Release Plan: 5.1.0

[wesleytodd]

Remaining Work

• Release: 5.0.2 #6095
• Added check to support Uint8Array in response sending #6285

Dependency work

• accepts
• body-parser
  • Release v2.1.0 body-parser#578
  • Update type-is
    • update mime-types
      • update mime-db
• content-disposition
  • https://github.com/jshttp/content-disposition/pulls
  • Certain languages can't be matched correctly by the Regular Expression EXT_VALUE_REGEXP like en-US or zh_cn jshttp/content-disposition#47
  • refactor: use simplified basename function and remove dependency on node:path jshttp/content-disposition#68
  • Release: 1.0.1 jshttp/content-disposition#58
• content-type
  • ^ range d2de128
• cookie
  • ^ range af7cd90
• debug:
  • ^ range 85e48bb
  • chore(deps): update debug to ^4.4.0 #6313
• encodeurl
  • ^ range af7cd90
• escape-html
  • ^ range af7cd90
• etag
  • ^ range af7cd90
• finalhandler
  • feat(deps): [email protected] #6373
• fresh
  • ^ range af7cd90
• http-errors
  • ^ range af7cd90
  • https://github.com/jshttp/http-errors/pulls
• merge-descriptors: nothing
• mime-types
  • https://github.com/jshttp/mime-db/releases/tag/v1.54.0
  • Update mime-db to 1.54.0 (fix: update mime-db dependency to version 1.54.0 jshttp/mime-types#133)
• on-finished
  • ^ range af7cd90
• once
  • ^ range af7cd90
• parseurl
  • ^ range af7cd90
• proxy-addr
  • ^ range af7cd90
  • invalid range on address: 0.0.0.0/0 jshttp/proxy-addr#28 ???
• qs
  • fix(deps): qs@^6.14.0 #6374
• range-parser
  • ^ range af7cd90
• router
  • release: Release: 2.2.0 pillarjs/router#155
  • DEBUG=express:* does not work in [email protected] #6280
• send
  • https://github.com/pillarjs/send/pulls
  • update mime-types (deps: update mime-types to v3.0.1 pillarjs/send#251)
    • update mime-db
• serve-static
  • https://github.com/expressjs/serve-static/pulls
  • update send
    • update mime-types
      • update mime-db
• statuses
  • ^ range af7cd90
• type-is
• vary
  • ^ range af7cd90

Not planned for this release

• cookie-signature
  • Maintenance of this library tj/node-cookie-signature#36

[dpopp07]

I'm happy to open a small PR with the semver range changes.

[dpopp07]

PR to address router issue: pillarjs/router#151

Edit: sibling PR to the above for documenting the router change in the migration guide: expressjs/expressjs.com#1819

[UlisesGascon]

Ok, so following #6412 my current understanding of the release plan and the blockers is the following (@wesleytodd please edit this 🙏 ). Also I was fishing some items from expressjs/discussions#266

