|
| 1 | +--- |
| 2 | +title: "Spring Cleaning in Express.js: Deprecations and the Path Ahead" |
| 3 | +tags: news |
| 4 | +author: Express Technical Committee |
| 5 | +description: As part of a broader effort to modernize and streamline Express.js, we’ve deprecated several outdated packages including csurf, connect-multiparty, and path-match. Learn why we made these changes and what it means for the future of the framework. |
| 6 | +--- |
| 7 | + |
| 8 | +As Express.js continues to power web applications across the world, it's important that we maintain a clean, reliable, and modern codebase. In that spirit, we've done a bit of spring cleaning. |
| 9 | + |
| 10 | +Over the past few weeks, we've evaluated legacy packages within the Express.js ecosystem — some of which have become outdated, unmaintained, or misaligned with modern best practices. As a result, we’ve officially deprecated several of them. |
| 11 | + |
| 12 | +## 🚨 Packages Deprecated |
| 13 | + |
| 14 | +Here are the key packages we’ve deprecated: |
| 15 | + |
| 16 | +- [`csurf`](https://www.npmjs.com/package/csurf): A CSRF middleware that’s long been difficult to maintain and is better handled today through frameworks or custom implementations that align with your architecture. |
| 17 | +- [`connect-multiparty`](https://www.npmjs.com/package/connect-multiparty): A multipart form-data parser that relies on deprecated libraries and hasn’t aged well. |
| 18 | +- [`path-match`](https://www.npmjs.com/package/path-match): A route-matching utility that has been superseded by more modern and maintained alternatives. |
| 19 | + |
| 20 | +Each of these packages was originally created to solve real problems—but time has moved on, and the ecosystem has evolved. |
| 21 | + |
| 22 | +## 🤔 Why This Matters |
| 23 | + |
| 24 | +Maintaining deprecated or inactive dependencies introduces technical debt and security risk. By formally deprecating these packages, we: |
| 25 | + |
| 26 | +- Encourage developers to adopt better-maintained and more secure solutions. |
| 27 | +- Reduce confusion around which tools are actively supported by Express. |
| 28 | +- Focus our efforts on modernizing the core and surrounding ecosystem. |
| 29 | + |
| 30 | +## 🗂️ What You Should Do |
| 31 | + |
| 32 | +If your application depends on any of these packages, now is a great time to look for alternatives. For instance: |
| 33 | + |
| 34 | +- Consider finding a modern CSRF protection strategy on [npm](https://www.npmjs.com/search?q=csurf) that aligns with your specific needs. |
| 35 | +- Use up-to-date multipart parsers like [`multer`](https://www.npmjs.com/package/multer). |
| 36 | +- Replace path-match logic with standard [`path-to-regexp`](https://www.npmjs.com/package/path-to-regexp). |
| 37 | + |
| 38 | +## 📘 What's Next |
| 39 | + |
| 40 | +We're not stopping here. This cleanup is part of a broader effort to streamline Express.js, prepare for the future, and clarify what is and isn’t officially supported. |
| 41 | + |
| 42 | +👉 A full discussion of these changes can be found [expressjs/discussions#134](https://github.com/expressjs/discussions/issues/134). |
| 43 | + |
| 44 | +📢 Stay tuned—we'll continue to post updates and insights as we modernize the Express ecosystem. |
| 45 | + |
| 46 | +💚Thanks to the community for your continued trust and support. |
0 commit comments