chore(deps): update dependency express to v5.2.0 [security]
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| express (source) | ^4.21.2 -> ^5.0.0 | | |
| express (source) | 5.1.0 -> 5.2.0 | | |
GitHub Vulnerability Alerts
CVE-2024-51999
Impact
When using the extended query parser in express (`'query parser': 'extended'`), the `request.query` object inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property names.
> [!IMPORTANT]
> The extended query parser is the default in express 4; this was changed in express 5, which by default uses the simple query parser.
Patches
The issue has been patched to ensure `request.query` is a plain object, so `request.query` no longer has object prototype properties. This brings the default behavior of extended query parsing in line with express's default simple query parser.
Workaround
This only impacts users using extended query parsing (`'query parser': 'extended'`), which is the default in express 4, but not express 5. All users are encouraged to upgrade to the patched versions, but can otherwise work around this issue:
Provide `qs` directly and specify `plainObjects: true`:
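```js
// Workaround: parse the query string with qs directly
const qs = require('qs');

app.set('query parser', function (str) {
  // plainObjects: true makes qs build objects without Object.prototype
  return qs.parse(str, {
    plainObjects: true
  });
});
```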
Release Notes
expressjs/express (express)
v5.2.0
========================
- Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
- deps: `body-parser@^2.2.1`
- A deprecation warning was added when using `res.redirect` with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.
v5.1.0
========================
- Add support for `Uint8Array` in `res.send()`
- Add support for ETag option in `res.sendFile()`
- Add support for multiple links with the same rel in `res.links()`
- Add funding field to package.json
- perf: use loop for acceptParams
- refactor: prefix built-in node module imports
- deps: remove `setprototypeof`
- deps: remove `safe-buffer`
- deps: remove `utils-merge`
- deps: remove `methods`
- deps: remove `depd`
- deps: `debug@^4.4.0`
- deps: `body-parser@^2.2.0`
- deps: `router@^2.2.0`
- deps: `content-type@^1.0.5`
- deps: `finalhandler@^2.1.0`
- deps: `qs@^6.14.0`
- deps: [email protected]
- deps: [email protected]
v5.0.1
==========
- Update `cookie` semver lock to address CVE-2024-47764
v5.0.0
=========================
- remove:
  - `path-is-absolute` dependency - use `path.isAbsolute` instead
- breaking:
  - `res.status()` accepts only integers, and input must be greater than 99 and less than 1000
    - will throw a `RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000.` for inputs outside this range
    - will throw a `TypeError: Invalid status code: ${code}. Status code must be an integer.` for non integer inputs
  - deps: send@1.0.0
  - `res.redirect('back')` and `res.location('back')` is no longer a supported magic string, explicitly use `req.get('Referrer') || '/'`.
- change:
  - `res.clearCookie` will ignore user provided `maxAge` and `expires` options
- deps: cookie-signature@^1.2.1
- deps: debug@4.3.6
- deps: merge-descriptors@^2.0.0
- deps: serve-static@^2.1.0
- deps: qs@6.13.0
- deps: accepts@^2.0.0
- deps: mime-types@^3.0.0
  - `application/javascript` => `text/javascript`
- deps: type-is@^2.0.0
- deps: content-disposition@^1.0.0
- deps: finalhandler@^2.0.0
- deps: fresh@^2.0.0
- deps: body-parser@^2.0.1
- deps: send@^1.1.0
v4.22.1
v4.22.0
Configuration
Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
Automerge: Disabled by config. Please merge this manually once you are satisfied.
Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
Ignore: Close this PR and you won't be reminded about these updates again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
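The behaviour described in the advisory above, and what the `plainObjects: true` fix changes for handler code, as an added example that is not part of this PR, Express or qs. `parseQuery` is a simplified stand-in parser, and all function names and sample query strings are constructed for illustration.

```javascript
// Added example. parseQuery is a simplified stand-in for an extended-style
// parser (it is NOT qs or Express code); all function names are hypothetical.

// Build a query object. plain=true mirrors the idea of qs's `plainObjects: true`:
// the result is created with no prototype, so it inherits nothing.
function parseQuery(str, { plain = false } = {}) {
  const target = plain ? Object.create(null) : {};
  for (const [key, value] of new URLSearchParams(str)) {
    target[key] = value; // an own property shadows an inherited one of the same name
  }
  return target;
}

// Fragile: relies on a method the query object is expected to inherit.
function hasFilterFragile(query) {
  return query.hasOwnProperty('filter');
}

// Robust: never looks the method up on the request-controlled object.
function hasFilterRobust(query) {
  return Object.prototype.hasOwnProperty.call(query, 'filter');
}

// Run a check and report its result, or the error type if it throws.
function outcome(check, query) {
  try {
    return String(check(query));
  } catch (err) {
    return err.constructor.name;
  }
}

// Constructed sample query strings.
const ORDINARY = 'filter=new';
const SHADOWING = 'filter=new&hasOwnProperty=1';

function report() {
  const rows = [];
  for (const plain of [false, true]) {
    for (const qsStr of [ORDINARY, SHADOWING]) {
      const query = parseQuery(qsStr, { plain });
      rows.push({ plain, query: qsStr,
        fragile: outcome(hasFilterFragile, query),
        robust: outcome(hasFilterRobust, query) });
    }
  }
  return rows;
}

console.table(report());
```

With a prototype-bearing object the fragile check fails only when a request shadows the method; with a null-prototype object it fails on every request, so the dependency on inherited methods shows up in ordinary testing, while the robust form returns the same answer in all four cases.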
Summary by CodeRabbit
- Chores
  - Updated Express dependency to v5.0.0 across example projects and end-to-end tests.
Walkthrough
Express dependency upgraded from ^4.21.2 to ^5.0.0 across nine package.json files spanning e2e tests and example projects for React and Solid frameworks.
Changes
| Cohort / File(s) | Summary |
|---|---|
| E2E Tests: `e2e/react-start/custom-basepath/package.json`, `e2e/solid-start/custom-basepath/package.json` | Express dependency upgraded from ^4.21.2 to ^5.0.0 |
| React Examples: `examples/react/basic-ssr-file-based/package.json`, `examples/react/basic-ssr-streaming-file-based/package.json`, `examples/react/with-trpc-react-query/package.json`, `examples/react/with-trpc/package.json` | Express dependency upgraded from ^4.21.2 to ^5.0.0 across four example projects |
| Solid Examples: `examples/solid/basic-ssr-file-based/package.json`, `examples/solid/basic-ssr-streaming-file-based/package.json`, `examples/solid/with-trpc/package.json` | Express dependency upgraded from ^4.21.2 to ^5.0.0 across three example projects |
Estimated code review effort
1 (Trivial) | ~5 minutes
- Consider whether Express 5.0.0 introduces breaking changes that may affect the example projects or e2e tests
- Verify that examples and tests execute successfully with the major version upgrade
Suggested labels
package: start-server-core
Suggested reviewers
- birkskyum
Poem
A hop, a skip, through version five, Express now thrives, so fresh alive! From four to five, the bunny's quest, Dependencies updated, put to test!
Pre-merge checks and finishing touches
Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | Warning | The PR title states express is being updated to v5.2.0, but the raw summary shows updates to ^5.0.0 across all files, not v5.2.0. | Clarify whether the actual version being updated is ^5.0.0 or ^5.2.0, and ensure the title matches the actual changes in the changeset. |
Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
Nx Cloud AI Fix Eligible
An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.
To disable these notifications, a workspace admin can disable them in workspace settings.
View your CI Pipeline Execution for commit 4774401d2b514cb7528b795219db9747e006fa4b
| Command | Status | Duration | Result |
|---|---|---|---|
| nx affected --targets=test:eslint,test:unit,tes... | Failed | 10m 33s | View |
| nx run-many --target=build --exclude=examples/*... | Failed | 1m 37s | View |
Nx Cloud last updated this comment at 2025-12-01 21:13:50 UTC
Edited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
Warning: custom changes will be lost.