fix(tests): correct spelling of 'throw' in error messages

Co-authored-by: Shivam Sharma <meshivam81@gmail.com>
Co-authored-by: Sebastian Beltran <bjohansebas@gmail.com>

.editorconfig

@@ -1,4 +1,4 @@
-# http://editorconfig.org
+# https://editorconfig.org
 root = true
 
 [*]

.eslintrc

@@ -1,8 +0,0 @@
-{
-  "rules": {
-    "eol-last": "error",
-    "indent": ["error", 2, { "SwitchCase": 1 }],
-    "no-trailing-spaces": "error",
-    "no-unused-vars": ["error", { "vars": "all", "args": "none", "ignoreRestSiblings": true }]
-  }
-}

.eslintrc.yml

@@ -0,0 +1,10 @@
+root: true
+env:
+  es2022: true
+  node: true
+rules:
+  eol-last: error
+  eqeqeq: [error, allow-null]
+  indent: [error, 2, { MemberExpression: "off", SwitchCase: 1 }]
+  no-trailing-spaces: error
+  no-unused-vars: [error, { vars: all, args: none, ignoreRestSiblings: true }]

.github/dependabot.yml

@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: monthly
+      time: "23:00"
+      timezone: Europe/London
+    open-pull-requests-limit: 10
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]

.github/workflows/ci.yml

@@ -0,0 +1,114 @@
+name: ci
+
+on:
+  push:
+    branches:
+      - master
+      - develop
+      - '4.x'
+      - '5.x'
+      - '5.0'
+    paths-ignore:
+      - '*.md'
+  pull_request:
+    paths-ignore:
+      - '*.md'
+
+permissions:
+  contents: read
+
+# Cancel in progress workflows
+# in the scenario where we already had a run going for that PR/branch/tag but then triggered a new run
+concurrency:
+  group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+
+      - name: Install dependencies
+        run: npm install --ignore-scripts --include=dev
+
+      - name: Run lint
+        run: npm run lint
+
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        node-version: [18, 19, 20, 21, 22, 23]
+        # Node.js release schedule: https://nodejs.org/en/about/releases/
+
+    name: Node.js ${{ matrix.node-version }} - ${{matrix.os}}
+
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Configure npm loglevel
+        run: |
+          npm config set loglevel error
+        shell: bash
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Output Node and NPM versions
+        run: |
+          echo "Node.js version: $(node -v)"
+          echo "NPM version: $(npm -v)"
+
+      - name: Run tests
+        shell: bash
+        run: npm run test-ci
+
+      - name: Upload code coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-node-${{ matrix.node-version }}-${{ matrix.os }}
+          path: ./coverage/lcov.info
+          retention-days: 1
+
+  coverage:
+    needs: test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      checks: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install lcov
+        shell: bash
+        run: sudo apt-get -y install lcov
+
+      - name: Collect coverage reports
+        uses: actions/download-artifact@v4
+        with:
+          path: ./coverage
+          pattern: coverage-node-*
+
+      - name: Merge coverage reports
+        shell: bash
+        run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./lcov.info
+
+      - name: Upload coverage report
+        uses: coverallsapp/github-action@v2
+        with:
+          file: ./lcov.info

.github/workflows/codeql.yml

@@ -0,0 +1,66 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["master"]
+  schedule:
+    - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        with:
+          languages: javascript
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      # - name: Autobuild
+      #   uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        with:
+          category: "/language:javascript"

.github/workflows/legacy.yml

@@ -0,0 +1,98 @@
+name: legacy
+
+on:
+  push:
+    branches:
+      - master
+      - develop
+      - '4.x'
+      - '5.x'
+      - '5.0'
+    paths-ignore:
+      - '*.md'
+  pull_request:
+    paths-ignore:
+      - '*.md'
+
+permissions:
+  contents: read
+
+# Cancel in progress workflows
+# in the scenario where we already had a run going for that PR/branch/tag but then triggered a new run
+concurrency:
+  group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        node-version: [16, 17]
+        # Node.js release schedule: https://nodejs.org/en/about/releases/
+
+    name: Node.js ${{ matrix.node-version }} - ${{matrix.os}}
+
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Configure npm loglevel
+        run: |
+          npm config set loglevel error
+        shell: bash
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Output Node and NPM versions
+        run: |
+          echo "Node.js version: $(node -v)"
+          echo "NPM version: $(npm -v)"
+
+      - name: Run tests
+        shell: bash
+        run: npm run test-ci
+
+      - name: Upload code coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-node-${{ matrix.node-version }}-${{ matrix.os }}
+          path: ./coverage/lcov.info
+          retention-days: 1
+
+  coverage:
+    needs: test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      checks: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install lcov
+        shell: bash
+        run: sudo apt-get -y install lcov
+
+      - name: Collect coverage reports
+        uses: actions/download-artifact@v4
+        with:
+          path: ./coverage
+          pattern: coverage-node-*
+
+      - name: Merge coverage reports
+        shell: bash
+        run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./lcov.info
+
+      - name: Upload coverage report
+        uses: coverallsapp/github-action@v2
+        with:
+          file: ./lcov.info

.github/workflows/scorecard.yml

@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '16 21 * * 1'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        with:
+          sarif_file: results.sarif

.gitignore

@@ -1,26 +1,16 @@
-# OS X
-.DS_Store*
-Icon?
-._*
-
-# Windows
-Thumbs.db
-ehthumbs.db
-Desktop.ini
-
-# Linux
-.directory
-*~
-
-
 # npm
 node_modules
+package-lock.json
+npm-shrinkwrap.json
 *.log
 *.gz
 
-
 # Coveralls
+.nyc_output
 coverage
 
 # Benchmarking
 benchmarks/graphs
+
+# ignore additional files using core.excludesFile
+# https://git-scm.com/docs/gitignore

.npmrc

@@ -0,0 +1 @@
+package-lock=false

.travis.yml

@@ -1,33 +0,0 @@
-language: node_js
-node_js:
-  - "0.10"
-  - "0.12"
-  - "1.8"
-  - "2.5"
-  - "3.3"
-  - "4.8"
-  - "5.12"
-  - "6.11"
-  - "7.10"
-matrix:
-  include:
-    - node_js: "8.0"
-      env: "NVM_NODEJS_ORG_MIRROR=https://nodejs.org/download/nightly"
-  allow_failures:
-    # Allow the nightly installs to fail
-    - env: "NVM_NODEJS_ORG_MIRROR=https://nodejs.org/download/nightly"
-sudo: false
-cache:
-  directories:
-    - node_modules
-before_install:
-  # Remove all non-test dependencies
-  - "npm rm --save-dev connect-redis"
-
-  # Update Node.js modules
-  - "test ! -d node_modules || npm prune"
-  - "test ! -d node_modules || npm rebuild"
-script:
-  - "npm run test-ci"
-  - "npm run lint"
-after_script: "npm install coveralls@2.10.0 && cat ./coverage/lcov.info | coveralls"

