Skip to content

Release: 4.21.2 #6094

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jonchurch merged 1 commit into from
Dec 5, 2024
Merged

Release: 4.21.2 #6094

jonchurch merged 1 commit into from
Dec 5, 2024
+2 −2

Conversation

@UlisesGascon
Copy link
Member

@UlisesGascon UlisesGascon commented Oct 29, 2024
edited by jonchurch
Loading

Plan to release it on Nov 06

What's included in the HISTORY.md

What's Changed

Full Changelog: 4.21.1...4.x

@UlisesGascon UlisesGascon self-assigned this Oct 29, 2024
@wesleytodd
Copy link
Member

wesleytodd commented Oct 29, 2024

Same comment as here: expressjs/discussions#228 (comment)

I think we need more eyes on the funding field before we publish. Ideally a change like this would be reviewed by a few members of the TC before landing since it is often considered a sensitive issue.

@NewEraCracker
Copy link

NewEraCracker commented Oct 31, 2024

Just release it. It is Oct 31st.

The funding field is only some metadata npm adds on the package-lock.json for people who install this version.

@UlisesGascon UlisesGascon requested a review from a team November 6, 2024 11:10
@UlisesGascon

This comment was marked as off-topic.

Sign in to view
@UlisesGascon
Copy link
Member Author

UlisesGascon commented Nov 7, 2024

We plan to include a security patch too so this release is on hold now

@UlisesGascon UlisesGascon marked this pull request as draft November 7, 2024 10:05
@NewEraCracker
Copy link

NewEraCracker commented Nov 8, 2024

@UlisesGascon

We plan to include a security patch too so this release is on hold now

Can you please disclose how serious (low, medium, high) it is? Does it impact a dependency or express code itself? Can it be sorted by npm overrides?

We are kind of aggressive with user input and never pass untrusted/unfiltered parameters to express functions.

@wesleytodd
Copy link
Member

wesleytodd commented Nov 8, 2024
edited
Loading

I believe we are undecided if it is really a security issue after investigation. And even if we were we would not disclose information about it until we had a patch.

@UlisesGascon @jonchurch
4.21.2
009a03b 
Signed-off-by: Ulises Gascon <[email protected]>
@jonchurch jonchurch marked this pull request as ready for review December 5, 2024 22:21
@jonchurch jonchurch merged commit 1faf228 into 4.x Dec 5, 2024
47 checks passed
@MilkaChucky MilkaChucky mentioned this pull request Dec 5, 2024
Merged
@holkeri holkeri mentioned this pull request Dec 6, 2024
Merged
@UlisesGascon UlisesGascon deleted the release/4.21.2 branch December 20, 2024 19:45
@Tobbe Tobbe mentioned this pull request Dec 26, 2024
Merged
This was referenced Aug 15, 2025
Closed
Closed
Closed
Closed
Closed
This was referenced Aug 24, 2025
Closed
Closed
Closed
MightyPrytanis added a commit to MightyPrytanis/codebase that referenced this pull request Dec 28, 2025
@MightyPrytanis
[Snyk] Upgrade express from 4.21.2 to 4.22.1 (#87)
8a9b27c 
![snyk-top-banner](https://res.cloudinary.com/snyk/image/upload/r-d/scm-platform/snyk-pull-requests/pr-banner-default.svg)


<h3>Snyk has created this PR to upgrade express from 4.21.2 to
4.22.1.</h3>

:information_source: Keep your dependencies up-to-date. This makes it
easier to fix existing vulnerabilities and to more quickly identify and
fix newly disclosed vulnerabilities when they affect your project.

<hr/>


- The recommended version is **2 versions** ahead of your current
version.

- The recommended version was released **23 days ago**.



<details>
<summary><b>Release notes</b></summary>
<br/>
  <details>
    <summary>Package name: <b>express</b></summary>
    <ul>
      <li>
<b>4.22.1</b> - <a
href="https://redirect.github.com/expressjs/express/releases/tag/v4.22.1">2025-12-01</a></br><h2>What's
Changed</h2>
<div class="markdown-alert markdown-alert-important"><p
class="markdown-alert-title"><svg class="octicon octicon-report mr-2"
viewBox="0 0 16 16" version="1.1" width="16" height="16"
aria-hidden="true"><path d="M0 1.75C0 .784.784 0 1.75 0h12.5C15.216 0 16
.784 16 1.75v9.5A1.75 1.75 0 0 1 14.25 13H8.06l-2.573 2.573A1.458 1.458
0 0 1 3 14.543V13H1.75A1.75 1.75 0 0 1 0 11.25Zm1.75-.25a.25.25 0 0
0-.25.25v9.5c0 .138.112.25.25.25h2a.75.75 0 0 1
.75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h6.5a.25.25 0 0 0
.25-.25v-9.5a.25.25 0 0 0-.25-.25Zm7 2.25v2.5a.75.75 0 0 1-1.5
0v-2.5a.75.75 0 0 1 1.5 0ZM9 9a1 1 0 1 1-2 0 1 1 0 0 1 2
0Z"></path></svg>Important</p><p>The prior release (4.22.0) included an
erroneous breaking change related to the extended query parser. There is
no actual security vulnerability associated with this behavior (<a
title="CVE-2024-51999" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-pj86-cfqh-vqx6/hovercard"
href="https://redirect.github.com/advisories/GHSA-pj86-cfqh-vqx6">CVE-2024-51999</a>
has been rejected). The change has been fully reverted in this
release.</p>
</div>
<ul>
<li>Release: 4.22.1 by <a class="user-mention notranslate"
data-hovercard-type="user"
data-hovercard-url="/users/UlisesGascon/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/UlisesGascon">@ UlisesGascon</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="3682359911" data-permission-text="Title is private"
data-url="expressjs/express#6934"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6934/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6934">#6934</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a class="commit-link"
href="https://redirect.github.com/expressjs/express/compare/4.22.0...v4.22.1"><tt>4.22.0...v4.22.1</tt></a></p>
      </li>
      <li>
<b>4.22.0</b> - <a
href="https://redirect.github.com/expressjs/express/releases/tag/4.22.0">2025-12-01</a></br><h2>Important:
Security</h2>
<ul>
<li>Security fix for <a
href="https://www.cve.org/CVERecord?id=CVE-2024-51999"
rel="nofollow">CVE-2024-51999</a> (<a
href="https://redirect.github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6">GHSA-pj86-cfqh-vqx6</a>)</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>Refactor: improve readability by <a class="user-mention notranslate"
data-hovercard-type="user" data-hovercard-url="/users/sazk07/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/sazk07">@ sazk07</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="2699832614" data-permission-text="Title is private"
data-url="expressjs/express#6190"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6190/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6190">#6190</a></li>
<li>ci: add support for [email protected] by <a class="user-mention
notranslate" data-hovercard-type="user"
data-hovercard-url="/users/UlisesGascon/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/UlisesGascon">@ UlisesGascon</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="2600747827" data-permission-text="Title is private"
data-url="expressjs/express#6080"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6080/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6080">#6080</a></li>
<li>Method functions with no path should error by <a class="user-mention
notranslate" data-hovercard-type="user"
data-hovercard-url="/users/wesleytodd/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/wesleytodd">@ wesleytodd</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="2523063687" data-permission-text="Title is private"
data-url="expressjs/express#5957"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/5957/hovercard"
href="https://redirect.github.com/expressjs/express/pull/5957">#5957</a></li>
<li>ci: updated github actions ci workflow by <a class="user-mention
notranslate" data-hovercard-type="user"
data-hovercard-url="/users/Phillip9587/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/Phillip9587">@ Phillip9587</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="2832891965" data-permission-text="Title is private"
data-url="expressjs/express#6323"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6323/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6323">#6323</a></li>
<li>ci: reorder <code>npm i</code> steps to fix ci for older node
versions by <a class="user-mention notranslate"
data-hovercard-type="user"
data-hovercard-url="/users/Phillip9587/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/Phillip9587">@ Phillip9587</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="2849001182" data-permission-text="Title is private"
data-url="expressjs/express#6336"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6336/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6336">#6336</a></li>
<li>Backport: ci: add node.js 24 to test matrix by <a
class="user-mention notranslate" data-hovercard-type="user"
data-hovercard-url="/users/Phillip9587/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/Phillip9587">@ Phillip9587</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="3048978479" data-permission-text="Title is private"
data-url="expressjs/express#6506"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6506/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6506">#6506</a></li>
<li>chore(4.x): wider range for query test skip by <a
class="user-mention notranslate" data-hovercard-type="user"
data-hovercard-url="/users/jonchurch/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/jonchurch">@ jonchurch</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="3064505138" data-permission-text="Title is private"
data-url="expressjs/express#6513"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6513/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6513">#6513</a></li>
<li>use tilde notation for certain dependencies by <a
class="user-mention notranslate" data-hovercard-type="user"
data-hovercard-url="/users/UlisesGascon/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/UlisesGascon">@ UlisesGascon</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="3647756531" data-permission-text="Title is private"
data-url="expressjs/express#6905"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6905/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6905">#6905</a></li>
<li>deps: [email protected] by <a class="user-mention notranslate"
data-hovercard-type="user"
data-hovercard-url="/users/UlisesGascon/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/UlisesGascon">@ UlisesGascon</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="3651273165" data-permission-text="Title is private"
data-url="expressjs/express#6909"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6909/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6909">#6909</a></li>
<li>deps: use tilde notation for <code>qs</code> by <a
class="user-mention notranslate" data-hovercard-type="user"
data-hovercard-url="/users/Phillip9587/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/Phillip9587">@ Phillip9587</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="3664544540" data-permission-text="Title is private"
data-url="expressjs/express#6919"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6919/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6919">#6919</a></li>
<li>Release: 4.22.0 by <a class="user-mention notranslate"
data-hovercard-type="user"
data-hovercard-url="/users/UlisesGascon/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/UlisesGascon">@ UlisesGascon</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="3664588541" data-permission-text="Title is private"
data-url="expressjs/express#6921"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6921/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6921">#6921</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a class="commit-link"
href="https://redirect.github.com/expressjs/express/compare/4.21.2...4.22.0"><tt>4.21.2...4.22.0</tt></a></p>
      </li>
      <li>
<b>4.21.2</b> - <a
href="https://redirect.github.com/expressjs/express/releases/tag/4.21.2">2024-12-05</a></br><h2>What's
Changed</h2>
<ul>
<li>Add funding field (v4) by <a class="user-mention notranslate"
data-hovercard-type="user"
data-hovercard-url="/users/bjohansebas/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/bjohansebas">@ bjohansebas</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="2593149488" data-permission-text="Title is private"
data-url="expressjs/express#6065"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6065/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6065">#6065</a></li>
<li>deps: [email protected] by <a class="user-mention notranslate"
data-hovercard-type="user"
data-hovercard-url="/users/blakeembrey/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/blakeembrey">@ blakeembrey</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="2523061308" data-permission-text="Title is private"
data-url="expressjs/express#5956"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/5956/hovercard"
href="https://redirect.github.com/expressjs/express/pull/5956">#5956</a></li>
<li>deps: bump [email protected] by <a class="user-mention
notranslate" data-hovercard-type="user"
data-hovercard-url="/users/jonchurch/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/jonchurch">@ jonchurch</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="2721541419" data-permission-text="Title is private"
data-url="expressjs/express#6209"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6209/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6209">#6209</a></li>
<li>Release: 4.21.2 by <a class="user-mention notranslate"
data-hovercard-type="user"
data-hovercard-url="/users/UlisesGascon/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://redirect.github.com/UlisesGascon">@ UlisesGascon</a> in <a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="2621467921" data-permission-text="Title is private"
data-url="expressjs/express#6094"
data-hovercard-type="pull_request"
data-hovercard-url="/expressjs/express/pull/6094/hovercard"
href="https://redirect.github.com/expressjs/express/pull/6094">#6094</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a class="commit-link"
href="https://redirect.github.com/expressjs/express/compare/4.21.1...4.21.2"><tt>4.21.1...4.21.2</tt></a></p>
      </li>
    </ul>
from <a
href="https://redirect.github.com/expressjs/express/releases">express
GitHub release notes</a>
  </details>
</details>

---

> [!IMPORTANT]
>
> - Check the changes in this PR to ensure they won't cause issues with
your project.
> - This PR was automatically created by Snyk using the credentials of a
real user.

---

**Note:** _You are seeing this because you or someone else with access
to this repository has authorized Snyk to open upgrade PRs._

**For more information:** <img
src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiI2MTdiNTRmZi05NzhlLTRjMjMtOTk1Yy0zZDY1MmU5M2Y5YmEiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6IjYxN2I1NGZmLTk3OGUtNGMyMy05OTVjLTNkNjUyZTkzZjliYSJ9fQ=="
width="0" height="0"/>

> - 🧐 [View latest project
report](https://app.snyk.io/org/mightyprytanis/project/bcb5f568-d266-4cb2-8e80-1c9ebed57c1b?utm_source&#x3D;github&amp;utm_medium&#x3D;referral&amp;page&#x3D;upgrade-pr)
> - 📜 [Customise PR
templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates?utm_source=&utm_content=fix-pr-template)
> - 🛠 [Adjust upgrade PR
settings](https://app.snyk.io/org/mightyprytanis/project/bcb5f568-d266-4cb2-8e80-1c9ebed57c1b/settings/integration?utm_source&#x3D;github&amp;utm_medium&#x3D;referral&amp;page&#x3D;upgrade-pr)
> - 🔕 [Ignore this dependency or unsubscribe from future upgrade
PRs](https://app.snyk.io/org/mightyprytanis/project/bcb5f568-d266-4cb2-8e80-1c9ebed57c1b/settings/integration?pkg&#x3D;express&amp;utm_source&#x3D;github&amp;utm_medium&#x3D;referral&amp;page&#x3D;upgrade-pr#auto-dep-upgrades)

[//]: #
'snyk:metadata:{"breakingChangeRiskLevel":null,"FF_showPullRequestBreakingChanges":false,"FF_showPullRequestBreakingChangesWebSearch":false,"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"express","from":"4.21.2","to":"4.22.1"}],"env":"prod","hasFixes":false,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[],"prId":"617b54ff-978e-4c23-995c-3d652e93f9ba","prPublicId":"617b54ff-978e-4c23-995c-3d652e93f9ba","packageManager":"npm","priorityScoreList":[],"projectPublicId":"bcb5f568-d266-4cb2-8e80-1c9ebed57c1b","projectUrl":"https://app.snyk.io/org/mightyprytanis/project/bcb5f568-d266-4cb2-8e80-1c9ebed57c1b?utm_source=github&utm_medium=referral&page=upgrade-pr","prType":"upgrade","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":[],"type":"auto","upgrade":[],"upgradeInfo":{"versionsDiff":2,"publishedDate":"2025-12-01T20:50:41.122Z"},"vulns":[]}'
@StanleyMasinde StanleyMasinde mentioned this pull request Jan 1, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@blakeembrey blakeembrey blakeembrey approved these changes

Assignees

@UlisesGascon UlisesGascon

Labels

4.x release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@UlisesGascon @wesleytodd @NewEraCracker @blakeembrey @jonchurch @bjohansebas