Release: 4.22.1 #6934
Merged
Release: 4.22.1 #6934
+9
−107
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This reverts commit 6e97452.
jonchurch
approved these changes
Dec 1, 2025
|
@jonchurch why? |
|
@UlisesGascon why was this reverted? |
Member
Author
|
Hey @nelsonleblanc-rl! Thanks for the ping, I just included a small explanation on #6933 (comment) |
Member
|
Important The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release. |
Member
|
I replied in the other release here but TL;DR is that there was no vulnerability to fix, and the "fix" may have broken someone (by removing keys they expected). Copied here: I just wanted to jump in clarify that there wasn't a vulnerability here. There should be a post-mortem on why it was released at all, but GHSA-pj86-cfqh-vqx6 is invalid because there isn't any prototype pollution or other vulnerability. I wanted to further add that this is just the behavior of JavaScript and anything that parses user supplied data, such as The issue that can occur with your code is that you might want to do something like If you are concerned about object keys that match the names of prototype keys, you can provide your own parser: app.set('query parser', function (str) {
return qs.parse(str);
});But keep in mind that if you expect a key that matches one on the prototype, such as |
MightyPrytanis
added a commit
to MightyPrytanis/codebase
that referenced
this pull request
Dec 28, 2025
 <h3>Snyk has created this PR to upgrade express from 4.21.2 to 4.22.1.</h3> :information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project. <hr/> - The recommended version is **2 versions** ahead of your current version. - The recommended version was released **23 days ago**. <details> <summary><b>Release notes</b></summary> <br/> <details> <summary>Package name: <b>express</b></summary> <ul> <li> <b>4.22.1</b> - <a href="https://redirect.github.com/expressjs/express/releases/tag/v4.22.1">2025-12-01</a></br><h2>What's Changed</h2> <div class="markdown-alert markdown-alert-important"><p class="markdown-alert-title"><svg class="octicon octicon-report mr-2" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="M0 1.75C0 .784.784 0 1.75 0h12.5C15.216 0 16 .784 16 1.75v9.5A1.75 1.75 0 0 1 14.25 13H8.06l-2.573 2.573A1.458 1.458 0 0 1 3 14.543V13H1.75A1.75 1.75 0 0 1 0 11.25Zm1.75-.25a.25.25 0 0 0-.25.25v9.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h6.5a.25.25 0 0 0 .25-.25v-9.5a.25.25 0 0 0-.25-.25Zm7 2.25v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 9a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path></svg>Important</p><p>The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (<a title="CVE-2024-51999" data-hovercard-type="advisory" data-hovercard-url="/advisories/GHSA-pj86-cfqh-vqx6/hovercard" href="https://redirect.github.com/advisories/GHSA-pj86-cfqh-vqx6">CVE-2024-51999</a> has been rejected). The change has been fully reverted in this release.</p> </div> <ul> <li>Release: 4.22.1 by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/UlisesGascon/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/UlisesGascon">@ UlisesGascon</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3682359911" data-permission-text="Title is private" data-url="expressjs/express#6934" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6934/hovercard" href="https://redirect.github.com/expressjs/express/pull/6934">#6934</a></li> </ul> <p><strong>Full Changelog</strong>: <a class="commit-link" href="https://redirect.github.com/expressjs/express/compare/4.22.0...v4.22.1"><tt>4.22.0...v4.22.1</tt></a></p> </li> <li> <b>4.22.0</b> - <a href="https://redirect.github.com/expressjs/express/releases/tag/4.22.0">2025-12-01</a></br><h2>Important: Security</h2> <ul> <li>Security fix for <a href="https://www.cve.org/CVERecord?id=CVE-2024-51999" rel="nofollow">CVE-2024-51999</a> (<a href="https://redirect.github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6">GHSA-pj86-cfqh-vqx6</a>)</li> </ul> <h2>What's Changed</h2> <ul> <li>Refactor: improve readability by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/sazk07/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/sazk07">@ sazk07</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2699832614" data-permission-text="Title