Skip to content

deps: Bump express from 4.22.2 to 5.2.1#1380

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/express-5.2.1
Open

deps: Bump express from 4.22.2 to 5.2.1#1380
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/express-5.2.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 11, 2026

Copy link
Copy Markdown
Contributor

Bumps express from 4.22.2 to 5.2.1.

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

  • Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
    • The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

  • Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • deps: body-parser@^2.2.1
  • A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

  • Add support for Uint8Array in res.send()
  • Add support for ETag option in res.sendFile()
  • Add support for multiple links with the same rel in res.links()
  • Add funding field to package.json
  • perf: use loop for acceptParams
  • refactor: prefix built-in node module imports
  • deps: remove setprototypeof
  • deps: remove safe-buffer
  • deps: remove utils-merge
  • deps: remove methods
  • deps: remove depd
  • deps: debug@^4.4.0
  • deps: body-parser@^2.2.0
  • deps: router@^2.2.0
  • deps: content-type@^1.0.5
  • deps: finalhandler@^2.1.0
  • deps: qs@^6.14.0
  • deps: server-static@2.2.0
  • deps: type-is@2.0.1

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0

... (truncated)

Commits

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Automated dependency update javascript Pull requests that update Javascript code labels May 11, 2026
@dependabot dependabot Bot changed the title deps: Bump express from 4.22.1 to 5.2.1 deps: Bump express from 4.22.2 to 5.2.1 May 26, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/express-5.2.1 branch 2 times, most recently from 9b012c3 to 130a157 Compare June 1, 2026 09:30
@RandomByte RandomByte requested review from a team and removed request for a team July 10, 2026 07:30
@d3xter666

Copy link
Copy Markdown
Member

@dependabot recreate

---
updated-dependencies:
- dependency-name: express
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/express-5.2.1 branch from 130a157 to ac57c6e Compare July 13, 2026 11:01
@dependabot dependabot Bot requested a review from a team July 13, 2026 11:01
@d3xter666 d3xter666 added the blocked Pull requests that are blocked label Jul 13, 2026
@d3xter666

Copy link
Copy Markdown
Member

@ui5/server itself is safe — all 212 tests pass, live app works fine.

The blocker is the custom middleware ecosystem.

Express v5 passes its full req/res prototype to every middleware mounted via app.use(). Any custom middleware using removed v4 APIs breaks silently at runtime — no compile errors, tests may still pass, but specific endpoints fail in production.

Top 3 Real-World Hits

Breaking pattern Affected middleware types
req.connection.remoteAddress Auth, logging, proxy middlewares
req.host → must use req.hostname Host-based routing
Nested query strings (req.query.filter.type) Filtering middlewares — default parser changed from qs to URLSearchParams

Other Silent Traps

  • Wildcard routes: /api/* must become /api/{*path}
  • res.send(200) removed → use res.sendStatus(200)
  • res.sendfile() removed → use res.sendFile()

Bottom Line

Safe to merge for the core server. Risky for downstream consumers — any project with custom middleware must audit for the three patterns above before upgrading.
Maybe, we can consider it for v5 and list all the breaking changes that will be introduced.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

blocked Pull requests that are blocked dependencies Automated dependency update javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant