/expressjs/express/pull/5695 * 📝 update people, add ctcpip to TC by @ctcpip in https://github.com/expressjs/express/pull/5683 * remove minor version pinning from ci by @jonchurch in https://github.com/expressjs/express/pull/5722 * Fix link variable use in attribution section of CODE OF CONDUCT by @IamLizu in https://github.com/expressjs/express/pull/5762 * Replace Appveyor windows testing with GHA by @jonchurch in https://github.com/expressjs/express/pull/5599 * Add OSSF Scorecard badge by @UlisesGascon in https://github.com/expressjs/express/pull/5436 * Throw on invalid status codes by @jonchurch in https://github.com/expressjs/express/pull/4212 * Use Array.flat instead of array-flatten by @almic in https://github.com/expressjs/express/pull/5677 * Adopt Node@18 as the minimum supported version by @UlisesGascon in https://github.com/expressjs/express/pull/5803 * Ignore `expires` and `maxAge` in `res.clearCookie()` by @jonchurch in https://github.com/expressjs/express/pull/5792 * send@1.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5786 * chore: upgrade `debug` dep from 3.10 to 4.3.6 by @carpasse in https://github.com/expressjs/express/pull/5829 * refactor: replace 'path-is-absolute' dep with node:path isAbsolute method by @carpasse in https://github.com/expressjs/express/pull/5830 * update scorecard link by @bjohansebas in https://github.com/expressjs/express/pull/5814 * Nominate @IamLizu to the triage team by @UlisesGascon in https://github.com/expressjs/express/pull/5836 * deps: path-to-regexp@0.1.8 by @blakeembrey in https://github.com/expressjs/express/pull/5603 * docs: specify new instructions for `question` and `discuss` by @IamLizu in https://github.com/expressjs/express/pull/5835 * 5.x: Upgrading `merge-descriptors` with allowing minors by @RobinTail in https://github.com/expressjs/express/pull/5782 * 4.x: Upgrade `merge-descriptors` dependency by @RobinTail in https://github.com/expressjs/express/pull/5781 * WIP: serve-static@2 by @wesleytodd in https://github.com/expressjs/express/pull/5790 * chore: upgrade qs dp from 6.11.0 to 6.13.0 by @carpasse in https://github.com/expressjs/express/pull/5847 * Upgrade cookie signature by @IamLizu in https://github.com/expressjs/express/pull/5833 * accepts@2 by @wesleytodd in https://github.com/expressjs/express/pull/5881 * mime-types@3 by @wesleytodd in https://github.com/expressjs/express/pull/5882 * type-is@^2.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5883 * content-disposition@^1.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5884 * fix(deps): finalhandler@^2.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5899 * path-to-regexp@0.1.10 by @blakeembrey in https://github.com/expressjs/express/pull/5902 * update to `fresh@^2.0.0` by @jonchurch in https://github.com/expressjs/express/pull/5916 * router@^2.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5885 * Adopt Node@18 as the minimum supported version by @UlisesGascon in https://github.com/expressjs/express/pull/5595 * master -> 5.0 by @ctcpip in https://github.com/expressjs/express/pull/5785 * 🔧 update CI, remove unsupported versions, clean up by @ctcpip in https://github.com/expressjs/express/pull/5931 * Delete `back` as a magic string by @blakeembrey in https://github.com/expressjs/express/pull/5933 * Release 5.0 by @dougwilson in https://github.com/expressjs/express/pull/2237 ## New Contributors * @marco-ippolito made their first contribution in https://github.com/expressjs/express/pull/5565 * @inigomarquinez made their first contribution in https://github.com/expressjs/express/pull/5590 * @mertcanaltin made their first contribution in https://github.com/expressjs/express/pull/5627 * @ctcpip made their first contribution in https://github.com/expressjs/express/pull/5690 * @IamLizu made their first contribution in https://github.com/expressjs/express/pull/5762 * @almic made their first contribution in https://github.com/expressjs/express/pull/5677 * @carpasse made their first contribution in https://github.com/expressjs/express/pull/5829 * @bjohansebas made their first contribution in https://github.com/expressjs/express/pull/5814 * @RobinTail made their first contribution in https://github.com/expressjs/express/pull/5782 **Full Changelog**: https://github.com/expressjs/express/compare/v5.0.0-beta.3...v5.0.0 ### 4.20.0 ## What's Changed ### Important * IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`) * Remove link renderization in html while using `res.redirect` ### Other Changes * 4.19.2 Staging by @wesleytodd in https://github.com/expressjs/express/pull/5561 * remove duplicate location test for data uri by @wesleytodd in https://github.com/expressjs/express/pull/5562 * feat: document beta releases expectations by @marco-ippolito in https://github.com/expressjs/express/pull/5565 * Cut down on duplicated CI runs by @jonchurch in https://github.com/expressjs/express/pull/5564 * Add a Threat Model by @UlisesGascon in https://github.com/expressjs/express/pull/5526 * Assign captain of encodeurl by @blakeembrey in https://github.com/expressjs/express/pull/5579 * Nominate jonchurch as repo captain for `http-errors`, `expressjs.com`, `morgan`, `cors`, `body-parser` by @jonchurch in https://github.com/expressjs/express/pull/5587 * docs: update Security.md by @inigomarquinez in https://github.com/expressjs/express/pull/5590 * docs: update triage nomination policy by @UlisesGascon in https://github.com/expressjs/express/pull/5600 * Add CodeQL (SAST) by @UlisesGascon in https://github.com/expressjs/express/pull/5433 * docs: add UlisesGascon as triage initiative captain by @UlisesGascon in https://github.com/expressjs/express/pull/5605 * deps: encodeurl@~2.0.0 by @blakeembrey in https://github.com/expressjs/express/pull/5569 * skip QUERY method test by @jonchurch in https://github.com/expressjs/express/pull/5628 * ignore ETAG query test on 21 and 22, reuse skip util by @jonchurch in https://github.com/expressjs/express/pull/5639 * add support Node.js@22 in the CI by @mertcanaltin in https://github.com/expressjs/express/pull/5627 * doc: add table of contents, tc/triager lists to readme by @mertcanaltin in https://github.com/expressjs/express/pull/5619 * List and sort all projects, add captains by @blakeembrey in https://github.com/expressjs/express/pull/5653 * docs: add @UlisesGascon as captain for cookie-parser by @UlisesGascon in https://github.com/expressjs/express/pull/5666 * ✨ bring back query tests for node 21 by @ctcpip in https://github.com/expressjs/express/pull/5690 * [v4] Deprecate `res.clearCookie` accepting `options.maxAge` and `options.expires` by @jonchurch in https://github.com/expressjs/express/pull/5672 * skip QUERY tests for Node 21 only, still not supported by @jonchurch in https://github.com/expressjs/express/pull/5695 * 📝 update people, add ctcpip to TC by @ctcpip in https://github.com/expressjs/express/pull/5683 * remove minor version pinning from ci by @jonchurch in https://github.com/expressjs/express/pull/5722 * Fix link variable use in attribution section of CODE OF CONDUCT by @IamLizu in https://github.com/expressjs/express/pull/5762 * Replace Appveyor windows testing with GHA by @jonchurch in https://github.com/expressjs/express/pull/5599 * Add OSSF Scorecard badge by @UlisesGascon in https://github.com/expressjs/express/pull/5436 * update scorecard link by @bjohansebas in https://github.com/expressjs/express/pull/5814 * Nominate @IamLizu to the triage team by @UlisesGascon in https://github.com/expressjs/express/pull/5836 * deps: path-to-regexp@0.1.8 by @blakeembrey in https://github.com/expressjs/express/pull/5603 * docs: specify new instructions for `question` and `discuss` by @IamLizu in https://github.com/expressjs/express/pull/5835 * 4.x: Upgrade `merge-descriptors` dependency by @RobinTail in https://github.com/expressjs/express/pull/5781 * path-to-regexp@0.1.10 by @blakeembrey in https://github.com/expressjs/express/pull/5902 ## New Contributors * @marco-ippolito made their first contribution in https://github.com/expressjs/express/pull/5565 * @inigomarquinez made their first contribution in https://github.com/expressjs/express/pull/5590 * @mertcanaltin made their first contribution in https://github.com/expressjs/express/pull/5627 * @ctcpip made their first contribution in https://github.com/expressjs/express/pull/5690 * @bjohansebas made their first contribution in https://github.com/expressjs/express/pull/5814 **Full Changelog**: https://github.com/expressjs/express/compare/4.19.1...4.20.0 ### v5.0.0-beta.3 **Full Changelog**: https://github.com/expressjs/express/compare/5.0.0-beta.2...v5.0.0-beta.3 ### 5.0.0-beta.2 ## What's Changed * lib: fix typo ocurred -> occurred by @caioagiani in https://github.com/expressjs/express/pull/4805 * examples: defend from privilege elevation by @KoyamaSohei in https://github.com/expressjs/express/pull/4120 * replace "replaces" with "replacer" in jsdoc by @apeltop in https://github.com/expressjs/express/pull/4843 * Add install size badge to README by @styfle in https://github.com/expressjs/express/pull/3710 * Replace deprecated String.prototype.substr() by @CommanderRoot in https://github.com/expressjs/express/pull/4860 * fix: remove deprecated html attribute by @Hashen110 in https://github.com/expressjs/express/pull/4866 * fix: parameter index is not described in JSDoc by @Hashen110 in https://github.com/expressjs/express/pull/4867 * fix: continue is unnecessary as the last statement in a loop by @Hashen110 in https://github.com/expressjs/express/pull/4868 * Deprecate non integer status codes in v4 by @jonchurch in https://github.com/expressjs/express/pull/4223 * Add root support in res.download() by @mmito in https://github.com/expressjs/express/pull/4855 * res.format(): call default using `obj` as the context by @shesek in https://github.com/expressjs/express/pull/3587 * Feature/4171 depd by @UlisesGascon in https://github.com/expressjs/express/pull/4174 * Validate `maxAge` appropriateness before use by @cjbarth in https://github.com/expressjs/express/pull/3936 * deps: statuses@2.0.1 by @3imed-jaberi in https://github.com/expressjs/express/pull/4336 * test: fix typo by @Hashen110 in https://github.com/expressjs/express/pull/4882 * docs: fix typo: http -> HTTP by @ghousemohamed in https://github.com/expressjs/express/pull/4872 * Update Security.md by @netcode in https://github.com/expressjs/express/pull/4890 * examples: add missing associated labels by @Hashen110 in https://github.com/expressjs/express/pull/4884 * Increase timeout for mocha to 7500 by @grisu48 in https://github.com/expressjs/express/pull/4887 * Release 4.18 by @dougwilson in https://github.com/expressjs/express/pull/4287 * Expanding the benchmark. by @denizy97 in https://github.com/expressjs/express/pull/4880 * examples: remove unused params by @alxdrg in https://github.com/expressjs/express/pull/4914 * Grammatically updated the express documentation for better comprehension by @REALSTEVEIG in https://github.com/expressjs/express/pull/4926 * Freenode is dead/dying by @theabhinavdas in https://github.com/expressjs/express/pull/5013 * Use https: protocol instead of deprecated git: protocol by @vcsjones in https://github.com/expressjs/express/pull/5032 * build: Node.js@16.18 and Node.js@18.12 by @abenhamdine in https://github.com/expressjs/express/pull/5034 * ci: update actions/checkout to v3 by @armujahid in https://github.com/expressjs/express/pull/5027 * test: remove unused function arguments in params by @raksbisht in https://github.com/expressjs/express/pull/5124 * Remove unused originalIndex from acceptParams by @raksbisht in https://github.com/expressjs/express/pull/5119 * Fixed typos by @raksbisht in https://github.com/expressjs/express/pull/5117 * examples: remove unused params by @raksbisht in https://github.com/expressjs/express/pull/5113 * fix: parameter str is not described in JSDoc by @raksbisht in https://github.com/expressjs/express/pull/5130 * fix: typos in History.md by @raksbisht in https://github.com/expressjs/express/pull/5131 * build : add Node.js@19.7 by @abenhamdine in https://github.com/expressjs/express/pull/5028 * test: remove unused function arguments in params by @raksbisht in https://github.com/expressjs/express/pull/5137 * use random port in test so it won't fail on already listening by @rluvaton in https://github.com/expressjs/express/pull/5162 * tests: use cb() instead of done() by @kristof-low in https://github.com/expressjs/express/pull/5233 * examples: remove multipart example by @riddlew in https://github.com/expressjs/express/pull/5195 * Update support Node.js@18 in the CI by @UlisesGascon in https://github.com/expressjs/express/pull/5490 * Fix favicon-related bug in cookie-sessions example by @DmytroKondrashov in https://github.com/expressjs/express/pull/5414 * Release 4.18.3 by @UlisesGascon in https://github.com/expressjs/express/pull/5505 * fix typo in release date by @UlisesGascon in https://github.com/expressjs/express/pull/5527 * docs: nominating @wesleytodd to be project captian by @wesleytodd in https://github.com/expressjs/express/pull/5511 * docs: loosen TC activity rules by @wesleytodd in https://github.com/expressjs/express/pull/5510 * Add note on how to update docs for new release by @crandmck in https://github.com/expressjs/express/pull/5541 * Release 4.19.0 by @wesleytodd in https://github.com/expressjs/express/pull/5551 * Fix ci after location patch by @wesleytodd in https://github.com/expressjs/express/pull/5552 * fixed un-edited version in history.md for 4.19.0 by @wesleytodd in https://github.com/expressjs/express/pull/5556 ## New Contributors * @caioagiani made their first contribution in