diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2a143eed63..6dba5c2d9f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,23 +27,23 @@ jobs:
         include:
         - name: Node.js 4.0
           node-version: "4.0"
-          npm-i: mocha@5.2.0 supertest@3.4.2
+          npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2
 
         - name: Node.js 4.x
           node-version: "4.9"
-          npm-i: mocha@5.2.0 supertest@3.4.2
+          npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2
 
         - name: Node.js 5.x
           node-version: "5.12"
-          npm-i: mocha@5.2.0 supertest@3.4.2
+          npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2
 
         - name: Node.js 6.x
           node-version: "6.17"
-          npm-i: mocha@6.2.2
+          npm-i: mocha@6.2.2 nyc@14.1.1 supertest@6.1.6
 
         - name: Node.js 7.x
           node-version: "7.10"
-          npm-i: mocha@6.2.2
+          npm-i: mocha@6.2.2 nyc@14.1.1 supertest@6.1.6
 
         - name: Node.js 8.x
           node-version: "8.17"
@@ -68,7 +68,7 @@ jobs:
           node-version: "13.14"
 
         - name: Node.js 14.x
-          node-version: "14.18"
+          node-version: "14.19"
 
     steps:
     - uses: actions/checkout@v2
@@ -113,6 +113,7 @@ jobs:
         echo "node@$(node -v)"
         echo "npm@$(npm -v)"
         npm -s ls ||:
+        (npm -s ls --depth=0 ||:) | awk -F'[ @]' 'NR>1 && $2 { print "::set-output name=" $2 "::" $3 }'
 
     - name: Run tests
       shell: bash
diff --git a/.gitignore b/.gitignore
index 5fee6a2dc9..3a673d9cc0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,27 +1,15 @@
-# OS X
-.DS_Store*
-Icon?
-._*
-
-# Windows
-Thumbs.db
-ehthumbs.db
-Desktop.ini
-
-# Linux
-.directory
-*~
-
-
 # npm
 node_modules
 package-lock.json
 *.log
 *.gz
 
-
 # Coveralls
+.nyc_output
 coverage
 
 # Benchmarking
 benchmarks/graphs
+
+# ignore additional files using core.excludesFile
+# https://git-scm.com/docs/gitignore
diff --git a/History.md b/History.md
index d89efef4e6..5380daf09c 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+5.x
+===
+
+This incorporates all changes after 4.17.2 up to 4.17.3.
+
 5.0.0-beta.1 / 2022-02-14
 =========================
 
@@ -157,6 +162,21 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
   * add:
     - `app.router` is a reference to the base router
 
+4.17.3 / 2022-02-16
+===================
+
+  * deps: accepts@~1.3.8
+    - deps: mime-types@~2.1.34
+    - deps: negotiator@0.6.3
+  * deps: body-parser@1.19.2
+    - deps: bytes@3.1.2
+    - deps: qs@6.9.7
+    - deps: raw-body@2.4.3
+  * deps: cookie@0.4.2
+  * deps: qs@6.9.7
+    * Fix handling of `__proto__` keys
+  * pref: remove unnecessary regexp for trust proxy
+
 4.17.2 / 2021-12-16
 ===================
 
diff --git a/appveyor.yml b/appveyor.yml
index 433729652b..7f7a3717e7 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -10,7 +10,7 @@ environment:
     - nodejs_version: "11.15"
     - nodejs_version: "12.22"
     - nodejs_version: "13.14"
-    - nodejs_version: "14.18"
+    - nodejs_version: "14.19"
 cache:
   - node_modules
 install:
@@ -46,11 +46,25 @@ install:
       } elseif ([int]$env:nodejs_version.split(".")[0] -lt 12) {
         npm install --silent --save-dev mocha@8.4.0
       }
+  - ps: |
+      # nyc for test coverage
+      # - use 10.3.2 for Node.js < 4
+      # - use 11.9.0 for Node.js < 6
+      # - use 14.1.1 for Node.js < 8
+      if ([int]$env:nodejs_version.split(".")[0] -lt 4) {
+        npm install --silent --save-dev nyc@10.3.2
+      } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) {
+        npm install --silent --save-dev nyc@11.9.0
+      } elseif ([int]$env:nodejs_version.split(".")[0] -lt 8) {
+        npm install --silent --save-dev nyc@14.1.1
+      }
   - ps: |
       # supertest for http calls
       # - use 3.4.2 for Node.js < 6
       if ([int]$env:nodejs_version.split(".")[0] -lt 6) {
         npm install --silent --save-dev supertest@3.4.2
+      } elseif ([int]$env:nodejs_version.split(".")[0] -lt 8) {
+        npm install --silent --save-dev supertest@6.1.6
       }
   # Update Node.js modules
   - ps: |
diff --git a/examples/auth/index.js b/examples/auth/index.js
index 2f05d5ff8d..2859545c54 100644
--- a/examples/auth/index.js
+++ b/examples/auth/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
@@ -59,14 +61,14 @@ function authenticate(name, pass, fn) {
   if (!module.parent) console.log('authenticating %s:%s', name, pass);
   var user = users[name];
   // query the db for the given username
-  if (!user) return fn(new Error('cannot find user'));
+  if (!user) return fn(null, null)
   // apply the same algorithm to the POSTed password, applying
   // the hash against the pass / salt, if there is a match we
   // found the user
   hash({ password: pass, salt: user.salt }, function (err, pass, salt, hash) {
     if (err) return fn(err);
     if (hash === user.hash) return fn(null, user)
-    fn(new Error('invalid password'));
+    fn(null, null)
   });
 }
 
@@ -99,9 +101,10 @@ app.get('/login', function(req, res){
   res.render('login');
 });
 
-app.post('/login', function(req, res){
+app.post('/login', function (req, res, next) {
   if (!req.body) return res.sendStatus(400)
   authenticate(req.body.username, req.body.password, function(err, user){
+    if (err) return next(err)
     if (user) {
       // Regenerate session when signing in
       // to prevent fixation
diff --git a/examples/content-negotiation/db.js b/examples/content-negotiation/db.js
index 43fb04baa1..f59b23bf18 100644
--- a/examples/content-negotiation/db.js
+++ b/examples/content-negotiation/db.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var users = [];
 
 users.push({ name: 'Tobi' });
diff --git a/examples/content-negotiation/index.js b/examples/content-negotiation/index.js
index 348929e852..280a4e2299 100644
--- a/examples/content-negotiation/index.js
+++ b/examples/content-negotiation/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../../');
 var app = module.exports = express();
 var users = require('./db');
diff --git a/examples/content-negotiation/users.js b/examples/content-negotiation/users.js
index fe511072ec..fe703e73a9 100644
--- a/examples/content-negotiation/users.js
+++ b/examples/content-negotiation/users.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var users = require('./db');
 
diff --git a/examples/cookie-sessions/index.js b/examples/cookie-sessions/index.js
index 1dda15de61..01c731c1c8 100644
--- a/examples/cookie-sessions/index.js
+++ b/examples/cookie-sessions/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/cookies/index.js b/examples/cookies/index.js
index 7d6264a143..8bca73ff97 100644
--- a/examples/cookies/index.js
+++ b/examples/cookies/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/downloads/index.js b/examples/downloads/index.js
index dc59532c40..0d8118591f 100644
--- a/examples/downloads/index.js
+++ b/examples/downloads/index.js
@@ -1,11 +1,18 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
 var express = require('../../');
 var path = require('path');
+var resolvePath = require('resolve-path')
+
 var app = module.exports = express();
 
+// path to where the files are stored on disk
+var FILES_DIR = path.join(__dirname, 'files')
+
 app.get('/', function(req, res){
   res.send('<ul>' +
     '<li>Download <a href="/files/notes/groceries.txt">notes/groceries.txt</a>.</li>' +
@@ -18,7 +25,7 @@ app.get('/', function(req, res){
 // /files/* is accessed via req.params[0]
 // but here we name it :file
 app.get('/files/:file+', function (req, res, next) {
-  var filePath = path.join(__dirname, 'files', req.params.file);
+  var filePath = resolvePath(FILES_DIR, req.params.file)
 
   res.download(filePath, function (err) {
     if (!err) return; // file sent
diff --git a/examples/ejs/index.js b/examples/ejs/index.js
index 7278091293..a39d805a16 100644
--- a/examples/ejs/index.js
+++ b/examples/ejs/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/error-pages/index.js b/examples/error-pages/index.js
index 44333cb08f..efa815c474 100644
--- a/examples/error-pages/index.js
+++ b/examples/error-pages/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/error/index.js b/examples/error/index.js
index 07814d8520..d922de06cc 100644
--- a/examples/error/index.js
+++ b/examples/error/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/hello-world/index.js b/examples/hello-world/index.js
index 04382ac3d0..8c1855c2eb 100644
--- a/examples/hello-world/index.js
+++ b/examples/hello-world/index.js
@@ -1,6 +1,8 @@
+'use strict'
+
 var express = require('../../');
 
-var app = express();
+var app = module.exports = express()
 
 app.get('/', function(req, res){
   res.send('Hello World');
diff --git a/examples/markdown/index.js b/examples/markdown/index.js
index df8c195fb4..74ac05e77f 100644
--- a/examples/markdown/index.js
+++ b/examples/markdown/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/multi-router/controllers/api_v1.js b/examples/multi-router/controllers/api_v1.js
index 08b7b5e6fd..a301e3ee72 100644
--- a/examples/multi-router/controllers/api_v1.js
+++ b/examples/multi-router/controllers/api_v1.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../../..');
 
 var apiv1 = express.Router();
diff --git a/examples/multi-router/controllers/api_v2.js b/examples/multi-router/controllers/api_v2.js
index 4dd708281c..e997fb1f88 100644
--- a/examples/multi-router/controllers/api_v2.js
+++ b/examples/multi-router/controllers/api_v2.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../../..');
 
 var apiv2 = express.Router();
diff --git a/examples/multi-router/index.js b/examples/multi-router/index.js
index 78bae9d6e3..dbfd284126 100644
--- a/examples/multi-router/index.js
+++ b/examples/multi-router/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../..');
 
 var app = module.exports = express();
diff --git a/examples/multipart/index.js b/examples/multipart/index.js
index 42c2af23f7..ea7b86e0c9 100644
--- a/examples/multipart/index.js
+++ b/examples/multipart/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/mvc/controllers/main/index.js b/examples/mvc/controllers/main/index.js
index 031862d345..74cde191cd 100644
--- a/examples/mvc/controllers/main/index.js
+++ b/examples/mvc/controllers/main/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 exports.index = function(req, res){
   res.redirect('/users');
 };
diff --git a/examples/mvc/controllers/pet/index.js b/examples/mvc/controllers/pet/index.js
index 157a98e84e..214160f9a4 100644
--- a/examples/mvc/controllers/pet/index.js
+++ b/examples/mvc/controllers/pet/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/mvc/controllers/user-pet/index.js b/examples/mvc/controllers/user-pet/index.js
index 416b00741a..42a29adebe 100644
--- a/examples/mvc/controllers/user-pet/index.js
+++ b/examples/mvc/controllers/user-pet/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/mvc/controllers/user/index.js b/examples/mvc/controllers/user/index.js
index a7b0208c8e..ec3ae4c811 100644
--- a/examples/mvc/controllers/user/index.js
+++ b/examples/mvc/controllers/user/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/mvc/db.js b/examples/mvc/db.js
index c992afcfd7..94d1480f9b 100644
--- a/examples/mvc/db.js
+++ b/examples/mvc/db.js
@@ -1,3 +1,5 @@
+'use strict'
+
 // faux database
 
 var pets = exports.pets = [];
diff --git a/examples/mvc/index.js b/examples/mvc/index.js
index 77885a60ca..da4727b282 100644
--- a/examples/mvc/index.js
+++ b/examples/mvc/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/mvc/lib/boot.js b/examples/mvc/lib/boot.js
index 422330dc06..0216e5d76d 100644
--- a/examples/mvc/lib/boot.js
+++ b/examples/mvc/lib/boot.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/online/index.js b/examples/online/index.js
index f14474c08d..0b5fdffc86 100644
--- a/examples/online/index.js
+++ b/examples/online/index.js
@@ -1,3 +1,4 @@
+'use strict'
 
 // install redis first:
 // https://redis.io/
diff --git a/examples/params/index.js b/examples/params/index.js
index 5b57573d1e..b153b93b98 100644
--- a/examples/params/index.js
+++ b/examples/params/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/resource/index.js b/examples/resource/index.js
index b79ad923d2..ff1f6fe11f 100644
--- a/examples/resource/index.js
+++ b/examples/resource/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/route-map/index.js b/examples/route-map/index.js
index e7adf5fcb4..2bc28bd4b2 100644
--- a/examples/route-map/index.js
+++ b/examples/route-map/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/route-middleware/index.js b/examples/route-middleware/index.js
index e7a0901fa8..44ec13a95b 100644
--- a/examples/route-middleware/index.js
+++ b/examples/route-middleware/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/route-separation/index.js b/examples/route-separation/index.js
index 6512109134..5d48381111 100644
--- a/examples/route-separation/index.js
+++ b/examples/route-separation/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/route-separation/post.js b/examples/route-separation/post.js
index e3f12e7884..3a8e3a2d22 100644
--- a/examples/route-separation/post.js
+++ b/examples/route-separation/post.js
@@ -1,3 +1,5 @@
+'use strict'
+
 // Fake posts database
 
 var posts = [
diff --git a/examples/route-separation/site.js b/examples/route-separation/site.js
index a3d20bc8a1..aee36d1bd7 100644
--- a/examples/route-separation/site.js
+++ b/examples/route-separation/site.js
@@ -1,3 +1,5 @@
+'use strict'
+
 exports.index = function(req, res){
   res.render('index', { title: 'Route Separation Example' });
 };
diff --git a/examples/route-separation/user.js b/examples/route-separation/user.js
index ef79b343a2..1c2aec7cd2 100644
--- a/examples/route-separation/user.js
+++ b/examples/route-separation/user.js
@@ -1,3 +1,5 @@
+'use strict'
+
 // Fake user database
 
 var users = [
diff --git a/examples/search/index.js b/examples/search/index.js
index add16d5248..4b57168987 100644
--- a/examples/search/index.js
+++ b/examples/search/index.js
@@ -1,3 +1,4 @@
+'use strict'
 
 // install redis first:
 // https://redis.io/
diff --git a/examples/search/public/client.js b/examples/search/public/client.js
index 75c37d8e00..cd43faf71e 100644
--- a/examples/search/public/client.js
+++ b/examples/search/public/client.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var search = document.querySelector('[type=search]');
 var code = document.querySelector('pre');
 
diff --git a/examples/session/index.js b/examples/session/index.js
index 9bae48b8d3..2bb2b109c8 100644
--- a/examples/session/index.js
+++ b/examples/session/index.js
@@ -1,3 +1,4 @@
+'use strict'
 
 // install redis first:
 // https://redis.io/
diff --git a/examples/session/redis.js b/examples/session/redis.js
index 1338d6e95e..bbbdc7fd3e 100644
--- a/examples/session/redis.js
+++ b/examples/session/redis.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/static-files/index.js b/examples/static-files/index.js
index 0e44313d15..609c546b47 100644
--- a/examples/static-files/index.js
+++ b/examples/static-files/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/vhost/index.js b/examples/vhost/index.js
index 4a0c17b850..a9499356b4 100644
--- a/examples/vhost/index.js
+++ b/examples/vhost/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/view-constructor/github-view.js b/examples/view-constructor/github-view.js
index 0a98a90843..43d29336ca 100644
--- a/examples/view-constructor/github-view.js
+++ b/examples/view-constructor/github-view.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/view-constructor/index.js b/examples/view-constructor/index.js
index 175a254e4e..3d673670e3 100644
--- a/examples/view-constructor/index.js
+++ b/examples/view-constructor/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/view-locals/index.js b/examples/view-locals/index.js
index cb41509606..bf52d2a85a 100644
--- a/examples/view-locals/index.js
+++ b/examples/view-locals/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
diff --git a/examples/view-locals/user.js b/examples/view-locals/user.js
index 90ab1f389d..aaa6f85ff0 100644
--- a/examples/view-locals/user.js
+++ b/examples/view-locals/user.js
@@ -1,3 +1,5 @@
+'use strict'
+
 module.exports = User;
 
 // faux model
diff --git a/examples/web-service/index.js b/examples/web-service/index.js
index 3685619d10..a2cd2cb7f9 100644
--- a/examples/web-service/index.js
+++ b/examples/web-service/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
@@ -32,7 +34,7 @@ app.use('/api', function(req, res, next){
   if (!key) return next(error(400, 'api key required'));
 
   // key is invalid
-  if (!~apiKeys.indexOf(key)) return next(error(401, 'invalid api key'));
+  if (apiKeys.indexOf(key) === -1) return next(error(401, 'invalid api key'))
 
   // all good, store req.key for route access
   req.key = key;
diff --git a/lib/response.js b/lib/response.js
index d3c8a45b5c..e6f3cce13e 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -389,7 +389,7 @@ res.sendFile = function sendFile(path, options, callback) {
  * Optionally providing an alternate attachment `filename`,
  * and optional callback `callback(err)`. The callback is invoked
  * when the data transfer is complete, or when an error has
- * ocurred. Be sure to check `res.headersSent` if you plan to respond.
+ * occurred. Be sure to check `res.headersSent` if you plan to respond.
  *
  * Optionally providing an `options` object to use with `res.sendFile()`.
  * This function will set the `Content-Disposition` header, overriding
diff --git a/lib/utils.js b/lib/utils.js
index 43cf47ada8..df3335bee2 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -187,7 +187,8 @@ exports.compileTrust = function(val) {
 
   if (typeof val === 'string') {
     // Support comma-separated values
-    val = val.split(/ *, */);
+    val = val.split(',')
+      .map(function (v) { return v.trim() })
   }
 
   return proxyaddr.compile(val || []);
diff --git a/package.json b/package.json
index e22f640d57..302cdfa050 100644
--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
     "body-parser": "2.0.0-beta.1",
     "content-disposition": "0.5.4",
     "content-type": "~1.0.4",
-    "cookie": "0.4.1",
+    "cookie": "0.4.2",
     "cookie-signature": "1.0.6",
     "debug": "3.1.0",
     "depd": "~1.1.2",
@@ -49,7 +49,7 @@
     "parseurl": "~1.3.3",
     "path-is-absolute": "1.0.1",
     "proxy-addr": "~2.0.7",
-    "qs": "6.9.6",
+    "qs": "6.9.7",
     "range-parser": "~1.2.1",
     "router": "2.0.0-beta.1",
     "safe-buffer": "5.2.1",
@@ -70,15 +70,16 @@
     "eslint": "7.32.0",
     "express-session": "1.17.2",
     "hbs": "4.2.0",
-    "istanbul": "0.4.5",
     "marked": "0.7.0",
     "method-override": "3.0.0",
-    "mocha": "9.1.3",
+    "mocha": "9.2.0",
     "morgan": "1.10.0",
-    "multiparty": "4.2.2",
+    "multiparty": "4.2.3",
+    "nyc": "15.1.0",
     "pbkdf2-password": "1.2.1",
+    "resolve-path": "1.4.0",
     "should": "13.2.3",
-    "supertest": "6.1.6",
+    "supertest": "6.2.2",
     "vhost": "~3.0.2"
   },
   "engines": {
@@ -94,8 +95,8 @@
   "scripts": {
     "lint": "eslint .",
     "test": "mocha --require test/support/env --reporter spec --bail --check-leaks test/ test/acceptance/",
-    "test-ci": "istanbul cover node_modules/mocha/bin/_mocha --report lcovonly -- --require test/support/env --reporter spec --check-leaks test/ test/acceptance/",
-    "test-cov": "istanbul cover node_modules/mocha/bin/_mocha -- --require test/support/env --reporter dot --check-leaks test/ test/acceptance/",
+    "test-ci": "nyc --reporter=lcovonly --reporter=text npm test",
+    "test-cov": "nyc --reporter=html --reporter=text npm test",
     "test-tap": "mocha --require test/support/env --reporter tap --check-leaks test/ test/acceptance/"
   }
 }
diff --git a/test/Route.js b/test/Route.js
index 8f90152d8c..005b4634e9 100644
--- a/test/Route.js
+++ b/test/Route.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var after = require('after');
 var should = require('should');
diff --git a/test/Router.js b/test/Router.js
index 30837ff123..233a907a74 100644
--- a/test/Router.js
+++ b/test/Router.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var after = require('after');
 var express = require('../')
diff --git a/test/acceptance/auth.js b/test/acceptance/auth.js
index 9a36ea45fe..d7838755a0 100644
--- a/test/acceptance/auth.js
+++ b/test/acceptance/auth.js
@@ -22,7 +22,7 @@ describe('auth', function(){
       .expect(200, /<form/, done)
     })
 
-    it('should display login error', function(done){
+    it('should display login error for bad user', function (done) {
       request(app)
       .post('/login')
       .type('urlencoded')
@@ -36,6 +36,21 @@ describe('auth', function(){
         .expect(200, /Authentication failed/, done)
       })
     })
+
+    it('should display login error for bad password', function (done) {
+      request(app)
+        .post('/login')
+        .type('urlencoded')
+        .send('username=tj&password=nogood')
+        .expect('Location', '/login')
+        .expect(302, function (err, res) {
+          if (err) return done(err)
+          request(app)
+            .get('/login')
+            .set('Cookie', getCookie(res))
+            .expect(200, /Authentication failed/, done)
+        })
+    })
   })
 
   describe('GET /logout',function(){
diff --git a/test/acceptance/downloads.js b/test/acceptance/downloads.js
index ae44388354..6db43b351e 100644
--- a/test/acceptance/downloads.js
+++ b/test/acceptance/downloads.js
@@ -36,4 +36,12 @@ describe('downloads', function(){
       .expect(404, done)
     })
   })
+
+  describe('GET /files/../index.js', function () {
+    it('should respond with 403', function (done) {
+      request(app)
+        .get('/files/../index.js')
+        .expect(403, done)
+    })
+  })
 })
diff --git a/test/acceptance/hello-world.js b/test/acceptance/hello-world.js
new file mode 100644
index 0000000000..db90349c49
--- /dev/null
+++ b/test/acceptance/hello-world.js
@@ -0,0 +1,21 @@
+
+var app = require('../../examples/hello-world')
+var request = require('supertest')
+
+describe('hello-world', function () {
+  describe('GET /', function () {
+    it('should respond with hello world', function (done) {
+      request(app)
+        .get('/')
+        .expect(200, 'Hello World', done)
+    })
+  })
+
+  describe('GET /missing', function () {
+    it('should respond with 404', function (done) {
+      request(app)
+        .get('/missing')
+        .expect(404, done)
+    })
+  })
+})
diff --git a/test/app.all.js b/test/app.all.js
index e9ef08831d..185a8332fe 100644
--- a/test/app.all.js
+++ b/test/app.all.js
@@ -1,22 +1,25 @@
+'use strict'
 
+var after = require('after')
 var express = require('../')
   , request = require('supertest');
 
 describe('app.all()', function(){
   it('should add a router per method', function(done){
     var app = express();
+    var cb = after(2, done)
 
     app.all('/tobi', function(req, res){
       res.end(req.method);
     });
 
     request(app)
-    .put('/tobi')
-    .expect('PUT', function(){
-      request(app)
+      .put('/tobi')
+      .expect(200, 'PUT', cb)
+
+    request(app)
       .get('/tobi')
-      .expect('GET', done);
-    });
+      .expect(200, 'GET', cb)
   })
 
   it('should run the callback for a method just once', function(done){
diff --git a/test/app.engine.js b/test/app.engine.js
index b198292fa0..214510a94c 100644
--- a/test/app.engine.js
+++ b/test/app.engine.js
@@ -1,4 +1,6 @@
+'use strict'
 
+var assert = require('assert')
 var express = require('../')
   , fs = require('fs');
 var path = require('path')
@@ -22,16 +24,16 @@ describe('app', function(){
 
       app.render('user.html', function(err, str){
         if (err) return done(err);
-        str.should.equal('<p>tobi</p>');
+        assert.strictEqual(str, '<p>tobi</p>')
         done();
       })
     })
 
     it('should throw when the callback is missing', function(){
       var app = express();
-      (function(){
+      assert.throws(function () {
         app.engine('.html', null);
-      }).should.throw('callback function required');
+      }, /callback function required/)
     })
 
     it('should work without leading "."', function(done){
@@ -43,7 +45,7 @@ describe('app', function(){
 
       app.render('user.html', function(err, str){
         if (err) return done(err);
-        str.should.equal('<p>tobi</p>');
+        assert.strictEqual(str, '<p>tobi</p>')
         done();
       })
     })
@@ -58,7 +60,7 @@ describe('app', function(){
 
       app.render('user', function(err, str){
         if (err) return done(err);
-        str.should.equal('<p>tobi</p>');
+        assert.strictEqual(str, '<p>tobi</p>')
         done();
       })
     })
@@ -73,7 +75,7 @@ describe('app', function(){
 
       app.render('user', function(err, str){
         if (err) return done(err);
-        str.should.equal('<p>tobi</p>');
+        assert.strictEqual(str, '<p>tobi</p>')
         done();
       })
     })
diff --git a/test/app.head.js b/test/app.head.js
index b417ca0c92..fabb98795a 100644
--- a/test/app.head.js
+++ b/test/app.head.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../');
 var request = require('supertest');
@@ -46,23 +47,20 @@ describe('HEAD', function(){
 describe('app.head()', function(){
   it('should override', function(done){
     var app = express()
-      , called;
 
     app.head('/tobi', function(req, res){
-      called = true;
-      res.end('');
+      res.header('x-method', 'head')
+      res.end()
     });
 
     app.get('/tobi', function(req, res){
-      assert(0, 'should not call GET');
+      res.header('x-method', 'get')
       res.send('tobi');
     });
 
     request(app)
-    .head('/tobi')
-    .expect(200, function(){
-      assert(called);
-      done();
-    });
+      .head('/tobi')
+      .expect('x-method', 'head')
+      .expect(200, done)
   })
 })
diff --git a/test/app.js b/test/app.js
index 4a18b9bcd6..fe7d4c2758 100644
--- a/test/app.js
+++ b/test/app.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert')
 var express = require('..')
@@ -32,8 +33,8 @@ describe('app.parent', function(){
     blog.use('/admin', blogAdmin);
 
     assert(!app.parent, 'app.parent');
-    blog.parent.should.equal(app);
-    blogAdmin.parent.should.equal(blog);
+    assert.strictEqual(blog.parent, app)
+    assert.strictEqual(blogAdmin.parent, blog)
   })
 })
 
@@ -48,10 +49,10 @@ describe('app.mountpath', function(){
     app.use(fallback);
     blog.use('/admin', admin);
 
-    admin.mountpath.should.equal('/admin');
-    app.mountpath.should.equal('/');
-    blog.mountpath.should.equal('/blog');
-    fallback.mountpath.should.equal('/');
+    assert.strictEqual(admin.mountpath, '/admin')
+    assert.strictEqual(app.mountpath, '/')
+    assert.strictEqual(blog.mountpath, '/blog')
+    assert.strictEqual(fallback.mountpath, '/')
   })
 })
 
@@ -64,35 +65,56 @@ describe('app.path()', function(){
     app.use('/blog', blog);
     blog.use('/admin', blogAdmin);
 
-    app.path().should.equal('');
-    blog.path().should.equal('/blog');
-    blogAdmin.path().should.equal('/blog/admin');
+    assert.strictEqual(app.path(), '')
+    assert.strictEqual(blog.path(), '/blog')
+    assert.strictEqual(blogAdmin.path(), '/blog/admin')
   })
 })
 
 describe('in development', function(){
+  before(function () {
+    this.env = process.env.NODE_ENV
+    process.env.NODE_ENV = 'development'
+  })
+
+  after(function () {
+    process.env.NODE_ENV = this.env
+  })
+
   it('should disable "view cache"', function(){
-    process.env.NODE_ENV = 'development';
     var app = express();
-    app.enabled('view cache').should.be.false()
-    process.env.NODE_ENV = 'test';
+    assert.ok(!app.enabled('view cache'))
   })
 })
 
 describe('in production', function(){
+  before(function () {
+    this.env = process.env.NODE_ENV
+    process.env.NODE_ENV = 'production'
+  })
+
+  after(function () {
+    process.env.NODE_ENV = this.env
+  })
+
   it('should enable "view cache"', function(){
-    process.env.NODE_ENV = 'production';
     var app = express();
-    app.enabled('view cache').should.be.true()
-    process.env.NODE_ENV = 'test';
+    assert.ok(app.enabled('view cache'))
   })
 })
 
 describe('without NODE_ENV', function(){
+  before(function () {
+    this.env = process.env.NODE_ENV
+    process.env.NODE_ENV = ''
+  })
+
+  after(function () {
+    process.env.NODE_ENV = this.env
+  })
+
   it('should default to development', function(){
-    process.env.NODE_ENV = '';
     var app = express();
-    app.get('env').should.equal('development');
-    process.env.NODE_ENV = 'test';
+    assert.strictEqual(app.get('env'), 'development')
   })
 })
diff --git a/test/app.listen.js b/test/app.listen.js
index 9d54ca5244..08eeaaa63c 100644
--- a/test/app.listen.js
+++ b/test/app.listen.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
 
diff --git a/test/app.locals.js b/test/app.locals.js
index d8bfb5a987..88f83c9483 100644
--- a/test/app.locals.js
+++ b/test/app.locals.js
@@ -1,16 +1,19 @@
+'use strict'
 
+var assert = require('assert')
 var express = require('../')
+var should = require('should')
 
 describe('app', function(){
   describe('.locals(obj)', function(){
     it('should merge locals', function(){
       var app = express();
-      Object.keys(app.locals).should.eql(['settings']);
+      should(Object.keys(app.locals)).eql(['settings'])
       app.locals.user = 'tobi';
       app.locals.age = 2;
-      Object.keys(app.locals).should.eql(['settings', 'user', 'age']);
-      app.locals.user.should.equal('tobi');
-      app.locals.age.should.equal(2);
+      should(Object.keys(app.locals)).eql(['settings', 'user', 'age'])
+      assert.strictEqual(app.locals.user, 'tobi')
+      assert.strictEqual(app.locals.age, 2)
     })
   })
 
@@ -19,8 +22,8 @@ describe('app', function(){
       var app = express();
       app.set('title', 'House of Manny');
       var obj = app.locals.settings;
-      obj.should.have.property('env', 'test');
-      obj.should.have.property('title', 'House of Manny');
+      should(obj).have.property('env', 'test')
+      should(obj).have.property('title', 'House of Manny')
     })
   })
 })
diff --git a/test/app.options.js b/test/app.options.js
index b924475038..ee4c81631c 100644
--- a/test/app.options.js
+++ b/test/app.options.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/app.param.js b/test/app.param.js
index 93e5befcde..bfda9ddc3b 100644
--- a/test/app.param.js
+++ b/test/app.param.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
@@ -16,24 +17,22 @@ describe('app', function(){
 
       app.get('/post/:id', function(req, res){
         var id = req.params.id;
-        id.should.be.a.Number()
-        res.send('' + id);
+        res.send((typeof id) + ':' + id)
       });
 
       app.get('/user/:uid', function(req, res){
         var id = req.params.id;
-        id.should.be.a.Number()
-        res.send('' + id);
+        res.send((typeof id) + ':' + id)
       });
 
       request(app)
-      .get('/user/123')
-      .expect(200, '123', function (err) {
-        if (err) return done(err)
-        request(app)
-        .get('/post/123')
-        .expect('123', done);
-      })
+        .get('/user/123')
+        .expect(200, 'number:123', function (err) {
+          if (err) return done(err)
+          request(app)
+            .get('/post/123')
+            .expect('number:123', done)
+        })
     })
   })
 
@@ -50,13 +49,12 @@ describe('app', function(){
 
       app.get('/user/:id', function(req, res){
         var id = req.params.id;
-        id.should.be.a.Number()
-        res.send('' + id);
+        res.send((typeof id) + ':' + id)
       });
 
       request(app)
-      .get('/user/123')
-      .expect('123', done);
+        .get('/user/123')
+        .expect(200, 'number:123', done)
     })
 
     it('should only call once per request', function(done) {
diff --git a/test/app.render.js b/test/app.render.js
index 54f6c2ca82..9d202acfdd 100644
--- a/test/app.render.js
+++ b/test/app.render.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert')
 var express = require('..');
@@ -13,7 +14,7 @@ describe('app', function(){
 
       app.render(path.join(__dirname, 'fixtures', 'user.tmpl'), function (err, str) {
         if (err) return done(err);
-        str.should.equal('<p>tobi</p>');
+        assert.strictEqual(str, '<p>tobi</p>')
         done();
       })
     })
@@ -26,7 +27,7 @@ describe('app', function(){
 
       app.render(path.join(__dirname, 'fixtures', 'user'), function (err, str) {
         if (err) return done(err);
-        str.should.equal('<p>tobi</p>');
+        assert.strictEqual(str, '<p>tobi</p>')
         done();
       })
     })
@@ -39,7 +40,7 @@ describe('app', function(){
 
       app.render('user.tmpl', function (err, str) {
         if (err) return done(err);
-        str.should.equal('<p>tobi</p>');
+        assert.strictEqual(str, '<p>tobi</p>')
         done();
       })
     })
@@ -52,7 +53,7 @@ describe('app', function(){
 
       app.render('blog/post', function (err, str) {
         if (err) return done(err);
-        str.should.equal('<h1>blog post</h1>');
+        assert.strictEqual(str, '<h1>blog post</h1>')
         done();
       })
     })
@@ -72,8 +73,8 @@ describe('app', function(){
       app.set('view', View);
 
       app.render('something', function(err, str){
-        err.should.be.ok()
-        err.message.should.equal('err!');
+        assert.ok(err)
+        assert.strictEqual(err.message, 'err!')
         done();
       })
     })
@@ -113,7 +114,7 @@ describe('app', function(){
 
         app.render('email.tmpl', function (err, str) {
           if (err) return done(err);
-          str.should.equal('<p>This is an email</p>');
+          assert.strictEqual(str, '<p>This is an email</p>')
           done();
         })
       })
@@ -128,7 +129,7 @@ describe('app', function(){
 
         app.render('email', function(err, str){
           if (err) return done(err);
-          str.should.equal('<p>This is an email</p>');
+          assert.strictEqual(str, '<p>This is an email</p>')
           done();
         })
       })
@@ -143,7 +144,7 @@ describe('app', function(){
 
         app.render('user.tmpl', function (err, str) {
           if (err) return done(err);
-          str.should.equal('<p>tobi</p>');
+          assert.strictEqual(str, '<p>tobi</p>')
           done();
         })
       })
@@ -161,7 +162,7 @@ describe('app', function(){
 
           app.render('user.tmpl', function (err, str) {
             if (err) return done(err);
-            str.should.equal('<span>tobi</span>');
+            assert.strictEqual(str, '<span>tobi</span>')
             done();
           })
         })
@@ -178,7 +179,7 @@ describe('app', function(){
 
           app.render('name.tmpl', function (err, str) {
             if (err) return done(err);
-            str.should.equal('<p>tobi</p>');
+            assert.strictEqual(str, '<p>tobi</p>')
             done();
           })
         })
@@ -219,7 +220,7 @@ describe('app', function(){
 
         app.render('something', function(err, str){
           if (err) return done(err);
-          str.should.equal('abstract engine');
+          assert.strictEqual(str, 'abstract engine')
           done();
         })
       })
@@ -245,12 +246,12 @@ describe('app', function(){
 
         app.render('something', function(err, str){
           if (err) return done(err);
-          count.should.equal(1);
-          str.should.equal('abstract engine');
+          assert.strictEqual(count, 1)
+          assert.strictEqual(str, 'abstract engine')
           app.render('something', function(err, str){
             if (err) return done(err);
-            count.should.equal(2);
-            str.should.equal('abstract engine');
+            assert.strictEqual(count, 2)
+            assert.strictEqual(str, 'abstract engine')
             done();
           })
         })
@@ -275,12 +276,12 @@ describe('app', function(){
 
         app.render('something', function(err, str){
           if (err) return done(err);
-          count.should.equal(1);
-          str.should.equal('abstract engine');
+          assert.strictEqual(count, 1)
+          assert.strictEqual(str, 'abstract engine')
           app.render('something', function(err, str){
             if (err) return done(err);
-            count.should.equal(1);
-            str.should.equal('abstract engine');
+            assert.strictEqual(count, 1)
+            assert.strictEqual(str, 'abstract engine')
             done();
           })
         })
@@ -298,7 +299,7 @@ describe('app', function(){
 
       app.render('user.tmpl', { user: user }, function (err, str) {
         if (err) return done(err);
-        str.should.equal('<p>tobi</p>');
+        assert.strictEqual(str, '<p>tobi</p>')
         done();
       })
     })
@@ -311,7 +312,7 @@ describe('app', function(){
 
       app.render('user.tmpl', {}, function (err, str) {
         if (err) return done(err);
-        str.should.equal('<p>tobi</p>');
+        assert.strictEqual(str, '<p>tobi</p>')
         done();
       })
     })
@@ -325,7 +326,7 @@ describe('app', function(){
 
       app.render('user.tmpl', { user: jane }, function (err, str) {
         if (err) return done(err);
-        str.should.equal('<p>jane</p>');
+        assert.strictEqual(str, '<p>jane</p>')
         done();
       })
     })
@@ -350,12 +351,12 @@ describe('app', function(){
 
         app.render('something', {cache: true}, function(err, str){
           if (err) return done(err);
-          count.should.equal(1);
-          str.should.equal('abstract engine');
+          assert.strictEqual(count, 1)
+          assert.strictEqual(str, 'abstract engine')
           app.render('something', {cache: true}, function(err, str){
             if (err) return done(err);
-            count.should.equal(1);
-            str.should.equal('abstract engine');
+            assert.strictEqual(count, 1)
+            assert.strictEqual(str, 'abstract engine')
             done();
           })
         })
diff --git a/test/app.request.js b/test/app.request.js
index 728043a5a3..4930af84c2 100644
--- a/test/app.request.js
+++ b/test/app.request.js
@@ -1,4 +1,6 @@
+'use strict'
 
+var after = require('after')
 var express = require('../')
   , request = require('supertest');
 
@@ -19,5 +21,123 @@ describe('app', function(){
       .get('/foo?name=tobi')
       .expect('name=tobi', done);
     })
+
+    it('should only extend for the referenced app', function (done) {
+      var app1 = express()
+      var app2 = express()
+      var cb = after(2, done)
+
+      app1.request.foobar = function () {
+        return 'tobi'
+      }
+
+      app1.get('/', function (req, res) {
+        res.send(req.foobar())
+      })
+
+      app2.get('/', function (req, res) {
+        res.send(req.foobar())
+      })
+
+      request(app1)
+        .get('/')
+        .expect(200, 'tobi', cb)
+
+      request(app2)
+        .get('/')
+        .expect(500, /(?:not a function|has no method)/, cb)
+    })
+
+    it('should inherit to sub apps', function (done) {
+      var app1 = express()
+      var app2 = express()
+      var cb = after(2, done)
+
+      app1.request.foobar = function () {
+        return 'tobi'
+      }
+
+      app1.use('/sub', app2)
+
+      app1.get('/', function (req, res) {
+        res.send(req.foobar())
+      })
+
+      app2.get('/', function (req, res) {
+        res.send(req.foobar())
+      })
+
+      request(app1)
+        .get('/')
+        .expect(200, 'tobi', cb)
+
+      request(app1)
+        .get('/sub')
+        .expect(200, 'tobi', cb)
+    })
+
+    it('should allow sub app to override', function (done) {
+      var app1 = express()
+      var app2 = express()
+      var cb = after(2, done)
+
+      app1.request.foobar = function () {
+        return 'tobi'
+      }
+
+      app2.request.foobar = function () {
+        return 'loki'
+      }
+
+      app1.use('/sub', app2)
+
+      app1.get('/', function (req, res) {
+        res.send(req.foobar())
+      })
+
+      app2.get('/', function (req, res) {
+        res.send(req.foobar())
+      })
+
+      request(app1)
+        .get('/')
+        .expect(200, 'tobi', cb)
+
+      request(app1)
+        .get('/sub')
+        .expect(200, 'loki', cb)
+    })
+
+    it('should not pollute parent app', function (done) {
+      var app1 = express()
+      var app2 = express()
+      var cb = after(2, done)
+
+      app1.request.foobar = function () {
+        return 'tobi'
+      }
+
+      app2.request.foobar = function () {
+        return 'loki'
+      }
+
+      app1.use('/sub', app2)
+
+      app1.get('/sub/foo', function (req, res) {
+        res.send(req.foobar())
+      })
+
+      app2.get('/', function (req, res) {
+        res.send(req.foobar())
+      })
+
+      request(app1)
+        .get('/sub')
+        .expect(200, 'loki', cb)
+
+      request(app1)
+        .get('/sub/foo')
+        .expect(200, 'tobi', cb)
+    })
   })
 })
diff --git a/test/app.response.js b/test/app.response.js
index c6ea77c820..5fb69f6275 100644
--- a/test/app.response.js
+++ b/test/app.response.js
@@ -1,4 +1,6 @@
+'use strict'
 
+var after = require('after')
 var express = require('../')
   , request = require('supertest');
 
@@ -20,25 +22,122 @@ describe('app', function(){
       .expect('HEY', done);
     })
 
-    it('should not be influenced by other app protos', function(done){
-      var app = express()
-        , app2 = express();
+    it('should only extend for the referenced app', function (done) {
+      var app1 = express()
+      var app2 = express()
+      var cb = after(2, done)
 
-      app.response.shout = function(str){
-        this.send(str.toUpperCase());
-      };
+      app1.response.shout = function (str) {
+        this.send(str.toUpperCase())
+      }
 
-      app2.response.shout = function(str){
-        this.send(str);
-      };
+      app1.get('/', function (req, res) {
+        res.shout('foo')
+      })
 
-      app.use(function(req, res){
-        res.shout('hey');
-      });
+      app2.get('/', function (req, res) {
+        res.shout('foo')
+      })
 
-      request(app)
-      .get('/')
-      .expect('HEY', done);
+      request(app1)
+        .get('/')
+        .expect(200, 'FOO', cb)
+
+      request(app2)
+        .get('/')
+        .expect(500, /(?:not a function|has no method)/, cb)
+    })
+
+    it('should inherit to sub apps', function (done) {
+      var app1 = express()
+      var app2 = express()
+      var cb = after(2, done)
+
+      app1.response.shout = function (str) {
+        this.send(str.toUpperCase())
+      }
+
+      app1.use('/sub', app2)
+
+      app1.get('/', function (req, res) {
+        res.shout('foo')
+      })
+
+      app2.get('/', function (req, res) {
+        res.shout('foo')
+      })
+
+      request(app1)
+        .get('/')
+        .expect(200, 'FOO', cb)
+
+      request(app1)
+        .get('/sub')
+        .expect(200, 'FOO', cb)
+    })
+
+    it('should allow sub app to override', function (done) {
+      var app1 = express()
+      var app2 = express()
+      var cb = after(2, done)
+
+      app1.response.shout = function (str) {
+        this.send(str.toUpperCase())
+      }
+
+      app2.response.shout = function (str) {
+        this.send(str + '!')
+      }
+
+      app1.use('/sub', app2)
+
+      app1.get('/', function (req, res) {
+        res.shout('foo')
+      })
+
+      app2.get('/', function (req, res) {
+        res.shout('foo')
+      })
+
+      request(app1)
+        .get('/')
+        .expect(200, 'FOO', cb)
+
+      request(app1)
+        .get('/sub')
+        .expect(200, 'foo!', cb)
+    })
+
+    it('should not pollute parent app', function (done) {
+      var app1 = express()
+      var app2 = express()
+      var cb = after(2, done)
+
+      app1.response.shout = function (str) {
+        this.send(str.toUpperCase())
+      }
+
+      app2.response.shout = function (str) {
+        this.send(str + '!')
+      }
+
+      app1.use('/sub', app2)
+
+      app1.get('/sub/foo', function (req, res) {
+        res.shout('foo')
+      })
+
+      app2.get('/', function (req, res) {
+        res.shout('foo')
+      })
+
+      request(app1)
+        .get('/sub')
+        .expect(200, 'foo!', cb)
+
+      request(app1)
+        .get('/sub/foo')
+        .expect(200, 'FOO', cb)
     })
   })
 })
diff --git a/test/app.route.js b/test/app.route.js
index 29131a9ec4..a0c8696e50 100644
--- a/test/app.route.js
+++ b/test/app.route.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../');
 var request = require('supertest');
 
diff --git a/test/app.router.js b/test/app.router.js
index fc004300ce..33c45bab8f 100644
--- a/test/app.router.js
+++ b/test/app.router.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var after = require('after');
 var express = require('../')
@@ -759,36 +760,38 @@ describe('app.router', function(){
   describe('.:name', function(){
     it('should denote a format', function(done){
       var app = express();
+      var cb = after(2, done)
 
       app.get('/:name.:format', function(req, res){
         res.end(req.params.name + ' as ' + req.params.format);
       });
 
       request(app)
-      .get('/foo.json')
-      .expect('foo as json', function(){
-        request(app)
+        .get('/foo.json')
+        .expect(200, 'foo as json', cb)
+
+      request(app)
         .get('/foo')
-        .expect(404, done);
-      });
+        .expect(404, cb)
     })
   })
 
   describe('.:name?', function(){
     it('should denote an optional format', function(done){
       var app = express();
+      var cb = after(2, done)
 
       app.get('/:name.:format?', function(req, res){
         res.end(req.params.name + ' as ' + (req.params.format || 'html'));
       });
 
       request(app)
-      .get('/foo')
-      .expect('foo as html', function(){
-        request(app)
+        .get('/foo')
+        .expect(200, 'foo as html', cb)
+
+      request(app)
         .get('/foo.json')
-        .expect('foo as json', done);
-      });
+        .expect(200, 'foo as json', done)
     })
   })
 
@@ -1130,6 +1133,6 @@ describe('app.router', function(){
 
   it('should be chainable', function(){
     var app = express();
-    app.get('/', function(){}).should.equal(app);
+    assert.strictEqual(app.get('/', function () {}), app)
   })
 })
diff --git a/test/app.routes.error.js b/test/app.routes.error.js
index 9e2a3147cf..efc0108b0f 100644
--- a/test/app.routes.error.js
+++ b/test/app.routes.error.js
@@ -1,3 +1,6 @@
+'use strict'
+
+var assert = require('assert')
 var express = require('../')
   , request = require('supertest');
 
@@ -34,20 +37,20 @@ describe('app', function(){
         next();
       }, function(err, req, res, next){
         b = true;
-        err.message.should.equal('fabricated error');
+        assert.strictEqual(err.message, 'fabricated error')
         next(err);
       }, function(err, req, res, next){
         c = true;
-        err.message.should.equal('fabricated error');
+        assert.strictEqual(err.message, 'fabricated error')
         next();
       }, function(err, req, res, next){
         d = true;
         next();
       }, function(req, res){
-        a.should.be.false()
-        b.should.be.true()
-        c.should.be.true()
-        d.should.be.false()
+        assert.ok(!a)
+        assert.ok(b)
+        assert.ok(c)
+        assert.ok(!d)
         res.sendStatus(204);
       });
 
diff --git a/test/app.use.js b/test/app.use.js
index f5d5cc4ff8..a0f0242959 100644
--- a/test/app.use.js
+++ b/test/app.use.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var after = require('after');
 var assert = require('assert')
@@ -10,7 +11,7 @@ describe('app', function(){
       , app = express();
 
     blog.on('mount', function(arg){
-      arg.should.equal(app);
+      assert.strictEqual(arg, app)
       done();
     });
 
@@ -37,6 +38,7 @@ describe('app', function(){
       var blog = express()
         , forum = express()
         , app = express();
+      var cb = after(2, done)
 
       blog.get('/', function(req, res){
         res.end('blog');
@@ -50,12 +52,12 @@ describe('app', function(){
       app.use('/forum', forum);
 
       request(app)
-      .get('/blog')
-      .expect('blog', function(){
-        request(app)
+        .get('/blog')
+        .expect(200, 'blog', cb)
+
+      request(app)
         .get('/forum')
-        .expect('forum', done);
-      });
+        .expect(200, 'forum', done)
     })
 
     it('should set the child\'s .parent', function(){
@@ -63,7 +65,7 @@ describe('app', function(){
         , app = express();
 
       app.use('/blog', blog);
-      blog.parent.should.equal(app);
+      assert.strictEqual(blog.parent, app)
     })
 
     it('should support dynamic routes', function(done){
@@ -102,11 +104,11 @@ describe('app', function(){
       });
 
       blog.once('mount', function (parent) {
-        parent.should.equal(app);
+        assert.strictEqual(parent, app)
         cb();
       });
       other.once('mount', function (parent) {
-        parent.should.equal(app);
+        assert.strictEqual(parent, app)
         cb();
       });
 
diff --git a/test/config.js b/test/config.js
index 17a02b7eba..8386a4471c 100644
--- a/test/config.js
+++ b/test/config.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert');
 var express = require('..');
diff --git a/test/exports.js b/test/exports.js
index 7d4dc683f3..07608aff4b 100644
--- a/test/exports.js
+++ b/test/exports.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert')
 var express = require('../');
diff --git a/test/express.json.js b/test/express.json.js
index 16ac328add..37a17b5c1a 100644
--- a/test/express.json.js
+++ b/test/express.json.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert')
 var Buffer = require('safe-buffer').Buffer
diff --git a/test/express.raw.js b/test/express.raw.js
index fbe52576de..a78353b17d 100644
--- a/test/express.raw.js
+++ b/test/express.raw.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert')
 var Buffer = require('safe-buffer').Buffer
diff --git a/test/express.static.js b/test/express.static.js
index e130a0861e..57a23accc1 100644
--- a/test/express.static.js
+++ b/test/express.static.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert')
 var Buffer = require('safe-buffer').Buffer
diff --git a/test/express.text.js b/test/express.text.js
index ef95d3aa9b..3833c82f8c 100644
--- a/test/express.text.js
+++ b/test/express.text.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert')
 var Buffer = require('safe-buffer').Buffer
diff --git a/test/express.urlencoded.js b/test/express.urlencoded.js
index ef94cec942..939f68bd72 100644
--- a/test/express.urlencoded.js
+++ b/test/express.urlencoded.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert')
 var Buffer = require('safe-buffer').Buffer
diff --git a/test/middleware.basic.js b/test/middleware.basic.js
index 4616842ed6..19f00d9a29 100644
--- a/test/middleware.basic.js
+++ b/test/middleware.basic.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert')
 var express = require('../');
diff --git a/test/regression.js b/test/regression.js
index 5d4509ed6f..4e99b30694 100644
--- a/test/regression.js
+++ b/test/regression.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/req.accepts.js b/test/req.accepts.js
index 0df4780e22..2066fb5185 100644
--- a/test/req.accepts.js
+++ b/test/req.accepts.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/req.acceptsCharsets.js b/test/req.acceptsCharsets.js
index d1c459174a..360a9878a7 100644
--- a/test/req.acceptsCharsets.js
+++ b/test/req.acceptsCharsets.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/req.acceptsEncodings.js b/test/req.acceptsEncodings.js
index a5cf747d41..9f8973cdfb 100644
--- a/test/req.acceptsEncodings.js
+++ b/test/req.acceptsEncodings.js
@@ -1,36 +1,39 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
 
 describe('req', function(){
   describe('.acceptsEncodings', function () {
-    it('should be true if encoding accepted', function(done){
+    it('should return encoding if accepted', function (done) {
       var app = express();
 
-      app.use(function(req, res){
-        req.acceptsEncodings('gzip').should.be.ok()
-        req.acceptsEncodings('deflate').should.be.ok()
-        res.end();
-      });
+      app.get('/', function (req, res) {
+        res.send({
+          gzip: req.acceptsEncodings('gzip'),
+          deflate: req.acceptsEncodings('deflate')
+        })
+      })
 
       request(app)
-      .get('/')
-      .set('Accept-Encoding', ' gzip, deflate')
-      .expect(200, done);
+        .get('/')
+        .set('Accept-Encoding', ' gzip, deflate')
+        .expect(200, { gzip: 'gzip', deflate: 'deflate' }, done)
     })
 
     it('should be false if encoding not accepted', function(done){
       var app = express();
 
-      app.use(function(req, res){
-        req.acceptsEncodings('bogus').should.not.be.ok()
-        res.end();
-      });
+      app.get('/', function (req, res) {
+        res.send({
+          bogus: req.acceptsEncodings('bogus')
+        })
+      })
 
       request(app)
-      .get('/')
-      .set('Accept-Encoding', ' gzip, deflate')
-      .expect(200, done);
+        .get('/')
+        .set('Accept-Encoding', ' gzip, deflate')
+        .expect(200, { bogus: false }, done)
     })
   })
 })
diff --git a/test/req.acceptsLanguages.js b/test/req.acceptsLanguages.js
index 1d92f44b2b..e5629fbc32 100644
--- a/test/req.acceptsLanguages.js
+++ b/test/req.acceptsLanguages.js
@@ -1,52 +1,56 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
 
 describe('req', function(){
   describe('.acceptsLanguages', function(){
-    it('should be true if language accepted', function(done){
+    it('should return language if accepted', function (done) {
       var app = express();
 
-      app.use(function(req, res){
-        req.acceptsLanguages('en-us').should.be.ok()
-        req.acceptsLanguages('en').should.be.ok()
-        res.end();
-      });
+      app.get('/', function (req, res) {
+        res.send({
+          'en-us': req.acceptsLanguages('en-us'),
+          en: req.acceptsLanguages('en')
+        })
+      })
 
       request(app)
-      .get('/')
-      .set('Accept-Language', 'en;q=.5, en-us')
-      .expect(200, done);
+        .get('/')
+        .set('Accept-Language', 'en;q=.5, en-us')
+        .expect(200, { 'en-us': 'en-us', en: 'en' }, done)
     })
 
     it('should be false if language not accepted', function(done){
       var app = express();
 
-      app.use(function(req, res){
-        req.acceptsLanguages('es').should.not.be.ok()
-        res.end();
-      });
+      app.get('/', function (req, res) {
+        res.send({
+          es: req.acceptsLanguages('es')
+        })
+      })
 
       request(app)
-      .get('/')
-      .set('Accept-Language', 'en;q=.5, en-us')
-      .expect(200, done);
+        .get('/')
+        .set('Accept-Language', 'en;q=.5, en-us')
+        .expect(200, { es: false }, done)
     })
 
     describe('when Accept-Language is not present', function(){
-      it('should always return true', function(done){
+      it('should always return language', function (done) {
         var app = express();
 
-        app.use(function(req, res){
-          req.acceptsLanguages('en').should.be.ok()
-          req.acceptsLanguages('es').should.be.ok()
-          req.acceptsLanguages('jp').should.be.ok()
-          res.end();
-        });
+        app.get('/', function (req, res) {
+          res.send({
+            en: req.acceptsLanguages('en'),
+            es: req.acceptsLanguages('es'),
+            jp: req.acceptsLanguages('jp')
+          })
+        })
 
         request(app)
-        .get('/')
-        .expect(200, done);
+          .get('/')
+          .expect(200, { en: 'en', es: 'es', jp: 'jp' }, done)
       })
     })
   })
diff --git a/test/req.baseUrl.js b/test/req.baseUrl.js
index 9ac9d88029..b70803ea8b 100644
--- a/test/req.baseUrl.js
+++ b/test/req.baseUrl.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('..')
 var request = require('supertest')
diff --git a/test/req.fresh.js b/test/req.fresh.js
index 1aa8fa5b21..9160e2caaf 100644
--- a/test/req.fresh.js
+++ b/test/req.fresh.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/req.get.js b/test/req.get.js
index 109a2d90ce..16589b3f05 100644
--- a/test/req.get.js
+++ b/test/req.get.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest')
diff --git a/test/req.host.js b/test/req.host.js
index 55d6426d2c..cdda82eaae 100644
--- a/test/req.host.js
+++ b/test/req.host.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest')
diff --git a/test/req.hostname.js b/test/req.hostname.js
index 09bfb89989..b3716b566a 100644
--- a/test/req.hostname.js
+++ b/test/req.hostname.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest')
diff --git a/test/req.ip.js b/test/req.ip.js
index 1cd255216b..6bb3c5ac52 100644
--- a/test/req.ip.js
+++ b/test/req.ip.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
@@ -21,7 +22,7 @@ describe('req', function(){
           .expect('client', done);
         })
 
-        it('should return the addr after trusted proxy', function(done){
+        it('should return the addr after trusted proxy based on count', function (done) {
           var app = express();
 
           app.set('trust proxy', 2);
@@ -36,6 +37,21 @@ describe('req', function(){
           .expect('p1', done);
         })
 
+        it('should return the addr after trusted proxy based on list', function (done) {
+          var app = express()
+
+          app.set('trust proxy', '10.0.0.1, 10.0.0.2, 127.0.0.1, ::1')
+
+          app.get('/', function (req, res) {
+            res.send(req.ip)
+          })
+
+          request(app)
+            .get('/')
+            .set('X-Forwarded-For', '10.0.0.2, 10.0.0.3, 10.0.0.1', '10.0.0.4')
+            .expect('10.0.0.3', done)
+        })
+
         it('should return the addr after trusted proxy, from sub app', function (done) {
           var app = express();
           var sub = express();
diff --git a/test/req.ips.js b/test/req.ips.js
index a7d464b846..2f9a0736ea 100644
--- a/test/req.ips.js
+++ b/test/req.ips.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/req.is.js b/test/req.is.js
index a2fce17867..c5904dd600 100644
--- a/test/req.is.js
+++ b/test/req.is.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('..')
 var request = require('supertest')
diff --git a/test/req.path.js b/test/req.path.js
index 6ad4009c7d..3ff6177c74 100644
--- a/test/req.path.js
+++ b/test/req.path.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/req.protocol.js b/test/req.protocol.js
index 453ad11ca4..61f76356b4 100644
--- a/test/req.protocol.js
+++ b/test/req.protocol.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/req.query.js b/test/req.query.js
index 067d452107..bc76d4106b 100644
--- a/test/req.query.js
+++ b/test/req.query.js
@@ -1,4 +1,6 @@
+'use strict'
 
+var assert = require('assert')
 var express = require('../')
   , request = require('supertest');
 
@@ -82,7 +84,8 @@ describe('req', function(){
 
     describe('when "query parser" an unknown value', function () {
       it('should throw', function () {
-        createApp.bind(null, 'bogus').should.throw(/unknown value.*query parser/);
+        assert.throws(createApp.bind(null, 'bogus'),
+          /unknown value.*query parser/)
       });
     });
   })
diff --git a/test/req.range.js b/test/req.range.js
index 5443c0658d..111441736e 100644
--- a/test/req.range.js
+++ b/test/req.range.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('..');
 var request = require('supertest')
diff --git a/test/req.route.js b/test/req.route.js
index 2947b7c3d0..6c17fbb1c8 100644
--- a/test/req.route.js
+++ b/test/req.route.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
@@ -8,18 +9,20 @@ describe('req', function(){
       var app = express();
 
       app.get('/user/:id/:op?', function(req, res, next){
-        req.route.path.should.equal('/user/:id/:op?');
+        res.header('path-1', req.route.path)
         next();
       });
 
       app.get('/user/:id/edit', function(req, res){
-        req.route.path.should.equal('/user/:id/edit');
+        res.header('path-2', req.route.path)
         res.end();
       });
 
       request(app)
-      .get('/user/12/edit')
-      .expect(200, done);
+        .get('/user/12/edit')
+        .expect('path-1', '/user/:id/:op?')
+        .expect('path-2', '/user/:id/edit')
+        .expect(200, done)
     })
   })
 })
diff --git a/test/req.secure.js b/test/req.secure.js
index 2025c8786b..0097ed6136 100644
--- a/test/req.secure.js
+++ b/test/req.secure.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/req.signedCookies.js b/test/req.signedCookies.js
index a55f81b22c..db56195166 100644
--- a/test/req.signedCookies.js
+++ b/test/req.signedCookies.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest')
diff --git a/test/req.stale.js b/test/req.stale.js
index 30c9d05d51..cda77fa403 100644
--- a/test/req.stale.js
+++ b/test/req.stale.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/req.subdomains.js b/test/req.subdomains.js
index 18e4d80ad3..e5600f2eb5 100644
--- a/test/req.subdomains.js
+++ b/test/req.subdomains.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/req.xhr.js b/test/req.xhr.js
index 94af9170cb..99cf7f1917 100644
--- a/test/req.xhr.js
+++ b/test/req.xhr.js
@@ -1,62 +1,42 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
 
 describe('req', function(){
   describe('.xhr', function(){
-    it('should return true when X-Requested-With is xmlhttprequest', function(done){
-      var app = express();
-
-      app.use(function(req, res){
-        req.xhr.should.be.true()
-        res.end();
-      });
+    before(function () {
+      this.app = express()
+      this.app.get('/', function (req, res) {
+        res.send(req.xhr)
+      })
+    })
 
-      request(app)
-      .get('/')
-      .set('X-Requested-With', 'xmlhttprequest')
-      .expect(200, done)
+    it('should return true when X-Requested-With is xmlhttprequest', function(done){
+      request(this.app)
+        .get('/')
+        .set('X-Requested-With', 'xmlhttprequest')
+        .expect(200, 'true', done)
     })
 
     it('should case-insensitive', function(done){
-      var app = express();
-
-      app.use(function(req, res){
-        req.xhr.should.be.true()
-        res.end();
-      });
-
-      request(app)
-      .get('/')
-      .set('X-Requested-With', 'XMLHttpRequest')
-      .expect(200, done)
+      request(this.app)
+        .get('/')
+        .set('X-Requested-With', 'XMLHttpRequest')
+        .expect(200, 'true', done)
     })
 
     it('should return false otherwise', function(done){
-      var app = express();
-
-      app.use(function(req, res){
-        req.xhr.should.be.false()
-        res.end();
-      });
-
-      request(app)
-      .get('/')
-      .set('X-Requested-With', 'blahblah')
-      .expect(200, done)
+      request(this.app)
+        .get('/')
+        .set('X-Requested-With', 'blahblah')
+        .expect(200, 'false', done)
     })
 
     it('should return false when not present', function(done){
-      var app = express();
-
-      app.use(function(req, res){
-        req.xhr.should.be.false()
-        res.end();
-      });
-
-      request(app)
-      .get('/')
-      .expect(200, done)
+      request(this.app)
+        .get('/')
+        .expect(200, 'false', done)
     })
   })
 })
diff --git a/test/res.append.js b/test/res.append.js
index f7f1d55b3c..5b12e35b69 100644
--- a/test/res.append.js
+++ b/test/res.append.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('..')
 var request = require('supertest')
diff --git a/test/res.attachment.js b/test/res.attachment.js
index 4c3d4aa2f1..6283ded0d6 100644
--- a/test/res.attachment.js
+++ b/test/res.attachment.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var Buffer = require('safe-buffer').Buffer
 var express = require('../')
diff --git a/test/res.clearCookie.js b/test/res.clearCookie.js
index 4822057e92..fc0cfb99a3 100644
--- a/test/res.clearCookie.js
+++ b/test/res.clearCookie.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/res.cookie.js b/test/res.cookie.js
index d8e6b7ca85..d10e48646b 100644
--- a/test/res.cookie.js
+++ b/test/res.cookie.js
@@ -1,7 +1,7 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest')
-  , cookie = require('cookie')
   , cookieParser = require('cookie-parser')
 var merge = require('utils-merge');
 
@@ -46,12 +46,9 @@ describe('res', function(){
       });
 
       request(app)
-      .get('/')
-      .end(function(err, res){
-        var val = ['name=tobi; Path=/', 'age=1; Path=/', 'gender=%3F; Path=/'];
-        res.headers['set-cookie'].should.eql(val);
-        done();
-      })
+        .get('/')
+        .expect('Set-Cookie', 'name=tobi; Path=/,age=1; Path=/,gender=%3F; Path=/')
+        .expect(200, done)
     })
   })
 
@@ -80,11 +77,9 @@ describe('res', function(){
         });
 
         request(app)
-        .get('/')
-        .end(function(err, res){
-          res.headers['set-cookie'][0].should.not.containEql('Thu, 01 Jan 1970 00:00:01 GMT');
-          done();
-        })
+          .get('/')
+          .expect('Set-Cookie', /name=tobi; Max-Age=1; Path=\/; Expires=/)
+          .expect(200, done)
       })
 
       it('should set max-age', function(done){
@@ -141,13 +136,9 @@ describe('res', function(){
         });
 
         request(app)
-        .get('/')
-        .end(function(err, res){
-          var val = res.headers['set-cookie'][0];
-          val = cookie.parse(val.split('.')[0]);
-          val.user.should.equal('s:j:{"name":"tobi"}');
-          done();
-        })
+          .get('/')
+          .expect('Set-Cookie', 'user=s%3Aj%3A%7B%22name%22%3A%22tobi%22%7D.K20xcwmDS%2BPb1rsD95o5Jm5SqWs1KteqdnynnB7jkTE; Path=/')
+          .expect(200, done)
       })
     })
 
diff --git a/test/res.download.js b/test/res.download.js
index 4f3de6fd96..7013f88bbf 100644
--- a/test/res.download.js
+++ b/test/res.download.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var after = require('after');
 var assert = require('assert');
@@ -20,6 +21,33 @@ describe('res', function(){
       .expect('Content-Disposition', 'attachment; filename="user.html"')
       .expect(200, '<p>{{user.name}}</p>', done)
     })
+
+    it('should accept range requests', function (done) {
+      var app = express()
+
+      app.get('/', function (req, res) {
+        res.download('test/fixtures/user.html')
+      })
+
+      request(app)
+        .get('/')
+        .expect('Accept-Ranges', 'bytes')
+        .expect(200, '<p>{{user.name}}</p>', done)
+    })
+
+    it('should respond with requested byte range', function (done) {
+      var app = express()
+
+      app.get('/', function (req, res) {
+        res.download('test/fixtures/user.html')
+      })
+
+      request(app)
+        .get('/')
+        .set('Range', 'bytes=0-2')
+        .expect('Content-Range', 'bytes 0-2/20')
+        .expect(206, '<p>', done)
+    })
   })
 
