Comparing express@4.22.1...express@4.22.2 • npm-diff.app 📦🔃

Bundlephobia

600.9 kB

241.8 kB

Size

Gzip

Dependencies

601.0 kB (+172 B)

241.8 kB (+35 B)

Bundlephobia

Size

Gzip

Dependencies

Packagephobia

216.6 kB

2.2 MB

Publish

Install

217.3 kB (+762 B)

2.2 MB (-75.5 kB)

Packagephobia

Publish

Install

Showing 3 changed files with 14 additions and 4 deletions

+++0---0

Showing 3 changed files with 14 additions and 4 deletions

Split Unified

lib/utils.js +++2---1

View file

package.json +++3---3

View file

History.md +++9---0

View file

 function parseExtendedQueryString(str) {
   return qs.parse(str, {
+    allowPrototypes: true
+    allowPrototypes: true,
+    arrayLimit: 1000
   });
+}

+{
   "name": "express",
   "description": "Fast, unopinionated, minimalist web framework",
+  "version": "4.22.1",
+  "version": "4.22.2",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",
   "dependencies": {
     "accepts": "~1.3.8",
     "array-flatten": "1.1.1",
+    "body-parser": "~1.20.3",
+    "body-parser": "~1.20.5",
     "content-disposition": "~0.5.4",
     "content-type": "~1.0.4",
     "cookie": "~0.7.1",
     "parseurl": "~1.3.3",
     "path-to-regexp": "~0.1.12",
     "proxy-addr": "~2.0.7",
+    "qs": "~6.14.0",
+    "qs": "~6.15.1",
     "range-parser": "~1.2.1",
     "safe-buffer": "5.2.1",
     "send": "~0.19.0",

+.22.2 / 2026-05-011
+==========
+* fix: restore >20 array parsing for `req.query` repeated keys ([`8d09bfe6`](https://github.com/expressjs/express/commit/8d09bfe6d88983da5c3e12cfdd54782c4dc675db))
+  * This also unifies array-cap behavior across notations. Indexed notation (`a[0]=...`) was historically capped at qs's default `arrayLimit` of 20 even in older qs versions; after this change it also allows up to 1000 items.
+* deps: qs@~6.15.1
+* deps: body-parser@~1.20.5
 .22.1 / 2025-12-01
 ==========
   * Revert security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))
+    * The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.
 .22.0 / 2025-12-01
 ==========

 function parseExtendedQueryString(str) {
   return qs.parse(str, {
+    allowPrototypes: true
+    allowPrototypes: true,
+    arrayLimit: 1000
   });
+}

+{
   "name": "express",
   "description": "Fast, unopinionated, minimalist web framework",
+  "version": "4.22.1",
+  "version": "4.22.2",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",
   "dependencies": {
     "accepts": "~1.3.8",
     "array-flatten": "1.1.1",
+    "body-parser": "~1.20.3",
+    "body-parser": "~1.20.5",
     "content-disposition": "~0.5.4",
     "content-type": "~1.0.4",
     "cookie": "~0.7.1",
     "parseurl": "~1.3.3",
     "path-to-regexp": "~0.1.12",
     "proxy-addr": "~2.0.7",
+    "qs": "~6.14.0",
+    "qs": "~6.15.1",
     "range-parser": "~1.2.1",
     "safe-buffer": "5.2.1",
     "send": "~0.19.0",

Comparing
`express@4.22.1`

Comparing
`express@4.22.1`

Source

npm diff

Options

Bundlephobia

Bundlephobia

Packagephobia

Packagephobia

lib/utils.js +++2---1

package.json +++3---3

History.md +++9---0

+++0---0

Packagephobia

Bundlephobia

lib/utils.js +++2---1

package.json +++3---3

History.md +++9---0

Source

Comparingexpress@4.22.1

Comparingexpress@4.22.1

Source

npm diff

Options

Bundlephobia

Bundlephobia

Packagephobia

Packagephobia

lib/utils.js +++2---1

package.json +++3---3

History.md +++9---0

+++0---0

Packagephobia

Bundlephobia

lib/utils.js +++2---1

package.json +++3---3

History.md +++9---0

Source

Comparing
`express@4.22.1`

Comparing
`express@4.22.1`