Update express and entities

[depshub-app]

This PR includes 2 dependency updates, including 🔴 1 vulnerability, 🟠 1 major updates.

package.json

📦 Package	⬅️ Previous Version	➡️ New Version	📅 Released	⚠️ Vulnerability
express	4.18.2	🔴 5.0.0	5 months ago	GHSA-jj78-5fmv-mv28
entities	4.5.0	🟠 5.0.0	7 months ago

express 4.18.2 -> 🔴 5.0.0 - Changelog

## 5.0.0

• Express v5.0.0

• 🎉 Express v5 is finally here! 🎉
• After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.
• For detailed information, please check out the official Express v5 release blog post.

• Most relevant details

• Major Changes in v5

• • Node.js version support: Dropped support for Node.js versions before v18.
• • Routing changes: Updated to path-to-regexp8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).
• • Promise support: Middleware can now return rejected promises, caught by the router as errors.
• • body-parser changes: Several improvements including the ability to customize urlencoded body depth and defaulting extended to false.
• • Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.
• For a complete list of breaking changes and API deprecations, see the migration guide.

• Security Updates

• This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.

• Migration

• Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.

• Security Guidance

• For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.

• What's Changed

• • 4.19.2 Staging by wesleytodd in 4.19.2 Staging expressjs/express#5561
• • remove duplicate location test for data uri by wesleytodd in remove duplicate location test for data uri expressjs/express#5562
• • feat: document beta releases expectations by marco-ippolito in feat: document beta releases expectations expressjs/express#5565
• • Cut down on duplicated CI runs by jonchurch in Cut down on duplicated CI runs expressjs/express#5564
• • Add a Threat Model by UlisesGascon in Add a Threat Model expressjs/express#5526
• • Assign captain of encodeurl by blakeembrey in Assign captain of encodeurl expressjs/express#5579
• • Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by jonchurch in Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser expressjs/express#5587
• • docs: update Security.md by inigomarquinez in docs: update Security.md expressjs/express#5590
• • docs: update triage nomination policy by UlisesGascon in docs: update triage nomination policy expressjs/express#5600
• • Add CodeQL (SAST) by UlisesGascon in Add CodeQL (SAST) expressjs/express#5433
• • docs: add UlisesGascon as triage initiative captain by UlisesGascon in docs: add UlisesGascon as triage initiative captain expressjs/express#5605
• • Use object with null prototype for various app properties by EvanHahn in Use object with null prototype for various app properties expressjs/express#4861
• • deps: encodeurl~2.0.0 by blakeembrey in deps: encodeurl@~2.0.0 expressjs/express#5569
• • skip QUERY method test by jonchurch in skip QUERY method test expressjs/express#5628
• • ignore ETAG query test on 21 and 22, reuse skip util by jonchurch in ignore ETAG query test on 21 and 22, reuse skip util expressjs/express#5639
• • add support Node.js22 in the CI by mertcanaltin in add support Node.js@22 in the CI expressjs/express#5627
• • doc: add table of contents, tc/triager lists to readme by mertcanaltin in doc: add table of contents, tc/triager lists to readme expressjs/express#5619
• • List and sort all projects, add captains by blakeembrey in List and sort all projects, add captains expressjs/express#5653
• • Call callback once on listen error by wesleytodd in Call callback once on listen error expressjs/express#3216
• • docs: add UlisesGascon as captain for cookie-parser by UlisesGascon in docs: add @UlisesGascon as captain for cookie-parser expressjs/express#5666
• • ✨ bring back query tests for node 21 by ctcpip in ✨ bring back query tests for node 21 expressjs/express#5690
• • [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by jonchurch in [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires expressjs/express#5672
• • skip QUERY tests for Node 21 only, still not supported by jonchurch in skip QUERY tests for Node 21 only, still not supported expressjs/express#5695
• • 📝 update people, add ctcpip to TC by ctcpip in 📝 update people, add ctcpip to TC expressjs/express#5683
• • remove minor version pinning from ci by jonchurch in remove minor version pinning from ci expressjs/express#5722
• • Fix link variable use in attribution section of CODE OF CONDUCT by IamLizu in Fix link variable use in attribution section of CODE OF CONDUCT expressjs/express#5762
• • Replace Appveyor windows testing with GHA by jonchurch in Replace Appveyor windows testing with GHA expressjs/express#5599
• • Add OSSF Scorecard badge by UlisesGascon in Add OSSF Scorecard badge expressjs/express#5436
• • Throw on invalid status codes by jonchurch in Throw on invalid status codes expressjs/express#4212
• • Use Array.flat instead of array-flatten by almic in Use Array.flat instead of array-flatten expressjs/express#5677
• • Adopt Node18 as the minimum supported version by UlisesGascon in Adopt Node@18 as the minimum supported version expressjs/express#5803
• • Ignore expires and maxAge in res.clearCookie() by jonchurch in Ignore expires and maxAge in res.clearCookie() expressjs/express#5792
• • send1.0.0 by wesleytodd in send@1.0.0 expressjs/express#5786
• • chore: upgrade debug dep from 3.10 to 4.3.6 by carpasse in chore: upgrade debug dep from 3.10 to 4.3.6 expressjs/express#5829
• • refactor: replace 'path-is-absolute' dep with node:path isAbsolute method by carpasse in refactor: replace 'path-is-absolute' dep with node:path isAbsolute method expressjs/express#5830
• • update scorecard link by bjohansebas in update scorecard link expressjs/express#5814
• • Nominate IamLizu to the triage team by UlisesGascon in Nominate @IamLizu to the triage team expressjs/express#5836
• • deps: path-to-regexp0.1.8 by blakeembrey in deps: path-to-regexp@0.1.8 expressjs/express#5603
• • docs: specify new instructions for question and discuss by IamLizu in docs: specify new instructions for question and discuss expressjs/express#5835
• • 5.x: Upgrading merge-descriptors with allowing minors by RobinTail in 5.x: Upgrading merge-descriptors with allowing minors expressjs/express#5782
• • 4.x: Upgrade merge-descriptors dependency by RobinTail in 4.x: Upgrade merge-descriptors dependency expressjs/express#5781
• • WIP: serve-static2 by wesleytodd in WIP: serve-static@2 expressjs/express#5790
• • chore: upgrade qs dp from 6.11.0 to 6.13.0 by carpasse in chore: upgrade qs dp from 6.11.0 to 6.13.0 expressjs/express#5847
• • Upgrade cookie signature by IamLizu in Upgrade cookie signature expressjs/express#5833
• • accepts2 by wesleytodd in accepts@2 expressjs/express#5881
• • mime-types3 by wesleytodd in mime-types@3 expressjs/express#5882
• • type-is^2.0.0 by wesleytodd in type-is@^2.0.0 expressjs/express#5883
• • content-disposition^1.0.0 by wesleytodd in content-disposition@^1.0.0 expressjs/express#5884
• • fix(deps): finalhandler^2.0.0 by wesleytodd in fix(deps): finalhandler@^2.0.0 expressjs/express#5899
• • path-to-regexp0.1.10 by blakeembrey in path-to-regexp@0.1.10 expressjs/express#5902
• • update to fresh^2.0.0 by jonchurch in update to fresh@^2.0.0 expressjs/express#5916
• • router^2.0.0 by wesleytodd in router@^2.0.0 expressjs/express#5885
• • Adopt Node18 as the minimum supported version by UlisesGascon in Adopt Node@18 as the minimum supported version expressjs/express#5595
• • master -> 5.0 by ctcpip in master -> 5.0 expressjs/express#5785
• • 🔧 update CI, remove unsupported versions, clean up by ctcpip in 🔧 update CI, remove unsupported versions, clean up expressjs/express#5931
• • Delete back as a magic string by blakeembrey in Delete back as a magic string expressjs/express#5933
• • Release 5.0 by dougwilson in Release 5.0 expressjs/express#2237