   describe('.download(path, filename)', function(){
@@ -61,7 +89,7 @@ describe('res', function(){
       var cb = after(2, done);
 
       app.use(function(req, res){
-        res.download('test/fixtures/user.html', 'document', done);
+        res.download('test/fixtures/user.html', 'document', cb)
       });
 
       request(app)
diff --git a/test/res.format.js b/test/res.format.js
index 4e4dbd6b7e..c7fe25695d 100644
--- a/test/res.format.js
+++ b/test/res.format.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var after = require('after')
 var express = require('../')
diff --git a/test/res.get.js b/test/res.get.js
index a53bdc3380..a5f12e2e53 100644
--- a/test/res.get.js
+++ b/test/res.get.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('..');
 var request = require('supertest');
diff --git a/test/res.json.js b/test/res.json.js
index 28a78d6112..bef8adafd5 100644
--- a/test/res.json.js
+++ b/test/res.json.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest')
diff --git a/test/res.jsonp.js b/test/res.jsonp.js
index 77d0f888e8..e9cc08bc05 100644
--- a/test/res.jsonp.js
+++ b/test/res.jsonp.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest')
diff --git a/test/res.links.js b/test/res.links.js
index 36630c9ccc..240b7fcfda 100644
--- a/test/res.links.js
+++ b/test/res.links.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('..');
 var request = require('supertest');
diff --git a/test/res.locals.js b/test/res.locals.js
index a1c819667a..c4365b36f3 100644
--- a/test/res.locals.js
+++ b/test/res.locals.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/res.location.js b/test/res.location.js
index c0bfbe8c8e..158afac01e 100644
--- a/test/res.location.js
+++ b/test/res.location.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/res.redirect.js b/test/res.redirect.js
index 911f219011..85f7123ecd 100644
--- a/test/res.redirect.js
+++ b/test/res.redirect.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert')
 var express = require('..');
diff --git a/test/res.render.js b/test/res.render.js
index 643a57002a..50f0b0a742 100644
--- a/test/res.render.js
+++ b/test/res.render.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('..');
 var path = require('path')
diff --git a/test/res.send.js b/test/res.send.js
index c3b4d10f28..2a85e093e3 100644
--- a/test/res.send.js
+++ b/test/res.send.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert')
 var Buffer = require('safe-buffer').Buffer
@@ -499,7 +500,7 @@ describe('res', function(){
           var chunk = !Buffer.isBuffer(body)
             ? Buffer.from(body, encoding)
             : body;
-          chunk.toString().should.equal('hello, world!');
+          assert.strictEqual(chunk.toString(), 'hello, world!')
           return '"custom"';
         });
 
diff --git a/test/res.sendFile.js b/test/res.sendFile.js
index 12b12d0988..79b18e170f 100644
--- a/test/res.sendFile.js
+++ b/test/res.sendFile.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var after = require('after');
 var assert = require('assert')
@@ -112,12 +113,11 @@ describe('res', function(){
       app.use(function (req, res) {
         setImmediate(function () {
           res.sendFile(path.resolve(fixtures, 'name.txt'));
-          server.close(cb)
           setTimeout(function () {
             cb(error)
           }, 10)
         })
-        test.abort();
+        test.req.abort()
       });
 
       app.use(function (err, req, res, next) {
@@ -127,7 +127,10 @@ describe('res', function(){
 
       var server = app.listen()
       var test = request(server).get('/')
-      test.end()
+      test.end(function (err) {
+        assert.ok(err)
+        server.close(cb)
+      })
     })
 
     describe('with "cacheControl" option', function () {
@@ -272,43 +275,49 @@ describe('res', function(){
     })
 
     it('should invoke the callback when client aborts', function (done) {
-      var cb = after(1, done);
+      var cb = after(2, done)
       var app = express();
 
       app.use(function (req, res) {
         setImmediate(function () {
           res.sendFile(path.resolve(fixtures, 'name.txt'), function (err) {
-            should(err).be.ok()
-            err.code.should.equal('ECONNABORTED');
-            server.close(cb)
+            assert.ok(err)
+            assert.strictEqual(err.code, 'ECONNABORTED')
+            cb()
           });
         });
-        test.abort();
+        test.req.abort()
       });
 
       var server = app.listen()
       var test = request(server).get('/')
-      test.expect(200, cb);
+      test.end(function (err) {
+        assert.ok(err)
+        server.close(cb)
+      })
     })
 
     it('should invoke the callback when client already aborted', function (done) {
-      var cb = after(1, done);
+      var cb = after(2, done)
       var app = express();
 
       app.use(function (req, res) {
         onFinished(res, function () {
           res.sendFile(path.resolve(fixtures, 'name.txt'), function (err) {
-            should(err).be.ok()
-            err.code.should.equal('ECONNABORTED');
-            server.close(cb)
+            assert.ok(err)
+            assert.strictEqual(err.code, 'ECONNABORTED')
+            cb()
           });
         });
-        test.abort();
+        test.req.abort()
       });
 
       var server = app.listen()
       var test = request(server).get('/')
-      test.expect(200, cb);
+      test.end(function (err) {
+        assert.ok(err)
+        server.close(cb)
+      })
     })
 
     it('should invoke the callback without error when HEAD', function (done) {
diff --git a/test/res.sendStatus.js b/test/res.sendStatus.js
index c355bc408f..9b1de8385c 100644
--- a/test/res.sendStatus.js
+++ b/test/res.sendStatus.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('..')
 var request = require('supertest')
diff --git a/test/res.set.js b/test/res.set.js
index e46d123947..04511c1c95 100644
--- a/test/res.set.js
+++ b/test/res.set.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('..');
 var request = require('supertest');
diff --git a/test/res.status.js b/test/res.status.js
index 8c173a645c..e0abc73c4c 100644
--- a/test/res.status.js
+++ b/test/res.status.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/res.type.js b/test/res.type.js
index cc1dd08d41..980717a6e3 100644
--- a/test/res.type.js
+++ b/test/res.type.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('../')
   , request = require('supertest');
diff --git a/test/res.vary.js b/test/res.vary.js
index a55d2151df..ff3c971652 100644
--- a/test/res.vary.js
+++ b/test/res.vary.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var express = require('..');
 var request = require('supertest');
diff --git a/test/utils.js b/test/utils.js
index 5e5cd0f507..aff3f03aa3 100644
--- a/test/utils.js
+++ b/test/utils.js
@@ -1,3 +1,4 @@
+'use strict'
 
 var assert = require('assert');
 var Buffer = require('safe-buffer').Buffer
@@ -5,23 +6,23 @@ var utils = require('../lib/utils');
 
 describe('utils.etag(body, encoding)', function(){
   it('should support strings', function(){
-    utils.etag('express!')
-    .should.eql('"8-O2uVAFaQ1rZvlKLT14RnuvjPIdg"')
+    assert.strictEqual(utils.etag('express!'),
+      '"8-O2uVAFaQ1rZvlKLT14RnuvjPIdg"')
   })
 
   it('should support utf8 strings', function(){
-    utils.etag('express❤', 'utf8')
-    .should.eql('"a-JBiXf7GyzxwcrxY4hVXUwa7tmks"')
+    assert.strictEqual(utils.etag('express❤', 'utf8'),
+      '"a-JBiXf7GyzxwcrxY4hVXUwa7tmks"')
   })
 
   it('should support buffer', function(){
-    utils.etag(Buffer.from('express!'))
-    .should.eql('"8-O2uVAFaQ1rZvlKLT14RnuvjPIdg"')
+    assert.strictEqual(utils.etag(Buffer.from('express!')),
+      '"8-O2uVAFaQ1rZvlKLT14RnuvjPIdg"')
   })
 
   it('should support empty string', function(){
-    utils.etag('')
-    .should.eql('"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk"')
+    assert.strictEqual(utils.etag(''),
+      '"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk"')
   })
 })
 
@@ -49,22 +50,22 @@ describe('utils.setCharset(type, charset)', function () {
 
 describe('utils.wetag(body, encoding)', function(){
   it('should support strings', function(){
-    utils.wetag('express!')
-    .should.eql('W/"8-O2uVAFaQ1rZvlKLT14RnuvjPIdg"')
+    assert.strictEqual(utils.wetag('express!'),
+      'W/"8-O2uVAFaQ1rZvlKLT14RnuvjPIdg"')
   })
 
   it('should support utf8 strings', function(){
-    utils.wetag('express❤', 'utf8')
-    .should.eql('W/"a-JBiXf7GyzxwcrxY4hVXUwa7tmks"')
+    assert.strictEqual(utils.wetag('express❤', 'utf8'),
+      'W/"a-JBiXf7GyzxwcrxY4hVXUwa7tmks"')
   })
 
   it('should support buffer', function(){
-    utils.wetag(Buffer.from('express!'))
-    .should.eql('W/"8-O2uVAFaQ1rZvlKLT14RnuvjPIdg"')
+    assert.strictEqual(utils.wetag(Buffer.from('express!')),
+      'W/"8-O2uVAFaQ1rZvlKLT14RnuvjPIdg"')
   })
 
   it('should support empty string', function(){
-    utils.wetag('')
-    .should.eql('W/"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk"')
+    assert.strictEqual(utils.wetag(''),
+      'W/"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk"')
   })
 })