v5.2.1

What's Changed

Important

The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 5.2.1 by @UlisesGascon in #6933

Full Changelog: v5.2.0...v5.2.1

v5.2.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in #6429
• Refactor: simplify acceptsLanguages implementation using spread operator by @Ayoub-Mabrouk in #6137
• increased code coverage of utils.js file by @ashish3011 in #6386
• chore: remove duplicate word by @dufucun in #6456
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in #6498
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in #6497
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in #6496
• ci: add node.js 24 to test matrix by @Phillip9587 in #6504
• ci: update codeql config by @Phillip9587 in #6488
• chore: wider range for query test skip by @jonchurch in #6512
• chore: fix typos in test by @noritaka1166 in #6535
• ci: disable credential persistence for checkout actions by @mertssmnoglu in #6522
• ci: allow manual triggering of workflow by @shivarm in #6515
• test: add coverage for app.listen() variants by @kgarg1 in #6476
• docs: move documentation and charters to the discussions and .github … by @bjohansebas in #6427
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in #6549
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in #6548
• chore: enforce explicit Buffer import and add lint rule by @shivarm in #6525
• chore: use node protocol for querystring by @shivarm in #6520
• chore: fix typo by @mountdisk in #6609
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in #6618
• add deprecation warnings for redirect arguments undefined by @bjohansebas in #6405
• ci: run CI when the markdown changes by @bjohansebas in #6632
• doc: fix CONTRIBUTING link by @jonchurch in #6653
• doc: update contributing guidelines and code of conduct links by @ShubhamOulkar in #6601
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @dependabot[bot] in #6679
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @dependabot[bot] in #6678
• lint: add --fix flag to automatic fix linting issue by @shivarm in #6644
• chore: ignore yarn.lock file and update example by @shivarm in #6588
• lib: use req.socket over deprecated req.connection by @bjohansebas in #6705
• doc: update express app example by @shivarm in #6718
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in #6675
• Remove history.md from being packaged on publish by @sheplu in #6780
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #6797
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @dependabot[bot] in #6796
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #6795
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in #6794
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @dependabot[bot] in #6793
• ci: add node.js 25 to test matrix by @Phillip9587 in #6843
• build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #6871
• build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @dependabot[bot] in #6870
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @dependabot[bot] in #6869
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #6868
• chore: switch badges from badgen.net to shields.io by @Phillip9587 in #6900
• refactor: use cached slice in app.listen by @Tacit1 in #6897
• Nominate to @efekrskl for triage team by @bjohansebas in #6888
• docs: update emeritus triagers by @bjohansebas in #6890
• fix: upgrade body-parser to 2.2.1 to address CVE-2025-13466 by @shivarm in #6922
• build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @dependabot[bot] in #6930
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @dependabot[bot] in #6929
• build(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in #6928
• Release: 5.2.0 by @UlisesGascon in #6920

New Contributors

• @ashish3011 made their first contribution in #6386
• @dufucun made their first contribution in #6456
• @noritaka1166 made their first contribution in #6535
• @mertssmnoglu made their first contribution in #6522
• @shivarm made their first contribution in #6515
• @kgarg1 made their first contribution in #6476
• @mountdisk made their first contribution in #6609
• @ShubhamOulkar made their first contribution in #6601
• @sheplu made their first contribution in #6780
• @Tacit1 made their first contribution in #6897

Full Changelog: v5.1.0...v5.2.0

v4.22.1

What's Changed

Important

The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @UlisesGascon in #6934

Full Changelog: 4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @sazk07 in #6190
• ci: add support for Node.js@23.0 by @UlisesGascon in #6080
• Method functions with no path should error by @wesleytodd in #5957
• ci: updated github actions ci workflow by @Phillip9587 in #6323
• ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in #6336
• Backport: ci: add node.js 24 to test matrix by @Phillip9587 in #6506
• chore(4.x): wider range for query test skip by @jonchurch in #6513
• use tilde notation for certain dependencies by @UlisesGascon in #6905
• deps: qs@6.14.0 by @UlisesGascon in #6909
• deps: use tilde notation for qs by @Phillip9587 in #6919
• Release: 4.22.0 by @UlisesGascon in #6921