• New Contributors

• • marco-ippolito made their first contribution in feat: document beta releases expectations expressjs/express#5565
• • inigomarquinez made their first contribution in docs: update Security.md expressjs/express#5590
• • mertcanaltin made their first contribution in add support Node.js@22 in the CI expressjs/express#5627
• • ctcpip made their first contribution in ✨ bring back query tests for node 21 expressjs/express#5690
• • IamLizu made their first contribution in Fix link variable use in attribution section of CODE OF CONDUCT expressjs/express#5762
• • almic made their first contribution in Use Array.flat instead of array-flatten expressjs/express#5677
• • carpasse made their first contribution in chore: upgrade debug dep from 3.10 to 4.3.6 expressjs/express#5829
• • bjohansebas made their first contribution in update scorecard link expressjs/express#5814
• • RobinTail made their first contribution in 5.x: Upgrading merge-descriptors with allowing minors expressjs/express#5782
• Full Changelog: expressjs/express@v5.0.0-beta.3...v5.0.0

entities 4.5.0 -> 🟠 5.0.0 - Changelog

## 5.0.0

• What's Changed

• • Improved code style (based on eslint-plugin-unicorn) Improve code style with unicorn fb55/entities#1496
• • Upgraded toolchain (to tshy, vitest, and tsx) Upgrade toolchain fb55/entities#1497

• Breaking Changes

• • ⚠️ BREAKING: The lib directory was renamed to dist in #1497. Deep imports will have to be updated.
• Full Changelog: fb55/entities@v4.5.0...v5.0.0

---

• 🔒 Security updates available: 1 (changed by 1 since last month).
• ⚠️ Major updates available: 2 (changed by 2 since last month).

---

This pull request was created using DepsHub

[depshub-app]

Package express version 5.0.0 has the following breaking changes:

Updated to path-to-regexp@8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).

[depshub-app]

Package entities version 5.0.0 has the following breaking changes:

⚠️ BREAKING: The lib directory was renamed to dist in #1497. Deep imports will have to be updated.

[depshub-app]

Package entities version 5.0.0 has the following breaking changes:

⚠️ BREAKING: The lib directory was renamed to dist in #1497. Deep imports will have to be updated.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud