Release changelog

All the latest updates, improvements, and fixes to Express

Express v5

5.1.0 - Release date: 2025-03-31

The 5.1.0 minor release includes some new features and improvements:

• Support for sending responses as Uint8Array
• Added support for ETag option in res.sendFile()
• Added support for adding multiple links with the same rel with res.links()
• Performance: Use loop for acceptParams
• body-parser@2.2.0
  • Remove legacy node.js support checks for Brotli & AsyncLocalStorage
  • Remove unpipe & destroy
• router@2.2.0
  • Restore debug. Now with the router scope instead of express.
  • Remove legacy node.js support checks for setImmediate
  • Deprecate non-native promise support
  • Remove after, safe-buffer, array-flatten, setprotoypeof, methods, utils-merge
• finalhandler@2.1.0
  • Remove legacy node.js support checks for headersSent, setImmediate, & http2 support
  • Remove unpipe
• Transitioned all remaining dependencies to use ^ ranges instead of locked versions
• Add package.json funding field to highlight our OpenCollective
• See Changelog v5.1.0

5.0.1 - Release date: 2024-10-08

The 5.0.1 patch release includes one security fix:

• Update jshttps/cookie to address a vulnerability.

5.0.0 - Release date: 2024-09-09

Check the migration guide with all the changes in this new version of Express.

Express v4

4.21.2 - Release date: 2024-11-06

The 4.21.2 patch release includes one security fix:

• Update pillajs/path-to-regexp to address a vulnerability.

4.21.1 - Release date: 2024-10-08

The 4.21.1 patch release includes one security fix:

• Update jshttps/cookie to address a vulnerability.

4.21.0 - Release date: 2024-09-11

The 4.21.0 minor release includes one new feature:

• Deprecate res.location("back") and res.redirect("back") magic string

4.20.0 - Release date: 2024-09-10

The 4.20.0 minor release includes bug fixes and some new features, including:

• The res.clearCookie() method deprecates options.maxAge and options.expires options.
• The res.redirect() method removes HTML link rendering.
• The express.urlencoded() method method now has a depth level of 32, whereas it was previously Infinity.
• Adds support for named matching groups in the routes using a regex
• Removes encoding of \, |, and ^ to align better with URL spec

For a complete list of changes in this release, see History.md

4.19.2 - Release date: 2024-03-25

• Improved fix for open redirect allow list bypass

For a complete list of changes in this release, see History.md

4.19.1 - Release date: 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

For a complete list of changes in this release, see History.md

4.19.0 - Release date: 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: cookie@0.6.0

For a complete list of changes in this release, see History.md

4.18.3 - Release date: 2024-02-29

The 4.18.3 patch release includes the following bug fix:

• Fix routing requests without method. (commit)

For a complete list of changes in this release, see History.md

4.18.2 - Release date: 2022-10-08

The 4.18.2 patch release includes the following bug fix:

• Fix regression routing a large stack in a single route. (commit)

For a complete list of changes in this release, see History.md

4.18.1 - Release date: 2022-04-29

The 4.18.1 patch release includes the following bug fix:

• Fix the condition where if an Express application is created with a very large stack of routes, and all of those routes are sync (call next() synchronously), then the request processing may hang.

For a complete list of changes in this release, see History.md.

4.18.0 - Release date: 2022-04-25

The 4.18.0 minor release includes bug fixes and some new features, including:

• The app.get() method and the app.set() method now ignores properties directly on Object.prototype when getting a setting value.

• The res.cookie() method now accepts a “priority” option to set the Priority attribute on the Set-Cookie response header.

• The res.cookie() method now rejects an Invalid Date object provided as the “expires” option.

• The res.cookie() method now works when null or undefined is explicitly provided as the “maxAge” argument.

• Starting with this version, Express supports Node.js 18.x.

• The res.download() method now accepts a “root” option to match res.sendFile().

• The res.download() method can be supplied with an options object without providing a filename argument, simplifying calls when the default filename is desired.

• The res.format() method now invokes the provided “default” handler with the same arguments as the type handlers (req, res, and next).

• The res.send() method will not attempt to send a response body when the response code is set to 205.

• The default error handler will now remove certain response headers that will break the error response rendering, if they were set previously.

• The status code 425 is now represented as the standard “Too Early” instead of “Unordered Collection”.

For a complete list of changes in this release, see History.md.

4.17.3 - Release date: 2022-02-16

The 4.17.3 patch release includes one bug fix:

• Update to qs module for a fix around parsing __proto__ properties.

