Commit c2e3f31

docs: add option to express.urlencoded middleware documentation (#2001)
This option was also not documented. It was added as part of a fix for a vulnerability (see GHSA-qwcr-r2fm-qrc7).

ref: expressjs/express#5926, expressjs/body-parser@afd0f39

---------

Signed-off-by: Sebastian Beltran <[email protected]>
Co-authored-by: UlisesGascon <[email protected]>
1 parent 5df99fe commit c2e3f31

2 files changed

+8
-2
lines changed

_includes/api/en/4x/express.urlencoded.md

Lines changed: 6 additions & 1 deletion
@@ -39,5 +39,10 @@ The following table describes the properties of the optional `options` object.
3939
| `parameterLimit` | This option controls the maximum number of parameters that are allowed in the URL-encoded data. If a request contains more parameters than this value, an error will be raised. | Number | `1000` |
4040
| `type` | This is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function, `type` option is passed directly to the [type-is](https://www.npmjs.org/package/type-is#readme) library and this can be an extension name (like `urlencoded`), a mime type (like `application/x-www-form-urlencoded`), or a mime type with a wildcard (like `*/x-www-form-urlencoded`). If a function, the `type` option is called as `fn(req)` and the request is parsed if it returns a truthy value. | Mixed | `"application/x-www-form-urlencoded"` |
4141
| `verify` | This option, if supplied, is called as `verify(req, res, buf, encoding)`, where `buf` is a `Buffer` of the raw request body and `encoding` is the encoding of the request. The parsing can be aborted by throwing an error. | Function | `undefined` |
42+
| `depth` | Configure the maximum depth of the `qs` library when `extended` is `true`. This allows you to limit the amount of keys that are parsed and can be useful to prevent certain types of abuse. Defaults to `32`. It is recommended to keep this value as low as possible. | Number | `32` |
4243

43-
</div>
44+
</div>
45+
46+
<div class="doc-box doc-notice" markdown="1">
47+
The `depth` option was added in Express v4.20.0. If you are using an earlier version, this option will not be available.
48+
</div>
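
Review bot: In the added `depth` row, "limit the amount of keys that are parsed" describes a key count, which the `parameterLimit` row above already covers; the same cell calls this "the maximum depth of the `qs` library", so word it as a limit on nesting levels of the parsed object. The row also does not say what happens when a body exceeds the limit, whereas the `parameterLimit` row states that "an error will be raised"; add the equivalent sentence here so readers know whether the request is rejected or the input is truncated.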

_includes/api/en/5x/express.urlencoded.md

Lines changed: 2 additions & 1 deletion
@@ -35,5 +35,6 @@ The following table describes the properties of the optional `options` object.
3535
| `parameterLimit` | This option controls the maximum number of parameters that are allowed in the URL-encoded data. If a request contains more parameters than this value, an error will be raised. | Number | `1000` |
3636
| `type` | This is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function, `type` option is passed directly to the [type-is](https://www.npmjs.org/package/type-is#readme) library and this can be an extension name (like `urlencoded`), a mime type (like `application/x-www-form-urlencoded`), or a mime type with a wildcard (like `*/x-www-form-urlencoded`). If a function, the `type` option is called as `fn(req)` and the request is parsed if it returns a truthy value. | Mixed | `"application/x-www-form-urlencoded"` |
3737
| `verify` | This option, if supplied, is called as `verify(req, res, buf, encoding)`, where `buf` is a `Buffer` of the raw request body and `encoding` is the encoding of the request. The parsing can be aborted by throwing an error. | Function | `undefined` |
38+
| `depth` | Configure the maximum depth of the `qs` library when `extended` is `true`. This allows you to limit the amount of keys that are parsed and can be useful to prevent certain types of abuse. Defaults to `32`. It is recommended to keep this value as low as possible. | Number | `32` |
3839

39-
</div>
40+
</div>
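
Review bot: The 5x `depth` row states the default twice, as "Defaults to `32`" in the description and as `32` in the Default column; the other rows in this table leave the default to the column, so drop the sentence. Unlike the 4x file in this commit, this page gets no availability notice; if `depth` is not present in every 5.x release, add one naming the first version that has it. Since the commit message ties the option to GHSA-qwcr-r2fm-qrc7, "certain types of abuse" could link to that advisory so readers see why a low value is recommended.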