From 3c8ab5e63705bd83f7199687f6c79883b468cd12 Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Fri, 13 Sep 2024 10:37:03 -0500 Subject: [PATCH 01/27] feat: v5 release --- _posts/2024-09-12-v5-release.md | 139 ++++++++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 _posts/2024-09-12-v5-release.md diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md new file mode 100644 index 0000000000..890fd87664 --- /dev/null +++ b/_posts/2024-09-12-v5-release.md 
@@ -0,0 +1,139 @@ +--- +title: Express v5 +tags: site-admin +author: Wes Todd +--- + +A lot has happened in the last 10 years, but today we are excited to talk about what has happened in the last 8 months. The Express project has had a renaissance, and we are +excited to finally share with you some of the work we have been doing. As you might be aware, the [v5 release which has been in progress since July 14th +2014](https://github.com/expressjs/express/pull/2237) is now published and merged. There is a lot to talk about in the release, but I want to take a second to recognize the work of +many contributors over the years, especially @dougwilson who tirelessly maintained one of the most stable projects in the ecosystem over the past 10 years. Without the work from so +many, this release would not have happened so if you are among these contributors please give yourself a pat on the back. + +So what happened 8 months ago? We went public with a proposed plan to move [Express Forward](https://github.com/expressjs/discussions/issues/160). This plan included re-committing +to the governance we had outlined many years before and added some things to help onboard more contributors to help kickstart progress again. It might not seem important to folks +who are less involved in Open Source, but project governance is critical to larger projects health. I want to thank the [OpenJS Foundation Cross Project +Council](https://github.com/openjs-foundation/cross-project-council/) and it's members for helping us put together this plan. + +## So what about v5? + +Lets start by mentioning how **boring** this release is meant to be. I know this might seem like an odd thing to say, but it was truly our goal to keep this release as simple as we +could while unblocking ourselves to make larger and more impactful changes in future releases. 
This means we focused on things like dropping support for older Node.js versions, +addressing long standing security concerns, and updating the projects process to make things more maintainable for maintainers. To most folks these sound pretty **boring**, but to +us this means we can more easily ship future feature releases with the more exciting changes. + +Before I move onto the changes for Express users we need to address the timeline and reason we released v5 when we did and on the `next` dist-tag. As part of reviving the project, +we started a [Security Working Group](https://github.com/expressjs/security-wg) and security triage team to help us ensure we address the growing needs around Open Source Supply +Chain Security. As part of this we undertook a security audit (more details to come on that) which uncovered a few things. Additionally while giving this aspect more attention, we +uncovered some other problems which needed to be addressed. This meant that in addition to the normal work we would do in public issues, we had many stacked features being worked +on in private forks. These required orchestration when releasing to enure the code and CVE reports went out together. So while we recognize that not having this blog post, our +changelog, and the documentation updated in advance was not ideal, with our limited contributor base we felt it was more important to focus on getting the secure and stable code +released. + +We will be publishing more details on our LTS plans, including dates when we plan to move from `next` to `latest`, as soon as we can. But for now, if you are uncomfortable being on +the bleeding edge (even if it is a rather dull edge) then please consider waiting until we move to `latest` to upgrade. That said, we look forward to working with you all as you +upgrade to support and address any bugs you encounter. + +## The Breaking Changes + +As I said above, we did the minimum number of breaking changes we could. 
I try here to list them in order of impact to application owners, but there are a fair number of subtle +chnages burried in here which you should read the changelog for more details on. + +### Goodbye Node.js 0.10, Hello Node 18 and up. + +We dropped support for Node.js versions lower than 18. This was a long time coming, but it is probably the most important change for us as maintainers of these libraries. Keeping old +Node.js version support was holding us back from many critical performance and maintainability changes. Now that we have dropped these versions we have more stable and maintainable +CI, we can start adopting some newer language and runtime features, and we can drop many dependencies which are no longer required. + +We recognize that this might mean some enterprises have difficulty with older or "parked" applications, and because of this we are working on a partnership with HeroDevs to offer +"Never Ending Support" which will include critical security patches even after v4 enters End-of-Life (more on these plans will come soon). That said, we strongly suggest that folks +update to modern Node.js versions as soon as possible. + +### Path Matching and Regular Expressions + +We updated from `path-to-regexp@0.x` to `path-to-regexp@8.x` in v5, needless to say there were many years of changes in this. If you were using any of the 5.0.0-beta releases, we +landed a last minute update which greatly changed the path semantics so we could [remove any ReDoS chances going forward](https://blakeembrey.com/posts/2024-09-web-redos/). For +more detailed changes, [see the `path-to-regexp` readme](https://github.com/pillarjs/path-to-regexp?tab=readme-ov-file#express--4x). + +#### 1. No more regex. We dropped support for sub-expression regular expressions (ex. `/:foo(\\d+)`). + +This is one of the most common patterns in wide use which we have removed. 
The unfortunate nature of regular expressions is how easy it is to write one with exponential time behaviors +when parsing input. The dreaded ReDoS. It turns out it is very difficult to prevent users from doing this, and as a library which converts strings to regular expressions, we are on +the hook for the security aspects of this. + +*How to migrate:* We recommend using more robust input validation libraries. [There are many on `npm`](https://www.npmjs.com/search?q=validate%20express) depending on your needs. +Shameless plug from the author, I maintain [a middleware based "code first" OpenAPI library](https://www.npmjs.com/package/@wesleytodd/openapi) for this kind of thing. + +#### 2. Splats, optional, and captures oh my. Simplified patterns for common route patterns. + +With the removal of regular expression semantics comes other small but impactful changes to how you write your routes. + +1. `:name?` becomes `{:name}`. Usage of `{}` for optional parts of your route means you can now do things like `/base{/:optional}/:required` and what parts are actually optional is + much more explicit. +2. `:name*` becomes `*name`. (@blakeembrey to provide more details) +3. `:name+` is equivalent to a `*name` and so has been removed +4. New reserved characters: `(`, `)`, `[`, `]`, `?`, `+`, & `!`. These have been reserved to leave room for future improvements and to prevent mistakes when migrating where those + characters mean specific things in previous versions. + +*How to migrate:* (@wesleytodd to provide more info with codemods and migration tools) + +#### 3. Name everything. Ordered numerical parameters are not supported. + +In Express v4, using regex capture groups you could get numerical parameters (ex. `/user(s?)` => `req.params[0] === 's'`). Now all params must be named. Along with requiring a +name, we now support all valid JavaScript identifiers or quoted (ex. `/:"this"`). 
+ +### Promise Support + +This one may be a bit contentious, but I `Promise` we are moving in the right direction. We have added support for returned *rejected* promises from middleware raising errors. This +*does not include* calling `next` from returned *resolved* promises. There are a lot of edge cases in old express apps around expectations of `Promise` behavior, and before we can +run we need to walk. For most folks, this means you can now write middleware like the following: + +```javascript +app.use(async (req, res, next) => { + req.locals.user = await getUser(req); + next(); +}); +``` + +Notice that we use `async/await` and the `getUser` call may throw (user does not exist, db is down, etc), but we still call `next` if it is successful. We dont need to catch the +error in line anymore if we want to rely on error handling middleware instead because the router will now catch the rejected promise and treat that as calling `next(err)`. + +*editorial note:* Error handling is a huge topic, but one hill I will die on is that errors should be handled as close to the error site as possible. So while this is now handled +in the router, I would strongly urge you to catch this kind of error within the middleware and handle it without relying on separate error handling middleware. + +### Body Parser + +We made an assortment of `body-parser` changes: + +- Add option to customize the urlencoded body depth with a default value of 32 (@TODO see CVE) +- Remove deprecated `bodyParser()` combination middleware +- `req.body` is no longer always initialized to `{}` +- `urlencoded` parser now defaults `extended` to false +- Added brotli support + +### Removed APIs + +We have removed a bunch of apis which were primarily from v3. 
+ +- `res.redirect('back')` and `res.location('back')` are no longer a supported magic string, explicitly use `req.get('Referrer') || '/'` +- `res.send(status, body)` - use `res.status(status).send(body)` +- `res.redirect(url, status)` - use `res.redirect(status, url)` +- `res.jsonp(status, obj)` - use `res.status(status).jsonp(obj)` +- `res.json(status, obj)` - use `res.status(status).json(obj)` +- `app.param(fn)` - use `req.params`, `req.body` or `req.query` instead +- `app.del` - use `app.delete` +- `req.acceptsCharset` - use `req.acceptsCharsets` +- `req.acceptsEncoding` - use `req.acceptsEncodings` +- `req.acceptsLanguage` - use `req.acceptsLanguages` +- `res.json(obj, status)` signature - use `res.json(status, obj)` +- `res.jsonp(obj, status)` signature - use `res.jsonp(status, obj)` +- `res.send(body, status)` signature - use `res.send(status, body)` +- `res.send(status)` signature - use `res.sendStatus(status)` +- `res.sendfile` - use `res.sendFile` instead + +## Our work is just starting + +I know it seems like an odd thing to announce a "boring" major version release and then say the work is only starting after 10 years, but we hope that the ecosystem sees how +important this release is as a milestone toward a server side JavaScript ecosystem which is a stable and reliable tool for companies, governments, educators, and hobby projects. It +is our commitment as the new stewards of the Express project to do our best to help the ecosystem move forward with these goals in mind. If you would like to support this work, +which we do on a volunteer basis, please consider supporting the project and it's maintainers via our sponsorship opportunities (@TODO link here). From d2c022b17afe09a626281fbc6c87be578ecf2f58 Mon Sep 17 00:00:00 2001 
From: Jon Church Date: Mon, 7 Oct 2024 14:46:50 -0400 Subject: [PATCH 02/27] delete duplicated removal notices specifically, deleted the recommendations to use: res.send(body, status) res.json(obj, status) res.jsonp(obj, status) --- _posts/2024-09-12-v5-release.md | 35 +++++++++++++++------------------ 1 file changed, 16 insertions(+), 19 deletions(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 890fd87664..b6ae5d8488 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -111,25 +111,22 @@ We made an assortment of `body-parser` changes: - `urlencoded` parser now defaults `extended` to false - Added brotli support -### Removed APIs - -We have removed a bunch of apis which were primarily from v3. - -- `res.redirect('back')` and `res.location('back')` are no longer a supported magic string, explicitly use `req.get('Referrer') || '/'` -- `res.send(status, body)` - use `res.status(status).send(body)` -- `res.redirect(url, status)` - use `res.redirect(status, url)` -- `res.jsonp(status, obj)` - use `res.status(status).jsonp(obj)` -- `res.json(status, obj)` - use `res.status(status).json(obj)` -- `app.param(fn)` - use `req.params`, `req.body` or `req.query` instead -- `app.del` - use `app.delete` -- `req.acceptsCharset` - use `req.acceptsCharsets` -- `req.acceptsEncoding` - use `req.acceptsEncodings` -- `req.acceptsLanguage` - use `req.acceptsLanguages` -- `res.json(obj, status)` signature - use `res.json(status, obj)` -- `res.jsonp(obj, status)` signature - use `res.jsonp(status, obj)` -- `res.send(body, status)` signature - use `res.send(status, body)` -- `res.send(status)` signature - use `res.sendStatus(status)` -- `res.sendfile` - use `res.sendFile` instead +### Deprecated API Method Signatures Removed in Express v5 + +We have removed a number of deprecated API method signatures, many of which were carried over from v3 and deprecated under v4. Below are the changes you need to make: + +- `res.redirect('back')` and `res.location('back')`: The magic string `'back'` is no longer supported. Use `req.get('Referrer') || '/'` explicitly instead. +- `res.send(status, body)` and `res.send(body, status)` signatures: Use `res.status(status).send(body)`. +- `res.send(status)` signature: Use `res.sendStatus(status)` for simple status responses, or `res.status(status).send()` for sending a status code with an optional body. +- `res.redirect(url, status)` signature: Use `res.redirect(status, url)`. 
+- `res.json(status, obj)` and `res.json(obj, status)` signatures: Use `res.status(status).json(obj)`. +- `res.jsonp(status, obj)` and `res.jsonp(obj, status)` signatures: Use `res.status(status).jsonp(obj)`. +- `app.param(fn)`: This method has been deprecated. Instead, access parameters directly via `req.params`, or use `req.body` or `req.query` as needed. +- `app.del('/', () => {})` method: Use `app.delete('/', () => {})` instead. +- `req.acceptsCharset`: Use `req.acceptsCharsets` (plural). +- `req.acceptsEncoding`: Use `req.acceptsEncodings` (plural). +- `req.acceptsLanguage`: Use `req.acceptsLanguages` (plural). +- `res.sendfile` method: Use `res.sendFile` instead. ## Our work is just starting From 5481ac0c8a903bfc95370d7f88a4ad3db56685a0 Mon Sep 17 00:00:00 2001 From: Jon Church Date: Mon, 7 Oct 2024 14:51:13 -0400 Subject: [PATCH 03/27] Update _posts/2024-09-12-v5-release.md Co-authored-by: Blake Embrey --- _posts/2024-09-12-v5-release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index b6ae5d8488..de6af37d01 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md @@ -39,7 +39,7 @@ upgrade to support and address any bugs you encounter. As I said above, we did the minimum number of breaking changes we could. I try here to list them in order of impact to application owners, but there are a fair number of subtle chnages burried in here which you should read the changelog for more details on. -### Goodbye Node.js 0.10, Hello Node 18 and up. +### Goodbye Node.js 0.10, Hello Node 18 and Up We dropped support for Node.js versions lower than 18. This was a long time coming, but it is probably the most important change for us as maintainers of these libraries. Keeping old Node.js version support was holding us back from many critical performance and maintainability changes. Now that we have dropped these versions we have more stable and maintainable 
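Review bot: In [PATCH 01/27], the Promise Support example writes `req.locals.user = await getUser(req);`, but Express provides `locals` on the response object (`res.locals`), not on the request. Unless earlier middleware creates `req.locals`, that assignment throws a TypeError, and the rejected-promise handling described in the same section would then route every request to the error handler. Suggest `res.locals.user = await getUser(req);`. The new file also still carries the placeholders `(@TODO see CVE)` and `(@TODO link here)`, which should be resolved or dropped before the post is published.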
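Review bot: In the `@@ -111,25 +111,22 @@` hunk of [PATCH 02/27], the rewritten `app.param(fn)` entry says "This method has been deprecated", which contradicts the new heading and intro stating that these signatures were removed in v5; say "removed" so readers do not expect the call to keep working. On the first entry, `req.get('Referrer') || '/'` passes a client-supplied header straight into the redirect target, so a short clause telling readers to check the value against their own origin before redirecting would make the recommended replacement safer to copy.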
From 26d16fc73b972f06e3a155d3a6a8472088772368 Mon Sep 17 00:00:00 2001 From: Jon Church Date: Mon, 7 Oct 2024 14:51:20 -0400 Subject: [PATCH 04/27] Update _posts/2024-09-12-v5-release.md Co-authored-by: Blake Embrey --- _posts/2024-09-12-v5-release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index de6af37d01..b566d5203d 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md @@ -4,7 +4,7 @@ tags: site-admin author: Wes Todd --- -A lot has happened in the last 10 years, but today we are excited to talk about what has happened in the last 8 months. The Express project has had a renaissance, and we are +Ten years ago the [Express v5 release PR](https://github.com/expressjs/express/pull/2237) was opened. It is now merged and published! There's a lot to be excited about, but we want to recognize the work of all our contributors, especially Doug Wilson who spent the last 10 years ensuring Express was the most stable project around. Without these contributions this release could not have happened. excited to finally share with you some of the work we have been doing. As you might be aware, the [v5 release which has been in progress since July 14th 2014](https://github.com/expressjs/express/pull/2237) is now published and merged. There is a lot to talk about in the release, but I want to take a second to recognize the work of many contributors over the years, especially @dougwilson who tirelessly maintained one of the most stable projects in the ecosystem over the past 10 years. Without the work from so From 7bd3c544c4a246d70c4637957e3f3d34a97476df Mon Sep 17 00:00:00 2001 From: Jon Church Date: Mon, 7 Oct 2024 14:55:36 -0400 Subject: [PATCH 05/27] typos, :name* change per blake Co-authored-by: Blake Embrey --- _posts/2024-09-12-v5-release.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index b566d5203d..faf77b548b 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md @@ -13,7 +13,7 @@ many, this release would not have happened so if you are among these contributor So what happened 8 months ago? We went public with a proposed plan to move [Express Forward](https://github.com/expressjs/discussions/issues/160). This plan included re-committing to the governance we had outlined many years before and added some things to help onboard more contributors to help kickstart progress again. It might not seem important to folks who are less involved in Open Source, but project governance is critical to larger projects health. I want to thank the [OpenJS Foundation Cross Project -Council](https://github.com/openjs-foundation/cross-project-council/) and it's members for helping us put together this plan. +Council](https://github.com/openjs-foundation/cross-project-council/) and its members for helping us put together this plan. ## So what about v5? @@ -37,7 +37,7 @@ upgrade to support and address any bugs you encounter. ## The Breaking Changes As I said above, we did the minimum number of breaking changes we could. I try here to list them in order of impact to application owners, but there are a fair number of subtle -chnages burried in here which you should read the changelog for more details on. +changes burried in here which you should read the changelog for more details on. ### Goodbye Node.js 0.10, Hello Node 18 and Up 
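Review bot: The second hunk (`@@ -37,7 +37,7 @@`) corrects `chnages`, but the added line still reads `+changes burried in here`; `burried` should be `buried`. Fix both words in this line so the sentence does not need another typo pass.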
@@ -70,7 +70,7 @@ With the removal of regular expression semantics comes other small but impactful 1. `:name?` becomes `{:name}`. Usage of `{}` for optional parts of your route means you can now do things like `/base{/:optional}/:required` and what parts are actually optional is much more explicit. -2. `:name*` becomes `*name`. (@blakeembrey to provide more details) +2. `*` becomes `*name`. 3. `:name+` is equivalent to a `*name` and so has been removed 4. New reserved characters: `(`, `)`, `[`, `]`, `?`, `+`, & `!`. These have been reserved to leave room for future improvements and to prevent mistakes when migrating where those characters mean specific things in previous versions. From 397d3001301402a61bc49400b87c9ff04ab333ad Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Wed, 9 Oct 2024 00:46:14 -0700 Subject: [PATCH 06/27] General edits, some review feedback --- _posts/2024-09-12-v5-release.md | 106 ++++++++++++-------------------- 1 file changed, 39 insertions(+), 67 deletions(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index faf77b548b..ce1c846072 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -1,92 +1,67 @@ --- title: Express v5 -tags: site-admin -author: Wes Todd +tags: releases +author: Wes Todd and the Express TC +description: Announcing the release of Express version 5 --- -Ten years ago the [Express v5 release PR](https://github.com/expressjs/express/pull/2237) was opened. It is now merged and published! There's a lot to be excited about, but we want to recognize the work of all our contributors, especially Doug Wilson who spent the last 10 years ensuring Express was the most stable project around. Without these contributions this release could not have happened. -excited to finally share with you some of the work we have been doing. As you might be aware, the [v5 release which has been in progress since July 14th -2014](https://github.com/expressjs/express/pull/2237) is now published and merged. There is a lot to talk about in the release, but I want to take a second to recognize the work of -many contributors over the years, especially @dougwilson who tirelessly maintained one of the most stable projects in the ecosystem over the past 10 years. Without the work from so -many, this release would not have happened so if you are among these contributors please give yourself a pat on the back. +Ten years ago the [Express v5 release PR](https://github.com/expressjs/express/pull/2237) was opened, and now at long last it's been merged and published! We want to recognize the work of all our contributors, especially [Doug Wilson](https://github.com/dougwilson), who spent the last ten years ensuring Express was the most stable project around. Without his contributions and those of many others, this release could not have happened. -So what happened 8 months ago? We went public with a proposed plan to move [Express Forward](https://github.com/expressjs/discussions/issues/160). This plan included re-committing -to the governance we had outlined many years before and added some things to help onboard more contributors to help kickstart progress again. 
It might not seem important to folks -who are less involved in Open Source, but project governance is critical to larger projects health. I want to thank the [OpenJS Foundation Cross Project +Eight months ago we went public with a plan to move [Express forward](https://github.com/expressjs/discussions/issues/160). This plan included re-committing to the governance we outlined many years before and working to onboard more contributors to help kickstart progress again. Many people may not realize that robust project governance is critical to the health of large open-source projects. We want to thank the [OpenJS Foundation Cross Project Council](https://github.com/openjs-foundation/cross-project-council/) and its members for helping us put together this plan. ## So what about v5? -Lets start by mentioning how **boring** this release is meant to be. I know this might seem like an odd thing to say, but it was truly our goal to keep this release as simple as we -could while unblocking ourselves to make larger and more impactful changes in future releases. This means we focused on things like dropping support for older Node.js versions, -addressing long standing security concerns, and updating the projects process to make things more maintainable for maintainers. To most folks these sound pretty **boring**, but to -us this means we can more easily ship future feature releases with the more exciting changes. +This release is designed to be boring! That may seem odd, but we've intentionally kept it simple to unblock the ecosystem and enable more impactful changes in future releases. The focus of this release was on dropping old Node.js version support, addressing security concerns, and simplifying maintenance. -Before I move onto the changes for Express users we need to address the timeline and reason we released v5 when we did and on the `next` dist-tag. 
As part of reviving the project, -we started a [Security Working Group](https://github.com/expressjs/security-wg) and security triage team to help us ensure we address the growing needs around Open Source Supply -Chain Security. As part of this we undertook a security audit (more details to come on that) which uncovered a few things. Additionally while giving this aspect more attention, we -uncovered some other problems which needed to be addressed. This meant that in addition to the normal work we would do in public issues, we had many stacked features being worked -on in private forks. These required orchestration when releasing to enure the code and CVE reports went out together. So while we recognize that not having this blog post, our -changelog, and the documentation updated in advance was not ideal, with our limited contributor base we felt it was more important to focus on getting the secure and stable code -released. +Before going into the changes in this release, let's address why we released v5 on the `next` dist-tag. As part of reviving the project, we started a [Security Working Group](https://github.com/expressjs/security-wg) and security triage team to address the growing needs around open source supply chain security. We undertook a security audit (more details to come on that) and uncovered some problems that needed to be addressed. Thus, in addition to the "normal" work that we did in public issues, we also did a lot of security work in private forks. This security work required orchestration when releasing, to enure the code and CVE reports went out together. While we weren't able to simultaneously release this blog post, our changelog, and the documentation, we felt it was most important to have a secure and stable release. -We will be publishing more details on our LTS plans, including dates when we plan to move from `next` to `latest`, as soon as we can. 
But for now, if you are uncomfortable being on -the bleeding edge (even if it is a rather dull edge) then please consider waiting until we move to `latest` to upgrade. That said, we look forward to working with you all as you -upgrade to support and address any bugs you encounter. +As soon as possible, we'll provide more details on our long-term support (LTS) plans, including when the release will move from `next` to `latest`. For now, if you are uncomfortable being on the bleeding edge (even if it is a rather dull edge) then you should wait to upgrade until the release is on tagged as `latest`. That said, we look forward to working with you to address any bugs you encounter as you upgrade. -## The Breaking Changes +## Breaking changes -As I said above, we did the minimum number of breaking changes we could. I try here to list them in order of impact to application owners, but there are a fair number of subtle -changes burried in here which you should read the changelog for more details on. +The v5 release has the minimum possible number of breaking changes, listed here in order of impact to applications. However, there are also number of subtle changes: for details, see the changelog. -### Goodbye Node.js 0.10, Hello Node 18 and Up +### Goodbye Node.js 0.10, hello Node 18+ -We dropped support for Node.js versions lower than 18. This was a long time coming, but it is probably the most important change for us as maintainers of these libraries. Keeping old -Node.js version support was holding us back from many critical performance and maintainability changes. Now that we have dropped these versions we have more stable and maintainable -CI, we can start adopting some newer language and runtime features, and we can drop many dependencies which are no longer required. +This release drops support for Node.js versions before v18. 
This is an important change the project maintainers because supporting old Node.js versions has been holding back many critical performance and maintainability changes. +Dropping support for old Node.js versions enables a more stable and maintainable CI, adopting new language and runtime features, and dropping dependencies that are no longer required. -We recognize that this might mean some enterprises have difficulty with older or "parked" applications, and because of this we are working on a partnership with HeroDevs to offer -"Never Ending Support" which will include critical security patches even after v4 enters End-of-Life (more on these plans will come soon). That said, we strongly suggest that folks -update to modern Node.js versions as soon as possible. +We recognize that this might cause difficulty for some enterprises with older or "parked" applications, and because of this we are working on a [partnership with HeroDevs](https://expressjs.com/2024/10/01/HeroDevs-partnership-announcement.html) to offer "never-ending support" that will include critical security patches even after v4 enters end-of-life (more on these plans soon). That said, we strongly suggest that you update to modern Node.js versions as soon as possible. -### Path Matching and Regular Expressions +### Path matching and regular expressions -We updated from `path-to-regexp@0.x` to `path-to-regexp@8.x` in v5, needless to say there were many years of changes in this. If you were using any of the 5.0.0-beta releases, we -landed a last minute update which greatly changed the path semantics so we could [remove any ReDoS chances going forward](https://blakeembrey.com/posts/2024-09-web-redos/). For +The v5 releases updates to `path-to-regexp@8.x` from `path-to-regexp@0.x`, which incorporates many years of changes. 
If you were using any of the 5.0.0-beta releases, a last-minute update which greatly changed the path semantics to [remove the possibility of any ReDoS attacks](https://blakeembrey.com/posts/2024-09-web-redos/). For more detailed changes, [see the `path-to-regexp` readme](https://github.com/pillarjs/path-to-regexp?tab=readme-ov-file#express--4x). -#### 1. No more regex. We dropped support for sub-expression regular expressions (ex. `/:foo(\\d+)`). +#### 1. No more regex -This is one of the most common patterns in wide use which we have removed. The unfortunate nature of regular expressions is how easy it is to write one with exponential time behaviors -when parsing input. The dreaded ReDoS. It turns out it is very difficult to prevent users from doing this, and as a library which converts strings to regular expressions, we are on -the hook for the security aspects of this. +This releases no longer supports "sub-expression" regular expressions, for example `/:foo(\\d+)`. +This is a commonly-used pattern, but we removed it for security reasons. Unfortunately, it's easy to write a regular expression that has exponential time behavior when parsing input: The dreaded regular expression denial of service (ReDoS) attack. It's very difficult to prevent this, but as a library that converts strings to regular expressions, we are on the hook for such security aspects. -*How to migrate:* We recommend using more robust input validation libraries. [There are many on `npm`](https://www.npmjs.com/search?q=validate%20express) depending on your needs. -Shameless plug from the author, I maintain [a middleware based "code first" OpenAPI library](https://www.npmjs.com/package/@wesleytodd/openapi) for this kind of thing. +*How to migrate:* The best approach to prevent ReDoS attacks is to use a robust input validation library. [There are many on `npm`](https://www.npmjs.com/search?q=validate%20express) depending on your needs. 
TC member Wes Todd maintains [a middleware-based "code first" OpenAPI library](https://www.npmjs.com/package/@wesleytodd/openapi) for this kind of thing. -#### 2. Splats, optional, and captures oh my. Simplified patterns for common route patterns. +#### 2. Splats, optional, and captures oh my -With the removal of regular expression semantics comes other small but impactful changes to how you write your routes. +This release includes simplified patterns for common route patterns. With the removal of regular expression semantics comes other small but impactful changes to how you write your routes. 1. `:name?` becomes `{:name}`. Usage of `{}` for optional parts of your route means you can now do things like `/base{/:optional}/:required` and what parts are actually optional is much more explicit. 2. `*` becomes `*name`. 3. `:name+` is equivalent to a `*name` and so has been removed -4. New reserved characters: `(`, `)`, `[`, `]`, `?`, `+`, & `!`. These have been reserved to leave room for future improvements and to prevent mistakes when migrating where those - characters mean specific things in previous versions. +4. New reserved characters: `(`, `)`, `[`, `]`, `?`, `+`, & `!`. These have been reserved to leave room for future improvements and to prevent mistakes when migrating where those characters mean specific things in previous versions. *How to migrate:* (@wesleytodd to provide more info with codemods and migration tools) -#### 3. Name everything. Ordered numerical parameters are not supported. +#### 3. Name everything -In Express v4, using regex capture groups you could get numerical parameters (ex. `/user(s?)` => `req.params[0] === 's'`). Now all params must be named. Along with requiring a -name, we now support all valid JavaScript identifiers or quoted (ex. `/:"this"`). +This release no longer supports ordered numerical parameters. 
-### Promise Support +In Express v4, you could get numerical parameters using regex capture groups (for example, `/user(s?)` => `req.params[0] === 's'`). Now all parameters must be named. Along with requiring a name, Express now supports all valid JavaScript identifiers or quoted (for example, `/:"this"`). -This one may be a bit contentious, but I `Promise` we are moving in the right direction. We have added support for returned *rejected* promises from middleware raising errors. This -*does not include* calling `next` from returned *resolved* promises. There are a lot of edge cases in old express apps around expectations of `Promise` behavior, and before we can -run we need to walk. For most folks, this means you can now write middleware like the following: +### Promise support + +This one may be a bit contentious, but we "promise" we're moving in the right direction. We added support for returned *rejected* promises from errors raised in middleware. This *does not include* calling `next` from returned *resolved* promises. There are a lot of edge cases in old Express apps that have expectations of `Promise` behavior, and before we can run we need to walk. For most folks, this means you can now write middleware like the following: ```javascript app.use(async (req, res, next) => { 
@@ -95,25 +70,23 @@ app.use(async (req, res, next) => { }); ``` -Notice that we use `async/await` and the `getUser` call may throw (user does not exist, db is down, etc), but we still call `next` if it is successful. We dont need to catch the -error in line anymore if we want to rely on error handling middleware instead because the router will now catch the rejected promise and treat that as calling `next(err)`. +Notice that this example uses `async/await` and the `getUser` call may throw an error (if, for example, the user doesn't exist, the user database is down, and so on), but we still call `next` if it is successful. We don't need to catch the error in line anymore if we want to rely on error-handling middleware instead because the router will now catch the rejected promise and treat that as calling `next(err)`. -*editorial note:* Error handling is a huge topic, but one hill I will die on is that errors should be handled as close to the error site as possible. So while this is now handled -in the router, I would strongly urge you to catch this kind of error within the middleware and handle it without relying on separate error handling middleware. +NOTE: Best practice is to handle errors as close to the site as possible. So while this is now handled in the router, it's best to catch the error in the middleware and handle it without relying on separate error-handling middleware. 
-### Body Parser +### Body parser -We made an assortment of `body-parser` changes: +There are a number of `body-parser` changes: - Add option to customize the urlencoded body depth with a default value of 32 (@TODO see CVE) - Remove deprecated `bodyParser()` combination middleware - `req.body` is no longer always initialized to `{}` - `urlencoded` parser now defaults `extended` to false -- Added brotli support +- Added support for Brotli lossless data compression -### Deprecated API Method Signatures Removed in Express v5 +### Deprecated API method signatures removed -We have removed a number of deprecated API method signatures, many of which were carried over from v3 and deprecated under v4. Below are the changes you need to make: +Express v5 removes a number of deprecated API method signatures, many of which were carried over from v3. Below are the changes you need to make: - `res.redirect('back')` and `res.location('back')`: The magic string `'back'` is no longer supported. Use `req.get('Referrer') || '/'` explicitly instead. - `res.send(status, body)` and `res.send(body, status)` signatures: Use `res.status(status).send(body)`. 
@@ -130,7 +103,6 @@ We have removed a number of deprecated API method signatures, many of which were ## Our work is just starting -I know it seems like an odd thing to announce a "boring" major version release and then say the work is only starting after 10 years, but we hope that the ecosystem sees how -important this release is as a milestone toward a server side JavaScript ecosystem which is a stable and reliable tool for companies, governments, educators, and hobby projects. It -is our commitment as the new stewards of the Express project to do our best to help the ecosystem move forward with these goals in mind. If you would like to support this work, -which we do on a volunteer basis, please consider supporting the project and it's maintainers via our sponsorship opportunities (@TODO link here). +We see the v5 release as a milestone toward an Express ecosystem that's a stable and reliable tool for companies, governments, educators, and hobby projects. It is our commitment as the new stewards of the Express project to move the ecosystem forward with this goal in mind. If you want to support this work, which we do on a volunteer basis, please consider supporting the project and its maintainers via our sponsorship opportunities (@TODO link here). + +We have an [extensive working backlog](https://github.com/expressjs/discussions/issues/266) of tasks, PRs, and issues for Express and dependencies. Naturally, we expect developers will continue to report issues to add to this backlog and open PRs moving forward, and we'll continue to collaborate with the community to triage and resolve them. We look forward to continuing to improve Express and making it useful for its users across the world. From 0c430e75436b40484d516f719c5ce16a123cc5cf Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Wed, 9 Oct 2024 00:54:47 -0700 Subject: [PATCH 07/27] Add a missing TO DO --- _posts/2024-09-12-v5-release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
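Review bot: in the patch that ends above, the rewritten "How to migrate" line under "No more regex" now reads "The best approach to prevent ReDoS attacks is to use a robust input validation library", which changes the advice rather than just its wording. The removed line recommended validation libraries as the replacement for route constraints such as `/:foo(\\d+)`. By the hunk's own account, the ReDoS exposure is handled by removing sub-expression support from the router, not by the validator. Suggest saying that parameter constraints like the `\\d+` on `:foo` should move out of the route pattern and into a handler or an input validation library. In the same patch, "a last-minute update which greatly changed the path semantics to ..." has lost its main verb (the removed line had "we landed"), "The v5 releases updates" and "This releases no longer supports" should read "release", and the body-parser bullet still carries "(@TODO see CVE)".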
diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index ce1c846072..5709114f0c 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md @@ -51,7 +51,7 @@ This release includes simplified patterns for common route patterns. With the r 3. `:name+` is equivalent to a `*name` and so has been removed 4. New reserved characters: `(`, `)`, `[`, `]`, `?`, `+`, & `!`. These have been reserved to leave room for future improvements and to prevent mistakes when migrating where those characters mean specific things in previous versions. -*How to migrate:* (@wesleytodd to provide more info with codemods and migration tools) +*How to migrate:* (TODO: @wesleytodd to provide more info with codemods and migration tools) #### 3. Name everything From 9daa4c10dac87b0c25facffd40fea6868120657a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 9 Oct 2024 10:55:41 +0200 Subject: [PATCH 08/27] docs: removed ambiguous reference --- _posts/2024-09-12-v5-release.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 5709114f0c..202fb54396 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -48,8 +48,7 @@ This release includes simplified patterns for common route patterns. With the r 1. `:name?` becomes `{:name}`. Usage of `{}` for optional parts of your route means you can now do things like `/base{/:optional}/:required` and what parts are actually optional is much more explicit. 2. `*` becomes `*name`. -3. `:name+` is equivalent to a `*name` and so has been removed -4. New reserved characters: `(`, `)`, `[`, `]`, `?`, `+`, & `!`. These have been reserved to leave room for future improvements and to prevent mistakes when migrating where those characters mean specific things in previous versions. +3. New reserved characters: `(`, `)`, `[`, `]`, `?`, `+`, & `!`. These have been reserved to leave room for future improvements and to prevent mistakes when migrating where those characters mean specific things in previous versions. *How to migrate:* (TODO: @wesleytodd to provide more info with codemods and migration tools) From 57591269cdd0bf3fa7d059697d3a998c128deacc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 9 Oct 2024 11:03:32 +0200 Subject: [PATCH 09/27] docs: Removed TODO --- _posts/2024-09-12-v5-release.md | 1 - 1 file changed, 1 deletion(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 202fb54396..52d929de4e 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md @@ -50,7 +50,6 @@ This release includes simplified patterns for common route patterns. With the r 2. `*` becomes `*name`. 3. New reserved characters: `(`, `)`, `[`, `]`, `?`, `+`, & `!`. These have been reserved to leave room for future improvements and to prevent mistakes when migrating where those characters mean specific things in previous versions. -*How to migrate:* (TODO: @wesleytodd to provide more info with codemods and migration tools) #### 3. Name everything From 1712f98e8961c8b48fbf0633a401e7f0f463fbd0 Mon Sep 17 00:00:00 2001 
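Review bot: [PATCH 08/27] deletes the `:name+` item outright, and that item was the only line telling readers what a v4 `:name+` route becomes, while the renumbered item 3 still lists `+` as a newly reserved character. If the wording was the ambiguity, rephrase it instead of dropping it, for example "`:name+` is no longer supported; use `*name`", assuming the equivalence stated in the removed line holds. With [PATCH 09/27] also removing the "How to migrate" placeholder, this subsection ends with no migration pointer at all. A link to the `path-to-regexp` readme already cited earlier in the post would cover it.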
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 9 Oct 2024 11:04:04 +0200 Subject: [PATCH 10/27] docs: linting --- _posts/2024-09-12-v5-release.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 52d929de4e..1f774c1de2 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md @@ -31,8 +31,7 @@ We recognize that this might cause difficulty for some enterprises with older or ### Path matching and regular expressions -The v5 releases updates to `path-to-regexp@8.x` from `path-to-regexp@0.x`, which incorporates many years of changes. If you were using any of the 5.0.0-beta releases, a last-minute update which greatly changed the path semantics to [remove the possibility of any ReDoS attacks](https://blakeembrey.com/posts/2024-09-web-redos/). For -more detailed changes, [see the `path-to-regexp` readme](https://github.com/pillarjs/path-to-regexp?tab=readme-ov-file#express--4x). +The v5 releases updates to `path-to-regexp@8.x` from `path-to-regexp@0.x`, which incorporates many years of changes. If you were using any of the 5.0.0-beta releases, a last-minute update which greatly changed the path semantics to [remove the possibility of any ReDoS attacks](https://blakeembrey.com/posts/2024-09-web-redos/). For more detailed changes, [see the `path-to-regexp` readme](https://github.com/pillarjs/path-to-regexp?tab=readme-ov-file#express--4x). #### 1. No more regex 
@@ -45,12 +44,10 @@ This is a commonly-used pattern, but we removed it for security reasons. Unfortu This release includes simplified patterns for common route patterns. With the removal of regular expression semantics comes other small but impactful changes to how you write your routes. -1. `:name?` becomes `{:name}`. Usage of `{}` for optional parts of your route means you can now do things like `/base{/:optional}/:required` and what parts are actually optional is - much more explicit. +1. `:name?` becomes `{:name}`. Usage of `{}` for optional parts of your route means you can now do things like `/base{/:optional}/:required` and what parts are actually optional is much more explicit. 2. `*` becomes `*name`. 3. New reserved characters: `(`, `)`, `[`, `]`, `?`, `+`, & `!`. These have been reserved to leave room for future improvements and to prevent mistakes when migrating where those characters mean specific things in previous versions. - #### 3. Name everything This release no longer supports ordered numerical parameters. From 3e74ca830276f569469773b8d75f18ce238fab52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 9 Oct 2024 11:15:57 +0200 Subject: [PATCH 11/27] docs: added sponsorship link --- _posts/2024-09-12-v5-release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 1f774c1de2..49af28b740 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -98,6 +98,6 @@ Express v5 removes a number of deprecated API method signatures, many of which w ## Our work is just starting -We see the v5 release as a milestone toward an Express ecosystem that's a stable and reliable tool for companies, governments, educators, and hobby projects. It is our commitment as the new stewards of the Express project to move the ecosystem forward with this goal in mind. If you want to support this work, which we do on a volunteer basis, please consider supporting the project and its maintainers via our sponsorship opportunities (@TODO link here). +We see the v5 release as a milestone toward an Express ecosystem that's a stable and reliable tool for companies, governments, educators, and hobby projects. It is our commitment as the new stewards of the Express project to move the ecosystem forward with this goal in mind. If you want to support this work, which we do on a volunteer basis, please consider supporting the project and its maintainers via [our sponsorship opportunities](https://opencollective.com/express). We have an [extensive working backlog](https://github.com/expressjs/discussions/issues/266) of tasks, PRs, and issues for Express and dependencies. Naturally, we expect developers will continue to report issues to add to this backlog and open PRs moving forward, and we'll continue to collaborate with the community to triage and resolve them. We look forward to continuing to improve Express and making it useful for its users across the world. From f63fb375c5072a2a9281b0ad81a70028bdffc341 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 9 Oct 2024 11:16:27 +0200 Subject: [PATCH 12/27] docs: added links to CVE-2024-45590, security triage team and last blog post --- _posts/2024-09-12-v5-release.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 49af28b740..17d716f4a0 100644 
--- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -14,7 +14,9 @@ Council](https://github.com/openjs-foundation/cross-project-council/) and its me This release is designed to be boring! That may seem odd, but we've intentionally kept it simple to unblock the ecosystem and enable more impactful changes in future releases. The focus of this release was on dropping old Node.js version support, addressing security concerns, and simplifying maintenance. -Before going into the changes in this release, let's address why we released v5 on the `next` dist-tag. As part of reviving the project, we started a [Security Working Group](https://github.com/expressjs/security-wg) and security triage team to address the growing needs around open source supply chain security. We undertook a security audit (more details to come on that) and uncovered some problems that needed to be addressed. Thus, in addition to the "normal" work that we did in public issues, we also did a lot of security work in private forks. This security work required orchestration when releasing, to enure the code and CVE reports went out together. While we weren't able to simultaneously release this blog post, our changelog, and the documentation, we felt it was most important to have a secure and stable release. +Before going into the changes in this release, let's address why we released v5 on the `next` dist-tag. As part of reviving the project, we started a [Security Working Group](https://github.com/expressjs/security-wg) and [security triage team](https://github.com/expressjs/security-wg?tab=readme-ov-file#security-triage-team) to address the growing needs around open source supply chain security. We undertook a security audit (more details to come on that) and uncovered some problems that needed to be addressed. Thus, in addition to the "normal" work that we did in public issues, we also did a lot of security work in private forks. This security work required orchestration when releasing, to ensure the code and CVE reports went out together. 
You can find a summary of the most recent vulnerabilities patched in [our security release notes](https://expressjs.com/2024/09/29/security-releases.html). + +While we weren't able to simultaneously release this blog post, our changelog, and the documentation, we felt it was most important to have a secure and stable release. As soon as possible, we'll provide more details on our long-term support (LTS) plans, including when the release will move from `next` to `latest`. For now, if you are uncomfortable being on the bleeding edge (even if it is a rather dull edge) then you should wait to upgrade until the release is on tagged as `latest`. That said, we look forward to working with you to address any bugs you encounter as you upgrade. @@ -73,7 +75,7 @@ NOTE: Best practice is to handle errors as close to the site as possible. So whi There are a number of `body-parser` changes: -- Add option to customize the urlencoded body depth with a default value of 32 (@TODO see CVE) +- Add option to customize the urlencoded body depth with a default value of 32 as mitigation for [CVE-2024-45590](https://nvd.nist.gov/vuln/detail/CVE-2024-45590) ([technical details](https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce)) - Remove deprecated `bodyParser()` combination middleware - `req.body` is no longer always initialized to `{}` - `urlencoded` parser now defaults `extended` to false From 0757b4b2798ccaa4d2b5c01f528c2fd2fb47b2d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 9 Oct 2024 11:34:42 +0200 Subject: [PATCH 13/27] docs: improved metadata --- _posts/2024-09-12-v5-release.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 17d716f4a0..0ac0d3fcaa 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -1,7 +1,7 @@ --- -title: Express v5 +title: "Introducing Express v5: A New Era for Node.js Framework" tags: releases -author: Wes Todd and the Express TC +author: Wes Todd and the Express Technical Committee description: Announcing the release of Express version 5 --- From eea125540482980f218c67a8a8cc355c15120cba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 9 Oct 2024 11:42:33 +0200 Subject: [PATCH 14/27] docs: added explanation in the deprecated APIs --- _posts/2024-09-12-v5-release.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 0ac0d3fcaa..714dfc78df 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md @@ -98,6 +98,8 @@ Express v5 removes a number of deprecated API method signatures, many of which w - `req.acceptsLanguage`: Use `req.acceptsLanguages` (plural). - `res.sendfile` method: Use `res.sendFile` instead. +As a framework, we aim to ensure that the API is as consistent as possible. We've removed these deprecated signatures to make the API more predictable and easier to use. By streamlining each method to use a single, consistent signature, we simplify the developer experience and reduce confusion. + ## Our work is just starting We see the v5 release as a milestone toward an Express ecosystem that's a stable and reliable tool for companies, governments, educators, and hobby projects. It is our commitment as the new stewards of the Express project to move the ecosystem forward with this goal in mind. If you want to support this work, which we do on a volunteer basis, please consider supporting the project and its maintainers via [our sponsorship opportunities](https://opencollective.com/express). From 3e0f923351dcabffce8780b918d6e590df35f3c0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 9 Oct 2024 11:58:54 +0200 Subject: [PATCH 15/27] docs: added section for Migration and Security Guidance --- _posts/2024-09-12-v5-release.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 714dfc78df..1905fddede 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -100,6 +100,12 @@ Express v5 removes a number of deprecated API method signatures, many of which w As a framework, we aim to ensure that the API is as consistent as possible. We've removed these deprecated signatures to make the API more predictable and easier to use. By streamlining each method to use a single, consistent signature, we simplify the developer experience and reduce confusion. +## Migration and Security Guidance + +For developers looking to migrate from v4 to v5, we have created a [detailed migration guide](https://expressjs.com/en/guide/migrating-5.html) that will help you navigate through the changes and ensure a smooth upgrade process. + +Additionally, we’ve been working hard on a comprehensive [Threat Model](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md) that helps illustrate our philosophy of a "Fast, unopinionated, minimalist web framework for Node.js." It provides critical insights into areas like user input validation and security practices that are essential for safe and secure usage of Express in your applications. + ## Our work is just starting We see the v5 release as a milestone toward an Express ecosystem that's a stable and reliable tool for companies, governments, educators, and hobby projects. It is our commitment as the new stewards of the Express project to move the ecosystem forward with this goal in mind. If you want to support this work, which we do on a volunteer basis, please consider supporting the project and its maintainers via [our sponsorship opportunities](https://opencollective.com/express). From 88dcaeff713944d2998fb4a6eed5ecf9c564e9a6 Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Thu, 10 Oct 2024 20:33:44 -0700 Subject: [PATCH 16/27] Final polish, add toc links to breaking change sections --- _posts/2024-09-12-v5-release.md | 47 ++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 19 deletions(-) 
diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 1905fddede..4025b87c43 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -5,44 +5,53 @@ author: Wes Todd and the Express Technical Committee description: Announcing the release of Express version 5 --- -Ten years ago the [Express v5 release PR](https://github.com/expressjs/express/pull/2237) was opened, and now at long last it's been merged and published! We want to recognize the work of all our contributors, especially [Doug Wilson](https://github.com/dougwilson), who spent the last ten years ensuring Express was the most stable project around. Without his contributions and those of many others, this release could not have happened. +Ten years ago the [Express v5 release pull request](https://github.com/expressjs/express/pull/2237) was opened, and now at long last it's been merged and published! We want to recognize the work of all our contributors, especially [Doug Wilson](https://github.com/dougwilson), who spent the last ten years ensuring Express was the most stable project around. Without his contributions and those of many others, this release could not have happened. -Eight months ago we went public with a plan to move [Express forward](https://github.com/expressjs/discussions/issues/160). This plan included re-committing to the governance we outlined many years before and working to onboard more contributors to help kickstart progress again. Many people may not realize that robust project governance is critical to the health of large open-source projects. We want to thank the [OpenJS Foundation Cross Project +Eight months ago we went public with a plan to move [Express forward](https://github.com/expressjs/discussions/issues/160). This plan included re-committing to the governance outlined years ago and adding more contributors to help kickstart progress. Many people may not realize that robust project governance is critical to the health of a large open-source project. 
We want to thank the [OpenJS Foundation Cross Project Council](https://github.com/openjs-foundation/cross-project-council/) and its members for helping us put together this plan. ## So what about v5? -This release is designed to be boring! That may seem odd, but we've intentionally kept it simple to unblock the ecosystem and enable more impactful changes in future releases. The focus of this release was on dropping old Node.js version support, addressing security concerns, and simplifying maintenance. +This release is designed to be boring! That may sound odd, but we've intentionally kept it simple to unblock the ecosystem and enable more impactful changes in future releases. The focus of this release is on dropping old Node.js version support, addressing security concerns, and simplifying maintenance. -Before going into the changes in this release, let's address why we released v5 on the `next` dist-tag. As part of reviving the project, we started a [Security Working Group](https://github.com/expressjs/security-wg) and [security triage team](https://github.com/expressjs/security-wg?tab=readme-ov-file#security-triage-team) to address the growing needs around open source supply chain security. We undertook a security audit (more details to come on that) and uncovered some problems that needed to be addressed. Thus, in addition to the "normal" work that we did in public issues, we also did a lot of security work in private forks. This security work required orchestration when releasing, to ensure the code and CVE reports went out together. You can find a summary of the most recent vulnerabilities patched in [our security release notes](https://expressjs.com/2024/09/29/security-releases.html). +Before going into the changes in this release, let's address why it was released v5 on the `next` dist-tag. 
As part of reviving the project, we started a [Security working group](https://github.com/expressjs/security-wg) and [security triage team](https://github.com/expressjs/security-wg?tab=readme-ov-file#security-triage-team) to address the growing needs around open source supply chain security. We undertook a security audit (more details to come on that) and uncovered some problems that needed to be addressed. Thus, in addition to the "normal" work done in public issues, we also did a lot of security work in private forks. This security work required orchestration when releasing, to ensure the code and CVE reports went out together. You can find a summary of the most recent vulnerabilities patched in [our security release notes](https://expressjs.com/2024/09/29/security-releases.html). -While we weren't able to simultaneously release this blog post, our changelog, and the documentation, we felt it was most important to have a secure and stable release. +While we weren't able to simultaneously release v5, this blog post, the changelog, and documentation, we felt it was most important to have a secure and stable release. -As soon as possible, we'll provide more details on our long-term support (LTS) plans, including when the release will move from `next` to `latest`. For now, if you are uncomfortable being on the bleeding edge (even if it is a rather dull edge) then you should wait to upgrade until the release is on tagged as `latest`. That said, we look forward to working with you to address any bugs you encounter as you upgrade. +As soon as possible, we'll provide more details on our long-term support (LTS) plans, including when the release will move from `next` to `latest`. For now, if you are uncomfortable being on the bleeding edge (even if it is a rather dull edge) then you should wait to upgrade until the release is tagged `latest`. That said, we look forward to working with you to address any bugs you encounter as you upgrade. 
## Breaking changes -The v5 release has the minimum possible number of breaking changes, listed here in order of impact to applications. However, there are also number of subtle changes: for details, see the changelog. +The v5 release has the minimum possible number of breaking changes, listed here in order of impact to applications. -### Goodbye Node.js 0.10, hello Node 18+ +- [Ending support for old Node.js versions](#goodbye-nodejs-010-hello-node-18) +- [Changes to path matching and regular expressions](#changes-to-path-matching-and-regular-expressions) +- [Promise support](#promise-support) +- [Body parser changes](#body-parser-changes) +- [Removing deprecated method signatures](#removing-deprecated-method-signatures) -This release drops support for Node.js versions before v18. This is an important change the project maintainers because supporting old Node.js versions has been holding back many critical performance and maintainability changes. -Dropping support for old Node.js versions enables a more stable and maintainable CI, adopting new language and runtime features, and dropping dependencies that are no longer required. +There are also number of subtle changes: for details, see the changelog. + +### Ending support for old Node.js versions + +Goodbye Node.js 0.10, hello Node 18 and up! + +This release drops support for Node.js versions before v18. This is an important change because supporting old Node.js versions has been holding back many critical performance and maintainability changes. This change also enables more stable and maintainable continuous integration (CI), adopting new language and runtime features, and dropping dependencies that are no longer required. 
We recognize that this might cause difficulty for some enterprises with older or "parked" applications, and because of this we are working on a [partnership with HeroDevs](https://expressjs.com/2024/10/01/HeroDevs-partnership-announcement.html) to offer "never-ending support" that will include critical security patches even after v4 enters end-of-life (more on these plans soon). That said, we strongly suggest that you update to modern Node.js versions as soon as possible. -### Path matching and regular expressions +### Changes to path matching and regular expressions The v5 releases updates to `path-to-regexp@8.x` from `path-to-regexp@0.x`, which incorporates many years of changes. If you were using any of the 5.0.0-beta releases, a last-minute update which greatly changed the path semantics to [remove the possibility of any ReDoS attacks](https://blakeembrey.com/posts/2024-09-web-redos/). For more detailed changes, [see the `path-to-regexp` readme](https://github.com/pillarjs/path-to-regexp?tab=readme-ov-file#express--4x). -#### 1. No more regex +#### No more regex This releases no longer supports "sub-expression" regular expressions, for example `/:foo(\\d+)`. This is a commonly-used pattern, but we removed it for security reasons. Unfortunately, it's easy to write a regular expression that has exponential time behavior when parsing input: The dreaded regular expression denial of service (ReDoS) attack. It's very difficult to prevent this, but as a library that converts strings to regular expressions, we are on the hook for such security aspects. *How to migrate:* The best approach to prevent ReDoS attacks is to use a robust input validation library. [There are many on `npm`](https://www.npmjs.com/search?q=validate%20express) depending on your needs. TC member Wes Todd maintains [a middleware-based "code first" OpenAPI library](https://www.npmjs.com/package/@wesleytodd/openapi) for this kind of thing. -#### 2. 
Splats, optional, and captures oh my +#### Splats, optional, and captures oh my This release includes simplified patterns for common route patterns. With the removal of regular expression semantics comes other small but impactful changes to how you write your routes. @@ -50,11 +59,11 @@ This release includes simplified patterns for common route patterns. With the r 2. `*` becomes `*name`. 3. New reserved characters: `(`, `)`, `[`, `]`, `?`, `+`, & `!`. These have been reserved to leave room for future improvements and to prevent mistakes when migrating where those characters mean specific things in previous versions. -#### 3. Name everything +#### Name everything This release no longer supports ordered numerical parameters. -In Express v4, you could get numerical parameters using regex capture groups (for example, `/user(s?)` => `req.params[0] === 's'`). Now all parameters must be named. Along with requiring a name, Express now supports all valid JavaScript identifiers or quoted (for example, `/:"this"`). +In Express v4, you could get numerical parameters using regex capture groups (for example, `/user(s?)` => `req.params[0] === 's'`). Now all parameters must be named. Along with requiring a name, Express now supports all valid JavaScript identifiers or quoted (for example, `/:"this"`). ### Promise support @@ -71,7 +80,7 @@ Notice that this example uses `async/await` and the `getUser` call may throw an NOTE: Best practice is to handle errors as close to the site as possible. So while this is now handled in the router, it's best to catch the error in the middleware and handle it without relying on separate error-handling middleware. -### Body parser +### Body parser changes There are a number of `body-parser` changes: 
@@ -81,9 +90,9 @@ There are a number of `body-parser` changes: - `urlencoded` parser now defaults `extended` to false - Added support for Brotli lossless data compression -### Deprecated API method signatures removed +### Removing deprecated method signatures -Express v5 removes a number of deprecated API method signatures, many of which were carried over from v3. Below are the changes you need to make: +Express v5 removes a number of deprecated method signatures, many of which were carried over from v3. Below are the changes you need to make: - `res.redirect('back')` and `res.location('back')`: The magic string `'back'` is no longer supported. Use `req.get('Referrer') || '/'` explicitly instead. - `res.send(status, body)` and `res.send(body, status)` signatures: Use `res.status(status).send(body)`. @@ -100,7 +109,7 @@ Express v5 removes a number of deprecated API method signatures, many of which w As a framework, we aim to ensure that the API is as consistent as possible. We've removed these deprecated signatures to make the API more predictable and easier to use. By streamlining each method to use a single, consistent signature, we simplify the developer experience and reduce confusion. -## Migration and Security Guidance +## Migration and security guidance For developers looking to migrate from v4 to v5, we have created a [detailed migration guide](https://expressjs.com/en/guide/migrating-5.html) that will help you navigate through the changes and ensure a smooth upgrade process. From d9fbc6e4a244f2b3e3bbcc651b7ea4034df67535 Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Sat, 12 Oct 2024 08:41:17 -0700 Subject: [PATCH 17/27] Change xref to migration guide from changelog --- _posts/2024-09-12-v5-release.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 4025b87c43..9db1d9a782 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -30,7 +30,7 @@ The v5 release has the minimum possible number of breaking changes, listed here - [Body parser changes](#body-parser-changes) - [Removing deprecated method signatures](#removing-deprecated-method-signatures) -There are also number of subtle changes: for details, see the changelog. +There are also number of subtle changes: for details, see [Migrating to Express 5]({{site.url}}/{{page.lang}}/guide/migrating-5). ### Ending support for old Node.js versions @@ -111,7 +111,7 @@ As a framework, we aim to ensure that the API is as consistent as possible. We'v ## Migration and security guidance -For developers looking to migrate from v4 to v5, we have created a [detailed migration guide](https://expressjs.com/en/guide/migrating-5.html) that will help you navigate through the changes and ensure a smooth upgrade process. +For developers looking to migrate from v4 to v5, there's a [detailed migration guide]({{site.url}}/{{page.lang}}/guide/migrating-5) to help you navigate through the changes and ensure a smooth upgrade process. Additionally, we’ve been working hard on a comprehensive [Threat Model](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md) that helps illustrate our philosophy of a "Fast, unopinionated, minimalist web framework for Node.js." It provides critical insights into areas like user input validation and security practices that are essential for safe and secure usage of Express in your applications. From 5b1b2a0bc5b07474d02a66a49b201d6390688854 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 15 Oct 2024 11:17:39 +0200 Subject: [PATCH 18/27] Update _posts/2024-09-12-v5-release.md Co-authored-by: Jean Burellier --- _posts/2024-09-12-v5-release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 9db1d9a782..4a1b57d080 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -30,7 +30,7 @@ The v5 release has the minimum possible number of breaking changes, listed here - [Body parser changes](#body-parser-changes) - [Removing deprecated method signatures](#removing-deprecated-method-signatures) -There are also number of subtle changes: for details, see [Migrating to Express 5]({{site.url}}/{{page.lang}}/guide/migrating-5). +There are also a number of subtle changes: for details, see [Migrating to Express 5]({{site.url}}/{{page.lang}}/guide/migrating-5). ### Ending support for old Node.js versions From 1cd04c1d1527774844ef0f67e276277450ac61f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 15 Oct 2024 11:17:45 +0200 Subject: [PATCH 19/27] Update _posts/2024-09-12-v5-release.md Co-authored-by: Jean Burellier --- _posts/2024-09-12-v5-release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 4a1b57d080..1f7ec6fac8 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -46,7 +46,7 @@ The v5 releases updates to `path-to-regexp@8.x` from `path-to-regexp@0.x`, which #### No more regex -This releases no longer supports "sub-expression" regular expressions, for example `/:foo(\\d+)`. +This release no longer supports "sub-expression" regular expressions, for example `/:foo(\\d+)`. This is a commonly-used pattern, but we removed it for security reasons. Unfortunately, it's easy to write a regular expression that has exponential time behavior when parsing input: The dreaded regular expression denial of service (ReDoS) attack. It's very difficult to prevent this, but as a library that converts strings to regular expressions, we are on the hook for such security aspects. *How to migrate:* The best approach to prevent ReDoS attacks is to use a robust input validation library. [There are many on `npm`](https://www.npmjs.com/search?q=validate%20express) depending on your needs. TC member Wes Todd maintains [a middleware-based "code first" OpenAPI library](https://www.npmjs.com/package/@wesleytodd/openapi) for this kind of thing. From 7c2104cad2b41ff5ceb649b55024e660e17595ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 15 Oct 2024 11:17:56 +0200 Subject: [PATCH 20/27] Update _posts/2024-09-12-v5-release.md Co-authored-by: Jean Burellier --- _posts/2024-09-12-v5-release.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 1f7ec6fac8..041380a26b 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -5,7 +5,9 @@ author: Wes Todd and the Express Technical Committee description: Announcing the release of Express version 5 --- -Ten years ago the [Express v5 release pull request](https://github.com/expressjs/express/pull/2237) was opened, and now at long last it's been merged and published! We want to recognize the work of all our contributors, especially [Doug Wilson](https://github.com/dougwilson), who spent the last ten years ensuring Express was the most stable project around. Without his contributions and those of many others, this release could not have happened. +Ten years ago (July 2014) the [Express v5 release pull request](https://github.com/expressjs/express/pull/2237) was opened, and now at long last it's been merged and published! + +We want to recognize the work of all our contributors, especially [Doug Wilson](https://github.com/dougwilson), who spent the last ten years ensuring Express was the most stable project around. Without his contributions and those of many others, this release could not have happened. Eight months ago we went public with a plan to move [Express forward](https://github.com/expressjs/discussions/issues/160). This plan included re-committing to the governance outlined years ago and adding more contributors to help kickstart progress. Many people may not realize that robust project governance is critical to the health of a large open-source project. We want to thank the [OpenJS Foundation Cross Project Council](https://github.com/openjs-foundation/cross-project-council/) and its members for helping us put together this plan. From c31e2174f6646a872d4c22a24f95cad09633cea4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 15 Oct 2024 11:18:04 +0200 Subject: [PATCH 21/27] Update _posts/2024-09-12-v5-release.md Co-authored-by: Jean Burellier --- _posts/2024-09-12-v5-release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 041380a26b..8f75e7b7bf 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md @@ -9,7 +9,7 @@ Ten years ago (July 2014) the [Express v5 release pull request](https://github.c We want to recognize the work of all our contributors, especially [Doug Wilson](https://github.com/dougwilson), who spent the last ten years ensuring Express was the most stable project around. Without his contributions and those of many others, this release could not have happened. -Eight months ago we went public with a plan to move [Express forward](https://github.com/expressjs/discussions/issues/160). This plan included re-committing to the governance outlined years ago and adding more contributors to help kickstart progress. Many people may not realize that robust project governance is critical to the health of a large open-source project. We want to thank the [OpenJS Foundation Cross Project +Eight months ago we went public with a plan to move [Express forward](https://github.com/expressjs/discussions/issues/160). This plan included re-committing to the governance outlined years ago and adding more contributors to help kickstart progress. Many people may not realize that robust project governance is critical to the health of a large open-source project. We want to thank the [OpenJS Foundation Cross Project Council](https://github.com/openjs-foundation/cross-project-council/) and its members for helping us put together this plan. ## So what about v5? From eacff0cb9f6508f78806e06933460d40d8e0d885 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 15 Oct 2024 11:18:12 +0200 Subject: [PATCH 22/27] Update _posts/2024-09-12-v5-release.md Co-authored-by: Jean Burellier --- _posts/2024-09-12-v5-release.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 8f75e7b7bf..76503bb81a 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md @@ -14,7 +14,9 @@ Council](https://github.com/openjs-foundation/cross-project-council/) and its me ## So what about v5? -This release is designed to be boring! That may sound odd, but we've intentionally kept it simple to unblock the ecosystem and enable more impactful changes in future releases. The focus of this release is on dropping old Node.js version support, addressing security concerns, and simplifying maintenance. +This release is designed to be boring! +That may sound odd, but we've intentionally kept it simple to unblock the ecosystem and enable more impactful changes in future releases. This is also about signaling to the Node.js ecosystem that Express is moving again. +The focus of this release is on dropping old Node.js version support, addressing security concerns, and simplifying maintenance. Before going into the changes in this release, let's address why it was released v5 on the `next` dist-tag. As part of reviving the project, we started a [Security working group](https://github.com/expressjs/security-wg) and [security triage team](https://github.com/expressjs/security-wg?tab=readme-ov-file#security-triage-team) to address the growing needs around open source supply chain security. We undertook a security audit (more details to come on that) and uncovered some problems that needed to be addressed. Thus, in addition to the "normal" work done in public issues, we also did a lot of security work in private forks. This security work required orchestration when releasing, to ensure the code and CVE reports went out together. You can find a summary of the most recent vulnerabilities patched in [our security release notes](https://expressjs.com/2024/09/29/security-releases.html). From 7cd9b157cddbf97fbea7a5f6b1d62e36622cbe84 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 15 Oct 2024 11:18:20 +0200 Subject: [PATCH 23/27] Update _posts/2024-09-12-v5-release.md Co-authored-by: Jean Burellier --- _posts/2024-09-12-v5-release.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 76503bb81a..5c80bb3900 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -18,7 +18,8 @@ This release is designed to be boring! That may sound odd, but we've intentionally kept it simple to unblock the ecosystem and enable more impactful changes in future releases. This is also about signaling to the Node.js ecosystem that Express is moving again. The focus of this release is on dropping old Node.js version support, addressing security concerns, and simplifying maintenance. -Before going into the changes in this release, let's address why it was released v5 on the `next` dist-tag. As part of reviving the project, we started a [Security working group](https://github.com/expressjs/security-wg) and [security triage team](https://github.com/expressjs/security-wg?tab=readme-ov-file#security-triage-team) to address the growing needs around open source supply chain security. We undertook a security audit (more details to come on that) and uncovered some problems that needed to be addressed. Thus, in addition to the "normal" work done in public issues, we also did a lot of security work in private forks. This security work required orchestration when releasing, to ensure the code and CVE reports went out together. You can find a summary of the most recent vulnerabilities patched in [our security release notes](https://expressjs.com/2024/09/29/security-releases.html). +Before going into the changes in this release, let's address why it was released v5 on the `next` dist-tag. As part of reviving the project, we started a [Security working group](https://github.com/expressjs/security-wg) and [security triage team](https://github.com/expressjs/security-wg?tab=readme-ov-file#security-triage-team) to address the growing needs around open source supply chain security. We undertook a security audit (more details to come on that) and uncovered some problems that needed to be addressed. Thus, in addition to the "normal" work done in public issues, we also did a lot of security work in private forks. 
+This security work required orchestration when releasing, to ensure the code and CVE reports went out together. You can find a summary of the most recent vulnerabilities patched in [our security release notes](https://expressjs.com/2024/09/29/security-releases.html). While we weren't able to simultaneously release v5, this blog post, the changelog, and documentation, we felt it was most important to have a secure and stable release. From 87408cab2831a111e677bb6cf62d5d4fa8766618 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 15 Oct 2024 11:18:28 +0200 Subject: [PATCH 24/27] Update _posts/2024-09-12-v5-release.md Co-authored-by: Jean Burellier --- _posts/2024-09-12-v5-release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 5c80bb3900..c8e1faafba 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -54,7 +54,7 @@ The v5 releases updates to `path-to-regexp@8.x` from `path-to-regexp@0.x`, which This release no longer supports "sub-expression" regular expressions, for example `/:foo(\\d+)`. This is a commonly-used pattern, but we removed it for security reasons. Unfortunately, it's easy to write a regular expression that has exponential time behavior when parsing input: The dreaded regular expression denial of service (ReDoS) attack. It's very difficult to prevent this, but as a library that converts strings to regular expressions, we are on the hook for such security aspects. -*How to migrate:* The best approach to prevent ReDoS attacks is to use a robust input validation library. [There are many on `npm`](https://www.npmjs.com/search?q=validate%20express) depending on your needs. TC member Wes Todd maintains [a middleware-based "code first" OpenAPI library](https://www.npmjs.com/package/@wesleytodd/openapi) for this kind of thing. +*How to migrate:* The best approach to prevent ReDoS attacks is to use a robust input validation library. [There are many on `npm`](https://www.npmjs.com/search?q=validate%20express) depending on your needs. TC member Wes Todd maintains [a middleware-based "code first" OpenAPI library](https://www.npmjs.com/package/@wesleytodd/openapi) for this kind of thing. #### Splats, optional, and captures oh my From ae42d7048a2a0d6a021f91de4be63889d999a131 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 15 Oct 2024 11:18:34 +0200 Subject: [PATCH 25/27] Update _posts/2024-09-12-v5-release.md Co-authored-by: Jean Burellier --- _posts/2024-09-12-v5-release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index c8e1faafba..ee00533f99 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -122,6 +122,6 @@ Additionally, we’ve been working hard on a comprehensive [Threat Model](https: ## Our work is just starting -We see the v5 release as a milestone toward an Express ecosystem that's a stable and reliable tool for companies, governments, educators, and hobby projects. It is our commitment as the new stewards of the Express project to move the ecosystem forward with this goal in mind. If you want to support this work, which we do on a volunteer basis, please consider supporting the project and its maintainers via [our sponsorship opportunities](https://opencollective.com/express). +We see the v5 release as a milestone toward an Express ecosystem that's a stable and reliable tool for companies, governments, educators, and hobby projects. It is our commitment as the new stewards of the Express project to move the ecosystem forward with this goal in mind. If you want to support this work, which we do on a volunteer basis, please consider supporting the project and its maintainers via [our sponsorship opportunities](https://opencollective.com/express). We have an [extensive working backlog](https://github.com/expressjs/discussions/issues/266) of tasks, PRs, and issues for Express and dependencies. Naturally, we expect developers will continue to report issues to add to this backlog and open PRs moving forward, and we'll continue to collaborate with the community to triage and resolve them. We look forward to continuing to improve Express and making it useful for its users across the world. From cf462b64f9c501b52cca5c0b9fa45a01846aabbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 15 Oct 2024 11:18:42 +0200 Subject: [PATCH 26/27] Update _posts/2024-09-12-v5-release.md Co-authored-by: Jean Burellier --- _posts/2024-09-12-v5-release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index ee00533f99..63b412ee1d 100644 
--- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md @@ -124,4 +124,4 @@ Additionally, we’ve been working hard on a comprehensive [Threat Model](https: We see the v5 release as a milestone toward an Express ecosystem that's a stable and reliable tool for companies, governments, educators, and hobby projects. It is our commitment as the new stewards of the Express project to move the ecosystem forward with this goal in mind. If you want to support this work, which we do on a volunteer basis, please consider supporting the project and its maintainers via [our sponsorship opportunities](https://opencollective.com/express). -We have an [extensive working backlog](https://github.com/expressjs/discussions/issues/266) of tasks, PRs, and issues for Express and dependencies. Naturally, we expect developers will continue to report issues to add to this backlog and open PRs moving forward, and we'll continue to collaborate with the community to triage and resolve them. We look forward to continuing to improve Express and making it useful for its users across the world. +We have an [extensive working backlog](https://github.com/expressjs/discussions/issues/266) of tasks, PRs, and issues for Express and dependencies. Naturally, we expect developers will continue to report issues to add to this backlog and open PRs moving forward, and we'll continue to collaborate with the community to triage and resolve them. We look forward to continuing to improve Express and making it useful for its users across the world. From 146185b4f0660a6d841495f21fafe71f8fa5f9bd Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Tue, 15 Oct 2024 14:56:33 -0700 Subject: [PATCH 27/27] Move file to change post date --- _posts/{2024-09-12-v5-release.md => 2024-10-15-v5-release.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename _posts/{2024-09-12-v5-release.md => 2024-10-15-v5-release.md} (100%) 
diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-10-15-v5-release.md similarity index 100% rename from _posts/2024-09-12-v5-release.md rename to _posts/2024-10-15-v5-release.md
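Review bot: In the patch that precedes PATCH 17/27, the new table-of-contents entry `[Ending support for old Node.js versions](#goodbye-nodejs-010-hello-node-18)` in the `## Breaking changes` hunk still targets the slug of the heading that this same hunk deletes (`### Goodbye Node.js 0.10, hello Node 18+`). Once the heading becomes `### Ending support for old Node.js versions` the fragment has nothing to land on. The other four entries already match their renamed headings (`#changes-to-path-matching-and-regular-expressions`, `#promise-support`, `#body-parser-changes`, `#removing-deprecated-method-signatures`), so update this one to the slug generated for the new heading text.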
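Review bot: In the `@@ -50,11 +59,11 @@` hunk of that same patch (the "Name everything" section), the re-emitted line still ends with "Express now supports all valid JavaScript identifiers or quoted (for example, `/:"this"`)", where "quoted" has no noun. The removed and added lines read identically as shown, so the change is apparently whitespace only; since the line is being touched anyway, complete the sentence, for example "or quoted names", so readers know what the quoting applies to.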
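Review bot: In PATCH 17/27, hunk `@@ -111,7 +111,7 @@` (and likewise `@@ -30,7 +30,7 @@`), the replacement link `{{site.url}}/{{page.lang}}/guide/migrating-5` depends on `page.lang` being defined for this post. The front-matter lines visible in this series show only `title`, `tags`, `author` and `description`, and the link being removed hard-coded `/en/`. If `lang` is not supplied by a site-wide default for `_posts`, the rendered URL gets an empty path segment. Please confirm the default exists or set `lang` in the front matter; the commit message should also mention that the migration-guide link changed form, not only the changelog cross-reference.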
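Review bot: In PATCH 19/27, the hunk header context for `@@ -46,7 +46,7 @@` shows the same subject-verb slip still unfixed one paragraph above the corrected line: "The v5 releases updates to `path-to-regexp@8.x` from `path-to-regexp@0.x`". The sentence that follows it in the post ("If you were using any of the 5.0.0-beta releases, a last-minute update which greatly changed the path semantics to ...") also has no main verb. Both sit in the paragraph that explains the ReDoS-driven routing change, so fix them in this commit rather than leaving the security rationale harder to read than the line below it.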
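Review bot: In PATCH 21/27, the removed and added lines of `@@ -9,7 +9,7 @@` read identically as shown, so the change is presumably whitespace only, yet the subject "Update _posts/2024-09-12-v5-release.md" gives no hint of that. The same applies to PATCH 24/27, 25/27 and 26/27. Either state "strip trailing whitespace" (or whatever the actual change is) in the subject, or squash these four into one commit so the history of the post stays reviewable.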
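Review bot: In PATCH 23/27, the first added line of `@@ -18,7 +18,8 @@` still opens with "let's address why it was released v5 on the `next` dist-tag", which does not parse. Since this hunk rewrites the line anyway, change it to "why v5 was released on the `next` dist-tag". Note also that the new break before "This security work required orchestration" is a single newline, so Markdown will still render it as one paragraph; add a blank line if a separate paragraph was intended.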
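Review bot: The rename in PATCH 27/27 from `_posts/2024-09-12-v5-release.md` to `_posts/2024-10-15-v5-release.md` changes more than the displayed date if the site uses the date-based permalinks seen in the post's own links (`https://expressjs.com/2024/09/29/security-releases.html`, `https://expressjs.com/2024/10/01/HeroDevs-partnership-announcement.html`): the published URL of this post would move as well. Please check whether anything already links to the September path and add a redirect if so, and say in the commit message that the URL changes.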