Skip to content

Bump express from 4.18.2 to 4.22.2#657

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/express-4.22.0
Open

Bump express from 4.18.2 to 4.22.2#657
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/express-4.22.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Dec 1, 2025

Copy link
Copy Markdown
Contributor

Bumps express from 4.18.2 to 4.22.2.

Release notes

Sourced from express's releases.

v4.22.2

What's Changed

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5

New Contributors

Full Changelog: expressjs/express@v4.22.1...v4.22.2

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

What's Changed

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

4.22.2 / 2026-05-011

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5

4.22.1 / 2025-12-01

  • Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
    • The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

  • deps: path-to-regexp@0.1.12
    • Fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Dec 1, 2025
@tyler-reitz

Copy link
Copy Markdown
Contributor

@dependabot rebase

Bumps [express](https://github.com/expressjs/express) from 4.18.2 to 4.22.2.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/v4.22.2/History.md)
- [Commits](expressjs/express@4.18.2...v4.22.2)

---
updated-dependencies:
- dependency-name: express
  dependency-version: 4.22.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump express from 4.18.2 to 4.22.0 Bump express from 4.18.2 to 4.22.2 Jul 2, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/express-4.22.0 branch from a3bbd1b to a056bc0 Compare July 2, 2026 19:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant