chore(deps): update dependency express to v5.2.0 [security] #6007
Conversation
WalkthroughExpress dependency upgraded from ^4.21.2 to ^5.0.0 across nine package.json files spanning e2e tests and example projects for React and Solid frameworks. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes
Suggested labels
Suggested reviewers
Poem
Pre-merge checks and finishing touches❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✨ Finishing touches🧪 Generate unit tests (beta)
Comment |
|
| Command | Status | Duration | Result |
|---|---|---|---|
nx affected --targets=test:eslint,test:unit,tes... |
❌ Failed | 10m 33s | View ↗ |
nx run-many --target=build --exclude=examples/*... |
❌ Failed | 1m 37s | View ↗ |
☁️ Nx Cloud last updated this comment at 2025-12-01 21:13:50 UTC
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 6
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
examples/solid/basic-ssr-streaming-file-based/package.json (1)
18-29: Update @types/express to v5 to match the Express runtime version.The
expressdependency is pinned to ^5.0.0, but@types/expressremains at ^4.17.21. This creates a type mismatch where TypeScript types will be out of sync with the runtime, leading to type validation failures and incomplete IDE support.Update line 29:
- "@types/express": "^4.17.21", + "@types/express": "^5.0.0",
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (9)
e2e/react-start/custom-basepath/package.json(1 hunks)e2e/solid-start/custom-basepath/package.json(1 hunks)examples/react/basic-ssr-file-based/package.json(1 hunks)examples/react/basic-ssr-streaming-file-based/package.json(1 hunks)examples/react/with-trpc-react-query/package.json(1 hunks)examples/react/with-trpc/package.json(1 hunks)examples/solid/basic-ssr-file-based/package.json(1 hunks)examples/solid/basic-ssr-streaming-file-based/package.json(1 hunks)examples/solid/with-trpc/package.json(1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/package.json
📄 CodeRabbit inference engine (AGENTS.md)
Use workspace protocol for internal dependencies (workspace:*)
Files:
e2e/solid-start/custom-basepath/package.jsonexamples/solid/basic-ssr-file-based/package.jsonexamples/react/with-trpc-react-query/package.jsonexamples/react/basic-ssr-streaming-file-based/package.jsonexamples/solid/with-trpc/package.jsonexamples/react/basic-ssr-file-based/package.jsonexamples/solid/basic-ssr-streaming-file-based/package.jsone2e/react-start/custom-basepath/package.jsonexamples/react/with-trpc/package.json
🧠 Learnings (4)
📚 Learning: 2025-11-25T00:18:21.282Z
Learnt from: CR
Repo: TanStack/router PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T00:18:21.282Z
Learning: Applies to packages/solid-router/**/*.{ts,tsx} : Solid Router components and primitives should use the tanstack/solid-router package
Applied to files:
e2e/solid-start/custom-basepath/package.jsonexamples/solid/basic-ssr-file-based/package.jsonexamples/react/basic-ssr-streaming-file-based/package.jsonexamples/solid/with-trpc/package.jsonexamples/react/basic-ssr-file-based/package.jsonexamples/solid/basic-ssr-streaming-file-based/package.jsone2e/react-start/custom-basepath/package.jsonexamples/react/with-trpc/package.json
📚 Learning: 2025-11-25T00:18:21.282Z
Learnt from: CR
Repo: TanStack/router PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T00:18:21.282Z
Learning: Applies to packages/react-router/**/*.{ts,tsx} : React Router components and hooks should use the tanstack/react-router package
Applied to files:
e2e/solid-start/custom-basepath/package.jsonexamples/solid/basic-ssr-file-based/package.jsonexamples/react/with-trpc-react-query/package.jsonexamples/react/basic-ssr-streaming-file-based/package.jsonexamples/solid/with-trpc/package.jsonexamples/react/basic-ssr-file-based/package.jsonexamples/solid/basic-ssr-streaming-file-based/package.jsone2e/react-start/custom-basepath/package.jsonexamples/react/with-trpc/package.json
📚 Learning: 2025-11-25T00:18:21.282Z
Learnt from: CR
Repo: TanStack/router PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T00:18:21.282Z
Learning: Applies to **/package.json : Use workspace protocol for internal dependencies (workspace:*)
Applied to files:
e2e/solid-start/custom-basepath/package.jsone2e/react-start/custom-basepath/package.json
📚 Learning: 2025-11-02T16:16:24.898Z
Learnt from: nlynzaad
Repo: TanStack/router PR: 5732
File: packages/start-client-core/src/client/hydrateStart.ts:6-9
Timestamp: 2025-11-02T16:16:24.898Z
Learning: In packages/start-client-core/src/client/hydrateStart.ts, the `import/no-duplicates` ESLint disable is necessary for imports from `#tanstack-router-entry` and `#tanstack-start-entry` because both aliases resolve to the same placeholder file (`fake-start-entry.js`) in package.json during static analysis, even though they resolve to different files at runtime.