Current proposal

What's Changed

• Update captains by @UlisesGascon in Update captains #6027
• build: Node.js 23.0 by @bjohansebas in build: Node.js 23.0 #6075
• Add funding field (v5) by @bjohansebas in Add funding field (v5) #6064
• ✅ add discarded middleware test by @ctcpip in ✅ add discarded middleware test #5819
• update homepage link http to https by @bjohansebas in update homepage link http to https #5920
• Improve readme by @bjohansebas in Improve readme #5994
• Add bjohansebas as repo captain for expressjs.com by @crandmck in Add bjohansebas as repo captain for expressjs.com #6058
• Remove Object.setPrototypeOf polyfill by @Phillip9587 in Remove Object.setPrototypeOf polyfill #6081
• fix(buffer): use node:buffer instead of safe-buffer by @bhavya3024 in fix(buffer): use node:buffer instead of safe-buffer #6071
• docs: Add DCO by @UlisesGascon in docs: Add DCO #6048
• cleanup: remove promise support check from tests by @Phillip9587 in cleanup: remove promise support check from tests #6148
• Use loop for acceptParams by @blakeembrey in Use loop for acceptParams #6066
• Improve documentation step in release process by @bjohansebas in Improve documentation step in release process #6150
• cleanup: remove unnecessary require for global Buffer by @Phillip9587 in cleanup: remove unnecessary require for global Buffer #6146
• cleanup: remove AsyncLocalStorage check by @Phillip9587 in cleanup: remove AsyncLocalStorage check #6147
• update history.md for acceptParams change by @jonchurch in update history.md for acceptParams change #6177
• docs: add @rxmarbles to the triage team by @UlisesGascon in docs: add @rxmarbles to the triage team #6151
• refactor: improve readability by @sazk07 in refactor: improve readability #6173
• docs: clarify the security process in the triage role by @bjohansebas in docs: clarify the security process in the triage role #6217
• chore: replace methods dependency with standard library by @jonkoops in chore: replace methods dependency with standard library #6196
• Remove utils-merge dependency - use spread syntax instead by @Phillip9587 in Remove utils-merge dependency - use spread syntax instead #6091
• fix(securite): fix vulnerabilities by @Abdel-Monaam-Aouini in fix(securite): fix vulnerabilities #6211
• refactor: prefix built-in node module imports by @slagiewka in refactor: prefix built-in node module imports #6236
• fix: remove download size badges by @wesleytodd in fix: remove download size badges #6266
• Remove unused depd dependency by @jonkoops in Remove unused depd dependency #6197
• fix: usage of Invalid action input 'persist-credentials' for actions/setup-node@v4 in ci.yml by @hamirmahal in fix: usage of Invalid action input 'persist-credentials' for actions/setup-node@v4 in ci.yml #6256
• Add support for OSSF scorecard reporting by @UlisesGascon in Add support for OSSF scorecard reporting #5431
• docs: add @Phillip9587 to the triage team by @bjohansebas in docs: add @Phillip9587 to the triage team #6276
• fix: added a missing semicolon in css styles in examples/auth by @pr4j3sh in fix: added a missing semicolon in css styles in examples/auth #6297
• docs: include team email in the security policy by @UlisesGascon in docs: include team email in the security policy #6278
• refactor: simplify normalizeTypes function by @Ayoub-Mabrouk in refactor: simplify normalizeTypes function #6097
• ci: updated github actions ci workflow by @Phillip9587 in ci: updated github actions ci workflow #6314
• ci: fix npm install --include typo by @Phillip9587 in ci: fix npm install --include typo #6324
• ci: updated scorecard actions by @Phillip9587 in ci: updated scorecard actions #6322
• build(deps): use carat notation for dependency versions by @dpopp07 in build(deps): use carat notation for dependency versions #6317
• chore(deps): update debug to ^4.4.0 by @Phillip9587 in chore(deps): update debug to ^4.4.0 #6313
• docs: retroactively note 5.0.0-beta.1 api change in history file by @dpopp07 in docs: retroactively note 5.0.0-beta.1 api change in history file #6333
• feat(deps): body-parser@^2.1.0 by @wesleytodd in feat(deps): body-parser@^2.1.0 #6332
• feat(deps): router@^2.1.0 by @wesleytodd in feat(deps): router@^2.1.0 #6331
• Update repo captains by @UlisesGascon in Update repo captains #6234
• deps: upgrade nyc by @agungjati in deps: upgrade nyc #6122
• fix (deps): update deps by @wesleytodd in fix (deps): update deps #6337
• response: add support for ETag option in res.sendFile by @juanarbol in response: add support for ETag option in res.sendFile #6073
• Update multiple links to use https instead of http by @Phillip9587 in Update multiple links to use https instead of http #6338
• Extend res.links() to allow adding multiple links with the same rel Extend res.links() to allow adding multiple links with the same rel #2729 by @andvea in Extend res.links() to allow adding multiple links with the same rel #2729 #4885
• docs: update emeritus triagers by @UlisesGascon in docs: update emeritus triagers #6345
• docs: update guidance for triager nominations by @bjohansebas in docs: update guidance for triager nominations #6349
• docs: clarify guidelines for becoming a committer by @bjohansebas in docs: clarify guidelines for becoming a committer #6364
• Nominate @dpopp07 to the triage team by @UlisesGascon in Nominate @dpopp07 to the triage team #6352
• fix(deps): qs@^6.14.0 by @wesleytodd in fix(deps): qs@^6.14.0 #6374
• Add dependabot by @UlisesGascon in Add dependabot #5435
• fix dependabot config by @bjohansebas in fix dependabot config #6392
• build(deps): bump github/codeql-action from 3.24.7 to 3.28.11 by @dependabot in build(deps): bump github/codeql-action from 3.24.7 to 3.28.11 #6398
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot in build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 #6397
• feat(deps): [email protected] by @wesleytodd in feat(deps): [email protected] #6373

New Contributors

• @bhavya3024 made their first contribution in fix(buffer): use node:buffer instead of safe-buffer #6071
• @jonkoops made their first contribution in chore: replace methods dependency with standard library #6196
• @Abdel-Monaam-Aouini made their first contribution in fix(securite): fix vulnerabilities #6211
• @slagiewka made their first contribution in refactor: prefix built-in node module imports #6236
• @hamirmahal made their first contribution in fix: usage of Invalid action input 'persist-credentials' for actions/setup-node@v4 in ci.yml #6256
• @pr4j3sh made their first contribution in fix: added a missing semicolon in css styles in examples/auth #6297
• @Ayoub-Mabrouk made their first contribution in refactor: simplify normalizeTypes function #6097
• @dpopp07 made their first contribution in build(deps): use carat notation for dependency versions #6317
• @agungjati made their first contribution in deps: upgrade nyc #6122
• @andvea made their first contribution in Extend res.links() to allow adding multiple links with the same rel #2729 #4885
• @dependabot made their first contribution in build(deps): bump github/codeql-action from 3.24.7 to 3.28.11 #6398

Full Changelog: 5.0.1...master

Pending Work

Express Work

Potential additions
What do you think @wesleytodd? Maybe we can include them while unblocking other parts?

• Moves compileQueryParser to separate module #3259: requires some conflict work (ref).
• feat(response): new setting strict status codes #5856: Need some rework but seems like there is an agreement.
• Resolve paths for views asynchronously #2653: A quick win for performance but it will require some work (portentially)
• Move settings methods to app.settings and deprecate old versions #3714: Seems quite solid

Final Work

• Prepare a PR with the version bump to 5.1.0 and the full changelog (@wesleytodd )
• Create a github release and a git tag for 5.1.0 (@wesleytodd )
• Publish the version in npm (@wesleytodd)
• Social Media promotion (@wesleytodd )

Dependencies

Level 0 (Express itself)

• include [email protected] (@UlisesGascon ): deps: router@^2.2.0 #6417
• include [email protected] (@UlisesGascon ): deps: serve-static@^2.2.0 #6418
• include [email protected] (@UlisesGascon ): deps: body-parser@^2.2.0 #6419
• include [email protected] (@UlisesGascon ): deps: type-is@^2.0.1 #6420
• include [email protected] (@UlisesGascon ): deps: accepts@^3.0.0 #6416

Level 1

• content-disposition has no relevant changes or releases pending
• cookie has no relevant changes or releases pending
• proxy-addr has no relevant changes or releases pending
• [email protected]
  • land feat: deprecate non-native Promises pillarjs/router#154 (@UlisesGascon )
  • land chore: upgrade finalhandler to 2.1.0 pillarjs/router#153 (@UlisesGascon )
  • Prepare a Release [email protected] (@UlisesGascon ): Release 2.2.0 pillarjs/router#157
  • Publish on npm [email protected] (@UlisesGascon )
• vary has no relevant changes or releases pending
• [email protected]
  • include [email protected] (@UlisesGascon ): deps: [email protected] serve-static#196
  • land ci: updated ci workflow and remove appveyor serve-static#192
  • land chore(deps): remove devDependency safe-buffer serve-static#191
  • Prepare a Release [email protected] (@UlisesGascon ): Release 2.2.0 serve-static#197
  • Publish on npm [email protected] (@UlisesGascon )
• finalhandler has no relevant changes or releases pending
• [email protected]
  • include [email protected] (@UlisesGascon )
  • land Generic Body Parser body-parser#561 or yet another rebase! generic body parser body-parser#574 (@wesleytodd )
  • land fix(docs): replace var with let or const in ReadMe body-parser#581 (@UlisesGascon )
  • land chore: update test dependencies body-parser#585 (@UlisesGascon )
  • land dep: upgrade iconv-lite to ^0.6.3 body-parser#588 (@UlisesGascon )
  • land Refactor parameterCount to optimize performance body-parser#591 (@UlisesGascon )
  • land refactor: normalize common options for all parsers body-parser#551 semver-minor (@UlisesGascon )
  • Prepare a Release [email protected] (@UlisesGascon ): Release 2.2.0 body-parser#597
  • Publish on npm [email protected] (@UlisesGascon )

Level 2

• forwarded has no relevant changes or releases pending
• parseurl has no relevant changes or releases pending
• path-to-regexp has no relevant changes or releases pending
• [email protected]
  • check and land Replace deprecated String.prototype.substr() jshttp/type-is#50
  • check land land Adds support for HTAB as well as SP as whitespace separators in content-type headers jshttp/type-is#53
  • land Refactor normalizeType function to simplify return statement jshttp/type-is#61 (@UlisesGascon )
  • land Optimize argument handling in typeofrequest function jshttp/type-is#60 (@UlisesGascon )
  • land Refactor tryNormalizeType function for cleaner code jshttp/type-is#59 (@UlisesGascon )
  • Prepare a Release [email protected] (@UlisesGascon ): Release 2.0.1 jshttp/type-is#64
  • Publish on npm [email protected] (@UlisesGascon )
• [email protected]: We closed this as will not release.
  • include [email protected] (@UlisesGascon ): deps: mime-types@^3.0.1 jshttp/accepts#42
  • create git tag and release for 2.0.0 that is missing (@UlisesGascon ): https://github.com/jshttp/accepts/releases/tag/2.0.0
  • Fix engines in v2 branch (@UlisesGascon ): fix: update engines field jshttp/accepts#43
  • Prepare a Release [email protected] (@UlisesGascon ): Release 3.0.0 jshttp/accepts#44
  • Publish on npm [email protected] (@UlisesGascon )
• [email protected]
  • include [email protected] (@UlisesGascon ): deps: update mime-types to v3.0.1 pillarjs/send#251
  • We need to plan a major (due BREAKING Change: chore(deps): updated dependency fresh to v2 pillarjs/send#247) (@UlisesGascon)
  • Prepare a Release [email protected] (@UlisesGascon ): Release 1.2.0 pillarjs/send#252
  • Publish on npm [email protected] (@UlisesGascon )

