Backlog for next releases

[UlisesGascon]

This is the current releases backlog in terms of status and priorities

Important notes:

• The state of the backlog is always reflected in the latest edition of this message.
• Packages and releases are prioritized based on user impact, with security updates and hotfixes considered the most critical.
• Some packages require maintenance releases, as it has been several years since their last update. These items are considered low priority.
• Ideally, each release has a clear leader.

Security Releases (Highest priority)

We intentionally do not disclose more details. This helps us organize the backlog more effectively, as not everyone is aware of which security patches are currently in progress.

• [x] body-parser (repo, npm)
  • [x] semver-patch: https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4
  • [x] 2.2.1: https://github.com/expressjs/body-parser/pull/659
• [x] express (repo, npm)
  • [x] semver-minor: https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6
  • [x] release: https://github.com/expressjs/express/pull/6921
  • [x] release: https://github.com/expressjs/express/pull/6920
• [ ] multiparty (repo, npm)
  • [ ] semver-minor: https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94

This is organized in a specific order to ensure we apply patches on the latest versions. For example, Express depends on body-parser.

High Priority

The community is waiting for these releases, which contain patches and features that we need to ship soon.

• [ ] cors (repo, npm)
  • Priority: https://github.com/expressjs/cors/issues/346
  • Lead: @ulisesGascon / @efekrskl
• [ ] compressible (repo, npm):
  • Proposal 2.0.19: https://github.com/jshttp/compressible/pull/32
  • Lead: @UlisesGascon
• [ ] on-finished (repo, npm):
  • semver-major: https://github.com/jshttp/on-finished/issues/57
  • Lead: @Phillip9587 / @UlisesGascon
• [ ] mime-db (repo, npm):
  • [ ] Backlog: https://github.com/jshttp/mime-db/issues/414
  • [ ] Create a release proposal PR
  • Lead: @UlisesGascon
• [x] iconv-lite (repo, npm):
  • Release: https://github.com/pillarjs/iconv-lite/pull/359
  • Release: 1.x (TBC)
  • Lead: @bjohansebas
• [x] content-disposition (repo, npm):
  • Proposal 1.0.1: https://github.com/jshttp/content-disposition/pull/58
  • Lead: @Phillip9587 / @UlisesGascon
• [x] mime-types (repo, npm):
  • Proposal 3.0.2 https://github.com/jshttp/mime-types/pull/169
  • Lead: @UlisesGascon
• [x] http-errors (repo, npm):
  • Motivation: This would deduplicate the statuses package in our dependency tree: npm graph
  • Proposal 2.0.1 https://github.com/jshttp/http-errors/pull/140
  • Lead: @UlisesGascon
• [x] serve-static (repo, npm)
  • Lead: @UlisesGascon
  • Priority: https://github.com/expressjs/serve-static/pull/227
  • Release: https://github.com/expressjs/serve-static/pull/228
  • Release: https://github.com/expressjs/serve-static/pull/229
• [x] send (repo, npm)
  • Lead: @UlisesGascon
  • Priority: https://github.com/pillarjs/send/pull/279
  • Release: https://github.com/pillarjs/send/pull/281
  • Release: https://github.com/pillarjs/send/pull/280
• [x] finalhandler (repo, npm)
  • Lead: @UlisesGascon
  • Priority: https://github.com/pillarjs/finalhandler/pull/118 and https://github.com/pillarjs/finalhandler/pull/119
  • Release: https://github.com/pillarjs/finalhandler/pull/120
  • Release: https://github.com/pillarjs/finalhandler/pull/121
• [x] body-parser (repo, npm)
  • Lead: @UlisesGascon
  • Priority: https://github.com/expressjs/body-parser/pull/668
  • Release: https://github.com/expressjs/body-parser/pull/672
  • 2.2.2: https://github.com/expressjs/body-parser/pull/691
• [x] cookie (repo, npm)
  • Lead: @blakeembrey
  • [email protected]: https://github.com/jshttp/cookie/releases/tag/v1.1.0

Medium Priority

The community is waiting for these releases, which include patches and features that we can release without urgency. In some cases, the release backlog is not yet ready.

• [ ] multer (repo, npm):
  • semver-major and semver-patch pending: https://github.com/expressjs/multer/issues/1310
  • Lead: @bjohansebas / @UlisesGascon / @LinusU
• [ ] compression (repo, npm):
  • semver-major: https://github.com/expressjs/compression/issues/234
  • Lead: @bjohansebas / @ulisesgascon
• [ ] express-session (repo, npm):
  • semver-major: https://github.com/expressjs/session/issues/1006
  • Lead: @UlisesGascon / @bjohansebas
• [ ] response-time (repo, npm)
  • semver-major: https://github.com/expressjs/response-time/issues/25
  • Lead: @carpasse / @UlisesGascon
• [ ] basic-auth-connect (repo, npm):
  • semver-major: https://github.com/expressjs/basic-auth-connect/issues/8
  • Lead: @UlisesGascon
• [ ] hbs (repo, npm)
  • semver-major: https://github.com/pillarjs/hbs/tree/5.0
  • Lead: @UlisesGascon / @mfdebian
• [ ] on-headers (repo, npm):
  • semver-major: https://github.com/jshttp/on-headers/issues/18
  • Lead: @bjohansebas / @UlisesGascon
• [ ] content-type (repo, npm):
  • semver-major: https://github.com/jshttp/content-type/issues/27
  • Lead: @Phillip9587 / @UlisesGascon
• [ ] basic-auth (repo, npm):
  • semver-major: https://github.com/jshttp/basic-auth/issues/70
  • Lead: @Phillip9587 / @UlisesGascon
• [x] errorhandler (repo, npm)
  • Lead: @UlisesGascon / @nanotower
• [ ] cookies (repo, npm)
  • semver-major proposal: https://github.com/pillarjs/cookies/pull/48
  • Lead: @UlisesGascon / @imangas
• [ ] http-assert (repo, npm)
  • Motivation: https://github.com/jshttp/http-assert/pull/37
  • Lead: @UlisesGascon

Backlog

We need to plan the release content. These releases are considered blocked until we gain more traction.

• serve-index (repo, npm)
• method-override (repo, npm)
• vhost (repo, npm)
• parseurl (repo, npm)
• csrf (repo, npm)
• resolve-path (repo, npm)
• media-typer (repo, npm)
• vary (repo, npm)
• methods (repo, npm)
• range-parser (repo, npm)
• proxy-addr (repo, npm)
• etag (repo, npm)
• http-errors (repo, npm)
• forwarded (repo, npm)
  • semver-major proposal: https://github.com/jshttp/forwarded/pull/1

On hold

We released a version recently, but we can prepare a new one containing the remaining open issues, dependency upgrades, and other improvements.

• morgan (repo, npm)
• serve-favicon (repo, npm)
• connect-timeout (repo, npm)
• statuses (repo, npm)
• fresh (repo, npm)
• negotiator (repo, npm)
• type-is (repo, npm)
• encodeurl (repo, npm)
• iconv-lite (repo, npm)
• router (repo, npm)
• cookie-parser (repo, npm)
• cookie-session (repo, npm)
• path-to-regexp (repo, npm)