Release: 5.2.0

[UlisesGascon]

Context

• Related to Release: 4.22.0 #6921
• It will include a security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's included in the HISTORY.md

5.2.0 / 2025-12-01
========================

* Security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))
* deps: `body-parser@^2.2.1`
* A deprecation warning was added when using `res.redirect` with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

What's Changed

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 #6429
• Refactor: simplify acceptsLanguages implementation using spread operator by @Ayoub-Mabrouk in Refactor: simplify acceptsLanguages implementation using spread operator #6137
• increased code coverage of utils.js file by @ashish3011 in increased code coverage of utils.js file #6386
• chore: remove duplicate word by @dufucun in chore: remove duplicate word #6456
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 #6498
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 #6497
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 #6496
• ci: add node.js 24 to test matrix by @Phillip9587 in ci: add node.js 24 to test matrix #6504
• ci: update codeql config by @Phillip9587 in ci: update codeql config #6488
• chore: wider range for query test skip by @jonchurch in chore: wider range for query test skip #6512
• chore: fix typos in test by @noritaka1166 in chore: fix typos in test #6535
• ci: disable credential persistence for checkout actions by @mertssmnoglu in ci: disable credential persistence for checkout actions #6522
• ci: allow manual triggering of workflow by @shivarm in ci: allow manual triggering of workflow #6515
• test: add coverage for app.listen() variants by @kgarg1 in test: add coverage for app.listen() variants #6476
• docs: move documentation and charters to the discussions and .github … by @bjohansebas in docs: move documentation and charters to the discussions and .github … #6427
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 #6549
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 #6548
• chore: enforce explicit Buffer import and add lint rule by @shivarm in chore: enforce explicit Buffer import and add lint rule #6525
• chore: use node protocol for querystring by @shivarm in chore: use node protocol for querystring #6520
• chore: fix typo by @mountdisk in chore: fix typo #6609
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 #6618
• add deprecation warnings for redirect arguments undefined by @bjohansebas in add deprecation warnings for redirect arguments undefined #6405
• ci: run CI when the markdown changes by @bjohansebas in ci: run CI when the markdown changes #6632
• doc: fix CONTRIBUTING link by @jonchurch in doc: fix CONTRIBUTING link #6653
• doc: update contributing guidelines and code of conduct links by @ShubhamOulkar in doc: update contributing guidelines and code of conduct links #6601
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @dependabot[bot] in build(deps-dev): bump morgan from 1.10.0 to 1.10.1 #6679
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @dependabot[bot] in build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 #6678
• lint: add --fix flag to automatic fix linting issue by @shivarm in lint: add --fix flag to automatic fix linting issue #6644
• chore: ignore yarn.lock file and update example by @shivarm in chore: ignore yarn.lock file and update example #6588
• lib: use req.socket over deprecated req.connection by @bjohansebas in lib: use req.socket over deprecated req.connection #6705
• doc: update express app example by @shivarm in doc: update express app example #6718
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 #6675
• Remove history.md from being packaged on publish by @sheplu in Remove history.md from being packaged on publish #6780
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in build(deps): bump actions/checkout from 4.2.2 to 5.0.0 #6797
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @dependabot[bot] in build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 #6796
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 #6795
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 #6794
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @dependabot[bot] in build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 #6793
• ci: add node.js 25 to test matrix by @Phillip9587 in ci: add node.js 25 to test matrix #6843
• build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 #6871
• build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @dependabot[bot] in build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 #6870
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @dependabot[bot] in build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 #6869
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 #6868
• chore: switch badges from badgen.net to shields.io by @Phillip9587 in chore: switch badges from badgen.net to shields.io #6900
• refactor: use cached slice in app.listen by @Tacit1 in refactor: use cached slice in app.listen #6897
• Nominate to @efekrskl for triage team by @bjohansebas in Nominate to @efekrskl for triage team #6888
• docs: update emeritus triagers by @bjohansebas in docs: update emeritus triagers #6890
• fix: upgrade body-parser to 2.2.1 to address CVE-2025-13466 by @shivarm in fix: upgrade body-parser to 2.2.1 to address CVE-2025-13466 #6922

New Contributors

• @ashish3011 made their first contribution in increased code coverage of utils.js file #6386
• @dufucun made their first contribution in chore: remove duplicate word #6456
• @noritaka1166 made their first contribution in chore: fix typos in test #6535
• @mertssmnoglu made their first contribution in ci: disable credential persistence for checkout actions #6522
• @shivarm made their first contribution in ci: allow manual triggering of workflow #6515
• @kgarg1 made their first contribution in test: add coverage for app.listen() variants #6476
• @mountdisk made their first contribution in chore: fix typo #6609
• @ShubhamOulkar made their first contribution in doc: update contributing guidelines and code of conduct links #6601
• @sheplu made their first contribution in Remove history.md from being packaged on publish #6780
• @Tacit1 made their first contribution in refactor: use cached slice in app.listen #6897

Full Changelog: v5.1.0...master