Level 3

• content-type has no relevant changes or releases pending
• encodeurl has no relevant changes or releases pending
• etag has no relevant changes or releases pending
• fresh has no relevant changes or releases pending
• [email protected]
  • land fix: update mime-db dependency to version 1.54.0 jshttp/mime-types#133 (@UlisesGascon )
  • Prepare a Release [email protected] (@UlisesGascon ): Release 3.0.1 jshttp/mime-types#134
  • Publish on npm [email protected] (@UlisesGascon )
• media-typer has no relevant changes or releases pending
• negotiator has no relevant changes or releases pending
• on-finished has no relevant changes or releases pending
• range-parser has no relevant changes or releases pending
• http-errors has no relevant changes or releases pending

Level 4

• [email protected] is out (npm, release details)
• statuses has no relevant changes or releases pending

[bjohansebas]

Btw, the change of engines in path-to-regexp needs to be a major release.

[UlisesGascon]

Btw, the change of engines in path-to-regexp needs to be a major release.

True! actually if we want to go with 9.0.0 is a good option, otherwise I can revert the commit partially to be semver compatible. WDYT (@bjohansebas @wesleytodd ) ?

[bjohansebas]

I think we should stick to version 8. I don't think we should release another version of path-to-regexp unless we want to make other types of changes (such as releasing a dual package (commonjs and ems), moving to ESM, or achieving safer regex for string patterns).

[jonkoops]

What is the ESM transition plan for these dependencies (if any)? In April, support for Node.js 18 will be dropped, which is the last version of Node.js that does not support interoperability between CommonJS and ESM. So technically, that would be a good moment to raise the minimum version and do a full ESM conversion. If you are short on hands for this effort, I can volunteer my time to get it done, if so desired.

[panva]

Is 5.1.0 going to be tagged as @latest on npm?

[bjohansebas]

Yes, 5.1.0 will be the latest version when it is released

[panva]

That's good to know, issues spanning from req.host not being an actual url host component (i.e. incl. port) will go away as people slowly upgrade. So far with v5 being tagged as @next it was hard to get people to upgrade.

[wesleytodd]

What is the ESM transition plan for these dependencies

@jonkoops, you can read more about that here: expressjs/discussions#323

Is 5.1.0 going to be tagged as @latest on npm?

express and all of it's direct dependents we had kept at next while express was will be going latest.

That's good to know, issues spanning from req.host not being an actual url host component (i.e. incl. port) will go away as people slowly upgrade. So far with v5 being tagged as @next it was hard to get people to upgrade.

@panva Do you have some node issues I can link to when we talk about this? It is near impossible to get folks to upgrade even if it is latest but we can try with good messaging.

[panva]

Do you have some node issues I can link to when we talk about this? It is near impossible to get folks to upgrade even if it is latest but we can try with good messaging.

@wesleytodd Having express as a dependency of a passport strategy - it is a real struggle to be able to determine the request's original href without both replicating express' internals and changing the resolution code based on the app's trust proxy setting. This is stemming from the fact that req.host in v4 is the hostname and not the host and there's no host getter that would take trust proxy into consideration.

refs: panva/openid-client#767, panva/openid-client#743, panva/openid-client#733, panva/openid-client#746, panva/openid-client#713, panva/openid-client#714

v5 behaves as expected but unfortunately in v4 the code doesn't work for development on localhost with arbitrary ports, and in production with non http scheme default ports (i.e. other than 80 and 443).

I've resisted the pressure of accomodating the bugged v4 behaviour and just explained to users they need to either upgrade to v5 or overload the method that returns the current URL in development setups. In v4 the req.host should have been fixed instead of being deprecated and console warned upon use in the first place. I get a few issues opened every now and then because of it.

It is near impossible to get folks to upgrade even if it is latest but we can try with good messaging.

I get that. But at least having latest be v5 means new apps will default to v5 with npm i express and the transition to v5 can begin for real in userland.

[jonkoops]

@jonkoops, you can read more about that here: expressjs/discussions#323

Thanks, I will subscribe there 👍

[wesleytodd]

Proposed release: #6425

I will close this in favor of moving any conversation there now that we have a PR.