[Snyk] Upgrade express from 4.16.3 to 5.1.0

[Gabo-Tech]

Snyk has created this PR to upgrade express from 4.16.3 to 5.1.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 32 versions ahead of your current version.

• The recommended version was released 8 months ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	529	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	529	No Known Exploit
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	529	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	529	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-8482416	529	Proof of Concept
	Cross-site Scripting SNYK-JS-SEND-7926862	529	No Known Exploit
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	529	No Known Exploit

Release notes

Package name: express

• 5.1.0 - 2025-03-31
  

  What's Changed

  • Update captains by @ UlisesGascon in #6027
  • build: Node.js 23.0 by @ bjohansebas in #6075
  • Add funding field (v5) by @ bjohansebas in #6064
  • ✅ add discarded middleware test by @ ctcpip in #5819
  • update homepage link http to https by @ bjohansebas in #5920
  • Improve readme by @ bjohansebas in #5994
  • Add bjohansebas as repo captain for expressjs.com by @ crandmck in #6058
  • Remove Object.setPrototypeOf polyfill by @ Phillip9587 in #6081
  • fix(buffer): use node:buffer instead of safe-buffer by @ bhavya3024 in #6071
  • docs: Add DCO by @ UlisesGascon in #6048
  • cleanup: remove promise support check from tests by @ Phillip9587 in #6148
  • Use loop for acceptParams by @ blakeembrey in #6066
  • Improve documentation step in release process by @ bjohansebas in #6150
  • cleanup: remove unnecessary require for global Buffer by @ Phillip9587 in #6146
  • cleanup: remove AsyncLocalStorage check by @ Phillip9587 in #6147
  • update history.md for acceptParams change by @ jonchurch in #6177
  • docs: add @ rxmarbles to the triage team by @ UlisesGascon in #6151
  • refactor: improve readability by @ sazk07 in #6173
  • docs: clarify the security process in the triage role by @ bjohansebas in #6217
  • chore: replace methods dependency with standard library by @ jonkoops in #6196
  • Remove utils-merge dependency - use spread syntax instead by @ Phillip9587 in #6091
  • fix(securite): fix vulnerabilities by @ Abdel-Monaam-Aouini in #6211
  • refactor: prefix built-in node module imports by @ slagiewka in #6236
  • fix: remove download size badges by @ wesleytodd in #6266
  • Remove unused depd dependency by @ jonkoops in #6197
  • fix: usage of Invalid action input 'persist-credentials' for actions/setup-node@v4 in ci.yml by @ hamirmahal in #6256
  • Add support for OSSF scorecard reporting by @ UlisesGascon in #5431
  • docs: add @ Phillip9587 to the triage team by @ bjohansebas in #6276
  • fix: added a missing semicolon in css styles in examples/auth by @ pr4j3sh in #6297
  • docs: include team email in the security policy by @ UlisesGascon in #6278
  • refactor: simplify normalizeTypes function by @ Ayoub-Mabrouk in #6097
  • ci: updated github actions ci workflow by @ Phillip9587 in #6314
  • ci: fix npm install --include typo by @ Phillip9587 in #6324
  • ci: updated scorecard actions by @ Phillip9587 in #6322
  • build(deps): use carat notation for dependency versions by @ dpopp07 in #6317
  • chore(deps): update debug to ^4.4.0 by @ Phillip9587 in #6313
  • docs: retroactively note 5.0.0-beta.1 api change in history file by @ dpopp07 in #6333
  • feat(deps): body-parser@^2.1.0 by @ wesleytodd in #6332
  • feat(deps): router@^2.1.0 by @ wesleytodd in #6331
  • Update repo captains by @ UlisesGascon in #6234
  • deps: upgrade nyc by @ agungjati in #6122
  • fix (deps): update deps by @ wesleytodd in #6337
  • response: add support for ETag option in res.sendFile by @ juanarbol in #6073
  • Update multiple links to use https instead of http by @ Phillip9587 in #6338
  • Extend res.links() to allow adding multiple links with the same rel #2729 by @ andvea in #4885
  • docs: update emeritus triagers by @ UlisesGascon in #6345
  • docs: update guidance for triager nominations by @ bjohansebas in #6349
  • docs: clarify guidelines for becoming a committer by @ bjohansebas in #6364
  • Nominate @ dpopp07 to the triage team by @ UlisesGascon in #6352
  • fix(deps): qs@^6.14.0 by @ wesleytodd in #6374
  • Add dependabot by @ UlisesGascon in #5435
  • fix dependabot config by @ bjohansebas in #6392
  • build(deps): bump github/codeql-action from 3.24.7 to 3.28.11 by @ dependabot in #6398
  • build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @ dependabot in #6397
  • feat(deps): finalhandler@2.1.0 by @ wesleytodd in #6373
  • build(deps-dev): bump cookie-session from 2.0.0 to 2.1.0 by @ dependabot in #6399
  • deps: body-parser@^2.2.0 by @ UlisesGascon in #6419
  • deps: type-is@^2.0.1 by @ UlisesGascon in #6420
  • deps: router@^2.2.0 by @ UlisesGascon in #6417
  • ci: use full SHAs for github action versions by @ Phillip9587 in #6415
  • doc: remove @ mertcanaltin from Triagers by @ mertcanaltin in #6408
  • deps: serve-static@^2.2.0 by @ UlisesGascon in #6418
  • 5.1.0 by @ wesleytodd in #6425

  New Contributors

  • @ bhavya3024 made their first contribution in #6071
  • @ jonkoops made their first contribution in #6196
  • @ Abdel-Monaam-Aouini made their first contribution in #6211
  • @ slagiewka made their first contribution in #6236
  • @ hamirmahal made their first contribution in #6256
  • @ pr4j3sh made their first contribution in #6297
  • @ Ayoub-Mabrouk made their first contribution in #6097
  • @ dpopp07 made their first contribution in #6317
  • @ agungjati made their first contribution in #6122
  • @ andvea made their first contribution in #4885
  • @ dependabot made their first contribution in #6398

  Full Changelog: 5.0.1...v5.1.0

• 5.0.1 - 2024-10-08
  

  What's Changed

  • remove --bail from test script by @ jonchurch in #5962
  • Nominate @ bjohansebas to the triage team by @ UlisesGascon in #6009
  • Link and update captains by @ blakeembrey in #6013
  • Update cookie semver lock to address CVE-2024-47764 by @ joshbuker in #6017
  • Release: 5.0.1 by @ UlisesGascon in #6032

  Full Changelog: v5.0.0...5.0.1

• 5.0.0 - 2024-09-10
• 5.0.0-beta.3 - 2024-03-25
• 5.0.0-beta.2 - 2024-03-21
• 5.0.0-beta.1 - 2022-02-15
• 5.0.0-alpha.8 - 2020-03-26
• 5.0.0-alpha.7 - 2018-10-27
• 5.0.0-alpha.6 - 2017-09-25
• 5.0.0-alpha.5 - 2017-03-06
• 5.0.0-alpha.4 - 2017-03-02
• 5.0.0-alpha.3 - 2017-01-29
• 5.0.0-alpha.2 - 2015-07-07
• 5.0.0-alpha.1 - 2014-11-07
• 4.22.1 - 2025-12-01
  

  What's Changed

  Important

  The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

  • Release: 4.22.1 by @ UlisesGascon in #6934

  Full Changelog: 4.22.0...v4.22.1

• 4.22.0 - 2025-12-01
  

  Important: Security

  • Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

  What's Changed

  • Refactor: improve readability by @ sazk07 in #6190
  • ci: add support for Node.js@23.0 by @ UlisesGascon in #6080
  • Method functions with no path should error by @ wesleytodd in #5957
  • ci: updated github actions ci workflow by @ Phillip9587 in #6323
  • ci: reorder npm i steps to fix ci for older node versions by @ Phillip9587 in #6336
  • Backport: ci: add node.js 24 to test matrix by @ Phillip9587 in

[Gabo-Tech]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.