Bump express from 4.22.2 to 5.2.1

[dependabot]

Bumps express from 4.22.2 to 5.2.1.

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 5.2.1 by @​UlisesGascon in expressjs/express#6933

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @​dependabot[bot] in expressjs/express#6429
• Refactor: simplify acceptsLanguages implementation using spread operator by @​Ayoub-Mabrouk in expressjs/express#6137
• increased code coverage of utils.js file by @​ashish3011 in expressjs/express#6386
• chore: remove duplicate word by @​dufucun in expressjs/express#6456
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @​dependabot[bot] in expressjs/express#6498
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @​dependabot[bot] in expressjs/express#6497
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @​dependabot[bot] in expressjs/express#6496
• ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6504
• ci: update codeql config by @​Phillip9587 in expressjs/express#6488
• chore: wider range for query test skip by @​jonchurch in expressjs/express#6512
• chore: fix typos in test by @​noritaka1166 in expressjs/express#6535
• ci: disable credential persistence for checkout actions by @​mertssmnoglu in expressjs/express#6522
• ci: allow manual triggering of workflow by @​shivarm in expressjs/express#6515
• test: add coverage for app.listen() variants by @​kgarg1 in expressjs/express#6476
• docs: move documentation and charters to the discussions and .github … by @​bjohansebas in expressjs/express#6427
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @​dependabot[bot] in expressjs/express#6549
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in expressjs/express#6548
• chore: enforce explicit Buffer import and add lint rule by @​shivarm in expressjs/express#6525
• chore: use node protocol for querystring by @​shivarm in expressjs/express#6520
• chore: fix typo by @​mountdisk in expressjs/express#6609
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @​dependabot[bot] in expressjs/express#6618
• add deprecation warnings for redirect arguments undefined by @​bjohansebas in expressjs/express#6405
• ci: run CI when the markdown changes by @​bjohansebas in expressjs/express#6632
• doc: fix CONTRIBUTING link by @​jonchurch in expressjs/express#6653
• doc: update contributing guidelines and code of conduct links by @​ShubhamOulkar in expressjs/express#6601
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @​dependabot[bot] in expressjs/express#6679
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @​dependabot[bot] in expressjs/express#6678
• lint: add --fix flag to automatic fix linting issue by @​shivarm in expressjs/express#6644
• chore: ignore yarn.lock file and update example by @​shivarm in expressjs/express#6588
• lib: use req.socket over deprecated req.connection by @​bjohansebas in expressjs/express#6705
• doc: update express app example by @​shivarm in expressjs/express#6718
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in expressjs/express#6675
• Remove history.md from being packaged on publish by @​sheplu in expressjs/express#6780

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: body-parser@^2.2.1
• A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

• Add support for Uint8Array in res.send()
• Add support for ETag option in res.sendFile()
• Add support for multiple links with the same rel in res.links()
• Add funding field to package.json
• perf: use loop for acceptParams
• refactor: prefix built-in node module imports
• deps: remove setprototypeof
• deps: remove safe-buffer
• deps: remove utils-merge
• deps: remove methods
• deps: remove depd
• deps: debug@^4.4.0
• deps: body-parser@^2.2.0
• deps: router@^2.2.0
• deps: content-type@^1.0.5
• deps: finalhandler@^2.1.0
• deps: qs@^6.14.0
• deps: server-static@2.2.0
• deps: type-is@2.0.1

5.0.1 / 2024-10-08

• Update cookie semver lock to address CVE-2024-47764

5.0.0 / 2024-09-10

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@1.0.0

... (truncated)

Commits

• dbac741 5.2.1
• 697547c Revert "sec: security patch for CVE-2024-51999"
• 4007ad1 Release: 5.2.0 (#6920)
• 2f64f68 sec: security patch for CVE-2024-51999
• ed0ba3f build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#6928)
• 8eace46 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#6929)
• 30bae81 build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 (#6930)
• 758d435 deps: body-parser@^2.2.1 (#6922)
• 77bcd52 docs: update emeritus triagers (#6890)
• f33caf1 Nominate to @​efekrskl for triage team (#6888)
• Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/media-typer	0.3.0	🟢 7.1	Details Check Score Reason Code-Review ⚠️ 2 Found 5/19 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Dependency-Update-Tool 🟢 10 update tool detected Security-Policy 🟢 9 security policy file detected Contributors 🟢 10 project has 20 contributing companies or organizations CI-Tests 🟢 9 19 out of 21 merged PRs checked by a CI test -- score normalized to 9
npm/mime-db	1.52.0	🟢 7	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 8 24 out of 30 merged PRs checked by a CI test -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 10 project has 28 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 9 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/mime-types	2.1.35	🟢 7.4	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Dependency-Update-Tool 🟢 10 update tool detected Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST 🟢 9 SAST tool detected but not run on all commits License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 9 security policy file detected CI-Tests 🟢 9 28 out of 29 merged PRs checked by a CI test -- score normalized to 9 Contributors 🟢 10 project has 26 contributing companies or organizations
npm/type-is	1.6.18	🟢 7.2	Details Check Score Reason Code-Review 🟢 7 Found 9/12 approved changesets -- score normalized to 7 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Maintained 🟢 7 6 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 7 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases ⚠️ -1 no releases found SAST 🟢 8 SAST tool detected but not run on all commits License 🟢 10 license file detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches CI-Tests 🟢 7 17 out of 23 merged PRs checked by a CI test -- score normalized to 7 Contributors 🟢 10 project has 25 contributing companies or organizations

Scanned Files

• package-lock.json

[Lomilar]

@dependabot rebase