Bump the express group with 3 updates #8530

dependabot · 2025-10-20T08:37:39Z

Bumps the express group with 3 updates: express, express-http-proxy and express-session.

Updates express from 4.21.2 to 5.1.0

Release notes

v5.1.0

What's Changed

Update captains by @UlisesGascon in expressjs/express#6027

build: Node.js 23.0 by @bjohansebas in expressjs/express#6075

Add funding field (v5) by @bjohansebas in expressjs/express#6064

✅ add discarded middleware test by @ctcpip in expressjs/express#5819

update homepage link http to https by @bjohansebas in expressjs/express#5920

Improve readme by @bjohansebas in expressjs/express#5994

Add bjohansebas as repo captain for expressjs.com by @crandmck in expressjs/express#6058

Remove Object.setPrototypeOf polyfill by @Phillip9587 in expressjs/express#6081

fix(buffer): use node:buffer instead of safe-buffer by @bhavya3024 in expressjs/express#6071

docs: Add DCO by @UlisesGascon in expressjs/express#6048

cleanup: remove promise support check from tests by @Phillip9587 in expressjs/express#6148

Use loop for acceptParams by @blakeembrey in expressjs/express#6066

Improve documentation step in release process by @bjohansebas in expressjs/express#6150

cleanup: remove unnecessary require for global Buffer by @Phillip9587 in expressjs/express#6146

cleanup: remove AsyncLocalStorage check by @Phillip9587 in expressjs/express#6147

update history.md for acceptParams change by @jonchurch in expressjs/express#6177

docs: add @rxmarbles to the triage team by @UlisesGascon in expressjs/express#6151

refactor: improve readability by @sazk07 in expressjs/express#6173

docs: clarify the security process in the triage role by @bjohansebas in expressjs/express#6217

chore: replace methods dependency with standard library by @jonkoops in expressjs/express#6196

Remove utils-merge dependency - use spread syntax instead by @Phillip9587 in expressjs/express#6091

fix(securite): fix vulnerabilities by @Abdel-Monaam-Aouini in expressjs/express#6211

refactor: prefix built-in node module imports by @slagiewka in expressjs/express#6236

fix: remove download size badges by @wesleytodd in expressjs/express#6266

Remove unused depd dependency by @jonkoops in expressjs/express#6197

fix: usage of Invalid action input 'persist-credentials' for actions/setup-node@v4 in ci.yml by @hamirmahal in expressjs/express#6256

Add support for OSSF scorecard reporting by @UlisesGascon in expressjs/express#5431

docs: add @Phillip9587 to the triage team by @bjohansebas in expressjs/express#6276

fix: added a missing semicolon in css styles in examples/auth by @pr4j3sh in expressjs/express#6297

docs: include team email in the security policy by @UlisesGascon in expressjs/express#6278

refactor: simplify normalizeTypes function by @Ayoub-Mabrouk in expressjs/express#6097

ci: updated github actions ci workflow by @Phillip9587 in expressjs/express#6314

ci: fix npm install --include typo by @Phillip9587 in expressjs/express#6324

ci: updated scorecard actions by @Phillip9587 in expressjs/express#6322

build(deps): use carat notation for dependency versions by @dpopp07 in expressjs/express#6317

chore(deps): update debug to ^4.4.0 by @Phillip9587 in expressjs/express#6313

docs: retroactively note 5.0.0-beta.1 api change in history file by @dpopp07 in expressjs/express#6333

feat(deps): body-parser@^2.1.0 by @wesleytodd in expressjs/express#6332

feat(deps): router@^2.1.0 by @wesleytodd in expressjs/express#6331

Update repo captains by @UlisesGascon in expressjs/express#6234

deps: upgrade nyc by @agungjati in expressjs/express#6122

fix (deps): update deps by @wesleytodd in expressjs/express#6337

response: add support for ETag option in res.sendFile by @juanarbol in expressjs/express#6073

Update multiple links to use https instead of http by @Phillip9587 in expressjs/express#6338

Extend res.links() to allow adding multiple links with the same rel #2729 by @andvea in expressjs/express#4885

docs: update emeritus triagers by @UlisesGascon in expressjs/express#6345

docs: update guidance for triager nominations by @bjohansebas in expressjs/express#6349

docs: clarify guidelines for becoming a committer by @bjohansebas in expressjs/express#6364

... (truncated)

Changelog

Sourced from express's changelog.

5.1.0 / 2025-03-31

Add support for Uint8Array in res.send()

Add support for ETag option in res.sendFile()

Add support for multiple links with the same rel in res.links()

Add funding field to package.json

perf: use loop for acceptParams

refactor: prefix built-in node module imports

deps: remove setprototypeof

deps: remove safe-buffer

deps: remove utils-merge

deps: remove methods

deps: remove depd

deps: debug@^4.4.0

deps: body-parser@^2.2.0

deps: router@^2.2.0

deps: content-type@^1.0.5

deps: finalhandler@^2.1.0

deps: qs@^6.14.0

deps: [email protected]

deps: [email protected]

5.0.1 / 2024-10-08

Update cookie semver lock to address CVE-2024-47764

5.0.0 / 2024-09-10

remove:

path-is-absolute dependency - use path.isAbsolute instead

breaking:

res.status() accepts only integers, and input must be greater than 99 and less than 1000

will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range

will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs

deps: [email protected]

res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.

change:

res.clearCookie will ignore user provided maxAge and expires options

deps: cookie-signature@^1.2.1

deps: [email protected]

deps: merge-descriptors@^2.0.0

deps: serve-static@^2.1.0

deps: [email protected]

deps: accepts@^2.0.0

deps: mime-types@^3.0.0

application/javascript => text/javascript

deps: type-is@^2.0.0

deps: content-disposition@^1.0.0

... (truncated)

Commits

cd7d439 5.1.0
4c4f3ea fix(deps): serve-static@^2.2.0 (#6418)
cb4c56e fix(docs): remove @mertcanaltin from Triagers (#6408)
7b44e1d ci: use full SHAs for github action versions
eb6d125 deps: router@^2.2.0 (#6417)
f1a2dc8 deps: type-is@^2.0.1 (#6420)
6b51e8e deps: body-parser@^2.2.0 (#6419)
1f311c5 build(deps-dev): bump cookie-session from 2.0.0 to 2.1.0 (#6399)
9e97144 feat(deps): [email protected] (#6373)
29d0980 build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#6397)
Additional commits viewable in compare view

Updates express-http-proxy from 2.1.1 to 2.1.2

Commits

e2aeb52 2.1.2
9aa5905 update supertest
016afc8 update README for 2.1.2
7b792cf implement memory leak fix from http-proxy (#566)
b5d7dd0 [adhoc] Remove accidentally committed only. (#563)
ef7c956 Improve organization and rigor of tests (#562)
c5574ea Incremental cleanup and organization of test files. (#561)
2048e8f [548] Update docs and tests to show how to retain proxyRes headers.
23c5d51 Reduce timeouts where possible.
04a03b1 extract timeout
Additional commits viewable in compare view

Updates express-session from 1.18.1 to 1.18.2

Release notes

Sourced from express-session's releases.

v1.18.2

What's Changed

fix: Resolve test failure - Refresh server.crt with existing key extending expiry to Nov 21 03:28:10 2034 GMT by @BaileyFirman in expressjs/session#1003

feat: gencert script to regenerate the test ssl certs by @wesleytodd in expressjs/session#1015

chore: upgrade scorecard workflow pinned action versions by @carpasse in expressjs/session#1008

ci: add CodeQL (SAST) by @bjohansebas in expressjs/session#1005

[StepSecurity] Apply security best practices by @step-security-bot in expressjs/session#1047

build(deps-dev): bump mocha from 10.2.0 to 10.8.2 by @dependabot[bot] in expressjs/session#1061

build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot[bot] in expressjs/session#1048

build(deps): bump github/codeql-action from 3.24.7 to 3.28.18 by @dependabot[bot] in expressjs/session#1050

build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @dependabot[bot] in expressjs/session#1049

build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @dependabot[bot] in expressjs/session#1052

build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @dependabot[bot] in expressjs/session#1051

chore: fix typos by @noritaka1166 in expressjs/session#1066

deps: [email protected] by @UlisesGascon in expressjs/session#1069

🔖 v1.18.2 by @ctcpip in expressjs/session#1070

New Contributors

@BaileyFirman made their first contribution in expressjs/session#1003

@wesleytodd made their first contribution in expressjs/session#1015

@carpasse made their first contribution in expressjs/session#1008

@step-security-bot made their first contribution in expressjs/session#1047

@dependabot[bot] made their first contribution in expressjs/session#1061

@noritaka1166 made their first contribution in expressjs/session#1066

@ctcpip made their first contribution in expressjs/session#1070

Full Changelog: expressjs/session@v1.18.1...v1.18.2

Changelog

Sourced from express-session's changelog.

1.18.2 / 2025-07-17

deps: [email protected]

deps: on-headers@~1.1.0

Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

d10709f 🔖 v1.18.2 (#1070)
5808783 deps: [email protected] (#1069)
b9fcad8 chore: fix typos (#1066)
a698c81 build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1051)
ec1957b build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 (#1052)
2caff6a build(deps): bump actions/checkout from 4.1.1 to 4.2.2 (#1049)
2633e88 build(deps): bump github/codeql-action from 3.24.7 to 3.28.18 (#1050)
7e2c696 build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#1048)
92dd300 build(deps-dev): bump mocha from 10.2.0 to 10.8.2 (#1061)
168271c fix(dependabot): do not update major versions
Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the express group with 3 updates: [express](https://github.com/expressjs/express), [express-http-proxy](https://github.com/villadora/express-http-proxy) and [express-session](https://github.com/expressjs/session). Updates `express` from 4.21.2 to 5.1.0 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](expressjs/express@4.21.2...v5.1.0) Updates `express-http-proxy` from 2.1.1 to 2.1.2 - [Release notes](https://github.com/villadora/express-http-proxy/releases) - [Commits](villadora/express-http-proxy@v2.1.1...v2.1.2) Updates `express-session` from 1.18.1 to 1.18.2 - [Release notes](https://github.com/expressjs/session/releases) - [Changelog](https://github.com/expressjs/session/blob/master/HISTORY.md) - [Commits](expressjs/session@v1.18.1...v1.18.2) --- updated-dependencies: - dependency-name: express dependency-version: 5.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: express - dependency-name: express-http-proxy dependency-version: 2.1.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: express - dependency-name: express-session dependency-version: 1.18.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: express ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added the dependencies Pull requests that update a dependency file label Oct 20, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the express group with 3 updates #8530

Bump the express group with 3 updates #8530

Uh oh!

dependabot bot commented on behalf of github Oct 20, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Bump the express group with 3 updates #8530

Are you sure you want to change the base?

Bump the express group with 3 updates #8530

Uh oh!

Conversation

dependabot bot commented on behalf of github Oct 20, 2025

v5.1.0

What's Changed

5.1.0 / 2025-03-31

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

v1.18.2

What's Changed

New Contributors

1.18.2 / 2025-07-17

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants