Commit 4ea54db
Update dependency express to v5.2.0 [SECURITY] (#362)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [express](https://expressjs.com/) ([source](https://redirect.github.com/expressjs/express)) | [`5.1.0` -> `5.2.0`](https://renovatebot.com/diffs/npm/express/5.1.0/5.2.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) |
### GitHub Vulnerability Alerts
#### [CVE-2024-51999](https://redirect.github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6)
### Impact
When using the extended query parser in express (`'query parser': 'extended'`), the `request.query` object inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property names.
> [!IMPORTANT]
> The extended query parser is the default in Express 4; this was
> changed in Express 5, which by default uses the simple query parser.
### Patches
The issue has been patched to ensure `request.query` is a plain object, so `request.query` no longer has object prototype properties. This brings the default behavior of extended query parsing in line with Express's default simple query parser.
### Workaround
This only impacts users using extended query parsing (`'query parser': 'extended'`), which is the default in Express 4, but not Express 5. All users are encouraged to upgrade to the patched versions, but can otherwise work around this issue:
#### Provide `qs` directly and specify `plainObjects: true`
```js
const express = require('express');
const qs = require('qs');

const app = express();

// Parse query strings with qs, but return prototype-less objects so that
// req.query neither inherits nor lets a parameter shadow Object.prototype members.
app.set('query parser', function (str) {
  return qs.parse(str, {
    plainObjects: true
  });
});
```
---
### Release Notes
<details>
<summary>expressjs/express (express)</summary>
### [`v5.2.0`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#520--2025-12-01)
[Compare Source](https://redirect.github.com/expressjs/express/compare/v5.1.0...v5.2.0)
- Security fix for
[CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999)
([GHSA-pj86-cfqh-vqx6](https://redirect.github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))
- deps: `body-parser@^2.2.1`
- A deprecation warning was added when using `res.redirect` with undefined arguments. Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/LUISDASARTIMANHAS/template-server-express-node-js).
1 file changed (+43, -39 lines)
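The prototype-shadowing behaviour the advisory above describes, and what `plainObjects: true` changes, as an added example that is not part of this commit, of Express or of `qs`: `parseQuery` is a deliberately small stand-in for `qs.parse` written for this illustration (an assumption, not the library's code) that reproduces only the one behaviour at issue, whether the returned object carries `Object.prototype` or not; `prototypeCollisions` is a defender-side check that lists query keys colliding with `Object.prototype` member names, suitable as a logging hook on an Express 4 application that still uses the extended parser; and `getParam` reads own properties only, so application code behaves identically under either parser mode. The query strings are constructed sample inputs.

```javascript
// Added example (not Express, qs or this repository's code).
// parseQuery() is a hypothetical, minimal stand-in for qs.parse() covering only
// the behaviour the advisory is about: prototype-bearing vs. prototype-less result.

// Constructed sample inputs.
const SAMPLE_BENIGN = 'user=alice&page=2';
const SAMPLE_SHADOWING = 'user=alice&toString=oops'; // key collides with a prototype member

// Parse "k=v&k2=v2" into an object. With plainObjects the result has a null
// prototype, which is what qs.parse(str, { plainObjects: true }) and the patched
// Express default produce; without it, the result inherits Object.prototype.
function parseQuery(str, { plainObjects = false } = {}) {
  const out = plainObjects ? Object.create(null) : {};
  const body = str.startsWith('?') ? str.slice(1) : str;
  for (const part of body.split('&')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? part : part.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(part.slice(eq + 1));
    out[key] = value;
  }
  return out;
}

// Member names a prototype-bearing req.query inherits and a query key could shadow.
const PROTOTYPE_NAMES = new Set(Object.getOwnPropertyNames(Object.prototype));

// Detection: query keys that collide with Object.prototype members. Works on
// both parser modes because Object.keys() only reports own properties.
function prototypeCollisions(query) {
  return Object.keys(query).filter((k) => PROTOTYPE_NAMES.has(k));
}

// Safe accessor: own properties only, so a missing parameter is undefined in
// both modes instead of resolving to an inherited function in one of them.
function getParam(query, name) {
  return Object.hasOwn(query, name) ? query[name] : undefined;
}

// Run the same input through both modes and report the observable differences.
function compare(str) {
  const legacy = parseQuery(str);                        // pre-5.2.0 extended behaviour
  const plain = parseQuery(str, { plainObjects: true }); // patched / workaround behaviour
  return {
    legacyInheritsToString: typeof legacy.toString === 'function',
    plainInheritsToString: typeof plain.toString === 'function',
    collisions: prototypeCollisions(plain),
    userParam: getParam(plain, 'user'),
  };
}

console.log(compare(SAMPLE_BENIGN));
console.log(compare(SAMPLE_SHADOWING));
```

On the benign input the legacy object still exposes an inherited `toString` function while the plain object exposes none, which is the inconsistency the patch removes; on the colliding input `prototypeCollisions` reports `['toString']` in either mode, and `getParam` keeps returning the real `user` value. `Object.hasOwn` needs Node 16.9 or later; `Object.prototype.hasOwnProperty.call(query, name)` is the equivalent on older runtimes.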