what stackpulse tracks
Express releases from GitHub
StackPulse watches Express release notes and keeps the original source link close to every summary.
#stacks/express/framework
Express release notes, breaking changes, and upgrade notes.
Fast, unopinionated, minimalist web framework for Node.js StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.
releases
5
breaking
2
security
4
deprecated
1
migrations
0
upgrade risk
Breaking changes and deprecations
Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.
migration notes
Source-backed next steps
Migration steps and recommended actions are only shown when the upstream release notes support them.
# latest_releases
source-backedv4.22.2mediumfeatureMay 11, 2026
v4.22.2
This release fixes array parsing for `req.query` repeated keys, unifying behavior across notations and increasing the limit to 1000 items. Dependency updates for `qs` and `body-parser` are also included.
affected
Developers relying on array parsing in `req.query` with more than 20 items are affected.
action
Upgrade to ensure consistent array parsing behavior.
v4.22.1criticalbreakingsecurityDec 1, 2025
v4.22.1
This release reverts an erroneous breaking change introduced in version 4.22.0 related to the extended query parser, which was mistakenly associated with a rejected CVE (CVE-2024-51999).
affected
Users who upgraded to version 4.22.0 and experienced issues with the extended query parser are affected.
action
Upgrade to version 4.22.1 to revert the erroneous change.
release_signals
!CVE-2024-51999 has been rejected and is not associated with any security vulnerability.
v5.2.1mediumbreakingsecurityDec 1, 2025
v5.2.1
This release reverts an erroneous breaking change from the prior release (5.2.0) related to the extended query parser. No security vulnerability was associated with this behavior.
affected
Users who experienced issues with the extended query parser in version 5.2.0 are affected.
action
Upgrade to version 5.2.1 to revert the erroneous change.
release_signals
!CVE-2024-51999 has been rejected, confirming no security vulnerability related to the extended query parser change.
v5.2.0criticaldeprecationfeaturesecurityDec 1, 2025
v5.2.0
This release includes a critical security fix for CVE-2024-51999, along with various dependency updates, code refactoring, and documentation improvements.
affected
Users affected by CVE-2024-51999 should upgrade immediately to mitigate security risks.
action
Upgrade to version 5.2.0 to address the security vulnerability.
release_signals
!Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
!Deprecation warnings for redirect arguments undefined
!Use req.socket over deprecated req.connection
+Refactor: simplify `acceptsLanguages` implementation using spread operator
+Increased code coverage of utils.js file
+Add deprecation warnings for redirect arguments undefined
+Use req.socket over deprecated req.connection
+Refactor: use cached slice in app.listen
4.22.0criticalfeaturesecurityDec 1, 2025
4.22.0
This release includes a critical security fix for CVE-2024-51999 and adds support for Node.js 23.0 and 24.0. Various CI improvements and dependency updates were also made.
affected
Users are affected if they are using versions prior to 4.22.0 due to the security vulnerability.
action
Upgrade to version 4.22.0 immediately to address the security vulnerability.
release_signals
!Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
+Added support for Node.js@23.0
+Added Node.js 24 to the test matrix