Charter.md

@@ -0,0 +1,92 @@
+# Express Charter
+
+## Section 0: Guiding Principles
+
+The Express project is part of the OpenJS Foundation which operates
+transparently, openly, collaboratively, and ethically.
+Project proposals, timelines, and status must not merely be open, but
+also easily visible to outsiders.
+
+## Section 1: Scope
+
+Express is a HTTP web server framework with a simple and expressive API
+which is highly aligned with Node.js core. We aim to be the best in
+class for writing performant, spec compliant, and powerful web servers
+in Node.js. As one of the oldest and most popular web frameworks in
+the ecosystem, we have an important place for new users and experts
+alike.
+
+### 1.1: In-scope
+
+Express is made of many modules spread between three GitHub Orgs:
+
+- [expressjs](https://github.com/expressjs/): Top level middleware and
+  libraries
+- [pillarjs](https://github.com/pillarjs/): Components which make up
+  Express but can also be used for other web frameworks
+- [jshttp](https://github.com/jshttp/): Low level HTTP libraries
+
+### 1.2: Out-of-Scope
+
+Section Intentionally Left Blank
+
+## Section 2: Relationship with OpenJS Foundation CPC.
+
+Technical leadership for the projects within the OpenJS Foundation is
+delegated to the projects through their project charters by the OpenJS
+Cross Project Council (CPC). In the case of the Express project, it is
+delegated to the Express Technical Committee ("TC").
+
+This Technical Committee is in charge of both the day-to-day operations
+of the project, as well as its technical management. This charter can
+be amended by the TC requiring at least two approvals and a minimum two
+week comment period for other TC members or CPC members to object. Any
+changes the CPC wishes to propose will be considered a priority but
+will follow the same process.
+
+### 2.1 Other Formal Project Relationships
+
+Section Intentionally Left Blank
+
+## Section 3: Express Governing Body
+
+The Express project is managed by the Technical Committee ("TC").
+Members can be added to the TC at any time. Any committer can nominate
+another committer to the TC and the TC uses its standard consensus
+seeking process to evaluate whether or not to add this new member.
+Members who do not participate consistently at the level of a majority
+of the other members are expected to resign.
+
+## Section 4: Roles & Responsibilities
+
+The Express TC manages all aspects of both the technical and community
+parts of the project. Members of the TC should attend the regular
+meetings when possible, and be available for discussion of time
+sensitive or important issues.
+
+### Section 4.1 Project Operations & Management
+
+Section Intentionally Left Blank
+
+### Section 4.2: Decision-making, Voting, and/or Elections
+
+The Express TC uses a "consensus seeking" process for issues that are
+escalated to the TC. The group tries to find a resolution that has no
+open objections among TC members. If a consensus cannot be reached
+that has no objections then a majority wins vote is called. It is also
+expected that the majority of decisions made by the TC are via a
+consensus seeking process and that voting is only used as a last-resort.
+
+Resolution may involve returning the issue to committers with
+suggestions on how to move forward towards a consensus. It is not
+expected that a meeting of the TC will resolve all issues on its
+agenda during that meeting and may prefer to continue the discussion
+happening among the committers.
+
+### Section 4.3: Other Project Roles
+
+Section Intentionally Left Blank
+
+## Section 5: Definitions
+
+Section Intentionally Left Blank

Code-Of-Conduct.md

@@ -0,0 +1,139 @@
+# Contributor Covenant Code of Conduct
+
+As a member of the Open JS Foundation, Express has adopted the
+[Contributor Covenant 2.0][cc-20-doc].
+
+If an issue arises and you cannot resolve it directly with the parties
+involved, you can report it to the Express project TC through the following
+email: express-coc@lists.openjsf.org
+
+In addition, the OpenJS Foundation maintains a Code of Conduct Panel (CoCP).
+This is a foundation-wide team established to manage escalation when a reporter
+believes that a report to a member project or the CPC has not been properly
+handled. In order to escalate to the CoCP send an email to
+coc-escalation@lists.openjsf.org.
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances
+  of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for
+moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail
+address, posting via an official social media account, or acting as an
+appointed representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+express-coc@lists.openjsf.org. All complaints will be reviewed and
+investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited
+interaction with those enforcing the Code of Conduct, is allowed during this
+period. Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+project community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant, version 2.0][cc-20-doc].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
+
+[cc-20-doc]: https://www.contributor-covenant.org/version/2/0/code_of_conduct/
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

Collaborator-Guide.md

@@ -1,3 +1,4 @@
+# Express Collaborator Guide
 
 ## Website Issues
 
@@ -6,7 +7,7 @@ Open issues for the expressjs.com website in https://github.com/expressjs/expres
 ## PRs and Code contributions
 
 * Tests must pass.
-* Follow the [JavaScript Standard Style](http://standardjs.com/) and `npm run lint`.
+* Follow the [JavaScript Standard Style](https://standardjs.com/) and `npm run lint`.
 * If you fix a bug, add a test.
 
 ## Branches
@@ -21,7 +22,7 @@ a future release of Express.
 
 1. [Create an issue](https://github.com/expressjs/express/issues/new) for the
    bug you want to fix or the feature that you want to add.
-2. Create your own [fork](https://github.com/expressjs/express) on github, then
+2. Create your own [fork](https://github.com/expressjs/express) on GitHub, then
    checkout your fork.
 3. Write your code in your local copy. It's good practice to create a branch for
    each new issue you work on, although not compulsory.

Contributing.md

@@ -12,14 +12,16 @@ contributors can be involved in decision making.
 
 * A **Contributor** is any individual creating or commenting on an issue or pull request.
 * A **Committer** is a subset of contributors who have been given write access to the repository.
+* A **Project Captain** is the lead maintainer of a repository.
 * A **TC (Technical Committee)** is a group of committers representing the required technical
 expertise to resolve rare disputes.
+* A **Triager** is a subset of contributors who have been given triage access to the repository.
 
-# Logging Issues
+## Logging Issues
 
 Log an issue for any question or problem you might have. When in doubt, log an issue, and
 any additional policies about what to include will be provided in the responses. The only
-exception is security dislosures which should be sent privately.
+exception is security disclosures which should be sent privately.
 
 Committers may direct you to another repository, ask for additional clarifications, and
 add appropriate metadata before the issue is addressed.
@@ -27,7 +29,7 @@ add appropriate metadata before the issue is addressed.
 Please be courteous and respectful. Every participant is expected to follow the
 project's Code of Conduct.
 
-# Contributions
+## Contributions
 
 Any change to resources in this repository must be through pull requests. This applies to all changes
 to documentation, code, binary files, etc. Even long term committers and TC members must use
@@ -41,7 +43,7 @@ weekends and other holiday periods to ensure active committers all have reasonab
 become involved in the discussion and review process if they wish.
 
 The default for each contribution is that it is accepted once no committer has an objection.
-During review committers may also request that a specific contributor who is most versed in a
+During a review, committers may also request that a specific contributor who is most versed in a
 particular area gives a "LGTM" before the PR can be merged. There is no additional "sign off"
 process for contributions to land. Once all issues brought by committers are addressed it can
 be landed by any committer.
@@ -56,15 +58,30 @@ discuss pending contributions in order to find a resolution. It is expected that
 small minority of issues be brought to the TC for resolution and that discussion and
 compromise among committers be the default resolution mechanism.
 
-# Becoming a Committer
+## Becoming a Triager
 
-All contributors who land a non-trivial contribution should be on-boarded in a timely manner,
+Anyone can become a triager! Read more about the process of being a triager in
+[the triage process document](Triager-Guide.md).
+
+Currently, any existing [organization member](https://github.com/orgs/expressjs/people) can nominate
+a new triager. If you are interested in becoming a triager, our best advice is to actively participate
+in the community by helping triaging issues and pull requests. As well we recommend
+to engage in other community activities like attending the TC meetings, and participating in the Slack
+discussions. If you feel ready and have been helping triage some issues, reach out to an active member of the organization to ask if they'd
+be willing to support you. If they agree, they can create a pull request to formalize your nomination. In the case of an objection to the nomination, the triage team is responsible for working with the individuals involved and finding a resolution.
+
+You can also reach out to any of the [organization members](https://github.com/orgs/expressjs/people)
+if you have questions or need guidance.
+
+## Becoming a Committer
+
+All contributors who have landed significant and valuable contributions should be onboarded in a timely manner,
 and added as a committer, and be given write access to the repository.
 
 Committers are expected to follow this policy and continue to send pull requests, go through
 proper review, and have other committers merge their pull requests.
 
-# TC Process
+## TC Process
 
 The TC uses a "consensus seeking" process for issues that are escalated to the TC.
 The group tries to find a resolution that has no open objections among TC members.
@@ -72,14 +89,157 @@ If a consensus cannot be reached that has no objections then a majority wins vot
 is called. It is also expected that the majority of decisions made by the TC are via
 a consensus seeking process and that voting is only used as a last-resort.
 
-Resolution may involve returning the issue to committers with suggestions on how to
-move forward towards a consensus. It is not expected that a meeting of the TC
+Resolution may involve returning the issue to project captains with suggestions on
+how to move forward towards a consensus. It is not expected that a meeting of the TC
 will resolve all issues on its agenda during that meeting and may prefer to continue
-the discussion happening among the committers.
+the discussion happening among the project captains.
 
-Members can be added to the TC at any time. Any committer can nominate another committer
+Members can be added to the TC at any time. Any TC member can nominate another committer
 to the TC and the TC uses its standard consensus seeking process to evaluate whether or
-not to add this new member. Members who do not participate consistently at the level of
-a majority of the other members are expected to resign.
+not to add this new member. The TC will consist of a minimum of 3 active members and a
+maximum of 10. If the TC should drop below 5 members the active TC members should nominate
+someone new. If a TC member is stepping down, they are encouraged (but not required) to
+nominate someone to take their place.
 
+TC members will be added as admin's on the Github orgs, npm orgs, and other resources as
+necessary to be effective in the role.
 
+To remain "active" a TC member should have participation within the last 12 months and miss
+no more than six consecutive TC meetings. Our goal is to increase participation, not punish
+people for any lack of participation, this guideline should be only be used as such
+(replace an inactive member with a new active one, for example). Members who do not meet this
+are expected to step down. If A TC member does not step down, an issue can be opened in the
+discussions repo to move them to inactive status. TC members who step down or are removed due
+to inactivity will be moved into inactive status.
+
+Inactive status members can become active members by self nomination if the TC is not already
+larger than the maximum of 10. They will also be given preference if, while at max size, an
+active member steps down.
+
+## Project Captains
+
+The Express TC can designate captains for individual projects/repos in the
+organizations. These captains are responsible for being the primary
+day-to-day maintainers of the repo on a technical and community front.
+Repo captains are empowered with repo ownership and package publication rights.
+When there are conflicts, especially on topics that effect the Express project
+at large, captains are responsible to raise it up to the TC and drive
+those conflicts to resolution. Captains are also responsible for making sure
+community members follow the community guidelines, maintaining the repo
+and the published package, as well as in providing user support.
+
+Like TC members, Repo captains are a subset of committers.
+
+To become a captain for a project the candidate is expected to participate in that
+project for at least 6 months as a committer prior to the request. They should have
+helped with code contributions as well as triaging issues. They are also required to
+have 2FA enabled on both their GitHub and npm accounts.
+
+Any TC member or an existing captain on the **same** repo can nominate another committer 
+to the captain role. To do so, they should submit a PR to this document, updating the 
+**Active Project Captains** section (while maintaining the sort order) with the project 
+name, the nominee's GitHub handle, and their npm username (if different).
+- Repos can have as many captains as make sense for the scope of work.
+- A TC member or an existing repo captain **on the same project** can nominate a new captain. 
+  Repo captains from other projects should not nominate captains for a different project.
+
+The PR will require at least 2 approvals from TC members and 2 weeks hold time to allow 
+for comment and/or dissent.  When the PR is merged, a TC member will add them to the 
+proper GitHub/npm groups.
+
+### Active Projects and Captains
+
+- [`expressjs/badgeboard`](https://github.com/expressjs/badgeboard): @wesleytodd
+- [`expressjs/basic-auth-connect`](https://github.com/expressjs/basic-auth-connect): @ulisesGascon
+- [`expressjs/body-parser`](https://github.com/expressjs/body-parser): @wesleytodd, @jonchurch, @ulisesGascon
+- [`expressjs/compression`](https://github.com/expressjs/compression): @ulisesGascon
+- [`expressjs/connect-multiparty`](https://github.com/expressjs/connect-multiparty): @ulisesGascon
+- [`expressjs/cookie-parser`](https://github.com/expressjs/cookie-parser): @wesleytodd, @UlisesGascon
+- [`expressjs/cookie-session`](https://github.com/expressjs/cookie-session): @ulisesGascon
+- [`expressjs/cors`](https://github.com/expressjs/cors): @jonchurch, @ulisesGascon
+- [`expressjs/discussions`](https://github.com/expressjs/discussions): @wesleytodd
+- [`expressjs/errorhandler`](https://github.com/expressjs/errorhandler): @ulisesGascon
+- [`expressjs/express-paginate`](https://github.com/expressjs/express-paginate): @ulisesGascon
+- [`expressjs/express`](https://github.com/expressjs/express): @wesleytodd, @ulisesGascon
+- [`expressjs/expressjs.com`](https://github.com/expressjs/expressjs.com): @crandmck, @jonchurch, @bjohansebas
+- [`expressjs/flash`](https://github.com/expressjs/flash): @ulisesGascon
+- [`expressjs/generator`](https://github.com/expressjs/generator): @wesleytodd
+- [`expressjs/method-override`](https://github.com/expressjs/method-override): @ulisesGascon
