4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @wesleytodd in #5561
• remove duplicate location test for data uri by @wesleytodd in #5562
• feat: document beta releases expectations by @marco-ippolito in #5565
• Cut down on duplicated CI runs by @jonchurch in #5564
• Add a Threat Model by @UlisesGascon in #5526
• Assign captain of encodeurl by @blakeembrey in #5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in #5587
• docs: update Security.md by @inigomarquinez in #5590
• docs: update triage nomination policy by @UlisesGascon in #5600
• Add CodeQL (SAST) by @UlisesGascon in #5433
• docs: add UlisesGascon as triage initiative captain by @UlisesGascon in #5605
• deps: encodeurl@~2.0.0 by @blakeembrey in #5569
• skip QUERY method test by @jonchurch in #5628
• ignore ETAG query test on 21 and 22, reuse skip util by @jonchurch in #5639
• add support Node.js@22 in the CI by @mertcanaltin in #5627
• doc: add table of contents, tc/triager lists to readme by @mertcanaltin in #5619
• List and sort all projects, add captains by @blakeembrey in #5653
• docs: add @UlisesGascon as captain for cookie-parser by @UlisesGascon in #5666
• ✨ bring back query tests for node 21 by @ctcpip in #5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @jonchurch in #5672
• skip QUERY tests for Node 21 only, still not supported by @jonchurch in #5695
• 📝 update people, add ctcpip to TC by @ctcpip in #5683
• remove minor version pinning from ci by @jonchurch in #5722
• Fix link variable use in attribution section of CODE OF CONDUCT by @IamLizu in #5762
• Replace Appveyor windows testing with GHA by @jonchurch in #5599
• Add OSSF Scorecard badge by @UlisesGascon in #5436
• update scorecard link by @bjohansebas in #5814
• Nominate @IamLizu to the triage team by @UlisesGascon in #5836
• deps: [email protected] by @blakeembrey in #5603
• docs: specify new instructions for question and discuss by @IamLizu in #5835
• 4.x: Upgrade merge-descriptors dependency by @RobinTail in #5781
• [email protected] by @blakeembrey in #5902

New Contributors

• @marco-ippolito made their first contribution in #5565
• @inigomarquinez made their first contribution in #5590
• @mertcanaltin made their first contribution in #5627
• @ctcpip made their first contribution in #5690
• @bjohansebas made their first contribution in #5814

Full Changelog: 4.19.1...4.20.0

v5.0.0-beta.3

Full Changelog: 5.0.0-beta.2...v5.0.0-beta.3

4.19.2

What's Changed

• Improved fix for open redirect allow list bypass

Full Changelog: 4.19.1...4.19.2

5.0.0-beta.2

What's Changed

• lib: fix typo ocurred -> occurred by @caioagiani in #4805
• examples: defend from privilege elevation by @KoyamaSohei in #4120
• replace "replaces" with "replacer" in jsdoc by @apeltop in #4843
• Add install size badge to README by @styfle in #3710
• Replace deprecated String.prototype.substr() by @CommanderRoot in #4860
• fix: remove deprecated html attribute by @Hashen110 in #4866
• fix: parameter index is not described in JSDoc by @Hashen110 in #4867
• fix: continue is unnecessary as the last statement in a loop by @Hashen110 in #4868
• Deprecate non integer status codes in v4 by @jonchurch in #4223
• Add root support in res.download() by @mmito in #4855
• res.format(): call default using obj as the context by @shesek in #3587
• Feature/4171 depd by @UlisesGascon in #4174
• Validate maxAge appropriateness before use by @cjbarth in #3936
• deps: [email protected] by @3imed-jaberi in #4336
• test: fix typo by @Hashen110 in #4882
• docs: fix typo: http -> HTTP by @ghousemohamed in #4872
• Update Security.md by @netcode in #4890
• examples: add missing associated labels by @Hashen110 in #4884
• Increase timeout for mocha to 7500 by @grisu48 in #4887
• Release 4.18 by @dougwilson in #4287
• Expanding the benchmark. by @denizy97 in #4880
• examples: remove unused params by @alxdrg in #4914
• Grammatically updated the express documentation for better comprehension by @REALSTEVEIG in #4926
• Freenode is dead/dying by @theabhinavdas in #5013
• Use https: protocol instead of deprecated git: protocol by @vcsjones in #5032
• build: [email protected] and [email protected] by @abenhamdine in #5034
• ci: update actions/checkout to v3 by @armujahid in #5027
• test: remove unused function arguments in params by @raksbisht in #5124
• Remove unused originalIndex from acceptParams by @raksbisht in #5119
• Fixed typos by @raksbisht in #5117
• examples: remove unused params by @raksbisht in #5113
• fix: parameter str is not described in JSDoc by @raksbisht in #5130
• fix: typos in History.md by @raksbisht in #5131
• build : add [email protected] by @abenhamdine in #5028
• test: remove unused function arguments in params by @raksbisht in #5137
• use random port in test so it won't fail on already listening by @rluvaton in #5162
• tests: use cb() instead of done() by @kristof-low in #5233
• examples: remove multipart example by @riddlew in #5195
• Update support Node.js@18 in the CI by @UlisesGascon in #5490
• Fix favicon-related bug in cookie-sessions example by @DmytroKondrashov in #5414
• Release 4.18.3 by @UlisesGascon in #5505
• fix typo in release date by @UlisesGascon in #5527
• docs: nominating @wesleytodd to be project captian by @wesleytodd in #5511
• docs: loosen TC activity rules by @wesleytodd in #5510
• Add note on how to update docs for new release by @crandmck in #5541
• Release 4.19.0 by @wesleytodd in #5551
• Fix ci after location patch by @wesleytodd in #5552
• fixed un-edited version in history.md for 4.19.0 by @wesleytodd in #5556

New Contributors

• @caioagiani made their first contribution in #4805
• @apeltop made their first contribution in #4843
• @styfle made their first contribution in #3710
• @CommanderRoot made their first contribution in #4860
• @Hashen110 made their first contribution in #4866
• @mmito made their first contribution in #4855
• @UlisesGascon made their first contribution in #4174
• @cjbarth made their first contribution in #3936
• @ghousemohamed made their first contribution in #4872
• @netcode made their first contribution in #4890
• @grisu48 made their first contribution in #4887
• @denizy97 made their first contribution in #4880
• @alxdrg made their first contribution in #4914
• @REALSTEVEIG made their first contribution in #4926
• @theabhinavdas made their first contribution in #5013
• @vcsjones made their first contribution in #5032
• @abenhamdine made their first contribution in #5034
• @armujahid made their first contribution in #5027
• @raksbisht made their first contribution in #5124
• @rluvaton made their first contribution in #5162
• @kristof-low made their first contribution in #5233
• @riddlew made their first contribution in #5195
• @DmytroKondrashov made their first contribution in #5414
• @crandmck made their first contribution in #5541

Full Changelog: v5.0.0-beta.1...5.0.0-beta.2

4.19.1

What's Changed

• Fix ci after location patch by @wesleytodd in #5552
• fixed un-edited version in history.md for 4.19.0 by @wesleytodd in #5556

Full Changelog: 4.19.0...4.19.1

4.19.0

What's Changed

• fix typo in release date by @UlisesGascon in #5527
• docs: nominating @wesleytodd to be project captian by @wesleytodd in #5511
• docs: loosen TC activity rules by @wesleytodd in #5510
• Add note on how to update docs for new release by @crandmck in #5541
• Prevent open redirect allow list bypass due to encodeurl
• Release 4.19.0 by @wesleytodd in #5551

New Contributors

• @crandmck made their first contribution in #5541

Full Changelog: 4.18.3...4.19.0

4.18.3

Main Changes

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: [email protected]

Other Changes

• Use https: protocol instead of deprecated git: protocol by @vcsjones in #5032
• build: [email protected] and [email protected] by @abenhamdine in #5034
• ci: update actions/checkout to v3 by @armujahid in #5027
• test: remove unused function arguments in params by @raksbisht in #5124
• Remove unused originalIndex from acceptParams by @raksbisht in #5119
• Fixed typos by @raksbisht in #5117
• examples: remove unused params by @raksbisht in #5113
• fix: parameter str is not described in JSDoc by @raksbisht in #5130
• fix: typos in History.md by @raksbisht in #5131
• build : add [email protected] by @abenhamdine in #5028
• test: remove unused function arguments in params by @raksbisht in #5137
• use random port in test so it won't fail on already listening by @rluvaton in #5162
• tests: use cb() instead of done() by @kristof-low in #5233
• examples: remove multipart example by @riddlew in #5195
• Update support Node.js@18 in the CI by @UlisesGascon in #5490
• Fix favicon-related bug in cookie-sessions example by @DmytroKondrashov in #5414
• Release 4.18.3 by @UlisesGascon in #5505

New Contributors

• @vcsjones made their first contribution in #5032
• @abenhamdine made their first contribution in #5034
• @armujahid made their first contribution in #5027
• @raksbisht made their first contribution in #5124
• @rluvaton made their first contribution in #5162
• @kristof-low made their first contribution in #5233
• @riddlew made their first contribution in #5195
• @DmytroKondrashov made their first contribution in #5414

Full Changelog: 4.18.2...4.18.3

4.18.2

• Fix regression routing a large stack in a single route
• deps: [email protected]
  • deps: [email protected]
  • perf: remove unnecessary object clone
• deps: [email protected]

4.18.1

• Fix hanging on large stack of sync routes

4.18.0

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get
• Invoke default with same arguments as types in res.format
• Support proper 205 responses using res.send
• Use http-errors for res.format error
• deps: [email protected]
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Add priority option
  • Fix expires option to reject invalid dates
• deps: [email protected]
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: [email protected]
  • Remove set content headers that break response
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Prevent loss of async hooks context
• deps: [email protected]
• deps: [email protected]
  • Fix emitted 416 error missing headers property
  • Limit the headers removed for 304 response
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
  • Remove code 306
  • Rename 425 Unordered Collection to standard 425 Too Early