[PR #91] Update dependency express to v5 #218

New issue

Open

opened 2026-03-01 18:44:10 +03:00 by kerem · 0 comments

kerem commented

2026-03-01 18:44:10 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netbootxyz/webapp/pull/91
Author: @renovate[bot]
Created: 3/31/2025
Status: 🔄 Open

Base: master ← Head: renovate/express-5.x

📝 Commits (1)

a3bfb2a Update dependency express to v5

📊 Changes

1 file changed (+1 additions, -1 deletions)

View changed files

📝 package.json (+1 -1)

📄 Description

This PR contains the following updates:

Package	Change	Age	Confidence
express (source)	`4.21.2` → `5.2.1`

Release Notes

expressjs/express (express)

`v5.2.1`

Compare Source

=======================

Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

`v5.2.0`

Compare Source

========================

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
deps: body-parser@^2.2.1
A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

`v5.1.0`

Compare Source

========================

Add support for Uint8Array in res.send()
Add support for ETag option in res.sendFile()
Add support for multiple links with the same rel in res.links()
Add funding field to package.json
perf: use loop for acceptParams
refactor: prefix built-in node module imports
deps: remove setprototypeof
deps: remove safe-buffer
deps: remove utils-merge
deps: remove methods
deps: remove depd
deps: debug@^4.4.0
deps: body-parser@^2.2.0
deps: router@^2.2.0
deps: content-type@^1.0.5
deps: finalhandler@^2.1.0
deps: qs@^6.14.0
deps: server-static@2.2.0
deps: type-is@2.0.1

`v5.0.1`

Compare Source

==========

Update cookie semver lock to address CVE-2024-47764

`v5.0.0`

Compare Source

=========================

remove:
- path-is-absolute dependency - use path.isAbsolute instead
breaking:
- res.status() accepts only integers, and input must be greater than 99 and less than 1000
  - will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
  - will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
- deps: send@1.0.0
- res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
change:
- res.clearCookie will ignore user provided maxAge and expires options
deps: cookie-signature@^1.2.1
deps: debug@4.3.6
deps: merge-descriptors@^2.0.0
deps: serve-static@^2.1.0
deps: qs@6.13.0
deps: accepts@^2.0.0
deps: mime-types@^3.0.0
- application/javascript => text/javascript
deps: type-is@^2.0.0
deps: content-disposition@^1.0.0
deps: finalhandler@^2.0.0
deps: fresh@^2.0.0
deps: body-parser@^2.0.1
deps: send@^1.1.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netbootxyz/webapp/pull/91 **Author:** [@renovate[bot]](https://github.com/apps/renovate) **Created:** 3/31/2025 **Status:** 🔄 Open **Base:** `master` ← **Head:** `renovate/express-5.x` --- ### 📝 Commits (1) - [`a3bfb2a`](https://github.com/netbootxyz/webapp/commit/a3bfb2a4e683e04d42e3ee2aff753e6401ee7f0f) Update dependency express to v5 ### 📊 Changes **1 file changed** (+1 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `package.json` (+1 -1) </details> ### 📄 Description This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [express](https://expressjs.com/) ([source](https://redirect.github.com/expressjs/express)) | [`4.21.2` → `5.2.1`](https://renovatebot.com/diffs/npm/express/4.21.2/5.2.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/express/5.2.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/express/4.21.2/5.2.1?slim=true) | --- ### Release Notes <details> <summary>expressjs/express (express)</summary> ### [`v5.2.1`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#521--2025-12-01) [Compare Source](https://redirect.github.com/expressjs/express/compare/v5.2.0...v5.2.1) \======================= - Revert security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://redirect.github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6)) ### [`v5.2.0`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#520--2025-12-01) [Compare Source](https://redirect.github.com/expressjs/express/compare/v5.1.0...v5.2.0) \======================== - Security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://redirect.github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6)) - deps: `body-parser@^2.2.1` - A deprecation warning was added when using `res.redirect` with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix. ### [`v5.1.0`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#510--2025-03-31) [Compare Source](https://redirect.github.com/expressjs/express/compare/v5.0.1...v5.1.0) \======================== - Add support for `Uint8Array` in `res.send()` - Add support for ETag option in `res.sendFile()` - Add support for multiple links with the same rel in `res.links()` - Add funding field to package.json - perf: use loop for acceptParams - refactor: prefix built-in node module imports - deps: remove `setprototypeof` - deps: remove `safe-buffer` - deps: remove `utils-merge` - deps: remove `methods` - deps: remove `depd` - deps: `debug@^4.4.0` - deps: `body-parser@^2.2.0` - deps: `router@^2.2.0` - deps: `content-type@^1.0.5` - deps: `finalhandler@^2.1.0` - deps: `qs@^6.14.0` - deps: `server-static@2.2.0` - deps: `type-is@2.0.1` ### [`v5.0.1`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#501--2024-10-08) [Compare Source](https://redirect.github.com/expressjs/express/compare/v5.0.0...v5.0.1) \========== - Update `cookie` semver lock to address [CVE-2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764) ### [`v5.0.0`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#500--2024-09-10) [Compare Source](https://redirect.github.com/expressjs/express/compare/v4.22.1...v5.0.0) \========================= - remove: - `path-is-absolute` dependency - use `path.isAbsolute` instead - breaking: - `res.status()` accepts only integers, and input must be greater than 99 and less than 1000 - will throw a `RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000.` for inputs outside this range - will throw a `TypeError: Invalid status code: ${code}. Status code must be an integer.` for non integer inputs - deps: send\@1.0.0 - `res.redirect('back')` and `res.location('back')` is no longer a supported magic string, explicitly use `req.get('Referrer') || '/'`. - change: - `res.clearCookie` will ignore user provided `maxAge` and `expires` options - deps: cookie-signature@^1.2.1 - deps: debug\@4.3.6 - deps: merge-descriptors@^2.0.0 - deps: serve-static@^2.1.0 - deps: qs\@6.13.0 - deps: accepts@^2.0.0 - deps: mime-types@^3.0.0 - `application/javascript` => `text/javascript` - deps: type-is@^2.0.0 - deps: content-disposition@^1.0.0 - deps: finalhandler@^2.0.0 - deps: fresh@^2.0.0 - deps: body-parser@^2.0.1 - deps: send@^1.1.0 ### [`v4.22.1`](https://redirect.github.com/expressjs/express/compare/4.22.0...12fae14531a78f19a2caaa5d4f58d9b01eaf3194) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.22.0...v4.22.1) ### [`v4.22.0`](https://redirect.github.com/expressjs/express/compare/4.21.2...49744abd1120484fe64d7bde1cd3197c32523b6e) [Compare Source](https://redirect.github.com/expressjs/express/compare/4.21.2...4.22.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/netbootxyz/webapp).  --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>