deps: Bump express from 4.22.2 to 5.2.1 by dependabot[bot] · Pull Request #1380 · UI5/cli

dependabot · 2026-05-11T08:29:34Z

Bumps express from 4.22.2 to 5.2.1.

Release notes

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Release: 5.2.1 by @UlisesGascon in expressjs/express#6933

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in expressjs/express#6429

Refactor: simplify acceptsLanguages implementation using spread operator by @Ayoub-Mabrouk in expressjs/express#6137

increased code coverage of utils.js file by @ashish3011 in expressjs/express#6386

chore: remove duplicate word by @dufucun in expressjs/express#6456

build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in expressjs/express#6498

build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in expressjs/express#6497

build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in expressjs/express#6496

ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/express#6504

ci: update codeql config by @Phillip9587 in expressjs/express#6488

chore: wider range for query test skip by @jonchurch in expressjs/express#6512

chore: fix typos in test by @noritaka1166 in expressjs/express#6535

ci: disable credential persistence for checkout actions by @mertssmnoglu in expressjs/express#6522

ci: allow manual triggering of workflow by @shivarm in expressjs/express#6515

test: add coverage for app.listen() variants by @kgarg1 in expressjs/express#6476

docs: move documentation and charters to the discussions and .github … by @bjohansebas in expressjs/express#6427

build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in expressjs/express#6549

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in expressjs/express#6548

chore: enforce explicit Buffer import and add lint rule by @shivarm in expressjs/express#6525

chore: use node protocol for querystring by @shivarm in expressjs/express#6520

chore: fix typo by @mountdisk in expressjs/express#6609

build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in expressjs/express#6618

add deprecation warnings for redirect arguments undefined by @bjohansebas in expressjs/express#6405

ci: run CI when the markdown changes by @bjohansebas in expressjs/express#6632

doc: fix CONTRIBUTING link by @jonchurch in expressjs/express#6653

doc: update contributing guidelines and code of conduct links by @ShubhamOulkar in expressjs/express#6601

build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @dependabot[bot] in expressjs/express#6679

build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @dependabot[bot] in expressjs/express#6678

lint: add --fix flag to automatic fix linting issue by @shivarm in expressjs/express#6644

chore: ignore yarn.lock file and update example by @shivarm in expressjs/express#6588

lib: use req.socket over deprecated req.connection by @bjohansebas in expressjs/express#6705

doc: update express app example by @shivarm in expressjs/express#6718

build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in expressjs/express#6675

Remove history.md from being packaged on publish by @sheplu in expressjs/express#6780

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

deps: body-parser@^2.2.1

A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

Add support for Uint8Array in res.send()

Add support for ETag option in res.sendFile()

Add support for multiple links with the same rel in res.links()

Add funding field to package.json

perf: use loop for acceptParams

refactor: prefix built-in node module imports

deps: remove setprototypeof

deps: remove safe-buffer

deps: remove utils-merge

deps: remove methods

deps: remove depd

deps: debug@^4.4.0

deps: body-parser@^2.2.0

deps: router@^2.2.0

deps: content-type@^1.0.5

deps: finalhandler@^2.1.0

deps: qs@^6.14.0

deps: [email protected]

deps: [email protected]

5.0.1 / 2024-10-08

Update cookie semver lock to address CVE-2024-47764

5.0.0 / 2024-09-10

remove:

path-is-absolute dependency - use path.isAbsolute instead

breaking:

res.status() accepts only integers, and input must be greater than 99 and less than 1000

will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range

will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs

deps: [email protected]

... (truncated)

Commits

dbac741 5.2.1
697547c Revert "sec: security patch for CVE-2024-51999"
4007ad1 Release: 5.2.0 (#6920)
2f64f68 sec: security patch for CVE-2024-51999
ed0ba3f build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#6928)
8eace46 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#6929)
30bae81 build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 (#6930)
758d435 deps: body-parser@^2.2.1 (#6922)
77bcd52 docs: update emeritus triagers (#6890)
f33caf1 Nominate to @efekrskl for triage team (#6888)
Additional commits viewable in compare view

Bumps [express](https://github.com/expressjs/express) from 4.22.2 to 5.2.1. - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](expressjs/express@v4.22.2...v5.2.1) --- updated-dependencies: - dependency-name: express dependency-version: 5.2.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot Bot added dependencies Automated dependency update javascript Pull requests that update Javascript code labels May 11, 2026

dependabot Bot changed the title ~~deps: Bump express from 4.22.1 to 5.2.1~~ deps: Bump express from 4.22.2 to 5.2.1 May 26, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/express-5.2.1 branch from b42cb38 to 9b012c3 Compare May 26, 2026 05:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

deps: Bump express from 4.22.2 to 5.2.1#1380

deps: Bump express from 4.22.2 to 5.2.1#1380
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/express-5.2.1

dependabot Bot commented on behalf of github May 11, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v5.2.1

What's Changed

v5.2.0

Important: Security

What's Changed

5.2.1 / 2025-12-01

5.2.0 / 2025-12-01

5.1.0 / 2025-03-31

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github May 11, 2026 •

edited

Loading