Update dependency express to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
express (source)	4.21.2 → 5.2.1
express (source)	4.21.1 → 5.2.1
@types/express (source)	4.17.21 → 5.0.6

---

Release Notes

expressjs/express (express)

v5.2.1

Compare Source

=======================

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

v5.2.0

Compare Source

========================

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: body-parser@^2.2.1
• A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

v5.1.0

Compare Source

========================

• Add support for Uint8Array in res.send()
• Add support for ETag option in res.sendFile()
• Add support for multiple links with the same rel in res.links()
• Add funding field to package.json
• perf: use loop for acceptParams
• refactor: prefix built-in node module imports
• deps: remove setprototypeof
• deps: remove safe-buffer
• deps: remove utils-merge
• deps: remove methods
• deps: remove depd
• deps: debug@^4.4.0
• deps: body-parser@^2.2.0
• deps: router@^2.2.0
• deps: content-type@^1.0.5
• deps: finalhandler@^2.1.0
• deps: qs@^6.14.0
• deps: [email protected]
• deps: [email protected]

v5.0.1

Compare Source

==========

• Update cookie semver lock to address CVE-2024-47764

v5.0.0

Compare Source

=========================

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@​1.0.0
  • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
• change:
  • res.clearCookie will ignore user provided maxAge and expires options
• deps: cookie-signature@^1.2.1
• deps: debug@​4.3.6
• deps: merge-descriptors@^2.0.0
• deps: serve-static@^2.1.0
• deps: qs@​6.13.0
• deps: accepts@^2.0.0
• deps: mime-types@^3.0.0
  • application/javascript => text/javascript
• deps: type-is@^2.0.0
• deps: content-disposition@^1.0.0
• deps: finalhandler@^2.0.0
• deps: fresh@^2.0.0
• deps: body-parser@^2.0.1
• deps: send@^1.1.0

v4.22.1

Compare Source

v4.22.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - Monday through Friday ( * * * * 1-5 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

Note

Dependency upgrades

• Bump express to 5.2.1 in express-test (dev), http-stream (dev), and prometheus-metrics (runtime)
• Update @types/express to 5.0.6 in prometheus-metrics

Lockfile refresh (Express 5 tree)

• Pulls in body-parser@^2, finalhandler@^2, router@^2, send@^1.2, serve-static@^2.2, qs@^6.14, type-is@^2, debug@^4, and related updates; removes Express 4-era pins

Scope/Risk

• Express v5 and v5 typings include breaking changes; verify server behavior and compilation where these packages are used

^{Written by Cursor Bugbot for commit e599ff5. This will update automatically on new commits. Configure here.}

[cursor]

This is the final PR Bugbot will review for you during this billing cycle

Your free Bugbot reviews will reset on February 3

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Express v5 wildcard route syntax breaks test code

Upgrading Express from v4 to v5 breaks existing test code in packages/http-stream/test/HttpStream.test.js. The test uses app.post('*', ...) which was valid in Express v4, but Express v5's path-to-regexp v8 requires a different syntax for wildcard routes (e.g., /*splat or /{*path}). This will cause a TypeError when the tests are run, as the * character is no longer treated as a wildcard in route definitions.