v4.22.2

What's Changed

• fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
  • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
• deps: qs@~6.15.1
• deps: body-parser@~1.20.5

New Contributors

• @suuuuuuminnnnnn made their first contribution in #7021
• @SAY-5 made their first contribution in #7181

Full Changelog: v4.22.1...v4.22.2

v5.2.1

What's Changed

Important

The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 5.2.1 by @UlisesGascon in #6933

Full Changelog: v5.2.0...v5.2.1

v5.2.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in #6429
• Refactor: simplify acceptsLanguages implementation using spread operator by @Ayoub-Mabrouk in #6137
• increased code coverage of utils.js file by @ashish3011 in #6386
• chore: remove duplicate word by @dufucun in #6456
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in #6498
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in #6497
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in #6496
• ci: add node.js 24 to test matrix by @Phillip9587 in #6504
• ci: update codeql config by @Phillip9587 in #6488
• chore: wider range for query test skip by @jonchurch in #6512
• chore: fix typos in test by @noritaka1166 in #6535
• ci: disable credential persistence for checkout actions by @mertssmnoglu in #6522
• ci: allow manual triggering of workflow by @shivarm in #6515
• test: add coverage for app.listen() variants by @kgarg1 in #6476
• docs: move documentation and charters to the discussions and .github … by @bjohansebas in #6427
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in #6549
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in #6548
• chore: enforce explicit Buffer import and add lint rule by @shivarm in #6525
• chore: use node protocol for querystring by @shivarm in #6520
• chore: fix typo by @mountdisk in #6609
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in #6618
• add deprecation warnings for redirect arguments undefined by @bjohansebas in #6405
• ci: run CI when the markdown changes by @bjohansebas in #6632
• doc: fix CONTRIBUTING link by @jonchurch in #6653
• doc: update contributing guidelines and code of conduct links by @ShubhamOulkar in #6601
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @dependabot[bot] in #6679
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @dependabot[bot] in #6678
• lint: add --fix flag to automatic fix linting issue by @shivarm in #6644
• chore: ignore yarn.lock file and update example by @shivarm in #6588
• lib: use req.socket over deprecated req.connection by @bjohansebas in #6705
• doc: update express app example by @shivarm in #6718
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in #6675
• Remove history.md from being packaged on publish by @sheplu in #6780
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #6797
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @dependabot[bot] in #6796
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #6795
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in #6794
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @dependabot[bot] in #6793
• ci: add node.js 25 to test matrix by @Phillip9587 in #6843
• build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #6871
• build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @dependabot[bot] in #6870
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @dependabot[bot] in #6869
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #6868
• chore: switch badges from badgen.net to shields.io by @Phillip9587 in #6900
• refactor: use cached slice in app.listen by @Tacit1 in #6897
• Nominate to @efekrskl for triage team by @bjohansebas in #6888
• docs: update emeritus triagers by @bjohansebas in #6890
• fix: upgrade body-parser to 2.2.1 to address CVE-2025-13466 by @shivarm in #6922
• build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @dependabot[bot] in #6930
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @dependabot[bot] in #6929
• build(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in #6928
• Release: 5.2.0 by @UlisesGascon in #6920

New Contributors

• @ashish3011 made their first contribution in #6386
• @dufucun made their first contribution in #6456
• @noritaka1166 made their first contribution in #6535
• @mertssmnoglu made their first contribution in #6522
• @shivarm made their first contribution in #6515
• @kgarg1 made their first contribution in #6476
• @mountdisk made their first contribution in #6609
• @ShubhamOulkar made their first contribution in #6601
• @sheplu made their first contribution in #6780
• @Tacit1 made their first contribution in #6897

Full Changelog: v5.1.0...v5.2.0

v4.22.1

What's Changed

Important

The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @UlisesGascon in #6934

Full Changelog: 4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @sazk07 in #6190
• ci: add support for Node.js@23.0 by @UlisesGascon in #6080
• Method functions with no path should error by @wesleytodd in #5957
• ci: updated github actions ci workflow by @Phillip9587 in #6323
• ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in #6336
• Backport: ci: add node.js 24 to test matrix by @Phillip9587 in #6506
• chore(4.x): wider range for query test skip by @jonchurch in #6513
• use tilde notation for certain dependencies by @UlisesGascon in #6905
• deps: qs@6.14.0 by @UlisesGascon in #6909
• deps: use tilde notation for qs by @Phillip9587 in #6919
• Release: 4.22.0 by @UlisesGascon in #6921

Full Changelog: 4.21.2...4.22.0

5.0.1

What's Changed

• remove --bail from test script by @jonchurch in #5962
• Nominate @bjohansebas to the triage team by @UlisesGascon in #6009
• Link and update captains by @blakeembrey in #6013
• Update cookie semver lock to address CVE-2024-47764 by @joshbuker in #6017
• Release: 5.0.1 by @UlisesGascon in #6032

