Skip to content

chore(deps): bump express and @types/express#301

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/multi-b251156d90
Closed

chore(deps): bump express and @types/express#301
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/multi-b251156d90

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 15, 2026
edited
Loading

Bumps express and @types/express. These dependencies needed to be updated together.
Updates express from 4.21.2 to 5.2.1

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

  • Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
    • The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

  • Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • deps: body-parser@^2.2.1
  • A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

  • Add support for Uint8Array in res.send()
  • Add support for ETag option in res.sendFile()
  • Add support for multiple links with the same rel in res.links()
  • Add funding field to package.json
  • perf: use loop for acceptParams
  • refactor: prefix built-in node module imports
  • deps: remove setprototypeof
  • deps: remove safe-buffer
  • deps: remove utils-merge
  • deps: remove methods
  • deps: remove depd
  • deps: debug@^4.4.0
  • deps: body-parser@^2.2.0
  • deps: router@^2.2.0
  • deps: content-type@^1.0.5
  • deps: finalhandler@^2.1.0
  • deps: qs@^6.14.0
  • deps: server-static@2.2.0
  • deps: type-is@2.0.1

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0

... (truncated)

Commits

Updates @types/express from 4.17.23 to 5.0.6

Commits

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 15, 2026
@dependabot dependabot Bot requested review from a team as code owners April 15, 2026 09:23
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 15, 2026
@dependabot
chore(deps): bump express and @types/express
d6875d5 
Bumps [express](https://github.com/expressjs/express) and [@types/express](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express). These dependencies needed to be updated together.

Updates `express` from 4.21.2 to 5.2.1
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.21.2...v5.2.1)

Updates `@types/express` from 4.17.23 to 5.0.6
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express)

---
updated-dependencies:
- dependency-name: "@types/express"
  dependency-version: 5.0.6
  dependency-type: direct:development
  update-type: version-update:semver-major
- dependency-name: express
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-b251156d90 branch from 2bd67f2 to d6875d5 Compare April 29, 2026 15:28
@aaitor
Copy link
Copy Markdown
Member

aaitor commented Apr 29, 2026

Closing — Express 4 → 5 is a major rewrite with breaking middleware/routing semantics that needs manual migration and a full E2E pass. The auto-merge workflow intentionally leaves majors for manual review. Re-open with @dependabot recreate when we schedule the migration.

@aaitor aaitor closed this Apr 29, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 29, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/multi-b251156d90 branch April 29, 2026 15:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aaitor