Update dependency express to v4.22.1 (main)

[mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	4.18.2 → 4.22.1

This PR resolves the vulnerabilities described in Issue #-1

---

Version 4.18.2

Risk Change	Critical	High	Medium	Low
N/A	0	3	5	2

Version 4.22.1

Risk Change	Critical	High	Medium	Low
-100%	0 (--)	0 (-3 )	0 (-5 )	0 (-2 )

Mend ensures you have the greatest risk reduction ("Recommended Fix"-highlighted in green) by removing as many vulnerabilities as possible. Click to see how we calculate risk reduction.

---

Release Notes

expressjs/express (express)

v4.22.1

Compare Source

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @​UlisesGascon in #​6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

v4.22.0

Compare Source

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in #​6190
• ci: add support for Node.js@​23.0 by @​UlisesGascon in #​6080
• Method functions with no path should error by @​wesleytodd in #​5957
• ci: updated github actions ci workflow by @​Phillip9587 in #​6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in #​6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in #​6506
• chore(4.x): wider range for query test skip by @​jonchurch in #​6513
• use tilde notation for certain dependencies by @​UlisesGascon in #​6905
• deps: qs@​6.14.0 by @​UlisesGascon in #​6909
• deps: use tilde notation for qs by @​Phillip9587 in #​6919
• Release: 4.22.0 by @​UlisesGascon in #​6921

Full Changelog: expressjs/express@4.21.2...4.22.0

v4.21.2

Compare Source

What's Changed

• Add funding field (v4) by @​bjohansebas in #​6065
• deps: path-to-regexp@​0.1.11 by @​blakeembrey in #​5956
• deps: bump path-to-regexp@​0.1.12 by @​jonchurch in #​6209
• Release: 4.21.2 by @​UlisesGascon in #​6094

Full Changelog: expressjs/express@4.21.1...4.21.2

v4.21.1

Compare Source

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in #​6029
• Release: 4.21.1 by @​UlisesGascon in #​6031

Full Changelog: expressjs/express@4.21.0...4.21.1

v4.21.0

Compare Source

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in #​5935
• finalhandler@​1.3.1 by @​wesleytodd in #​5954
• fix(deps): serve-static@​1.16.2 by @​wesleytodd in #​5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in #​5946

New Contributors

• @​agadzinski93 made their first contribution in #​5946

Full Changelog: expressjs/express@4.20.0...4.21.0

v4.20.0

Compare Source

==========

• deps: serve-static@​0.16.0
  • Remove link renderization in html while redirecting
• deps: send@​0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@​0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@​0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

v4.19.2

Compare Source

==========

• Improved fix for open redirect allow list bypass

v4.19.1

Compare Source

==========

• Allow passing non-strings to res.location with new encoding handling checks

v4.19.0

Compare Source

==========

• Prevent open redirect allow list bypass due to encodeurl
• deps: cookie@​0.6.0

v4.18.3

Compare Source

==========

• Fix routing requests without method
• deps: body-parser@​1.20.2
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: raw-body@​2.5.2
• deps: cookie@​0.6.0
  • Add partitioned option

---

• If you want to rebase/retry this PR, check this box