[Snyk] Upgrade express from 4.16.3 to 5.0.0 #316
+1,366
−390
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade express from 4.16.3 to 5.0.0.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 27 versions ahead of your current version.
The recommended version was released on 2 months ago.
Issues fixed by the recommended upgrade:
SNYK-JS-EXPRESS-6474509
SNYK-JS-EXPRESS-7926867
SNYK-JS-PATHTOREGEXP-7925106
SNYK-JS-SEND-7926862
SNYK-JS-SERVESTATIC-7926865
Release notes
Package name: express
Express v5.0.0
🎉 Express v5 is finally here! 🎉
After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.
For detailed information, please check out the official Express v5 release blog post.
Most relevant details
Major Changes in v5
path-to-regexp@8.x
, removing sub-expression regex patterns for security reasons (ReDoS mitigation).body-parser
changes: Several improvements including the ability to customizeurlencoded
body depth and defaultingextended
tofalse
.For a complete list of breaking changes and API deprecations, see the migration guide.
Security Updates
This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.
Migration
Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.
Security Guidance
For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.
What's Changed
http-errors
,expressjs.com
,morgan
,cors
,body-parser
by @ jonchurch in #5587res.clearCookie
acceptingoptions.maxAge
andoptions.expires
by @ jonchurch in #5672expires
andmaxAge
inres.clearCookie()
by @ jonchurch in #5792debug
dep from 3.10 to 4.3.6 by @ carpasse in #5829question
anddiscuss
by @ IamLizu in #5835merge-descriptors
with allowing minors by @ RobinTail in #5782merge-descriptors
dependency by @ RobinTail in #5781fresh@^2.0.0
by @ jonchurch in #5916back
as a magic string by @ blakeembrey in #5933New Contributors
Full Changelog: v5.0.0-beta.3...v5.0.0
Full Changelog: 5.0.0-beta.2...v5.0.0-beta.3
What's Changed
obj
as the context by @ shesek in #3587maxAge
appropriateness before use by @ cjbarth in #3936