express 5.0.0

npm / express / 5.0.0 source ↗

Express v5.0.0

🎉 Express v5 is finally here! 🎉

After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.

For detailed information, please check out the official Express v5 release blog post.

Most relevant details

Major Changes in v5

• Node.js version support: Dropped support for Node.js versions before v18.
• Routing changes: Updated to path-to-regexp@8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).
• Promise support: Middleware can now return rejected promises, caught by the router as errors.
• body-parser changes: Several improvements including the ability to customize urlencoded body depth and defaulting extended to false.
• Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.

For a complete list of breaking changes and API deprecations, see the migration guide.

Security Updates

This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.

Migration

Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.

Security Guidance

For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.

What's Changed

• 4.19.2 Staging by @wesleytodd in https://github.com/expressjs/express/pull/5561
• remove duplicate location test for data uri by @wesleytodd in https://github.com/expressjs/express/pull/5562
• feat: document beta releases expectations by @marco-ippolito in https://github.com/expressjs/express/pull/5565
• Cut down on duplicated CI runs by @jonchurch in https://github.com/expressjs/express/pull/5564
• Add a Threat Model by @UlisesGascon in https://github.com/expressjs/express/pull/5526
• Assign captain of encodeurl by @blakeembrey in https://github.com/expressjs/express/pull/5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in https://github.com/expressjs/express/pull/5587
• docs: update Security.md by @inigomarquinez in https://github.com/expressjs/express/pull/5590
• docs: update triage nomination policy by @UlisesGascon in https://github.com/expressjs/express/pull/5600
• Add CodeQL (SAST) by @UlisesGascon in https://github.com/expressjs/express/pull/5433
• docs: add UlisesGascon as triage initiative captain by @UlisesGascon in https://github.com/expressjs/express/pull/5605
• Use object with null prototype for various app properties by @EvanHahn in https://github.com/expressjs/express/pull/4861
• deps: encodeurl@~2.0.0 by @blakeembrey in https://github.com/expressjs/express/pull/5569
• skip QUERY method test by @jonchurch in https://github.com/expressjs/express/pull/5628
• ignore ETAG query test on 21 and 22, reuse skip util by @jonchurch in https://github.com/expressjs/express/pull/5639
• add support Node.js@22 in the CI by @mertcanaltin in https://github.com/expressjs/express/pull/5627
• doc: add table of contents, tc/triager lists to readme by @mertcanaltin in https://github.com/expressjs/express/pull/5619
• List and sort all projects, add captains by @blakeembrey in https://github.com/expressjs/express/pull/5653
• Call callback once on listen error by @wesleytodd in https://github.com/expressjs/express/pull/3216
• docs: add @UlisesGascon as captain for cookie-parser by @UlisesGascon in https://github.com/expressjs/express/pull/5666
• ✨ bring back query tests for node 21 by @ctcpip in https://github.com/expressjs/express/pull/5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @jonchurch in https://github.com/expressjs/express/pull/5672
• skip QUERY tests for Node 21 only, still not supported by @jonchurch in https://github.com/expressjs/express/pull/5695
• 📝 update people, add ctcpip to TC by @ctcpip in https://github.com/expressjs/express/pull/5683
• remove minor version pinning from ci by @jonchurch in https://github.com/expressjs/express/pull/5722
• Fix link variable use in attribution section of CODE OF CONDUCT by @IamLizu in https://github.com/expressjs/express/pull/5762
• Replace Appveyor windows testing with GHA by @jonchurch in https://github.com/expressjs/express/pull/5599
• Add OSSF Scorecard badge by @UlisesGascon in https://github.com/expressjs/express/pull/5436
• Throw on invalid status codes by @jonchurch in https://github.com/expressjs/express/pull/4212
• Use Array.flat instead of array-flatten by @almic in https://github.com/expressjs/express/pull/5677
• Adopt Node@18 as the minimum supported version by @UlisesGascon in https://github.com/expressjs/express/pull/5803
• Ignore expires and maxAge in res.clearCookie() by @jonchurch in https://github.com/expressjs/express/pull/5792
• send@1.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5786
• chore: upgrade debug dep from 3.10 to 4.3.6 by @carpasse in https://github.com/expressjs/express/pull/5829
• refactor: replace 'path-is-absolute' dep with node:path isAbsolute method by @carpasse in https://github.com/expressjs/express/pull/5830
• update scorecard link by @bjohansebas in https://github.com/expressjs/express/pull/5814
• Nominate @IamLizu to the triage team by @UlisesGascon in https://github.com/expressjs/express/pull/5836
• deps: path-to-regexp@0.1.8 by @blakeembrey in https://github.com/expressjs/express/pull/5603
• docs: specify new instructions for question and discuss by @IamLizu in https://github.com/expressjs/express/pull/5835
• 5.x: Upgrading merge-descriptors with allowing minors by @RobinTail in https://github.com/expressjs/express/pull/5782
• 4.x: Upgrade merge-descriptors dependency by @RobinTail in https://github.com/expressjs/express/pull/5781
• WIP: serve-static@2 by @wesleytodd in https://github.com/expressjs/express/pull/5790
• chore: upgrade qs dp from 6.11.0 to 6.13.0 by @carpasse in https://github.com/expressjs/express/pull/5847
• Upgrade cookie signature by @IamLizu in https://github.com/expressjs/express/pull/5833
• accepts@2 by @wesleytodd in https://github.com/expressjs/express/pull/5881
• mime-types@3 by @wesleytodd in https://github.com/expressjs/express/pull/5882
• type-is@^2.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5883
• content-disposition@^1.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5884
• fix(deps): finalhandler@^2.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5899
• path-to-regexp@0.1.10 by @blakeembrey in https://github.com/expressjs/express/pull/5902
• update to fresh@^2.0.0 by @jonchurch in https://github.com/expressjs/express/pull/5916
• router@^2.0.0 by @wesleytodd in https://github.com/expressjs/express/pull/5885
• Adopt Node@18 as the minimum supported version by @UlisesGascon in https://github.com/expressjs/express/pull/5595
• master -> 5.0 by @ctcpip in https://github.com/expressjs/express/pull/5785
• 🔧 update CI, remove unsupported versions, clean up by @ctcpip in https://github.com/expressjs/express/pull/5931
• Delete back as a magic string by @blakeembrey in https://github.com/expressjs/express/pull/5933
• Release 5.0 by @dougwilson in https://github.com/expressjs/express/pull/2237

New Contributors

• @marco-ippolito made their first contribution in https://github.com/expressjs/express/pull/5565
• @inigomarquinez made their first contribution in https://github.com/expressjs/express/pull/5590
• @mertcanaltin made their first contribution in https://github.com/expressjs/express/pull/5627
• @ctcpip made their first contribution in https://github.com/expressjs/express/pull/5690
• @IamLizu made their first contribution in https://github.com/expressjs/express/pull/5762
• @almic made their first contribution in https://github.com/expressjs/express/pull/5677
• @carpasse made their first contribution in https://github.com/expressjs/express/pull/5829
• @bjohansebas made their first contribution in https://github.com/expressjs/express/pull/5814
• @RobinTail made their first contribution in https://github.com/expressjs/express/pull/5782

Full Changelog: https://github.com/expressjs/express/compare/v5.0.0-beta.3...v5.0.0