For a complete list of changes in this release, see History.md.

4.17.2 - Release date: 2021-12-16

The 4.17.2 patch release includes the following bug fixes:

• Fix handling of undefined in res.jsonp when a callback is provided.

• Fix handling of undefined in res.json and res.jsonp when "json escape" is enabled.

• Fix handling of invalid values to the maxAge option of res.cookie().

• Update to jshttp/proxy-addr module to use req.socket over deprecated req.connection.

• Starting with this version, Express supports Node.js 14.x.

For a complete list of changes in this release, see History.md.

4.17.1 - Release date: 2019-05-25

The 4.17.1 patch release includes one bug fix:

• The change to the res.status() API has been reverted due to causing regressions in existing Express 4 applications.

For a complete list of changes in this release, see History.md.

4.17.0 - Release date: 2019-05-16

The 4.17.0 minor release includes bug fixes and some new features, including:

• The express.raw() and express.text() middleware have been added to provide request body parsing for more raw request payloads. This uses the expressjs/body-parser module module underneath, so apps that are currently requiring the module separately can switch to the built-in parsers.

• The res.cookie() API now supports the "none" value for the sameSite option.

• When the "trust proxy" setting is enabled, the req.hostname now supports multiple X-Forwarded-For headers in a request.

• Starting with this version, Express supports Node.js 10.x and 12.x.

• The res.sendFile() API now provides and more immediate and easier to understand error when a non-string is passed as the path argument.

• The res.status() API now provides and more immediate and easier to understand error when null or undefined is passed as the argument.

For a complete list of changes in this release, see History.md.

4.16.4 - Release date: 2018-10-10

The 4.16.4 patch release includes various bug fixes:

• Fix issue where "Request aborted" may be logged in res.sendfile.

For a complete list of changes in this release, see History.md.

4.16.3 - Release date: 2018-03-12

The 4.16.3 patch release includes various bug fixes:

• Fix issue where a plain % at the end of the url in the res.location method or the res.redirect method would not get encoded as %25.

• Fix issue where a blank req.url value can result in a thrown error within the default 404 handling.

• Fix the generated HTML document for express.static redirect responses to properly include </html>.

For a complete list of changes in this release, see History.md.

4.16.2 - Release date: 2017-10-09

The 4.16.2 patch release includes a regression bug fix:

• Fix a TypeError that can occur in the res.send method when a Buffer is passed to res.send and the ETag header is already set on the response.

For a complete list of changes in this release, see History.md.

4.16.1 - Release date: 2017-09-29

The 4.16.1 patch release includes a regression bug fix:

• Update to pillarjs/send module to fix an edge case scenario regression that affected certain users of express.static.

For a complete list of changes in this release, see History.md.

4.16.0 - Release date: 2017-09-28

The 4.16.0 minor release includes security updates, bug fixes, performance enhancements, and some new features, including:

• Update to jshttp/forwarded module to address a vulnerability. req.host, req.hostname, req.ip, req.ips, req.protocol을 사용하는 애플리케이션에 영향을 끼칠 수 있습니다.

• Update a dependency of the pillarjs/send module to address a vulnerability in the mime dependency. This may affect your application if untrusted string input is passed to the following APIs: res.type().

• The pillarjs/send module has implemented a protection against the Node.js 8.5.0 vulnerability. Using any prior version of Express with Node.js 8.5.0 (that specific Node.js version) will make the following APIs vulnerable: express.static, res.sendfile, and res.sendFile.

• Starting with this version, Express supports Node.js 8.x.

• The new setting "json escape" can be enabled to escape characters in res.json(), res.jsonp() and res.send() responses that can trigger clients to sniff the response as HTML instead of honoring the Content-Type. This can help protect an Express app from a class of persistent XSS-based attacks.

• The res.download() method now accepts an optional options object.

• The express.json() and express.urlencoded() middleware have been added to provide request body parsing support out-of-the-box. This uses the expressjs/body-parser module module underneath, so apps that are currently requiring the module separately can switch to the built-in parsers.

• The express.static() middleware and res.sendFile() method now support setting the immutable directive on the Cache-Control header. Setting this header with an appropriate maxAge will prevent supporting web browsers from sending any request to the server when the file is still in their cache.

• The pillarjs/send module has an updated list of MIME types to better set the Content-Type of more files. There are 70 new types for file extensions.

For a complete list of changes in this release, see History.md.

