What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6934

**F...

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 5.2.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6933

**Full...

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in https://github.com/expressjs/express/pull/6429
• Refactor: simplify `accep...

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @sazk07 in https://github.com/expressjs/express/pull/6190
• ci: add support for Node.js@23.0 by @UlisesGascon in https://github...

What's Changed

• Update captains by @UlisesGascon in https://github.com/expressjs/express/pull/6027
• build: Node.js 23.0 by @bjohansebas in https://github.com/expressjs/express/pull/6075
• Add funding field (v5) by @bjohansebas in https://github.com/expressjs/express/pull/6064
• ✅ add discarded middleware test by @ctcpip in https://github.com/expressjs/express/pull/5819
• update homepage...

What's Changed

• Add funding field (v4) by @bjohansebas in https://github.com/expressjs/express/pull/6065
• deps: path-to-regexp@0.1.11 by @blakeembrey in https://github.com/expressjs/express/pull/5956
• deps: bump path-to-regexp@0.1.12 by @jonchurch in https://github.com/expressjs/express/pull/6209
• Release: 4.21.2 by @UlisesGascon in https://github.com/expressjs/express/pull/6094

**...

What's Changed

• remove --bail from test script by @jonchurch in https://github.com/expressjs/express/pull/5962
• Nominate @bjohansebas to the triage team by @UlisesGascon in https://github.com/expressjs/express/pull/6009
• Link and update captains by @blakeembrey in https://github.com/expressjs/express/pull/6013
• Update cookie semver lock to address CVE-2024-47764 by @joshbuker in https...

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in https://github.com/expressjs/express/pull/6029
• Release: 4.21.1 by @UlisesGascon in https://github.com/expressjs/express/pull/6031

Full Changelog: https://github.com/expressjs/express/compare/4.21.0...4.21.1

What's Changed

• Deprecate "back" magic string in redirects by @blakeembrey in https://github.com/expressjs/express/pull/5935
• finalhandler@1.3.1 by @wesleytodd in https://github.com/expressjs/express/pull/5954
• fix(deps): serve-static@1.16.2 by @wesleytodd in https://github.com/expressjs/express/pull/5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in...

Express v5.0.0

🎉 Express v5 is finally here! 🎉

After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.

For detailed information, please check out the official [Express v5 release blog...