Applied to files:
e2e/solid-start/custom-basepath/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Preview
- GitHub Check: Test
🔇 Additional comments (2)
e2e/solid-start/custom-basepath/package.json (1)
14-17: Express v5.0.0 upgrade properly matched with @types/express ^5.0.3.The version alignment and workspace protocol usage for internal dependencies (@tanstack/*) are correct. The express-server.ts implementation is compatible with Express 5.x—it uses standard middleware patterns (app.use(), express.static(), app.listen()) and contains no query parser configuration, req.query usage, or other breaking change patterns. The upgrade is safe to proceed.
e2e/react-start/custom-basepath/package.json (1)
14-17: Express v5.0.0 upgrade with correct type definitions.The express upgrade to ^5.0.0 is properly matched with @types/express ^5.0.3. The workspace protocol is correctly applied to internal dependencies.
Note: The CVE-2024-51999 vulnerability (prototype pollution in Express's extended query parser) is addressed by Express v5's default to the simple parser. However, this server code does not use query parsing, so the change has no impact on this particular application.
| "@tanstack/router-plugin": "^1.139.12", | ||
| "compression": "^1.8.0", | ||
| "express": "^4.21.2", | ||
| "express": "^5.0.0", |
There was a problem hiding this comment.
Critical: Type definitions version mismatch with Express v5.
Express is upgraded to v5.0.0 but @types/express remains at v4.17.23. This causes type incompatibilities and will lead to TypeScript errors or missed type safety issues.
Update @types/express to v5.x to match the express version:
"@tanstack/router-devtools": "^1.139.12",
- "@types/express": "^4.17.23",
+ "@types/express": "^5.0.3",Also applies to: 25-25
🤖 Prompt for AI Agents
In examples/react/basic-ssr-file-based/package.json around lines 17 and 25, the
project lists "express": "^5.0.0" while @types/express is still v4.x, causing
TypeScript mismatch; update the @types/express dependency to a 5.x-compatible
version in package.json (or remove it if using Express's built-in types), then
run your package manager (npm/yarn/pnpm install) to refresh lockfiles and
rebuild TypeScript; ensure any type imports or code paths that rely on v4-only
types are adjusted to the v5 type shapes if necessary.
| "@tanstack/router-plugin": "^1.139.12", | ||
| "compression": "^1.7.5", | ||
| "express": "^4.21.2", | ||
| "express": "^5.0.0", |
There was a problem hiding this comment.
Critical: Type definitions version mismatch with Express v5.
Express is upgraded to v5.0.0 but @types/express remains at v4.17.21. This causes type incompatibilities and will lead to TypeScript errors or missed type safety issues.
Update @types/express to v5.x to match the express version:
"compression": "^1.7.5",
"express": "^5.0.0",
"get-port": "^7.1.0",And in devDependencies:
- "@types/express": "^4.17.21",
+ "@types/express": "^5.0.3",Also applies to: 25-25
🤖 Prompt for AI Agents
In examples/react/basic-ssr-streaming-file-based/package.json around lines 17
and 25, the project lists "express": "^5.0.0" while still using "@types/express"
v4.x; update the type package to a v5-compatible release to avoid type
mismatches by replacing the current @types/express entry with a matching v5
version (e.g., "^5.0.0" or the latest 5.x) in devDependencies (or dependencies
if present), then run npm/yarn install and re-run TypeScript to confirm no type
errors remain.
| "@trpc/server": "^11.4.3", | ||
| "@trpc/tanstack-react-query": "^11.4.3", | ||
| "express": "^4.21.2", | ||
| "express": "^5.0.0", |
There was a problem hiding this comment.
Critical: Type definitions version mismatch with Express v5.
Express is upgraded to v5.0.0 but @types/express remains at v4.17.23. This causes type incompatibilities and will lead to TypeScript errors or missed type safety issues.
Update @types/express to v5.x to match the express version:
"@trpc/tanstack-react-query": "^11.4.3",
- "@types/express": "^4.17.23",
+ "@types/express": "^5.0.3",Also applies to: 31-31
🤖 Prompt for AI Agents
In examples/react/with-trpc-react-query/package.json around lines 22 and 31, the
project lists "express": "^5.0.0" while @types/express is pinned to the v4.x
release, causing TypeScript mismatch; update the dev dependency @types/express
to a v5-compatible release (or remove it if types are included) in package.json,
run npm/yarn install to update lockfile, and verify TypeScript compiles without
type errors.
| "@trpc/client": "^11.4.3", | ||
| "@trpc/server": "^11.4.3", | ||
| "express": "^4.21.2", | ||
| "express": "^5.0.0", |
There was a problem hiding this comment.
Critical: Type definitions version mismatch with Express v5.
Express is upgraded to v5.0.0 but @types/express remains at v4.17.23. This causes type incompatibilities and will lead to TypeScript errors or missed type safety issues.