4.15.5 - Release date: 2017-09-24

The 4.15.5 patch release includes security updates, some minor performance enhancements, and a bug fix:

• Update to debug module to address a vulnerability, but this issue does not impact Express.

• Update to jshttp/fresh module to address a vulnerability. express.static, req.fresh, res.json, res.jsonp, res.send, res.sendfile res.sendFile, res.sendStatus를 사용하고 있는 애플리케이션에 영향을 끼칩니다.

• Update to jshttp/fresh module fixes handling of modified headers with invalid dates and makes parsing conditional headers (like If-None-Match) faster.

For a complete list of changes in this release, see History.md.

4.15.4 - Release date: 2017-08-06

The 4.15.4 patch release includes some minor bug fixes:

• Fix array being set for "trust proxy" value being manipulated in certain conditions.

For a complete list of changes in this release, see History.md.

4.15.3 - Release date: 2017-05-16

The 4.15.3 patch release includes a security update and some minor bug fixes:

• Update a dependency of the pillarjs/send module to address a vulnerability. 애플리케이션이 express.static, res.sendfile, res.sendFile의 maxAge 옵션에 Untrusted 문자열을 입력받고 있으면 영향을 끼칠 수 있습니다.

• Fix error when res.set cannot add charset to Content-Type.

• Fix missing </html> in HTML document.

For a complete list of changes in this release, see History.md.

4.15.2 - Release date: 2017-03-06

The 4.15.2 patch release includes a minor bug fix:

• Fix regression parsing keys starting with [ in the extended (default) query parser.

For a complete list of changes in this release, see History.md.

4.15.1 - Release date: 2017-03-05

The 4.15.1 patch release includes a minor bug fix:

• Fix compatibility issue when using the datejs 1.x library where the express.static() middleware and res.sendFile() method would incorrectly respond with 412 Precondition Failed.

For a complete list of changes in this release, see History.md.

4.15.0 - Release date: 2017-03-01

The 4.15.0 minor release includes bug fixes, performance improvements, and other minor feature additions, including:

• Starting with this version, Express supports Node.js 7.x.

• The express.static() middleware and res.sendFile() method now support the If-Match and If-Unmodified-Since request headers.

• Update to jshttp/etag module to generate the default ETags for responses which work when Node.js has FIPS-compliant crypto enabled.

• Various auto-generated HTML responses like the default not found and error handlers will respond with complete HTML 5 documents and additional security headers.

For a complete list of changes in this release, see History.md.

4.14.1 - Release date: 2017-01-28

The 4.14.1 patch release includes bug fixes and performance improvements, including:

• Update to pillarjs/finalhandler module fixes an exception when Express handles an Error object which has a headers property that is not an object.

For a complete list of changes in this release, see History.md.

4.14.0 - Release date: 2016-06-16

The 4.14.0 minor release includes bug fixes, security update, performance improvements, and other minor feature additions, including:

• Starting with this version, Express supports Node.js 6.x.

• Update to jshttp/negotiator module fixes a regular expression denial of service vulnerability.

• The res.sendFile() method now accepts two new options: acceptRanges and cacheControl.

  • acceptRanges (defaut is true), enables or disables accepting ranged requests. When disabled, the response does not send the Accept-Ranges header and ignores the contents of the Range request header.

  • cacheControl, (default is true), enables or disables the Cache-Control response header. Disabling it will ignore the maxAge option.

  • res.sendFile has also been updated to handle Range header and redirections better.

    </li>

  • The res.location() method and res.redirect() method will now URL-encode the URL string, if it is not already encoded.

  • The performance of the res.json() method and res.jsonp() method have been improved in the common cases.

  • The jshttp/cookie module (in addition to a number of other improvements) has been updated and now the res.cookie() method supports the sameSite option to let you specify the SameSite cookie attribute.

  Note

  This attribute has not yet been fully standardized, may change in the future, and many clients may ignore it.
  

  The possible value for the sameSite option are:

  • true, which sets the SameSite attribute to Strict for strict same site enforcement.
  • false, which does not set the SameSite attribute.
  • 'lax', which sets the SameSite attribute to Lax for lax same site enforcement.

  • 'strict', which sets the SameSite attribute to Strict for strict same site enforcement.

    </li>

  • Absolute path checking on Windows, which was incorrect for some cases, has been fixed.

  • IP address resolution with proxies has been greatly improved.

  • The req.range() method options object now supports a combine option (false by default), which when true, combines overlapping and adjacent ranges and returns them as if they were specified that way in the header.

  </ul>

  For a complete list of changes in this release, see History.md.

  </div>