Sourced from express's releases.

v5.1.0

What's Changed

• Update captains by @​UlisesGascon in expressjs/express#6027
• build: Node.js 23.0 by @​bjohansebas in expressjs/express#6075
• Add funding field (v5) by @​bjohansebas in expressjs/express#6064
• ✅ add discarded middleware test by @​ctcpip in expressjs/express#5819
• update homepage link http to https by @​bjohansebas in expressjs/express#5920
• Improve readme by @​bjohansebas in expressjs/express#5994
• Add bjohansebas as repo captain for expressjs.com by @​crandmck in expressjs/express#6058
• Remove Object.setPrototypeOf polyfill by @​Phillip9587 in expressjs/express#6081
• fix(buffer): use node:buffer instead of safe-buffer by @​bhavya3024 in expressjs/express#6071
• docs: Add DCO by @​UlisesGascon in expressjs/express#6048
• cleanup: remove promise support check from tests by @​Phillip9587 in expressjs/express#6148
• Use loop for acceptParams by @​blakeembrey in expressjs/express#6066
• Improve documentation step in release process by @​bjohansebas in expressjs/express#6150
• cleanup: remove unnecessary require for global Buffer by @​Phillip9587 in expressjs/express#6146
• cleanup: remove AsyncLocalStorage check by @​Phillip9587 in expressjs/express#6147
• update history.md for acceptParams change by @​jonchurch in expressjs/express#6177
• docs: add @​rxmarbles to the triage team by @​UlisesGascon in expressjs/express#6151
• refactor: improve readability by @​sazk07 in expressjs/express#6173
• docs: clarify the security process in the triage role by @​bjohansebas in expressjs/express#6217
• chore: replace methods dependency with standard library by @​jonkoops in expressjs/express#6196
• Remove utils-merge dependency - use spread syntax instead by @​Phillip9587 in expressjs/express#6091
• fix(securite): fix vulnerabilities by @​Abdel-Monaam-Aouini in expressjs/express#6211
• refactor: prefix built-in node module imports by @​slagiewka in expressjs/express#6236
• fix: remove download size badges by @​wesleytodd in expressjs/express#6266
• Remove unused depd dependency by @​jonkoops in expressjs/express#6197
• fix: usage of Invalid action input 'persist-credentials' for actions/setup-node@v4 in ci.yml by @​hamirmahal in expressjs/express#6256
• Add support for OSSF scorecard reporting by @​UlisesGascon in expressjs/express#5431
• docs: add @​Phillip9587 to the triage team by @​bjohansebas in expressjs/express#6276
• fix: added a missing semicolon in css styles in examples/auth by @​pr4j3sh in expressjs/express#6297
• docs: include team email in the security policy by @​UlisesGascon in expressjs/express#6278
• refactor: simplify normalizeTypes function by @​Ayoub-Mabrouk in expressjs/express#6097
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6314
• ci: fix npm install --include typo by @​Phillip9587 in expressjs/express#6324
• ci: updated scorecard actions by @​Phillip9587 in expressjs/express#6322
• build(deps): use carat notation for dependency versions by @​dpopp07 in expressjs/express#6317
• chore(deps): update debug to ^4.4.0 by @​Phillip9587 in expressjs/express#6313
• docs: retroactively note 5.0.0-beta.1 api change in history file by @​dpopp07 in expressjs/express#6333
• feat(deps): body-parser@^2.1.0 by @​wesleytodd in expressjs/express#6332
• feat(deps): router@^2.1.0 by @​wesleytodd in expressjs/express#6331
• Update repo captains by @​UlisesGascon in expressjs/express#6234
• deps: upgrade nyc by @​agungjati in expressjs/express#6122
• fix (deps): update deps by @​wesleytodd in expressjs/express#6337
• response: add support for ETag option in res.sendFile by @​juanarbol in expressjs/express#6073
• Update multiple links to use https instead of http by @​Phillip9587 in expressjs/express#6338
• Extend res.links() to allow adding multiple links with the same rel #2729 by @​andvea in expressjs/express#4885
• docs: update emeritus triagers by @​UlisesGascon in expressjs/express#6345
• docs: update guidance for triager nominations by @​bjohansebas in expressjs/express#6349
• docs: clarify guidelines for becoming a committer by @​bjohansebas in expressjs/express#6364

... (truncated)

Sourced from express's changelog.

5.1.0 / 2025-03-31

• Add support for Uint8Array in res.send()
• Add support for ETag option in res.sendFile()
• Add support for multiple links with the same rel in res.links()
• Add funding field to package.json
• perf: use loop for acceptParams
• refactor: prefix built-in node module imports
• deps: remove setprototypeof
• deps: remove safe-buffer
• deps: remove utils-merge
• deps: remove methods
• deps: remove depd
• deps: debug@^4.4.0
• deps: body-parser@^2.2.0
• deps: router@^2.2.0
• deps: content-type@^1.0.5
• deps: finalhandler@^2.1.0
• deps: qs@^6.14.0
• deps: server-static@2.2.0
• deps: type-is@2.0.1

5.0.1 / 2024-10-08

• Update cookie semver lock to address CVE-2024-47764

5.0.0 / 2024-09-10

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@1.0.0
  • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
• change:
  • res.clearCookie will ignore user provided maxAge and expires options
• deps: cookie-signature@^1.2.1
• deps: debug@4.3.6
• deps: merge-descriptors@^2.0.0
• deps: serve-static@^2.1.0
• deps: qs@6.13.0
• deps: accepts@^2.0.0
• deps: mime-types@^3.0.0
  • application/javascript => text/javascript
• deps: type-is@^2.0.0
• deps: content-disposition@^1.0.0

... (truncated)

• cd7d439 5.1.0
• 4c4f3ea fix(deps): serve-static@^2.2.0 (#6418)
• cb4c56e fix(docs): remove @​mertcanaltin from Triagers (#6408)
• 7b44e1d ci: use full SHAs for github action versions
• eb6d125 deps: router@^2.2.0 (#6417)
• f1a2dc8 deps: type-is@^2.0.1 (#6420)
• 6b51e8e deps: body-parser@^2.2.0 (#6419)
• 1f311c5 build(deps-dev): bump cookie-session from 2.0.0 to 2.1.0 (#6399)
• 9e97144 feat(deps): finalhandler@2.1.0 (#6373)
• 29d0980 build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#6397)
• Additional commits viewable in compare view

• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)