fix(deps): upgrade express to v5 and http-proxy-middleware to v3#7927
Merged
fix(deps): upgrade express to v5 and http-proxy-middleware to v3#7927
Conversation
serhalp
force-pushed
the
fix/upgrade-express
branch
from
d9576cb to
e4fe843
Compare
`express > qs` and `express > body-parser > qs` have `high` security vulnerabilities that cannot be addressed without upgrading from v4 to v5, as the fixes have not been backported: GHSA-6rw7-vpxm-498p. - Upgrade express from v4 to v5: https://github.com/expressjs/express/blob/master/History.md#500--2024-09-10 - Upgrade http-proxy-middleware from v2 to v3 (required due to express upgrade): https://github.com/chimurai/http-proxy-middleware/blob/master/MIGRATION.md Note: ideally we wouldn't be using express at all, as it is overkill for our use cases. At the very least, since we're already using fastify, we should use that. Otherwise, we could be using something like https://npmx.dev/package/@tinyhttp/app. But all this is even more moot, because all the code that uses express, fastify, and http-proxy-middleware has already been extracted into [`@netlify/dev`](https://github.com/netlify/primitives/tree/main/packages/dev), where it has been refactored to not use any of these. But pulling that back in is a significant refactor. We'll get to it eventually.
serhalp
force-pushed
the
fix/upgrade-express
branch
from
e4fe843 to
43ae859
Compare
serhalp
commented
Feb 4, 2026
| await withDevServer({ cwd: builder.directory }, async (server) => { | ||
| const getResponse = await fetch(`${server.url}/api/ping`) | ||
| const jsonPingWithGet = await getResponse.json() | ||
| t.expect(jsonPingWithGet).toHaveProperty('body', {}) |
Member
Author
There was a problem hiding this comment.
req.body defaults to undefined instead of {} when no body parser matches now. I deleted the assertions instead of updating them because there's nothing valuable to test here — GETs don't have request bodies.
(If you're confused that this appears to be a response body, it's because the test is setting up a Function that echoes back some request fields.)
eduardoboucas
approved these changes
Feb 4, 2026
Member
Author
|
I did some local testing of functions emulation for good measure ✅. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
express > qsandexpress > body-parser > qshavehighsecurity vulnerabilities that cannot be addressed without upgrading from v4 to v5, as the fixes have not been backported: GHSA-6rw7-vpxm-498p.This PR upgrades to v5, which resolves all remaining security vulnerabilities:
As a bonus, this removes 20 transitive deps and ~1 MB from the install size.
Upgrade express from v4 to v5
Release notes: https://github.com/expressjs/express/blob/master/History.md#500--2024-09-10
Upgrade http-proxy-middleware from v2 to v3
This is required due to the express upgrade.
Release notes: https://github.com/chimurai/http-proxy-middleware/blob/master/MIGRATION.md
Notes
Note: ideally we wouldn't be using express at all, as it is overkill for our use cases. At the very least, since we're already using fastify, we should use that. Otherwise, we could be using something like https://npmx.dev/package/@tinyhttp/app. But all this is even more moot, because all the code that uses express, fastify, and http-proxy-middleware has already been extracted into
@netlify/dev, where it has been refactored to not use any of these. But pulling that back in is a significant refactor. We'll get to it eventually.