Full Changelog: v5.0.0...5.0.1

v5.1.0

What's Changed

• Update captains by @UlisesGascon in #6027
• build: Node.js 23.0 by @bjohansebas in #6075
• Add funding field (v5) by @bjohansebas in #6064
• ✅ add discarded middleware test by @ctcpip in #5819
• update homepage link http to https by @bjohansebas in #5920
• Improve readme by @bjohansebas in #5994
• Add bjohansebas as repo captain for expressjs.com by @crandmck in #6058
• Remove Object.setPrototypeOf polyfill by @Phillip9587 in #6081
• fix(buffer): use node:buffer instead of safe-buffer by @bhavya3024 in #6071
• docs: Add DCO by @UlisesGascon in #6048
• cleanup: remove promise support check from tests by @Phillip9587 in #6148
• Use loop for acceptParams by @blakeembrey in #6066
• Improve documentation step in release process by @bjohansebas in #6150
• cleanup: remove unnecessary require for global Buffer by @Phillip9587 in #6146
• cleanup: remove AsyncLocalStorage check by @Phillip9587 in #6147
• update history.md for acceptParams change by @jonchurch in #6177
• docs: add @rxmarbles to the triage team by @UlisesGascon in #6151
• refactor: improve readability by @sazk07 in #6173
• docs: clarify the security process in the triage role by @bjohansebas in #6217
• chore: replace methods dependency with standard library by @jonkoops in #6196
• Remove utils-merge dependency - use spread syntax instead by @Phillip9587 in #6091
• fix(securite): fix vulnerabilities by @Abdel-Monaam-Aouini in #6211
• refactor: prefix built-in node module imports by @slagiewka in #6236
• fix: remove download size badges by @wesleytodd in #6266
• Remove unused depd dependency by @jonkoops in #6197
• fix: usage of Invalid action input 'persist-credentials' for actions/setup-node@v4 in ci.yml by @hamirmahal in #6256
• Add support for OSSF scorecard reporting by @UlisesGascon in #5431
• docs: add @Phillip9587 to the triage team by @bjohansebas in #6276
• fix: added a missing semicolon in css styles in examples/auth by @pr4j3sh in #6297
• docs: include team email in the security policy by @UlisesGascon in #6278
• refactor: simplify normalizeTypes function by @Ayoub-Mabrouk in #6097
• ci: updated github actions ci workflow by @Phillip9587 in #6314
• ci: fix npm install --include typo by @Phillip9587 in #6324
• ci: updated scorecard actions by @Phillip9587 in #6322
• build(deps): use carat notation for dependency versions by @dpopp07 in #6317
• chore(deps): update debug to ^4.4.0 by @Phillip9587 in #6313
• docs: retroactively note 5.0.0-beta.1 api change in history file by @dpopp07 in #6333
• feat(deps): body-parser@^2.1.0 by @wesleytodd in #6332
• feat(deps): router@^2.1.0 by @wesleytodd in #6331
• Update repo captains by @UlisesGascon in #6234
• deps: upgrade nyc by @agungjati in #6122
• fix (deps): update deps by @wesleytodd in #6337
• response: add support for ETag option in res.sendFile by @juanarbol in #6073
• Update multiple links to use https instead of http by @Phillip9587 in #6338
• Extend res.links() to allow adding multiple links with the same rel #2729 by @andvea in #4885
• docs: update emeritus triagers by @UlisesGascon in #6345
• docs: update guidance for triager nominations by @bjohansebas in #6349
• docs: clarify guidelines for becoming a committer by @bjohansebas in #6364
• Nominate @dpopp07 to the triage team by @UlisesGascon in #6352
• fix(deps): qs@^6.14.0 by @wesleytodd in #6374
• Add dependabot by @UlisesGascon in #5435
• fix dependabot config by @bjohansebas in #6392
• build(deps): bump github/codeql-action from 3.24.7 to 3.28.11 by @dependabot in #6398
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot in #6397
• feat(deps): finalhandler@2.1.0 by @wesleytodd in #6373
• build(deps-dev): bump cookie-session from 2.0.0 to 2.1.0 by @dependabot in #6399
• deps: body-parser@^2.2.0 by @UlisesGascon in #6419
• deps: type-is@^2.0.1 by @UlisesGascon in #6420
• deps: router@^2.2.0 by @UlisesGascon in #6417
• ci: use full SHAs for github action versions by @Phillip9587 in #6415
• doc: remove @mertcanaltin from Triagers by @mertcanaltin in #6408
• deps: serve-static@^2.2.0 by @UlisesGascon in #6418
• 5.1.0 by @wesleytodd in #6425

New Contributors

• @bhavya3024 made their first contribution in #6071
• @jonkoops made their first contribution in #6196
• @Abdel-Monaam-Aouini made their first contribution in #6211
• @slagiewka made their first contribution in #6236
• @hamirmahal made their first contribution in #6256
• @pr4j3sh made their first contribution in #6297
• @Ayoub-Mabrouk made their first contribution in #6097
• @dpopp07 made their first contribution in #6317
• @agungjati made their first contribution in #6122
• @andvea made their first contribution in #4885
• @dependabot made their first contribution in #6398

Full Changelog: 5.0.1...v5.1.0

4.21.2

What's Changed

• Add funding field (v4) by @bjohansebas in #6065
• deps: path-to-regexp@0.1.11 by @blakeembrey in #5956
• deps: bump path-to-regexp@0.1.12 by @jonchurch in #6209
• Release: 4.21.2 by @UlisesGascon in #6094

Full Changelog: 4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in #6029
• Release: 4.21.1 by @UlisesGascon in #6031

Full Changelog: 4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @blakeembrey in #5935
• finalhandler@1.3.1 by @wesleytodd in #5954
• fix(deps): serve-static@1.16.2 by @wesleytodd in #5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in #5946

New Contributors

• @agadzinski93 made their first contribution in #5946

Full Changelog: 4.20.0...4.21.0