Update dependency express to v5 #31

Open
mars3142 wants to merge 1 commits from renovate/express-5.x into main
Owner

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| express (source) | dependencies | major | ^4.21.2 → ^5.0.0 |

Release Notes

expressjs/express (express)

v5.2.1

  • Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
    • The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

v5.2.0

  • Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • deps: body-parser@^2.2.1
  • A deprecation warning was added when using res.redirect with undefined arguments. Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

v5.1.0

  • Add support for Uint8Array in res.send()
  • Add support for ETag option in res.sendFile()
  • Add support for multiple links with the same rel in res.links()
  • Add funding field to package.json
  • perf: use loop for acceptParams
  • refactor: prefix built-in node module imports
  • deps: remove setprototypeof
  • deps: remove safe-buffer
  • deps: remove utils-merge
  • deps: remove methods
  • deps: remove depd
  • deps: debug@^4.4.0
  • deps: body-parser@^2.2.0
  • deps: router@^2.2.0
  • deps: content-type@^1.0.5
  • deps: finalhandler@^2.1.0
  • deps: qs@^6.14.0
  • deps: server-static@2.2.0
  • deps: type-is@2.0.1

v5.0.1

  • Update cookie semver lock to address CVE-2024-47764

v5.0.0

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0
    • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
  • change:
    • res.clearCookie will ignore user provided maxAge and expires options
  • deps: cookie-signature@^1.2.1
  • deps: debug@4.3.6
  • deps: merge-descriptors@^2.0.0
  • deps: serve-static@^2.1.0
  • deps: qs@6.13.0
  • deps: accepts@^2.0.0
  • deps: mime-types@^3.0.0
    • application/javascript => text/javascript
  • deps: type-is@^2.0.0
  • deps: content-disposition@^1.0.0
  • deps: finalhandler@^2.0.0
  • deps: fresh@^2.0.0
  • deps: body-parser@^2.0.1
  • deps: send@^1.1.0

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

  • Release: 4.22.1 by @UlisesGascon in #6934

Full Changelog: https://github.com/expressjs/express/compare/4.22.0...v4.22.1

v4.22.0

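Important: Security

  • Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

  • Refactor: improve readability by @sazk07 in #6190
  • ci: add support for Node.js@23.0 by @UlisesGascon in #6080
  • Method functions with no path should error by @wesleytodd in #5957
  • ci: updated github actions ci workflow by @Phillip9587 in #6323
  • ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in #6336
  • Backport: ci: add node.js 24 to test matrix by @Phillip9587 in #6506
  • chore(4.x): wider range for query test skip by @jonchurch in #6513
  • use tilde notation for certain dependencies by @UlisesGascon in #6905
  • deps: qs@6.14.0 by @UlisesGascon in #6909
  • deps: use tilde notation for qs by @Phillip9587 in #6919
  • Release: 4.22.0 by @UlisesGascon in #6921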

Full Changelog: https://github.com/expressjs/express/compare/4.21.2...4.22.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
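
A pre-merge check for the 5.0.0 removal of the `'back'` magic string, as an added example that is not part of this PR, Renovate's output or Express itself: it lists remaining call sites and resolves the `req.get('Referrer') || '/'` replacement to a same-host path only. `findBackCalls`, `backTarget`, `fakeReq` and the sample source are hypothetical names and constructed input.

```javascript
'use strict';

// Matches res.redirect('back') / res.location('back'), removed in Express 5.0.0.
const BACK_CALL = /\bres\s*\.\s*(redirect|location)\s*\(\s*(['"`])back\2\s*\)/g;

// Returns [{ line, method }] for every call site still using the magic string.
function findBackCalls(source) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(BACK_CALL)) hits.push({ line: i + 1, method: m[1] });
  });
  return hits;
}

// Replacement for 'back'. The Referrer header is client-supplied, so it is
// followed only when it names this host; anything else falls back to '/'.
// Assumption: the Host header is the public host name (no rewriting proxy).
function backTarget(req) {
  const ref = req.get('Referrer');
  if (!ref) return '/';
  let url;
  try {
    url = new URL(ref);
  } catch {
    return '/'; // relative or malformed value
  }
  if (!/^https?:$/.test(url.protocol) || url.host !== req.get('Host')) return '/';
  const path = url.pathname + url.search;
  return path.startsWith('//') ? '/' : path; // '//host' would leave the site
}

// Hypothetical stand-in for an Express request; get() treats Referrer/Referer alike.
function fakeReq(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  return { get: (name) => h[name.toLowerCase().replace('referrer', 'referer')] };
}

// Constructed sample source, not taken from the repository in this PR.
const SAMPLE = [
  "app.post('/login', (req, res) => res.redirect('back'));",
  "app.get('/x', (req, res) => { res.location(\"back\"); res.end(); });",
  "app.get('/y', (req, res) => res.redirect('/back'));",
].join('\n');

console.log(findBackCalls(SAMPLE));
console.log(backTarget(fakeReq({ Host: 'app.example', Referer: 'https://app.example/cart?step=2' })));
```

In a handler the result is passed on as `res.redirect(backTarget(req))`.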

mars3142 added 1 commit 2026-04-19 20:19:03 +00:00