Comparing express@4.22.1...express@4.22.2 • npm-diff.app 📦🔃

Bundlephobia

600.9 kB

241.8 kB

Size

Gzip

Dependencies

601.0 kB (+172 B)

241.8 kB (+35 B)

Bundlephobia

Size

Gzip

Dependencies

Packagephobia

216.6 kB

2.2 MB

Publish

Install

217.3 kB (+762 B)

2.2 MB (-75.5 kB)

Packagephobia

Publish

Install

Showing 3 changed files with 14 additions and 4 deletions

+++0---0

Showing 3 changed files with 14 additions and 4 deletions

Split Unified

lib/utils.js +++2---1

View file

package.json +++3---3

View file

History.md +++9---0

View file

@@ -287,7 +287,8 @@
287		287
288	function parseExtendedQueryString(str) {	288	function parseExtendedQueryString(str) {
289	return qs.parse(str, {	289	return qs.parse(str, {
290	allowPrototypes: true	290	allowPrototypes: true,
		291	arrayLimit: 1000
291	});	292	});
292	}	293	}
293		294

@@ -1,7 +1,7 @@
1	{	1	{
2	"name": "express",	2	"name": "express",
3	"description": "Fast, unopinionated, minimalist web framework",	3	"description": "Fast, unopinionated, minimalist web framework",
4	"version": "4.22.1",	4	"version": "4.22.2",
5	"author": "TJ Holowaychuk <tj@vision-media.ca>",	5	"author": "TJ Holowaychuk <tj@vision-media.ca>",
6	"contributors": [	6	"contributors": [
7	"Aaron Heckmann <aaron.heckmann+github@gmail.com>",	7	"Aaron Heckmann <aaron.heckmann+github@gmail.com>",
@@ -34,7 +34,7 @@
34	"dependencies": {	34	"dependencies": {
35	"accepts": "~1.3.8",	35	"accepts": "~1.3.8",
36	"array-flatten": "1.1.1",	36	"array-flatten": "1.1.1",
37	"body-parser": "~1.20.3",	37	"body-parser": "~1.20.5",
38	"content-disposition": "~0.5.4",	38	"content-disposition": "~0.5.4",
39	"content-type": "~1.0.4",	39	"content-type": "~1.0.4",
40	"cookie": "~0.7.1",	40	"cookie": "~0.7.1",
@@ -53,7 +53,7 @@
53	"parseurl": "~1.3.3",	53	"parseurl": "~1.3.3",
54	"path-to-regexp": "~0.1.12",	54	"path-to-regexp": "~0.1.12",
55	"proxy-addr": "~2.0.7",	55	"proxy-addr": "~2.0.7",
56	"qs": "~6.14.0",	56	"qs": "~6.15.1",
57	"range-parser": "~1.2.1",	57	"range-parser": "~1.2.1",
58	"safe-buffer": "5.2.1",	58	"safe-buffer": "5.2.1",
59	"send": "~0.19.0",	59	"send": "~0.19.0",

+.22.2 / 2026-05-011
+==========
+* fix: restore >20 array parsing for `req.query` repeated keys ([`8d09bfe6`](https://github.com/expressjs/express/commit/8d09bfe6d88983da5c3e12cfdd54782c4dc675db))
+  * This also unifies array-cap behavior across notations. Indexed notation (`a[0]=...`) was historically capped at qs's default `arrayLimit` of 20 even in older qs versions; after this change it also allows up to 1000 items.
+* deps: qs@~6.15.1
+* deps: body-parser@~1.20.5
 .22.1 / 2025-12-01
 ==========
   * Revert security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))
+    * The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.
 .22.0 / 2025-12-01
 ==========

@@ -287,7 +287,8 @@
287		287
288	function parseExtendedQueryString(str) {	288	function parseExtendedQueryString(str) {
289	return qs.parse(str, {	289	return qs.parse(str, {
290	allowPrototypes: true	290	allowPrototypes: true,
		291	arrayLimit: 1000
291	});	292	});
292	}	293	}
293		294

@@ -1,7 +1,7 @@
1	{	1	{
2	"name": "express",	2	"name": "express",
3	"description": "Fast, unopinionated, minimalist web framework",	3	"description": "Fast, unopinionated, minimalist web framework",
4	"version": "4.22.1",	4	"version": "4.22.2",
5	"author": "TJ Holowaychuk <tj@vision-media.ca>",	5	"author": "TJ Holowaychuk <tj@vision-media.ca>",
6	"contributors": [	6	"contributors": [
7	"Aaron Heckmann <aaron.heckmann+github@gmail.com>",	7	"Aaron Heckmann <aaron.heckmann+github@gmail.com>",
@@ -34,7 +34,7 @@
34	"dependencies": {	34	"dependencies": {
35	"accepts": "~1.3.8",	35	"accepts": "~1.3.8",
36	"array-flatten": "1.1.1",	36	"array-flatten": "1.1.1",
37	"body-parser": "~1.20.3",	37	"body-parser": "~1.20.5",
38	"content-disposition": "~0.5.4",	38	"content-disposition": "~0.5.4",
39	"content-type": "~1.0.4",	39	"content-type": "~1.0.4",
40	"cookie": "~0.7.1",	40	"cookie": "~0.7.1",
@@ -53,7 +53,7 @@
53	"parseurl": "~1.3.3",	53	"parseurl": "~1.3.3",
54	"path-to-regexp": "~0.1.12",	54	"path-to-regexp": "~0.1.12",
55	"proxy-addr": "~2.0.7",	55	"proxy-addr": "~2.0.7",
56	"qs": "~6.14.0",	56	"qs": "~6.15.1",
57	"range-parser": "~1.2.1",	57	"range-parser": "~1.2.1",
58	"safe-buffer": "5.2.1",	58	"safe-buffer": "5.2.1",
59	"send": "~0.19.0",	59	"send": "~0.19.0",

Comparing
`express@4.22.1`

Comparing
`express@4.22.1`

Source

npm diff

Options

Bundlephobia

Bundlephobia

Packagephobia

Packagephobia

lib/utils.js +++2---1

package.json +++3---3

History.md +++9---0

+++0---0

lib/utils.js +++2---1

package.json +++3---3

History.md +++9---0

Packagephobia

Source

Bundlephobia

Comparingexpress@4.22.1

Comparingexpress@4.22.1

Source

npm diff

Options

Bundlephobia

Bundlephobia

Packagephobia

Packagephobia

lib/utils.js +++2---1

package.json +++3---3

History.md +++9---0

+++0---0

lib/utils.js +++2---1

package.json +++3---3

History.md +++9---0

Packagephobia

Source

Bundlephobia

Comparing
`express@4.22.1`

Comparing
`express@4.22.1`