Express.js 5 Released With Greater Security
Written by Ian Elliot   
Thursday, 16 January 2025

Express.js 5 has been released, ten years after Express.js 4. The new release has dropped support for outdated versions of Node.js, addresses security concerns, and brings simplified maintenance.

Express.js (often referred to just as Express) is described as a fast, unopinionated, minimalist web framework for Node.js, providing a robust set of features for web and mobile applications.


It can be used for building RESTful APIs with Node.js, and is important as the standard server framework for Node.js, and as the back-end component for the MEAN stack alongside MongoDB as the database and the Angular JavaScript web framework. Express.js was created by TJ Holowaychuk, a well-known open-source developer who has contributed to projects including Jade, Mocha, Stylus, and Koa. He was inspired by the Sinatra small and flexible Ruby web framework, so the main Express.js framework is minimal with extra features available as plugins. Popular Express middleware includes body-parser, cookie-parser, cors, helmet, morgan, and passport.

The developers say the new release has been designed to be boring, with the aim of unblocking the ecosystem and enabling more impactful changes in future releases. They also say this is about signaling to the Node.js ecosystem that Express is moving again.

A large part of the work of reviving Express.js has involved addressing security, starting with a security audit and security work in private forks, the results of which have now been incorporated into the new release.

One security-related change is the dropping of support for "sub-expression" regular expressions (regex). The team says that, unfortunately, it is easy to write a regular expression that has exponential time behavior when parsing input, which is the dreaded regular expression denial of service (ReDoS) attack. They say that this is very difficult to prevent, but as a library that converts strings to regular expressions, the team is on the hook for such security aspects.

This release also no longer supports ordered numerical parameters. In Express v4, you could get numerical parameters using regex capture groups, but now all parameters must be named.

This release drops support for Node.js versions before v18. The developers say supporting old Node.js versions has been holding back many critical performance and maintainability changes. This change also enables more stable and maintainable continuous integration (CI), adopting new language and runtime features, and dropping dependencies that are no longer required.

Promise support has been addressed only in so far as a rejected promise returned from middleware is now treated as an error raised in that middleware and passed to the error handlers. This does not include calling next from a returned resolved promise. The team acknowledges that there is a lot more to be added, and that they are working on other aspects.

There are also a number of body-parser changes, and Express v5 removes a number of deprecated method signatures to make the API more predictable and easier to use.

Express.js 5 is available now.


More Information

Express.js Website


Last Updated ( Thursday, 16 January 2025 )