Full Changelog: 4.21.2...4.22.0

5.0.1

What's Changed

• remove --bail from test script by @jonchurch in #5962
• Nominate @bjohansebas to the triage team by @UlisesGascon in #6009
• Link and update captains by @blakeembrey in #6013
• Update cookie semver lock to address CVE-2024-47764 by @joshbuker in #6017
• Release: 5.0.1 by @UlisesGascon in #6032

Full Changelog: v5.0.0...5.0.1

v5.1.0

What's Changed

• Update captains by @UlisesGascon in #6027
• build: Node.js 23.0 by @bjohansebas in #6075
• Add funding field (v5) by @bjohansebas in #6064
• ✅ add discarded middleware test by @ctcpip in #5819
• update homepage link http to https by @bjohansebas in #5920
• Improve readme by @bjohansebas in #5994
• Add bjohansebas as repo captain for expressjs.com by @crandmck in #6058
• Remove Object.setPrototypeOf polyfill by @Phillip9587 in #6081
• fix(buffer): use node:buffer instead of safe-buffer by @bhavya3024 in #6071
• docs: Add DCO by @UlisesGascon in #6048
• cleanup: remove promise support check from tests by @Phillip9587 in #6148
• Use loop for acceptParams by @blakeembrey in #6066
• Improve documentation step in release process by @bjohansebas in #6150
• cleanup: remove unnecessary require for global Buffer by @Phillip9587 in #6146
• cleanup: remove AsyncLocalStorage check by @Phillip9587 in #6147
• update history.md for acceptParams change by @jonchurch in #6177
• docs: add @rxmarbles to the triage team by @UlisesGascon in #6151
• refactor: improve readability by @sazk07 in #6173
• docs: clarify the security process in the triage role by @bjohansebas in #6217
• chore: replace methods dependency with standard library by @jonkoops in #6196
• Remove utils-merge dependency - use spread syntax instead by @Phillip9587 in #6091
• fix(securite): fix vulnerabilities by @Abdel-Monaam-Aouini in #6211
• refactor: prefix built-in node module imports by @slagiewka in #6236
• fix: remove download size badges by @wesleytodd in #6266
• Remove unused depd dependency by @jonkoops in #6197
• fix: usage of Invalid action input 'persist-credentials' for actions/setup-node@v4 in ci.yml by @hamirmahal in #6256
• Add support for OSSF scorecard reporting by @UlisesGascon in #5431
• docs: add @Phillip9587 to the triage team by @bjohansebas in #6276
• fix: added a missing semicolon in css styles in examples/auth by @pr4j3sh in #6297
• docs: include team email in the security policy by @UlisesGascon in #6278
• refactor: simplify normalizeTypes function by @Ayoub-Mabrouk in #6097
• ci: updated github actions ci workflow by @Phillip9587 in #6314
• ci: fix npm install --include typo by @Phillip9587 in #6324
• ci: updated scorecard actions by @Phillip9587 in #6322
• build(deps): use carat notation for dependency versions by @dpopp07 in #6317
• chore(deps): update debug to ^4.4.0 by @Phillip9587 in #6313
• docs: retroactively note 5.0.0-beta.1 api change in history file by @dpopp07 in #6333
• feat(deps): body-parser@^2.1.0 by @wesleytodd in #6332
• feat(deps): router@^2.1.0 by @wesleytodd in #6331
• Update repo captains by @UlisesGascon in #6234
• deps: upgrade nyc by @agungjati in #6122
• fix (deps): update deps by @wesleytodd in #6337
• response: add support for ETag option in res.sendFile by @juanarbol in #6073
• Update multiple links to use https instead of http by @Phillip9587 in #6338
• Extend res.links() to allow adding multiple links with the same rel #2729 by @andvea in #4885
• docs: update emeritus triagers by @UlisesGascon in #6345
• docs: update guidance for triager nominations by @bjohansebas in #6349
• docs: clarify guidelines for becoming a committer by @bjohansebas in #6364
• Nominate @dpopp07 to the triage team by @UlisesGascon in #6352
• fix(deps): qs@^6.14.0 by @wesleytodd in #6374
• Add dependabot by @UlisesGascon in #5435
• fix dependabot config by @bjohansebas in #6392
• build(deps): bump github/codeql-action from 3.24.7 to 3.28.11 by @dependabot in #6398
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot in #6397
• feat(deps): finalhandler@2.1.0 by @wesleytodd in #6373
• build(deps-dev): bump cookie-session from 2.0.0 to 2.1.0 by @dependabot in #6399
• deps: body-parser@^2.2.0 by @UlisesGascon in #6419
• deps: type-is@^2.0.1 by @UlisesGascon in #6420
• deps: router@^2.2.0 by @UlisesGascon in #6417
• ci: use full SHAs for github action versions by @Phillip9587 in #6415
• doc: remove @mertcanaltin from Triagers by @mertcanaltin in #6408
• deps: serve-static@^2.2.0 by @UlisesGascon in #6418
• 5.1.0 by @wesleytodd in #6425

New Contributors

• @bhavya3024 made their first contribution in #6071
• @jonkoops made their first contribution in #6196
• @Abdel-Monaam-Aouini made their first contribution in #6211
• @slagiewka made their first contribution in #6236
• @hamirmahal made their first contribution in #6256
• @pr4j3sh made their first contribution in #6297
• @Ayoub-Mabrouk made their first contribution in #6097
• @dpopp07 made their first contribution in #6317
• @agungjati made their first contribution in #6122
• @andvea made their first contribution in #4885
• @dependabot made their first contribution in #6398

Full Changelog: 5.0.1...v5.1.0

4.21.2

What's Changed

• Add funding field (v4) by @bjohansebas in #6065
• deps: path-to-regexp@0.1.11 by @blakeembrey in #5956
• deps: bump path-to-regexp@0.1.12 by @jonchurch in #6209
• Release: 4.21.2 by @UlisesGascon in #6094

Full Changelog: 4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in #6029
• Release: 4.21.1 by @UlisesGascon in #6031

Full Changelog: 4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @blakeembrey in #5935
• finalhandler@1.3.1 by @wesleytodd in #5954
• fix(deps): serve-static@1.16.2 by @wesleytodd in #5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in #5946

New Contributors

• @agadzinski93 made their first contribution in #5946

Full Changelog: 4.20.0...4.21.0

5.0.0

Express v5.0.0

🎉 Express v5 is finally here! 🎉

After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.

For detailed information, please check out the official Express v5 release blog post.

Most relevant details

Major Changes in v5

• Node.js version support: Dropped support for Node.js versions before v18.
• Routing changes: Updated to path-to-regexp@8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).
• Promise support: Middleware can now return rejected promises, caught by the router as errors.
• body-parser changes: Several improvements including the ability to customize urlencoded body depth and defaulting extended to false.
• Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.

For a complete list of breaking changes and API deprecations, see the migration guide.

Security Updates

This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.

Migration

Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.

Security Guidance

For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.

What's Changed

• 4.19.2 Staging by @wesleytodd in #5561
• remove duplicate location test for data uri by @wesleytodd in #5562
• feat: document beta releases expectations by @marco-ippolito in #5565
• Cut down on duplicated CI runs by @jonchurch in #5564
• Add a Threat Model by @UlisesGascon in #5526
• Assign captain of encodeurl by @blakeembrey in #5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in #5587
• docs: update Security.md by @inigomarquinez in #5590
• docs: update triage nomination policy by @UlisesGascon in #5600
• Add CodeQL (SAST) by @UlisesGascon in #5433
• docs: add UlisesGascon as triage initiative captain by @UlisesGascon in #5605
• Use object with null prototype for various app properties by @EvanHahn in #4861
• deps: encodeurl@~2.0.0 by @blakeembrey in #5569
• skip QUERY method test by @jonchurch in #5628
• ignore ETAG query test on 21 and 22, reuse skip util by @jonchurch in #5639
• add support Node.js@22 in the CI by @mertcanaltin in #5627
• doc: add table of contents, tc/triager lists to readme by @mertcanaltin in #5619
• List and sort all projects, add captains by @blakeembrey in #5653
• Call callback once on listen error by @wesleytodd in #3216
• docs: add @UlisesGascon as captain for cookie-parser by @UlisesGascon in #5666
• ✨ bring back query tests for node 21 by @ctcpip in #5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @jonchurch in #5672
• skip QUERY tests for Node 21 only, still not supported by @jonchurch in #5695
• 📝 update people, add ctcpip to TC by @ctcpip in #5683
• remove minor version pinning from ci by @jonchurch in #5722
• Fix link variable use in attribution section of CODE OF CONDUCT by @IamLizu in #5762
• Replace Appveyor windows testing with GHA by @jonchurch in #5599
• Add OSSF Scorecard badge by @UlisesGascon in #5436
• Throw on invalid status codes by @jonchurch in #4212
• Use Array.flat instead of array-flatten by @almic in #5677
• Adopt Node@18 as the minimum supported version by @UlisesGascon in #5803
• Ignore expires and maxAge in res.clearCookie() by @jonchurch in #5792
• send@1.0.0 by @wesleytodd in #5786
• chore: upgrade debug dep from 3.10 to 4.3.6 by @carpasse in #5829
• refactor: replace 'path-is-absolute' dep with node:path isAbsolute method by @carpasse in #5830
• update scorecard link by @bjohansebas in #5814
• Nominate @IamLizu to the triage team by @UlisesGascon in #5836
• deps: path-to-regexp@0.1.8 by @blakeembrey in #5603
• docs: specify new instructions for question and discuss by @IamLizu in #5835
• 5.x: Upgrading merge-descriptors with allowing minors by @RobinTail in #5782
• 4.x: Upgrade merge-descriptors dependency by @RobinTail in #5781
• WIP: serve-static@2 by @wesleytodd in #5790
• chore: upgrade qs dp from 6.11.0 to 6.13.0 by @carpasse in #5847
• Upgrade cookie signature by @IamLizu in #5833
• accepts@2 by @wesleytodd in #5881
• mime-types@3 by @wesleytodd in #5882
• type-is@^2.0.0 by @wesleytodd in #5883
• content-disposition@^1.0.0 by @wesleytodd in #5884
• fix(deps): finalhandler@^2.0.0 by @wesleytodd in #5899
• path-to-regexp@0.1.10 by @blakeembrey in #5902
• update to fresh@^2.0.0 by @jonchurch in #5916
• router@^2.0.0 by @wesleytodd in #5885
• Adopt Node@18 as the minimum supported version by @UlisesGascon in #5595
• master -> 5.0 by @ctcpip in #5785
• 🔧 update CI, remove unsupported versions, clean up by @ctcpip in #5931
• Delete back as a magic string by @blakeembrey in #5933
• Release 5.0 by @dougwilson in #2237

New Contributors

• @marco-ippolito made their first contribution in #5565
• @inigomarquinez made their first contribution in #5590
• @mertcanaltin made their first contribution in #5627
• @ctcpip made their first contribution in #5690
• @IamLizu made their first contribution in #5762
• @almic made their first contribution in #5677
• @carpasse made their first contribution in #5829
• @bjohansebas made their first contribution in #5814
• @RobinTail made their first contribution in #5782

Full Changelog: v5.0.0-beta.3...v5.0.0