is private" data-url="expressjs/express#6190" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6190/hovercard" href="https://redirect.github.com/expressjs/express/pull/6190">#6190</a></li> <li>ci: add support for Node.js@23.0 by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/UlisesGascon/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/UlisesGascon">@ UlisesGascon</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2600747827" data-permission-text="Title is private" data-url="expressjs/express#6080" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6080/hovercard" href="https://redirect.github.com/expressjs/express/pull/6080">#6080</a></li> <li>Method functions with no path should error by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/wesleytodd/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/wesleytodd">@ wesleytodd</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2523063687" data-permission-text="Title is private" data-url="expressjs/express#5957" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/5957/hovercard" href="https://redirect.github.com/expressjs/express/pull/5957">#5957</a></li> <li>ci: updated github actions ci workflow by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Phillip9587/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/Phillip9587">@ Phillip9587</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2832891965" data-permission-text="Title is private" data-url="expressjs/express#6323" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6323/hovercard" href="https://redirect.github.com/expressjs/express/pull/6323">#6323</a></li> <li>ci: reorder <code>npm i</code> steps to fix ci for older node versions by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Phillip9587/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/Phillip9587">@ Phillip9587</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2849001182" data-permission-text="Title is private" data-url="expressjs/express#6336" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6336/hovercard" href="https://redirect.github.com/expressjs/express/pull/6336">#6336</a></li> <li>Backport: ci: add node.js 24 to test matrix by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Phillip9587/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/Phillip9587">@ Phillip9587</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3048978479" data-permission-text="Title is private" data-url="expressjs/express#6506" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6506/hovercard" href="https://redirect.github.com/expressjs/express/pull/6506">#6506</a></li> <li>chore(4.x): wider range for query test skip by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/jonchurch/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/jonchurch">@ jonchurch</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3064505138" data-permission-text="Title is private" data-url="expressjs/express#6513" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6513/hovercard" href="https://redirect.github.com/expressjs/express/pull/6513">#6513</a></li> <li>use tilde notation for certain dependencies by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/UlisesGascon/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/UlisesGascon">@ UlisesGascon</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3647756531" data-permission-text="Title is private" data-url="expressjs/express#6905" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6905/hovercard" href="https://redirect.github.com/expressjs/express/pull/6905">#6905</a></li> <li>deps: qs@6.14.0 by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/UlisesGascon/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/UlisesGascon">@ UlisesGascon</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3651273165" data-permission-text="Title is private" data-url="expressjs/express#6909" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6909/hovercard" href="https://redirect.github.com/expressjs/express/pull/6909">#6909</a></li> <li>deps: use tilde notation for <code>qs</code> by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Phillip9587/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/Phillip9587">@ Phillip9587</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3664544540" data-permission-text="Title is private" data-url="expressjs/express#6919" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6919/hovercard" href="https://redirect.github.com/expressjs/express/pull/6919">#6919</a></li> <li>Release: 4.22.0 by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/UlisesGascon/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/UlisesGascon">@ UlisesGascon</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3664588541" data-permission-text="Title is private" data-url="expressjs/express#6921" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6921/hovercard" href="https://redirect.github.com/expressjs/express/pull/6921">#6921</a></li> </ul> <p><strong>Full Changelog</strong>: <a class="commit-link" href="https://redirect.github.com/expressjs/express/compare/4.21.2...4.22.0"><tt>4.21.2...4.22.0</tt></a></p> </li> <li> <b>4.21.2</b> - <a href="https://redirect.github.com/expressjs/express/releases/tag/4.21.2">2024-12-05</a></br><h2>What's Changed</h2> <ul> <li>Add funding field (v4) by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/bjohansebas/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/bjohansebas">@ bjohansebas</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2593149488" data-permission-text="Title is private" data-url="expressjs/express#6065" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6065/hovercard" href="https://redirect.github.com/expressjs/express/pull/6065">#6065</a></li> <li>deps: path-to-regexp@0.1.11 by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/blakeembrey/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/blakeembrey">@ blakeembrey</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2523061308" data-permission-text="Title is private" data-url="expressjs/express#5956" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/5956/hovercard" href="https://redirect.github.com/expressjs/express/pull/5956">#5956</a></li> <li>deps: bump path-to-regexp@0.1.12 by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/jonchurch/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/jonchurch">@ jonchurch</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2721541419" data-permission-text="Title is private" data-url="expressjs/express#6209" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6209/hovercard" href="https://redirect.github.com/expressjs/express/pull/6209">#6209</a></li> <li>Release: 4.21.2 by <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/UlisesGascon/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/UlisesGascon">@ UlisesGascon</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2621467921" data-permission-text="Title is private" data-url="expressjs/express#6094" data-hovercard-type="pull_request" data-hovercard-url="/expressjs/express/pull/6094/hovercard" href="https://redirect.github.com/expressjs/express/pull/6094">#6094</a></li> </ul> <p><strong>Full Changelog</strong>: <a class="commit-link" href="https://redirect.github.com/expressjs/express/compare/4.21.1...4.21.2"><tt>4.21.1...4.21.2</tt></a></p> </li> </ul> from <a href="https://redirect.github.com/expressjs/express/releases">express GitHub release notes</a> </details> </details> --- > [!IMPORTANT] > > - Check the changes in this PR to ensure they won't cause issues with your project. > - This PR was automatically created by Snyk using the credentials of a real user. --- **Note:** _You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs._ **For more information:** <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiI2MTdiNTRmZi05NzhlLTRjMjMtOTk1Yy0zZDY1MmU5M2Y5YmEiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6IjYxN2I1NGZmLTk3OGUtNGMyMy05OTVjLTNkNjUyZTkzZjliYSJ9fQ==" width="0" height="0"/> > - 🧐 [View latest project report](https://app.snyk.io/org/mightyprytanis/project/bcb5f568-d266-4cb2-8e80-1c9ebed57c1b?utm_source=github&utm_medium=referral&page=upgrade-pr) > - 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates?utm_source=&utm_content=fix-pr-template) > - 🛠 [Adjust upgrade PR settings](https://app.snyk.io/org/mightyprytanis/project/bcb5f568-d266-4cb2-8e80-1c9ebed57c1b/settings/integration?utm_source=github&utm_medium=referral&page=upgrade-pr) > - 🔕 [Ignore this dependency or unsubscribe from future upgrade PRs](https://app.snyk.io/org/mightyprytanis/project/bcb5f568-d266-4cb2-8e80-1c9ebed57c1b/settings/integration?pkg=express&utm_source=github&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades) [//]: # 'snyk:metadata:{"breakingChangeRiskLevel":null,"FF_showPullRequestBreakingChanges":false,"FF_showPullRequestBreakingChangesWebSearch":false,"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"express","from":"4.21.2","to":"4.22.1"}],"env":"prod","hasFixes":false,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[],"prId":"617b54ff-978e-4c23-995c-3d652e93f9ba","prPublicId":"617b54ff-978e-4c23-995c-3d652e93f9ba","packageManager":"npm","priorityScoreList":[],"projectPublicId":"bcb5f568-d266-4cb2-8e80-1c9ebed57c1b","projectUrl":"https://app.snyk.io/org/mightyprytanis/project/bcb5f568-d266-4cb2-8e80-1c9ebed57c1b?utm_source=github&utm_medium=referral&page=upgrade-pr","prType":"upgrade","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":[],"type":"auto","upgrade":[],"upgradeInfo":{"versionsDiff":2,"publishedDate":"2025-12-01T20:50:41.122Z"},"vulns":[]}'
mergify bot
added a commit
to robfrank/linklift
that referenced
this pull request
Jan 9, 2026
Bumps [qs](https://github.com/ljharb/qs) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together. Updates `qs` from 6.13.0 to 6.14.1 Changelog *Sourced from [qs's changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md).* > **6.14.1** > ---------- > > * [Fix] ensure arrayLength applies to `[]` notation as well > * [Fix] `parse`: when a custom decoder returns `null` for a key, ignore that key > * [Refactor] `parse`: extract key segment splitting helper > * [meta] add threat model > * [actions] add workflow permissions > * [Tests] `stringify`: increase coverage > * [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `npmignore`, `es-value-fixtures`, `for-each`, `object-inspect` > > **6.14.0** > ---------- > > * [New] `parse`: add `throwOnParameterLimitExceeded` option ([#517](https://redirect.github.com/ljharb/qs/issues/517)) > * [Refactor] `parse`: use `utils.combine` more > * [patch] `parse`: add explicit `throwOnLimitExceeded` default > * [actions] use shared action; re-add finishers > * [meta] Fix changelog formatting bug > * [Deps] update `side-channel` > * [Dev Deps] update `es-value-fixtures`, `has-bigints`, `has-proto`, `has-symbols` > * [Tests] increase coverage > > **6.13.1** > ---------- > > * [Fix] `stringify`: avoid a crash when a `filter` key is `null` > * [Fix] `utils.merge`: functions should not be stringified into keys > * [Fix] `parse`: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset > * [Fix] `stringify`: ensure a non-string `filter` does not crash > * [Refactor] use `__proto__` syntax instead of `Object.create` for null objects > * [Refactor] misc cleanup > * [Tests] `utils.merge`: add some coverage > * [Tests] fix a test case > * [actions] split out node 10-20, and 20+ > * [Dev Deps] update `es-value-fixtures`, `mock-property`, `object-inspect`, `tape` Commits * [`3fa11a5`](ljharb/qs@3fa11a5) v6.14.1 * [`a626704`](ljharb/qs@a626704) [Dev Deps] update `npmignore` * [`3086902`](ljharb/qs@3086902) [Fix] ensure arrayLength applies to `[]` notation as well * [`fc7930e`](ljharb/qs@fc7930e) [Dev Deps] update `eslint`, `@ljharb/eslint-config` * [`0b06aac`](ljharb/qs@0b06aac) [Dev Deps] update `@ljharb/eslint-config` * [`64951f6`](ljharb/qs@64951f6) [Refactor] `parse`: extract key segment splitting helper * [`e1bd259`](ljharb/qs@e1bd259) [Dev Deps] update `@ljharb/eslint-config` * [`f4b3d39`](ljharb/qs@f4b3d39) [eslint] add eslint 9 optional peer dep * [`6e94d95`](ljharb/qs@6e94d95) [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `npmignore` * [`973dc3c`](ljharb/qs@973dc3c) [actions] add workflow permissions * Additional commits viewable in [compare view](ljharb/qs@v6.13.0...v6.14.1) Updates `express` from 4.21.2 to 4.22.1 Release notes *Sourced from [express's releases](https://github.com/expressjs/express/releases).* > v4.22.1 > ------- > > What's Changed > -------------- > > > [!IMPORTANT] > > The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release. > > * Release: 4.22.1 by [`@UlisesGascon`](https://github.com/UlisesGascon) in [expressjs/express#6934](https://redirect.github.com/expressjs/express/pull/6934) > > **Full Changelog**: <expressjs/express@4.22.0...v4.22.1> > > 4.22.0 > ------ > > Important: Security > ------------------- > > * Security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](GHSA-pj86-cfqh-vqx6)) > > What's Changed > -------------- > > * Refactor: improve readability by [`@sazk07`](https://github.com/sazk07) in [expressjs/express#6190](https://redirect.github.com/expressjs/express/pull/6190) > * ci: add support for Node.js@23.0 by [`@UlisesGascon`](https://github.com/UlisesGascon) in [expressjs/express#6080](https://redirect.github.com/expressjs/express/pull/6080) > * Method functions with no path should error by [`@wesleytodd`](https://github.com/wesleytodd) in [expressjs/express#5957](https://redirect.github.com/expressjs/express/pull/5957) > * ci: updated github actions ci workflow by [`@Phillip9587`](https://github.com/Phillip9587) in [expressjs/express#6323](https://redirect.github.com/expressjs/express/pull/6323) > * ci: reorder `npm i` steps to fix ci for older node versions by [`@Phillip9587`](https://github.com/Phillip9587) in [expressjs/express#6336](https://redirect.github.com/expressjs/express/pull/6336) > * Backport: ci: add node.js 24 to test matrix by [`@Phillip9587`](https://github.com/Phillip9587) in [expressjs/express#6506](https://redirect.github.com/expressjs/express/pull/6506) > * chore(4.x): wider range for query test skip by [`@jonchurch`](https://github.com/jonchurch) in [expressjs/express#6513](https://redirect.github.com/expressjs/express/pull/6513) > * use tilde notation for certain dependencies by [`@UlisesGascon`](https://github.com/UlisesGascon) in [expressjs/express#6905](https://redirect.github.com/expressjs/express/pull/6905) > * deps: qs@6.14.0 by [`@UlisesGascon`](https://github.com/UlisesGascon) in [expressjs/express#6909](https://redirect.github.com/expressjs/express/pull/6909) > * deps: use tilde notation for `qs` by [`@Phillip9587`](https://github.com/Phillip9587) in [expressjs/express#6919](https://redirect.github.com/expressjs/express/pull/6919) > * Release: 4.22.0 by [`@UlisesGascon`](https://github.com/UlisesGascon) in [expressjs/express#6921](https://redirect.github.com/expressjs/express/pull/6921) > > **Full Changelog**: <expressjs/express@4.21.2...4.22.0> Changelog *Sourced from [express's changelog](https://github.com/expressjs/express/blob/v4.22.1/History.md).* > 4.22.1 / 2025-12-01 > =================== > > * Revert security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](GHSA-pj86-cfqh-vqx6)) > > 4.22.0 / 2025-12-01 > =================== > > * Security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](GHSA-pj86-cfqh-vqx6)) > * deps: use tilde notation for dependencies > * deps: qs@6.14.0 Commits * [`12fae14`](expressjs/express@12fae14) 4.22.1 * [`5ddf311`](expressjs/express@5ddf311) Revert "sec: security patch for CVE-2024-51999" * [`49744ab`](expressjs/express@49744ab) 4.22.0 ([#6921](https://redirect.github.com/expressjs/express/issues/6921)) * [`6e97452`](expressjs/express@6e97452) sec: security patch for CVE-2024-51999 * [`6a23d34`](expressjs/express@6a23d34) deps: use tilde notation for `qs` ([#6919](https://redirect.github.com/expressjs/express/issues/6919)) * [`8c12cdf`](expressjs/express@8c12cdf) deps: qs@6.14.0 ([#6909](https://redirect.github.com/expressjs/express/issues/6909)) * [`7fea74f`](expressjs/express@7fea74f) deps: use tilde notation for certain dependencies ([#6905](https://redirect.github.com/expressjs/express/issues/6905)) * [`dac7a04`](expressjs/express@dac7a04) chore: wider range for query test skip ([#6513](https://redirect.github.com/expressjs/express/issues/6513)) * [`997919b`](expressjs/express@997919b) ci: add node.js 24 to test matrix ([#6506](https://redirect.github.com/expressjs/express/issues/6506)) * [`36fb59c`](expressjs/express@36fb59c) fix(ci): reorder `npm i` steps to fix ci for older node versions ([#6336](https://redirect.github.com/expressjs/express/issues/6336)) * Additional commits viewable in [compare view](expressjs/express@4.21.2...v4.22.1) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/robfrank/linklift/network/alerts).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Important
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.