https://github.com/expressjs/express/pull/4805 * @apeltop made their first contribution in https://github.com/expressjs/express/pull/4843 * @styfle made their first contribution in https://github.com/expressjs/express/pull/3710 * @CommanderRoot made their first contribution in https://github.com/expressjs/express/pull/4860 * @Hashen110 made their first contribution in https://github.com/expressjs/express/pull/4866 * @mmito made their first contribution in https://github.com/expressjs/express/pull/4855 * @UlisesGascon made their first contribution in https://github.com/expressjs/express/pull/4174 * @cjbarth made their first contribution in https://github.com/expressjs/express/pull/3936 * @ghousemohamed made their first contribution in https://github.com/expressjs/express/pull/4872 * @netcode made their first contribution in https://github.com/expressjs/express/pull/4890 * @grisu48 made their first contribution in https://github.com/expressjs/express/pull/4887 * @denizy97 made their first contribution in https://github.com/expressjs/express/pull/4880 * @alxdrg made their first contribution in https://github.com/expressjs/express/pull/4914 * @REALSTEVEIG made their first contribution in https://github.com/expressjs/express/pull/4926 * @theabhinavdas made their first contribution in https://github.com/expressjs/express/pull/5013 * @vcsjones made their first contribution in https://github.com/expressjs/express/pull/5032 * @abenhamdine made their first contribution in https://github.com/expressjs/express/pull/5034 * @armujahid made their first contribution in https://github.com/expressjs/express/pull/5027 * @raksbisht made their first contribution in https://github.com/expressjs/express/pull/5124 * @rluvaton made their first contribution in https://github.com/expressjs/express/pull/5162 * @kristof-low made their first contribution in https://github.com/expressjs/express/pull/5233 * @riddlew made their first contribution in https://github.com/expressjs/express/pull/5195 * @DmytroKondrashov made their first contribution in https://github.com/expressjs/express/pull/5414 * @crandmck made their first contribution in https://github.com/expressjs/express/pull/5541 **Full Changelog**: https://github.com/expressjs/express/compare/v5.0.0-beta.1...5.0.0-beta.2 ### v5.0.0-beta.1 This is the first Express 5.0 beta release, based off 4.17.2 and includes changes from 5.0.0-alpha.8. * change: - Default "query parser" setting to `'simple'` - Requires Node.js 4+ - Use `mime-types` for file to content type mapping * deps: array-flatten@3.0.0 * deps: body-parser@2.0.0-beta.1 - `req.body` is no longer always initialized to `{}` - `urlencoded` parser now defaults `extended` to `false` - Use `on-finished` to determine when body read * deps: router@2.0.0-beta.1 - Add new `?`, `*`, and `+` parameter modifiers - Internalize private `router.process_params` method - Matching group expressions are only RegExp syntax - Named matching groups no longer available by position in `req.params` - Regular expressions can only be used in a matching group - Remove `debug` dependency - Special `*` path segment behavior removed - deps: array-flatten@3.0.0 - deps: parseurl@~1.3.3 - deps: path-to-regexp@3.2.0 - deps: setprototypeof@1.2.0 * deps: send@1.0.0-beta.1 - Change `dotfiles` option default to `'ignore'` - Remove `hidden` option; use `dotfiles` option instead - Use `mime-types` for file to content type mapping - deps: debug@3.1.0 * deps: serve-static@2.0.0-beta.1 - Change `dotfiles` option default to `'ignore'` - Remove `hidden` option; use `dotfiles` option instead - Use `mime-types` for file to content type mapping - deps: send@1.0.0-beta.1 ### 5.0.0-alpha.8 This is the sixth Express 5.0 alpha release, based off 4.17.1 and includes changes from 5.0.0-alpha.7. ### 5.0.0-alpha.7 This is the seventh Express 5.0 alpha release, based off 4.16.4 and includes changes from 5.0.0-alpha.6. The major change with this alpha is the basic support for returned, rejected Promises in the router. * remove: - `path-to-regexp` dependency * deps: debug@3.1.0 - Add `DEBUG_HIDE_DATE` environment variable - Change timer to per-namespace instead of global - Change non-TTY date format - Remove `DEBUG_FD` environment variable support - Support 256 namespace colors * deps: router@2.0.0-alpha.1 - Add basic support for returned, rejected Promises - Fix JSDoc for `Router` constructor - deps: debug@3.1.0 - deps: parseurl@~1.3.2 - deps: setprototypeof@1.1.0 - deps: utils-merge@1.0.1 --- ✨ This PR was created by Minori, your friendly dependency updater! 🌸

minori added 1 commit 2026-02-03 17:24:18 -08:00

deps: update express to 5.2.1 9a727f9208

Some required checks failed

Hide all checks

Node.js CI / CI (pull_request) Failing after 28s

Required

Details

Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 1m1s

Details

This pull request doesn't have enough required approvals yet. 0 of 1 approvals granted from users or teams on the allowlist.

This branch is out-of-date with the base branch

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin dependencies/update-express:dependencies/update-express

git checkout dependencies/update-express

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

aspect

code

Concerns the software code in the repository

aspect

dx

Concerns developers' experience with the codebase

aspect

interface

Concerns end-users' experience with the software

aspect

text

Concerns the documentation material in the repository

contribute

good first issue

A great opportunity for a team member to learn a new codebase

contribute

help wanted

Open for anyone on our team to grab.

contribute

staff only

Restricted to our executive leadership.

goal

addition

Addition of new feature

goal

fix

Bug fix

goal

improvement

Improvement to an existing feature

points

1

Very simple issue requiring minimal effort and complexity.

points

13

Extremely complex issue representing major undertakings. Should be broken down into smaller pieces.

points

2

Simple issue that requires a bit more thought or investigation.

points

3

Moderate complexity issue requiring more substantial work.

points

5

Complex issue requiring significant effort and expertise.

points

8

Very complex issue requiring extensive work and deep expertise.

priority

critical

1

Must be fixed ASAP

priority

high

2

Stalls work on the project or its dependents

priority

low

4

Low priority and doesn't need to be rushed

priority

medium

3

Not blocking but should be fixed soon

priority

none

5

No priority, should only be performed when a developer is available

status

awaiting triage

Has not been triaged & therefore, not ready for work

status

blocked

Blocked and therefore not ready for work

status

discarded

Will not be worked on

status

discontinued

Not suitable for work as repo is in maintenance

status

label work required

Needs proper labelling before it can be worked on

status

ready for dev

Ready for work

status

ticket work required

Needs more details before it can be worked on

talk

discussion

Open for discussions and feedback

talk

question

Can be resolved with an answer

time

1 day

Approximately one full day of development work.

time

1-2 weeks

One to two weeks of focused development effort.

time

2-3 days

Two to three days of development effort.

time

4-5 days

Approximately one week of development work.

time

<1 day

Less than one day of focused work. Quick fixes or simple tasks.

time

>2 weeks

More than two weeks of development work. Must be broken down into smaller pieces.

No Label

Milestone

No items

No Milestone

Assignees

Clear assignees

gurkirat hanna (Hanna Rose) hikari (Hikari) minori (Minori) naomi (Naomi Carrigan) rain teklu tim

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: nhcarrigan/a4p-bot#5