Update @types/express to v5.x to match the express version:
"@trpc/server": "^11.4.3",
- "@types/express": "^4.17.23",
+ "@types/express": "^5.0.3",Also applies to: 28-28
🤖 Prompt for AI Agents
In examples/react/with-trpc/package.json around lines 19 and 28, the project
lists "express": "^5.0.0" while still depending on "@types/express" v4.x which
causes TypeScript mismatches; update the @types/express dependency to a
v5-compatible release (or remove it if Express v5 bundles its own types) in
package.json and run npm/yarn install to refresh lockfile so the installed type
definitions match Express v5.
| "@tanstack/router-plugin": "^1.139.12", | ||
| "compression": "^1.8.0", | ||
| "express": "^4.21.2", | ||
| "express": "^5.0.0", |
There was a problem hiding this comment.
Critical: Type definitions version mismatch with Express v5.
Express is upgraded to v5.0.0 but @types/express remains at v4.17.23. This causes type incompatibilities and will lead to TypeScript errors or missed type safety issues.
Update @types/express to v5.x to match the express version:
"@tanstack/solid-router-devtools": "^1.139.12",
- "@types/express": "^4.17.23",
+ "@types/express": "^5.0.3",Also applies to: 24-24
🤖 Prompt for AI Agents
In examples/solid/basic-ssr-file-based/package.json around lines 17 and 24, the
project lists "express": "^5.0.0" while @types/express is still at v4.17.23,
causing TypeScript type mismatches; update the @types/express dependency to a
v5-compatible release (or remove it if using express v5's built-in types) in
package.json and run npm/yarn install, then verify TypeScript compiles and
adjust any type imports if the v5 typings changed.
| "@trpc/client": "^11.4.3", | ||
| "@trpc/server": "^11.4.3", | ||
| "express": "^4.21.2", | ||
| "express": "^5.0.0", |
There was a problem hiding this comment.
Critical: Type definitions version mismatch with Express v5.
Express is upgraded to v5.0.0 but @types/express remains at v4.17.23. This causes type incompatibilities and will lead to TypeScript errors or missed type safety issues.
Update @types/express to v5.x to match the express version:
"@trpc/server": "^11.4.3",
- "express": "^5.0.0",
+ "@types/express": "^5.0.3",Note: This appears to show express in dependencies instead of devDependencies. Please verify @types/express placement and version:
"devDependencies": {
- "@types/express": "^4.17.23",
+ "@types/express": "^5.0.3",Also applies to: 27-27
🤖 Prompt for AI Agents
In examples/solid/with-trpc/package.json around lines 19 and 27, the project
lists "express": "^5.0.0" but still uses @types/express v4.x which mismatches
Express v5 and causes TypeScript errors; update the @types/express entry to a
v5.x release (or remove it if types are bundled) and move @types/express into
devDependencies (or ensure the correct devDependency entry exists), then run
npm/yarn install and rebuild to validate types.
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
This PR contains the following updates:
^4.21.2->^5.0.05.1.0->5.2.0GitHub Vulnerability Alerts
CVE-2024-51999
Impact
when using the extended query parser in express (
'query parser': 'extended'), therequest.queryobject inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property namesImportant
the extended query parser is the default in express 4; this was changed in express 5 which by default uses the simple query parser
Patches
the issue has been patched to ensure
request.queryis a plain object sorequest.queryno longer has object prototype properties. this brings the default behavior of extended query parsing in line with express's default simple query parserWorkaround
this only impacts users using extended query parsing (
'query parser': 'extended'), which is the default in express 4, but not express 5. all users are encouraged to upgrade to the patched versions, but can otherwise work around this issue:provide
qsdirectly and specifyplainObjects: trueRelease Notes
expressjs/express (express)
v5.2.0Compare Source
========================
body-parser@^2.2.1res.redirectwith undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.v5.1.0Compare Source
========================
Uint8Arrayinres.send()res.sendFile()res.links()setprototypeofsafe-bufferutils-mergemethodsdepddebug@^4.4.0body-parser@^2.2.0router@^2.2.0content-type@^1.0.5finalhandler@^2.1.0qs@^6.14.0[email protected][email protected]v5.0.1Compare Source
==========
cookiesemver lock to address CVE-2024-47764v5.0.0Compare Source
=========================
path-is-absolutedependency - usepath.isAbsoluteinsteadres.status()accepts only integers, and input must be greater than 99 and less than 1000RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000.for inputs outside this rangeTypeError: Invalid status code: ${code}. Status code must be an integer.for non integer inputsres.redirect('back')andres.location('back')is no longer a supported magic string, explicitly usereq.get('Referrer') || '/'.res.clearCookiewill ignore user providedmaxAgeandexpiresoptionsapplication/javascript=>text/javascriptv4.22.1Compare Source
v4.22.0Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.
Summary by CodeRabbit
✏️ Tip: You can customize this high-level summary in your review settings.