Skip to content

Commit b8d426e

Browse files
VishalRMahajanbjohansebas
VishalRMahajan
and
bjohansebas
authored
docs(migrating-5): add section about express.static dotfiles defaulting to ignore (#1987) (#1989)
Co-authored-by: bjohansebas <[email protected]>
1 parent 8c4ae2a commit b8d426e

File tree

1 file changed

+26
-0
lines changed

1 file changed

+26
-0
lines changed

en/guide/migrating-5.md

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -66,6 +66,7 @@ You can find the list of available codemods [here](https://github.com/expressjs/
6666
<li><a href="#path-syntax">Path route matching syntax</a></li>
6767
<li><a href="#rejected-promises">Rejected promises handled from middleware and handlers</a></li>
6868
<li><a href="#express.urlencoded">express.urlencoded</a></li>
69+
<li><a href="#express.static.dotfiles">express.static dotfiles</a></li>
6970
<li><a href="#app.listen">app.listen</a></li>
7071
<li><a href="#app.router">app.router</a></li>
7172
<li><a href="#req.body">req.body</a></li>
@@ -76,6 +77,7 @@ You can find the list of available codemods [here](https://github.com/expressjs/
7677
<li><a href="#res.vary">res.vary</a></li>
7778
</ul>
7879

80+
7981
**Improvements**
8082

8183
<ul class="doclist">
@@ -462,6 +464,30 @@ Details of how Express handles errors is covered in the [error handling document
462464

463465
The `express.urlencoded` method makes the `extended` option `false` by default.
464466

467+
<h3 id="express.static.dotfiles">express.static dotfiles</h3>
468+
469+
In Express 5, the `express.static` middleware's `dotfiles` option now defaults to `"ignore"`. This is a change from Express 4, where dotfiles were served by default. As a result, files inside a directory that starts with a dot (`.`), such as `.well-known`, will no longer be accessible and will return a **404 Not Found** error. This can break functionality that depends on serving dot-directories, such as Android App Links, and Apple Universal Links.
470+
471+
Example of breaking code:
472+
473+
```js
474+
// v4
475+
app.use(express.static('public'))
476+
```
477+
478+
After migrating to Express 5, a request to `/.well-known/assetlinks.json` will result in a **404 Not Found**.
479+
480+
To fix this, serve specific dot-directories explicitly using the `dotfiles: "allow"` option:
481+
482+
```js
483+
// v5
484+
app.use('/.well-known', express.static('public/.well-known', { dotfiles: 'allow' }))
485+
app.use(express.static('public'))
486+
```
487+
488+
This approach allows you to safely serve only the intended dot-directories while keeping the default secure behavior for other dotfiles, which remain inaccessible.
489+
490+
465491
<h3 id="app.listen">app.listen</h3>
466492

467493
In Express 5, the `app.listen` method will invoke the user-provided callback function (if provided) when the server receives an error event. In Express 4, such errors would be thrown. This change shifts error-handling responsibility to the callback function in Express 5. If there is an error, it will be passed to the callback as an argument.

0 commit comments

Comments
 (0)