🚨 [security] Update express 5.1.0 → 5.2.1 (minor)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ express (5.1.0 → 5.2.1) · Repo · Changelog

Security Advisories 🚨

🚨 express improperly controls modification of query properties

Impact

when using the extended query parser in express ('query parser': 'extended'), the request.query object inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property names

Important

the extended query parser is the default in express 4; this was changed in express 5 which by default uses the simple query parser

Patches

the issue has been patched to ensure request.query is a plain object so request.query no longer has object prototype properties. this brings the default behavior of extended query parsing in line with express's default simple query parser

Workaround

this only impacts users using extended query parsing ('query parser': 'extended'), which is the default in express 4, but not express 5. all users are encouraged to upgrade to the patched versions, but can otherwise work around this issue:

provide qs directly and specify plainObjects: true

app.set('query parser',
  function (str) {
    return qs.parse(str, {
      plainObjects: true
  });
});

Release Notes

5.2.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in #6429
• Refactor: simplify acceptsLanguages implementation using spread operator by @Ayoub-Mabrouk in #6137
• increased code coverage of utils.js file by @ashish3011 in #6386
• chore: remove duplicate word by @dufucun in #6456
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in #6498
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in #6497
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in #6496
• ci: add node.js 24 to test matrix by @Phillip9587 in #6504
• ci: update codeql config by @Phillip9587 in #6488
• chore: wider range for query test skip by @jonchurch in #6512
• chore: fix typos in test by @noritaka1166 in #6535
• ci: disable credential persistence for checkout actions by @mertssmnoglu in #6522
• ci: allow manual triggering of workflow by @shivarm in #6515
• test: add coverage for app.listen() variants by @kgarg1 in #6476
• docs: move documentation and charters to the discussions and .github … by @bjohansebas in #6427
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in #6549
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in #6548
• chore: enforce explicit Buffer import and add lint rule by @shivarm in #6525
• chore: use node protocol for querystring by @shivarm in #6520
• chore: fix typo by @mountdisk in #6609
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in #6618
• add deprecation warnings for redirect arguments undefined by @bjohansebas in #6405
• ci: run CI when the markdown changes by @bjohansebas in #6632
• doc: fix CONTRIBUTING link by @jonchurch in #6653
• doc: update contributing guidelines and code of conduct links by @ShubhamOulkar in #6601
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @dependabot[bot] in #6679
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @dependabot[bot] in #6678
• lint: add --fix flag to automatic fix linting issue by @shivarm in #6644
• chore: ignore yarn.lock file and update example by @shivarm in #6588
• lib: use req.socket over deprecated req.connection by @bjohansebas in #6705
• doc: update express app example by @shivarm in #6718
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in #6675
• Remove history.md from being packaged on publish by @sheplu in #6780
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #6797
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @dependabot[bot] in #6796
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #6795
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in #6794
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @dependabot[bot] in #6793
• ci: add node.js 25 to test matrix by @Phillip9587 in #6843
• build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #6871
• build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @dependabot[bot] in #6870
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @dependabot[bot] in #6869
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #6868
• chore: switch badges from badgen.net to shields.io by @Phillip9587 in #6900
• refactor: use cached slice in app.listen by @Tacit1 in #6897
• Nominate to @efekrskl for triage team by @bjohansebas in #6888
• docs: update emeritus triagers by @bjohansebas in #6890
• fix: upgrade body-parser to 2.2.1 to address CVE-2025-13466 by @shivarm in #6922
• build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @dependabot[bot] in #6930
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @dependabot[bot] in #6929
• build(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in #6928
• Release: 5.2.0 by @UlisesGascon in #6920

New Contributors

• @ashish3011 made their first contribution in #6386
• @dufucun made their first contribution in #6456
• @noritaka1166 made their first contribution in #6535
• @mertssmnoglu made their first contribution in #6522
• @shivarm made their first contribution in #6515
• @kgarg1 made their first contribution in #6476
• @mountdisk made their first contribution in #6609
• @ShubhamOulkar made their first contribution in #6601
• @sheplu made their first contribution in #6780
• @Tacit1 made their first contribution in #6897

Full Changelog: v5.1.0...v5.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 55 commits:

• 5.2.1
• Revert "sec: security patch for CVE-2024-51999"
• Release: 5.2.0 (#6920)
• sec: security patch for CVE-2024-51999
• build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#6928)
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#6929)
• build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 (#6930)
• deps: body-parser@^2.2.1 (#6922)
• docs: update emeritus triagers (#6890)
• Nominate to @efekrskl for triage team (#6888)
• refactor: use cached slice in app.listen (#6897)
• docs: switch badges from badgen.net to shields.io (#6900)
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#6868)
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 (#6869)
• build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (#6870)
• build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (#6871)
• ci: add node.js 25 to test matrix (#6843)
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 (#6793)
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 (#6794)
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 (#6795)
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 (#6796)
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#6797)
• chore: remove history.md from being packaged on publish (#6780)
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 (#6675)
• doc: update express app example (#6718)
• lib: use req.socket over deprecated req.connection (#6705)
• chore: update git rules to ignore `yarn.lock` file (#6588)
• lint: add --fix flag to automatic fix linting issue (#6644)
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 (#6678)
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 (#6679)
• update contributing and COC links (#6601)
• doc: fix the Contributing.md link (#6653)
• ci: run CI when the markdown changes (#6632)
• feat: add deprecation warnings for redirect arguments undefined (#6405)
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 (#6618)
• chore: fix typo (#6609)
• chore: use node protocol for node builtin module (#6520)
• chore: enforce explicit Buffer import and add lint rule (#6525)
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 (#6548)
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 (#6549)
• fix(docs): move documentation and charters to the discussions and .github … (#6427)
• test: add coverage for app.listen() variants (#6476)
• ci: allow manual triggering of workflow (#6515)
• ci: disable credential persistence for checkout actions (#6522)
• test: fix typos in test descriptions (#6535)
• chore: wider range for query test skip (#6512)
• ci: update codeql config (#6488)
• ci: add node.js 24 to test matrix (#6504)
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 (#6496)
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 (#6497)
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 (#6498)
• fix(test): remove duplicate word (#6456)
• increased code coverage of utils.js file (#6386)
• Refactor: simplify `acceptsLanguages` implementation using spread operator (#6137)
• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 (#6429)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud