🚨 [security] Update express 5.1.0 → 5.2.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ express (5.1.0 → 5.2.1) · Repo · Changelog

Security Advisories 🚨

🚨 express improperly controls modification of query properties

Impact

when using the extended query parser in express ('query parser': 'extended'), the request.query object inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property names

Important

the extended query parser is the default in express 4; this was changed in express 5 which by default uses the simple query parser

Patches

the issue has been patched to ensure request.query is a plain object so request.query no longer has object prototype properties. this brings the default behavior of extended query parsing in line with express's default simple query parser

Workaround

this only impacts users using extended query parsing ('query parser': 'extended'), which is the default in express 4, but not express 5. all users are encouraged to upgrade to the patched versions, but can otherwise work around this issue:

provide qs directly and specify plainObjects: true

app.set('query parser',
  function (str) {
    return qs.parse(str, {
      plainObjects: true
  });
});

Release Notes

5.2.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in #6429
• Refactor: simplify acceptsLanguages implementation using spread operator by @Ayoub-Mabrouk in #6137
• increased code coverage of utils.js file by @ashish3011 in #6386
• chore: remove duplicate word by @dufucun in #6456
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in #6498
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in #6497
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in #6496
• ci: add node.js 24 to test matrix by @Phillip9587 in #6504
• ci: update codeql config by @Phillip9587 in #6488
• chore: wider range for query test skip by @jonchurch in #6512
• chore: fix typos in test by @noritaka1166 in #6535
• ci: disable credential persistence for checkout actions by @mertssmnoglu in #6522
• ci: allow manual triggering of workflow by @shivarm in #6515
• test: add coverage for app.listen() variants by @kgarg1 in #6476
• docs: move documentation and charters to the discussions and .github … by @bjohansebas in #6427
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in #6549
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in #6548
• chore: enforce explicit Buffer import and add lint rule by @shivarm in #6525
• chore: use node protocol for querystring by @shivarm in #6520
• chore: fix typo by @mountdisk in #6609
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in #6618
• add deprecation warnings for redirect arguments undefined by @bjohansebas in #6405
• ci: run CI when the markdown changes by @bjohansebas in #6632
• doc: fix CONTRIBUTING link by @jonchurch in #6653
• doc: update contributing guidelines and code of conduct links by @ShubhamOulkar in #6601
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @dependabot[bot] in #6679
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @dependabot[bot] in #6678
• lint: add --fix flag to automatic fix linting issue by @shivarm in #6644
• chore: ignore yarn.lock file and update example by @shivarm in #6588
• lib: use req.socket over deprecated req.connection by @bjohansebas in #6705
• doc: update express app example by @shivarm in #6718
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in #6675
• Remove history.md from being packaged on publish by @sheplu in #6780
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #6797
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @dependabot[bot] in #6796
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #6795
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in #6794
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @dependabot[bot] in #6793
• ci: add node.js 25 to test matrix by @Phillip9587 in #6843
• build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #6871
• build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @dependabot[bot] in #6870
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @dependabot[bot] in #6869
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #6868
• chore: switch badges from badgen.net to shields.io by @Phillip9587 in #6900
• refactor: use cached slice in app.listen by @Tacit1 in #6897
• Nominate to @efekrskl for triage team by @bjohansebas in #6888
• docs: update emeritus triagers by @bjohansebas in #6890
• fix: upgrade body-parser to 2.2.1 to address CVE-2025-13466 by @shivarm in #6922
• build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @dependabot[bot] in #6930
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @dependabot[bot] in #6929
• build(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in #6928
• Release: 5.2.0 by @UlisesGascon in #6920

New Contributors

• @ashish3011 made their first contribution in #6386
• @dufucun made their first contribution in #6456
• @noritaka1166 made their first contribution in #6535
• @mertssmnoglu made their first contribution in #6522
• @shivarm made their first contribution in #6515
• @kgarg1 made their first contribution in #6476
• @mountdisk made their first contribution in #6609
• @ShubhamOulkar made their first contribution in #6601
• @sheplu made their first contribution in #6780
• @Tacit1 made their first contribution in #6897

Full Changelog: v5.1.0...v5.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 55 commits:

• 5.2.1
• Revert "sec: security patch for CVE-2024-51999"
• Release: 5.2.0 (#6920)
• sec: security patch for CVE-2024-51999
• build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#6928)
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#6929)
• build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 (#6930)
• deps: body-parser@^2.2.1 (#6922)
• docs: update emeritus triagers (#6890)
• Nominate to @efekrskl for triage team (#6888)
• refactor: use cached slice in app.listen (#6897)
• docs: switch badges from badgen.net to shields.io (#6900)
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#6868)
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 (#6869)
• build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (#6870)
• build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (#6871)
• ci: add node.js 25 to test matrix (#6843)
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 (#6793)
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 (#6794)
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 (#6795)
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 (#6796)
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#6797)
• chore: remove history.md from being packaged on publish (#6780)
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 (#6675)
• doc: update express app example (#6718)
• lib: use req.socket over deprecated req.connection (#6705)
• chore: update git rules to ignore `yarn.lock` file (#6588)
• lint: add --fix flag to automatic fix linting issue (#6644)
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 (#6678)
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 (#6679)
• update contributing and COC links (#6601)
• doc: fix the Contributing.md link (#6653)
• ci: run CI when the markdown changes (#6632)
• feat: add deprecation warnings for redirect arguments undefined (#6405)
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 (#6618)
• chore: fix typo (#6609)
• chore: use node protocol for node builtin module (#6520)
• chore: enforce explicit Buffer import and add lint rule (#6525)
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 (#6548)
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 (#6549)
• fix(docs): move documentation and charters to the discussions and .github … (#6427)
• test: add coverage for app.listen() variants (#6476)
• ci: allow manual triggering of workflow (#6515)
• ci: disable credential persistence for checkout actions (#6522)
• test: fix typos in test descriptions (#6535)
• chore: wider range for query test skip (#6512)
• ci: update codeql config (#6488)
• ci: add node.js 24 to test matrix (#6504)
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 (#6496)
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 (#6497)
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 (#6498)
• fix(test): remove duplicate word (#6456)
• increased code coverage of utils.js file (#6386)
• Refactor: simplify `acceptsLanguages` implementation using spread operator (#6137)
• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 (#6429)

↗️ body-parser (indirect, 2.2.0 → 2.2.1) · Repo · Changelog

Security Advisories 🚨

🚨 body-parser is vulnerable to denial of service when url encoding is used

Impact

body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.

Patches

This issue is addressed in version 2.2.1.

Release Notes

2.2.1

Important: Security

• Security fix for CVE-2025-13466 (GHSA-wqch-xfxh-vrr4)

What's Changed

• ci: add dependabot by @Phillip9587 in #593
• ci: use full SHAs for github action versions by @Phillip9587 in #594
• deps: type-is@^2.0.1 by @Phillip9587 in #599
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in #609
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by @dependabot[bot] in #610
• build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 by @dependabot[bot] in #611
• build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 by @dependabot[bot] in #613
• build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 by @dependabot[bot] in #612
• ci: add codeql github workflows scanning by @Phillip9587 in #614
• ci: update CodeQL config to ignore the test directory by @Phillip9587 in #615
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in #620
• build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by @dependabot[bot] in #619
• chore(deps): unpin devDependencies by @Phillip9587 in #616
• ci: add node.js 24 to test matrix by @Phillip9587 in #621
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in #623
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in #624
• chore: add funding to package.json by @Phillip9587 in #617
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in #625
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in #630
• refactor: move common request validation to read function by @Phillip9587 in #600
• deps: bump iconv-lite by @bjohansebas in #631
• doc: pull beta changelog forward into 2.0.0 by @jonchurch in #629
• refactor: optimize raw and text parsers with shared passthrough function by @Phillip9587 in #634
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #640
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #639
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in #636
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @dependabot[bot] in #637
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @dependabot[bot] in #638
• deps: raw-body@^3.0.1 by @Phillip9587 in #641
• deps: debug@^4.4.3 by @Phillip9587 in #642
• docs: add iconv-lite 0.7.0 changes to history entry by @Phillip9587 in #645
• ci: add node.js 25 to test matrix by @Phillip9587 in #650
• perf: move read options outside parser middlewares by @Phillip9587 in #648
• test(json): add RFC 7159 whitespace edge cases by @Ayoub-Mabrouk in #653
• test: add test for urlencoded invalid defaultCharset by @Phillip9587 in #643
• build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #657
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @dependabot[bot] in #656
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #655
• build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @dependabot[bot] in #654
• ci: also test on first supported node.js version by @Phillip9587 in #646
• chore: switch badges from badgen.net to shields.io by @Phillip9587 in #661
• Remove history.md from being packaged on publish by @bjohansebas in #660
• Release: 2.2.1 by @UlisesGascon in #659

New Contributors

• @dependabot[bot] made their first contribution in #609
• @jonchurch made their first contribution in #629
• @Ayoub-Mabrouk made their first contribution in #653

Full Changelog: v2.2.0...v2.2.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 48 commits:

• 2.2.1 (#659)
• sec: security patch for CVE-2025-13466
• feat: remove `history.md` from being packaged on publish (#660)
• docs: switch badges from badgen.net to shields.io (#661)
• ci: also test on first supported node.js version (#646)
• build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (#654)
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#655)
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 (#656)
• build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (#657)
• test: add test for urlencoded invalid defaultCharset (#643)
• test(json): add RFC 7159 whitespace edge cases (#653)
• perf: move read options outside parser middlewares (#648)
• ci: add node.js 25 to test matrix (#650)
• docs: add iconv-lite 0.7.0 changes to history entry (#645)
• deps: debug@^4.4.3 (#642)
• deps: raw-body@^3.0.1 (#641)
• Update .github/workflows/scorecard.yml
• Update .github/workflows/codeql.yml
• Update .github/workflows/codeql.yml
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0
• refactor: optimize raw and text parsers with shared passthrough function (#634)
• doc: pull beta changelog forward into 2.0.0
• deps: bump iconv-lite (#631)
• refactor: move common request validation to read function (#600)
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 (#625)
• chore: add funding to package.json (#617)
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 (#624)
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 (#623)
• ci: add node.js 24 to test matrix (#621)
• chore(deps): unpin devDependencies (#616)
• build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 (#619)
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 (#620)
• ci: update CodeQL config to ignore the test directory (#615)
• ci: add codeql github workflows scanning (#614)
• build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 (#612)
• build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 (#613)
• build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 (#611)
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 (#610)
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 (#609)
• deps: type-is@^2.0.1 (#599)
• ci: use full SHAs for github action versions (#594)
• ci: add dependabot (#593)
• ci: use full SHAs for github action versions (#594)

↗️ raw-body (indirect, 3.0.0 → 3.0.2) · Repo · Changelog

Release Notes

3.0.2

What's Changed

• docs: enhance security reporting and disclosure procedures by @bjohansebas in #101

• ci: add workflows for CodeQL analysis and Scorecard security checks, update dependabot configuration and Node.js versions by @bjohansebas in #102

• deps: use tilde notation for dependencies by @Phillip9587 in #120

• chore: remove history.md and security.md from being packaged on publish by @bjohansebas in #122

• build(deps): bump github/codeql-action from 3.30.5 to 4.31.0 by @dependabot[bot] in #105

• build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #107

• build(deps): bump actions/upload-artifact from 4 to 5 by @dependabot[bot] in #110

• chore: use neostandard by @bjohansebas in #116

• build(deps): bump actions/download-artifact from 4 to 6 by @dependabot[bot] in #108

• build(deps): bump actions/setup-node from 4 to 6 by @dependabot[bot] in #118

• build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #119

• build(deps): bump github/codeql-action from 4.31.0 to 4.31.2 by @dependabot[bot] in #117

• release: 3.0.2 by @bjohansebas in #123

New Contributors

• @dependabot[bot] made their first contribution in #105

Full Changelog: v3.0.1...v3.0.2

3.0.1

What's Changed

• ci: fix ci errors by @bjohansebas in #98
• deps: bump iconv-lite by @bjohansebas in #97
• chore: fix engines field by @bjohansebas in #99
• release: 3.0.1 by @bjohansebas in #100

New Contributors

• @bjohansebas made their first contribution in #98

Full Changelog: v3.0.0...v3.0.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

• release: 3.0.2 (#123)
• chore: remove history.md and security.md from being packaged on publish (#122)
• deps: use tilde notation for dependencies (#120)
• build(deps): bump github/codeql-action from 4.31.0 to 4.31.2 (#117)
• build(deps): bump actions/checkout from 4 to 5 (#119)
• build(deps): bump actions/setup-node from 4 to 6 (#118)
• build(deps): bump actions/download-artifact from 4 to 6 (#108)
• chore: use neostandard (#116)
• build(deps): bump actions/upload-artifact from 4 to 5 (#110)
• build(deps): bump actions/checkout from 4 to 5 (#107)
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.0 (#105)
• ci: add workflows for CodeQL analysis and Scorecard security checks; update dependabot configuration and Node.js versions (#102)
• docs: enhance security reporting and disclosure procedures (#101)
• release: 3.0.1 (#100)
• chore: fix engines field (#99)
• deps: bump iconv-lite (#97)
• ci: add node >21 (#98)

🆕 iconv-lite (added, 0.7.0)

🆕 http-errors (added, 2.0.1)

🆕 statuses (added, 2.0.2)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[coveralls]

coverage: 69.389% (+0.1%) from 69.242%
when pulling e8b0829 on depfu/update/npm/express-5.2.1
into c9be949 on next.