Skip to content

chore(deps): update dependency express to v4.22.0 [security] #416

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 2, 2025
Merged

chore(deps): update dependency express to v4.22.0 [security] #416

merged 1 commit into from
Dec 2, 2025
+33 −18

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Dec 1, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
express (source) 4.21.2 -> 4.22.0 age confidence

GitHub Vulnerability Alerts

CVE-2024-51999

Withdrawn Advisory

This advisory has been withdrawn because it describes a correctness bug, not a vulnerability with real security impact. This link is maintained to preserve external references.

Original Description

Impact

when using the extended query parser in express ('query parser': 'extended'), the request.query object inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property names

Important

the extended query parser is the default in express 4; this was changed in express 5 which by default uses the simple query parser

Patches

the issue has been patched to ensure request.query is a plain object so request.query no longer has object prototype properties. this brings the default behavior of extended query parsing in line with express's default simple query parser

Workaround

this only impacts users using extended query parsing ('query parser': 'extended'), which is the default in express 4, but not express 5. all users are encouraged to upgrade to the patched versions, but can otherwise work around this issue:

provide qs directly and specify plainObjects: true

app.set('query parser',
  function (str) {
    return qs.parse(str, {
      plainObjects: true
  });
});

Release Notes

expressjs/express (express)

v4.22.0

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner December 1, 2025 20:28
kodiakhq[bot]
kodiakhq bot previously approved these changes Dec 1, 2025
View reviewed changes
@netlify
Copy link

netlify bot commented Dec 1, 2025
edited
Loading

Deploy Preview for angular-runtime-demo ready!

Name Link
🔨 Latest commit ec991fe
🔍 Latest deploy log https://app.netlify.com/projects/angular-runtime-demo/deploys/692f38d67a353d0008ce366d
😎 Deploy Preview https://deploy-preview-416--angular-runtime-demo.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@github-actions github-actions bot added the type: chore work needed to keep the product and development running smoothly label Dec 1, 2025
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 6bb942c to ec991fe Compare December 2, 2025 19:06
@renovate renovate bot enabled auto-merge (squash) December 2, 2025 19:06
@renovate renovate bot changed the title chore(deps): update dependency express to v5 [security] chore(deps): update dependency express to v4.22.0 [security] Dec 2, 2025
@renovate renovate bot merged commit 7168e96 into main Dec 2, 2025
18 checks passed
@renovate renovate bot deleted the renovate/npm-express-vulnerability branch December 2, 2025 19:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kodiakhq kodiakhq[bot] kodiakhq[bot] approved these changes

Assignees

No one assigned

Labels

dependencies javascript type: chore work needed to keep the product and development running smoothly

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant