Express v5.0.0

🎉 Express v5 is finally here! 🎉

After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.

For detailed information, please check out the official Express v5 release blog post.

Most relevant details

Major Changes in v5

• Node.js version support: Dropped support for Node.js versions before v18.
• Routing changes: Updated to path-to-regexp@8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).
• Promise support: Middleware can now return rejected promises, caught by the router as errors.
• body-parser changes: Several improvements including the ability to customize urlencoded body depth and defaulting extended to false.
• Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.

For a complete list of breaking changes and API deprecations, see the migration guide.

Security Updates

This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.

Migration

Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.

Security Guidance

For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.

What's Changed

• 4.19.2 Staging by @wesleytodd in https://github.com/expressjs/express/pull/5561
• remove duplicate location test for data uri by @wesleytodd in https://github.com/expressjs/express/pull/5562
• feat: document beta releases expectations by @marco-ippolito in https://github.com/expressjs/express/pull/5565
• Cut down on duplicated CI runs by @jonchurch in https://github.com/expressjs/express/pull/5564
• Add a Threat Model by @UlisesGascon in https://github.com/expressjs/express/pull/5526
• Assign captain of encodeurl by @blakeembrey in https://github.com/expressjs/express/pull/5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in https://github.com/expressjs/express/pull/5587
• docs: update Security.md by @inigomarquinez in https://github.com/expressjs/express/pull/5590
• docs: update triage nomination policy by @UlisesGascon in https://github.com/expressjs/express/pull/5600
• Add CodeQL (SAST) by @UlisesGascon in https://github.com/expressjs/express/pull/5433
• docs: add UlisesGascon as triage initiative captain by @UlisesGascon in https://github.com/expressjs/express/pull/5605
• Use object with null prototype for various app properties by @EvanHahn in https://github.com/expressjs/express/pull/4861
• deps: encodeurl@~2.0.0 by @blakeembrey in https://github.com/expressjs/express/pull/5569
• skip QUERY method test by @jonchurch in https://github.com/expressjs/express/pull/5628
• ignore ETAG query test on 21 and 22, reuse skip util by @jonchurch in https://github.com/expressjs/express/pull/5639
• add support Node.js@22 in the CI by @mertcanaltin in https://github.com/expressjs/express/pull/5627
• doc: add table of contents, tc/triager lists to readme by @mertcanaltin in https://github.com/expressjs/express/pull/5619
• List and sort all projects, add captains by @blakeembrey in https://github.com/expressjs/express/pull/5653
• Call callback once on listen error by @wesleytodd in https://github.com/expressjs/express/pull/3216
• docs: add @UlisesGascon as captain for cookie-parser by @UlisesGascon in https://github.com/expressjs/express/pull/5666
• ✨ bring back query tests for node 21 by @ctcpip in https://github.com/expressjs/express/pull/5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @jonchurch in https://github.com/expressjs/express/pull/5672
• skip QUERY tests for Node 21 only, still not supported by @jonchurch in https://github.com/expressjs/express/pull/5695
• 📝 update people, add ctcpip to TC by @ctcpip in https://github.com/expressjs/express/pull/5683

New Contributors

• @marco-ippolito made their first contribution in https://github.com/expressjs/express/pull/5565
• @inigomarquinez made their first contribution in https://github.com/expressjs/express/pull/5590
• @mertcanaltin made their first contribution in https://github.com/expressjs/express/pull/5627
• @ctcpip made their first contribution in https://github.com/expressjs/express/pull/5690
• @IamLizu made their first contribution in https://github.com/expressjs/express/pull/5762
• @almic made their first contribution in https://github.com/expressjs/express/pull/5677
• @carpasse made their first contribution in https://github.com/expressjs/express/pull/5829
• @bjohansebas made their first contribution in https://github.com/expressjs/express/pull/5814
• @RobinTail made their first contribution in https://github.com/expressjs/express/pull/5782

Full Changelog: https://github.com/expressjs/express/compare/v5.0.0-beta.3...v5.0.0