Release: 4.21.3

[UlisesGascon]

What's included in the HISTORY.md

4.21.3 / 2025-11-21
==========

  * deps: use tilde notation for dependencies

What's Changed

• Refactor: improve readability by @sazk07 in Refactor: improve readability #6190
• ci: add support for Node.js@23.0 by @UlisesGascon in ci: add support for Node.js@23.0 #6080
• Method functions with no path should error by @wesleytodd in Method functions with no path should error #5957
• ci: updated github actions ci workflow by @Phillip9587 in ci: updated github actions ci workflow #6323
• ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in ci: reorder npm i steps to fix ci for older node versions #6336
• Backport: ci: add node.js 24 to test matrix by @Phillip9587 in Backport: ci: add node.js 24 to test matrix #6506
• chore(4.x): wider range for query test skip by @jonchurch in chore(4.x): wider range for query test skip #6513
• use tilde notation for certain dependencies by @UlisesGascon in use tilde notation for certain dependencies #6905

Full Changelog: 4.21.2...4.x

[Phillip9587]

Should we update qs for this release? I just saw that we are on 6.13.0 and there is a 6.13.1 and a 6.14.0 release?
cc @ljharb

[Phillip9587]

@UlisesGascon If we release this we should actually release a body-parser 1.x update before which updates body-parsers dependencies to use tilde notation or we get dependency duplication problems accross our dependency graph.

Edit: We would also need to update qs for body-parser v1 or it is also duplicated.

[ljharb]

Yes, and ideally the semver range updated to use ^ as well.

[bjohansebas]

for qs@6.14.0 expressjs/body-parser#664

[Phillip9587]

@UlisesGascon I think there is some additional work needed before finalizing this release.

Switching dependencies to use tilde notation causes several packages to be duplicated in our express v4 dependency tree. With the current changes, these packages end up duplicated in the graph:

• send
• statuses
• http-errors
• qs
• encode-url

To avoid this duplication, we should also update our own packages to use tilde version ranges. At minimum, these packages would require a release with updated ranges:

• serve-static: deps: send@~0.19.1 serve-static#227
• send: deps: use tilde notation and update certain dependencies pillarjs/send#279
• finalhandler: deps: use tilde notation and update certain dependencies pillarjs/finalhandler#118
• raw-body: release 2.5.3 stream-utils/raw-body#130
• body-parser: deps: use tilde notation and update certain dependencies body-parser#668

I can prepare PRs for these updates if this approach makes sense.

[bjohansebas]

For raw-body, I just created the v2 branch, which includes the changes up to the latest version of that line, and I’ve just opened the PR to use tilde notation in the dependencies (stream-utils/raw-body#126). Tomorrow or the day after I could make the release so that http-errors can already be deduplicated by raw-body.

@Phillip9587 i think it makes sense for you to open the other PRs for the packages you mentioned.

[bjohansebas]

The deduplication of those dependencies doesn’t block this release, since we’re already using the tilde here in version 4, so there wouldn’t be any issue because of that. They can be handled as independent releases.”

[bjohansebas]

raw-body@2.5.3 has been released https://github.com/stream-utils/raw-body/releases/tag/2.5.3

[Phillip9587]

I created all the necessary PRs to remove the dependency duplication. They are linked in the commet above.

[UlisesGascon]

I think that serve-static , send and finalhandler can take a bit to be released based on expressjs/discussions#380, but I can try to program a release for body-parser@1.x.

I will convert this Release to semver-minor to support the security patch: https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6 and probably target Monday or Tuesday

[Phillip9587]

@UlisesGascon Please include #6919 in this release. cc @ljharb