Express 5.0 Released, Focuses on Stability and Security
Jan 11, 2025
The Express.js team has released version 5.0.0, 10 years after the first major version release in 2014. The release focuses on stability and security with a view to enabling developers to write more robust Node.js applications.
Express 5 drops support for old versions of Node.js. The release note states:
This release drops support for Node.js versions before v18. This is an important change because supporting old Node.js versions has been holding back many critical performance and maintainability changes. This change also enables more stable and maintainable continuous integration (CI), adopting new language and runtime features, and dropping dependencies that are no longer required.
Following a security audit, the team decided to change how route path matching works. To avoid regular expression Denial of Service (ReDoS) attacks, Express 5 no longer supports sub-expressions in route regular expressions, for example /:foo(\\d+).
// Express 4 example
app.get('/:id(\\d+)', (req, res) => res.send(`ID: ${req.params.id}`));
Blake Embrey, a member of the Express.js technical committee, gives an example regular expression (/^\/flights\/([^\/]+?)-([^\/]+?)\/?$/i) that, when matched against '/flights/' + '-'.repeat(16_000) + '/x', may take 300ms instead of running well below one millisecond. The Express team recommends using a robust input validation library instead.
Express 5 also requires wildcards in regular expressions to be explicitly named or replaced with (.*) for clarity and predictability. Paths like /foo* must therefore be updated to /foo(.*).
The syntax for optional parameters in routes also changes: Express 4's :name? becomes {/:name}:
// Express 4 example
app.get('/user/:id?', (req, res) => res.send(req.params.id || 'No ID'));
// Express 5 example
app.get('/user{/:id}', (req, res) => res.send(req.params.id || 'No ID'));
Unnamed parameters in regex capture groups can no longer be accessed by index. Parameters must now be named:
// Express 4 example
app.get('/user(s?)', (req, res) => res.send(req.params[0])); // 's'
// Express 5 example
app.get('/user:plural?', (req, res) => res.send(req.params.plural));
Express 5 additionally enforces valid HTTP status codes, as a defensive measure against silent failures and long sessions of debugging responses.
// Express 4 example
res.status(978).send('Invalid status'); // Silently fails
// Express 5 example
res.status(978).send('Invalid status'); // Throws an error
Express 5 also makes it easier to handle errors in async middleware and routes: rejected promises are automatically passed to the error-handling middleware, removing the need for try/catch blocks.
// Express 4 example
app.get('/data', async (req, res, next) => {
  try {
    const result = await fetchData();
    res.send(result);
  } catch (err) {
    next(err);
  }
});
// Express 5 example
app.get('/data', async (req, res) => {
  const result = await fetchData();
  res.send(result);
});
While the Express team strives to keep breaking changes minimal, the new release will require developers to migrate their Express code to the new version. The migration guide is available online.
Express.js is a project of the OpenJS Foundation (At-Large category). Developers are invited to read the full release note for additional technical details and examples.