Releases · expressjs/express (original) (raw)
v4.22.2
What's Changed
- fix: restore >20 array parsing for
req.queryrepeated keys (8d09bfe6)- This also unifies array-cap behavior across notations. Indexed notation (
a[0]=...) was historically capped at qs's defaultarrayLimitof 20 even in older qs versions; after this change it also allows up to 1000 items.
- This also unifies array-cap behavior across notations. Indexed notation (
- deps: qs@~6.15.1
- deps: body-parser@~1.20.5
New Contributors
- @suuuuuuminnnnnn made their first contribution in #7021
- @SAY-5 made their first contribution in #7181
Full Changelog: v4.22.1...v4.22.2
v5.2.1
What's Changed
Important
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.
- Release: 5.2.1 by @UlisesGascon in #6933
Full Changelog: v5.2.0...v5.2.1
v5.2.0
Important: Security
- Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
What's Changed
- build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in #6429
- Refactor: simplify
acceptsLanguagesimplementation using spread operator by @Ayoub-Mabrouk in #6137 - increased code coverage of utils.js file by @ashish3011 in #6386
- chore: remove duplicate word by @dufucun in #6456
- build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in #6498
- build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in #6497
- build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in #6496
- ci: add node.js 24 to test matrix by @Phillip9587 in #6504
- ci: update codeql config by @Phillip9587 in #6488
- chore: wider range for query test skip by @jonchurch in #6512
- chore: fix typos in test by @noritaka1166 in #6535
- ci: disable credential persistence for checkout actions by @mertssmnoglu in #6522
- ci: allow manual triggering of workflow by @shivarm in #6515
- test: add coverage for app.listen() variants by @kgarg1 in #6476
- docs: move documentation and charters to the discussions and .github … by @bjohansebas in #6427
- build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in #6549
- build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in #6548
- chore: enforce explicit
Bufferimport and add lint rule by @shivarm in #6525 - chore: use node protocol for querystring by @shivarm in #6520
- chore: fix typo by @mountdisk in #6609
- build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in #6618
- add deprecation warnings for redirect arguments undefined by @bjohansebas in #6405
- ci: run CI when the markdown changes by @bjohansebas in #6632
- doc: fix CONTRIBUTING link by @jonchurch in #6653
- doc: update contributing guidelines and code of conduct links by @ShubhamOulkar in #6601
- build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @dependabot[bot] in #6679
- build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @dependabot[bot] in #6678
- lint: add --fix flag to automatic fix linting issue by @shivarm in #6644
- chore: ignore yarn.lock file and update example by @shivarm in #6588
- lib: use req.socket over deprecated req.connection by @bjohansebas in #6705
- doc: update express app example by @shivarm in #6718
- build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in #6675
- Remove history.md from being packaged on publish by @sheplu in #6780
- build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #6797
- build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @dependabot[bot] in #6796
- build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #6795
- build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in #6794
- build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @dependabot[bot] in #6793
- ci: add node.js 25 to test matrix by @Phillip9587 in #6843
- build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #6871
- build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @dependabot[bot] in #6870
- build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @dependabot[bot] in #6869
- build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #6868
- chore: switch badges from badgen.net to shields.io by @Phillip9587 in #6900
- refactor: use cached slice in app.listen by @Tacit1 in #6897
- Nominate to @efekrskl for triage team by @bjohansebas in #6888
- docs: update emeritus triagers by @bjohansebas in #6890
- fix: upgrade body-parser to 2.2.1 to address CVE-2025-13466 by @shivarm in #6922
- build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @dependabot[bot] in #6930
- build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @dependabot[bot] in #6929
- build(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in #6928
- Release: 5.2.0 by @UlisesGascon in #6920
New Contributors
- @ashish3011 made their first contribution in #6386
- @dufucun made their first contribution in #6456
- @noritaka1166 made their first contribution in #6535
- @mertssmnoglu made their first contribution in #6522
- @shivarm made their first contribution in #6515
- @kgarg1 made their first contribution in #6476
- @mountdisk made their first contribution in #6609
- @ShubhamOulkar made their first contribution in #6601
- @sheplu made their first contribution in #6780
- @Tacit1 made their first contribution in #6897
Full Changelog: v5.1.0...v5.2.0
v4.22.1
What's Changed
Important
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.
- Release: 4.22.1 by @UlisesGascon in #6934
Full Changelog: 4.22.0...v4.22.1
4.22.0
Important: Security
- Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
What's Changed
- Refactor: improve readability by @sazk07 in #6190
- ci: add support for Node.js@23.0 by @UlisesGascon in #6080
- Method functions with no path should error by @wesleytodd in #5957
- ci: updated github actions ci workflow by @Phillip9587 in #6323
- ci: reorder
npm isteps to fix ci for older node versions by @Phillip9587 in #6336 - Backport: ci: add node.js 24 to test matrix by @Phillip9587 in #6506
- chore(4.x): wider range for query test skip by @jonchurch in #6513
- use tilde notation for certain dependencies by @UlisesGascon in #6905
- deps: qs@6.14.0 by @UlisesGascon in #6909
- deps: use tilde notation for
qsby @Phillip9587 in #6919 - Release: 4.22.0 by @UlisesGascon in #6921
Full Changelog: 4.21.2...4.22.0
5.0.1
v5.1.0
What's Changed
- Update captains by @UlisesGascon in #6027
- build: Node.js 23.0 by @bjohansebas in #6075
- Add funding field (v5) by @bjohansebas in #6064
- ✅ add discarded middleware test by @ctcpip in #5819
- update homepage link http to https by @bjohansebas in #5920
- Improve readme by @bjohansebas in #5994
- Add bjohansebas as repo captain for expressjs.com by @crandmck in #6058
- Remove Object.setPrototypeOf polyfill by @Phillip9587 in #6081
- fix(buffer): use node:buffer instead of safe-buffer by @bhavya3024 in #6071
- docs: Add DCO by @UlisesGascon in #6048
- cleanup: remove promise support check from tests by @Phillip9587 in #6148
- Use loop for acceptParams by @blakeembrey in #6066
- Improve documentation step in release process by @bjohansebas in #6150
- cleanup: remove unnecessary require for global Buffer by @Phillip9587 in #6146
- cleanup: remove AsyncLocalStorage check by @Phillip9587 in #6147
- update history.md for acceptParams change by @jonchurch in #6177
- docs: add @rxmarbles to the triage team by @UlisesGascon in #6151
- refactor: improve readability by @sazk07 in #6173
- docs: clarify the security process in the triage role by @bjohansebas in #6217
- chore: replace
methodsdependency with standard library by @jonkoops in #6196 - Remove
utils-mergedependency - use spread syntax instead by @Phillip9587 in #6091 - fix(securite): fix vulnerabilities by @Abdel-Monaam-Aouini in #6211
- refactor: prefix built-in node module imports by @slagiewka in #6236
- fix: remove download size badges by @wesleytodd in #6266
- Remove unused
depddependency by @jonkoops in #6197 - fix: usage of
Invalid action input 'persist-credentials'foractions/setup-node@v4inci.ymlby @hamirmahal in #6256 - Add support for OSSF scorecard reporting by @UlisesGascon in #5431
- docs: add @Phillip9587 to the triage team by @bjohansebas in #6276
- fix: added a missing semicolon in css styles in examples/auth by @pr4j3sh in #6297
- docs: include team email in the security policy by @UlisesGascon in #6278
- refactor: simplify
normalizeTypesfunction by @Ayoub-Mabrouk in #6097 - ci: updated github actions ci workflow by @Phillip9587 in #6314
- ci: fix npm install --include typo by @Phillip9587 in #6324
- ci: updated scorecard actions by @Phillip9587 in #6322
- build(deps): use carat notation for dependency versions by @dpopp07 in #6317
- chore(deps): update
debugto ^4.4.0 by @Phillip9587 in #6313 - docs: retroactively note 5.0.0-beta.1 api change in history file by @dpopp07 in #6333
- feat(deps): body-parser@^2.1.0 by @wesleytodd in #6332
- feat(deps): router@^2.1.0 by @wesleytodd in #6331
- Update repo captains by @UlisesGascon in #6234
- deps: upgrade nyc by @agungjati in #6122
- fix (deps): update deps by @wesleytodd in #6337
- response: add support for ETag option in res.sendFile by @juanarbol in #6073
- Update multiple links to use
httpsinstead ofhttpby @Phillip9587 in #6338 - Extend res.links() to allow adding multiple links with the same rel #2729 by @andvea in #4885
- docs: update emeritus triagers by @UlisesGascon in #6345
- docs: update guidance for triager nominations by @bjohansebas in #6349
- docs: clarify guidelines for becoming a committer by @bjohansebas in #6364
- Nominate @dpopp07 to the triage team by @UlisesGascon in #6352
- fix(deps): qs@^6.14.0 by @wesleytodd in #6374
- Add dependabot by @UlisesGascon in #5435
- fix dependabot config by @bjohansebas in #6392
- build(deps): bump github/codeql-action from 3.24.7 to 3.28.11 by @dependabot in #6398
- build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot in #6397
- feat(deps): finalhandler@2.1.0 by @wesleytodd in #6373
- build(deps-dev): bump cookie-session from 2.0.0 to 2.1.0 by @dependabot in #6399
- deps: body-parser@^2.2.0 by @UlisesGascon in #6419
- deps: type-is@^2.0.1 by @UlisesGascon in #6420
- deps: router@^2.2.0 by @UlisesGascon in #6417
- ci: use full SHAs for github action versions by @Phillip9587 in #6415
- doc: remove @mertcanaltin from Triagers by @mertcanaltin in #6408
- deps: serve-static@^2.2.0 by @UlisesGascon in #6418
- 5.1.0 by @wesleytodd in #6425
New Contributors
- @bhavya3024 made their first contribution in #6071
- @jonkoops made their first contribution in #6196
- @Abdel-Monaam-Aouini made their first contribution in #6211
- @slagiewka made their first contribution in #6236
- @hamirmahal made their first contribution in #6256
- @pr4j3sh made their first contribution in #6297
- @Ayoub-Mabrouk made their first contribution in #6097
- @dpopp07 made their first contribution in #6317
- @agungjati made their first contribution in #6122
- @andvea made their first contribution in #4885
- @dependabot made their first contribution in #6398
Full Changelog: 5.0.1...v5.1.0