+- [`expressjs/morgan`](https://github.com/expressjs/morgan): @jonchurch, @ulisesGascon
+- [`expressjs/multer`](https://github.com/expressjs/multer): @LinusU, @ulisesGascon
+- [`expressjs/response-time`](https://github.com/expressjs/response-time): @UlisesGascon
+- [`expressjs/serve-favicon`](https://github.com/expressjs/serve-favicon): @ulisesGascon
+- [`expressjs/serve-index`](https://github.com/expressjs/serve-index): @ulisesGascon
+- [`expressjs/serve-static`](https://github.com/expressjs/serve-static): @ulisesGascon
+- [`expressjs/session`](https://github.com/expressjs/session): @ulisesGascon
+- [`expressjs/statusboard`](https://github.com/expressjs/statusboard): @wesleytodd
+- [`expressjs/timeout`](https://github.com/expressjs/timeout): @ulisesGascon
+- [`expressjs/vhost`](https://github.com/expressjs/vhost): @ulisesGascon
+- [`jshttp/accepts`](https://github.com/jshttp/accepts): @blakeembrey
+- [`jshttp/basic-auth`](https://github.com/jshttp/basic-auth): @blakeembrey
+- [`jshttp/compressible`](https://github.com/jshttp/compressible): @blakeembrey
+- [`jshttp/content-disposition`](https://github.com/jshttp/content-disposition): @blakeembrey
+- [`jshttp/content-type`](https://github.com/jshttp/content-type): @blakeembrey
+- [`jshttp/cookie`](https://github.com/jshttp/cookie): @blakeembrey
+- [`jshttp/etag`](https://github.com/jshttp/etag): @blakeembrey
+- [`jshttp/forwarded`](https://github.com/jshttp/forwarded): @blakeembrey
+- [`jshttp/fresh`](https://github.com/jshttp/fresh): @blakeembrey
+- [`jshttp/http-assert`](https://github.com/jshttp/http-assert): @wesleytodd, @jonchurch, @ulisesGascon
+- [`jshttp/http-errors`](https://github.com/jshttp/http-errors): @wesleytodd, @jonchurch, @ulisesGascon
+- [`jshttp/media-typer`](https://github.com/jshttp/media-typer): @blakeembrey
+- [`jshttp/methods`](https://github.com/jshttp/methods): @blakeembrey
+- [`jshttp/mime-db`](https://github.com/jshttp/mime-db): @blakeembrey, @UlisesGascon
+- [`jshttp/mime-types`](https://github.com/jshttp/mime-types): @blakeembrey, @UlisesGascon
+- [`jshttp/negotiator`](https://github.com/jshttp/negotiator): @blakeembrey
+- [`jshttp/on-finished`](https://github.com/jshttp/on-finished): @wesleytodd, @ulisesGascon
+- [`jshttp/on-headers`](https://github.com/jshttp/on-headers): @blakeembrey
+- [`jshttp/proxy-addr`](https://github.com/jshttp/proxy-addr): @wesleytodd, @ulisesGascon
+- [`jshttp/range-parser`](https://github.com/jshttp/range-parser): @blakeembrey
+- [`jshttp/statuses`](https://github.com/jshttp/statuses): @blakeembrey
+- [`jshttp/type-is`](https://github.com/jshttp/type-is): @blakeembrey
+- [`jshttp/vary`](https://github.com/jshttp/vary): @blakeembrey
+- [`pillarjs/cookies`](https://github.com/pillarjs/cookies): @blakeembrey
+- [`pillarjs/csrf`](https://github.com/pillarjs/csrf): @ulisesGascon
+- [`pillarjs/encodeurl`](https://github.com/pillarjs/encodeurl): @blakeembrey
+- [`pillarjs/finalhandler`](https://github.com/pillarjs/finalhandler): @wesleytodd, @ulisesGascon
+- [`pillarjs/hbs`](https://github.com/pillarjs/hbs): @ulisesGascon
+- [`pillarjs/multiparty`](https://github.com/pillarjs/multiparty): @blakeembrey
+- [`pillarjs/parseurl`](https://github.com/pillarjs/parseurl): @blakeembrey
+- [`pillarjs/path-to-regexp`](https://github.com/pillarjs/path-to-regexp): @blakeembrey
+- [`pillarjs/request`](https://github.com/pillarjs/request): @wesleytodd
+- [`pillarjs/resolve-path`](https://github.com/pillarjs/resolve-path): @blakeembrey
+- [`pillarjs/router`](https://github.com/pillarjs/router): @wesleytodd, @ulisesGascon
+- [`pillarjs/send`](https://github.com/pillarjs/send): @blakeembrey
+- [`pillarjs/understanding-csrf`](https://github.com/pillarjs/understanding-csrf): @ulisesGascon
+
+### Current Initiative Captains
+
+- Triage team [ref](https://github.com/expressjs/discussions/issues/227): @UlisesGascon
+
+## Developer's Certificate of Origin 1.1
+
+```text
+By making a contribution to this project, I certify that:
+
+ (a) The contribution was created in whole or in part by me and I
+     have the right to submit it under the open source license
+     indicated in the file; or
+
+ (b) The contribution is based upon previous work that, to the best
+     of my knowledge, is covered under an appropriate open source
+     license and I have the right under that license to submit that
+     work with modifications, whether created in whole or in part
+     by me, under the same open source license (unless I am
+     permitted to submit under a different license), as indicated
+     in the file; or
+
+ (c) The contribution was provided directly to me by some other
+     person who certified (a), (b) or (c) and I have not modified
+     it.
+
+ (d) I understand and agree that this project and the contribution
+     are public and that a record of the contribution (including all
+     personal information I submit with it, including my sign-off) is
+     maintained indefinitely and may be redistributed consistent with
+     this project or the open source license(s) involved.
+```

History.md

@@ -1,3 +1,576 @@
+unreleased
+========================
+
+* Remove `utils-merge` dependency - use spread syntax instead
+* Remove `Object.setPrototypeOf` polyfill
+* cleanup: remove AsyncLocalStorage check from tests
+* cleanup: remove unnecessary require for global Buffer
+* perf: use loop for acceptParams
+* Replace `methods` dependency with standard library
+* refactor: prefix built-in node module imports
+* Remove unused `depd` dependency
+* Add support for `Uint8Array` in `res.send`
+* Add support for ETag option in res.sendFile
+* Extend res.links() to allow adding multiple links with the same rel
+* deps: debug@^4.4.0
+* deps: body-parser@^2.1.0
+* deps: router@^2.1.0
+* deps: nyc@^17.1.0
+* deps: mocha@^10.7.3
+* deps: marked@^15.0.3
+* deps: express-session@^1.18.1
+* deps: ejs@^3.1.10
+* deps: content-type@^1.0.5
+* deps: connect-redis@^8.0.1
+* deps: supertest@^6.3.4
+* deps: qs@^6.14.0
+
+5.0.1 / 2024-10-08
+==========
+
+* Update `cookie` semver lock to address [CVE-2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764)
+
+5.0.0 / 2024-09-10
+=========================
+* remove:
+  - `path-is-absolute` dependency - use `path.isAbsolute` instead
+* breaking:
+  * `res.status()` accepts only integers, and input must be greater than 99 and less than 1000
+    * will throw a `RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000.` for inputs outside this range
+    * will throw a `TypeError: Invalid status code: ${code}. Status code must be an integer.` for non integer inputs
+  * deps: send@1.0.0
+  * `res.redirect('back')` and `res.location('back')` is no longer a supported magic string, explicitly use `req.get('Referrer') || '/'`.
+* change:
+  - `res.clearCookie` will ignore user provided `maxAge` and `expires` options
+* deps: cookie-signature@^1.2.1
+* deps: debug@4.3.6
+* deps: merge-descriptors@^2.0.0
+* deps: serve-static@^2.1.0
+* deps: qs@6.13.0
+* deps: accepts@^2.0.0
+* deps: mime-types@^3.0.0
+  - `application/javascript` => `text/javascript`
+* deps: type-is@^2.0.0
+* deps: content-disposition@^1.0.0
+* deps: finalhandler@^2.0.0
+* deps: fresh@^2.0.0
+* deps: body-parser@^2.0.1
+* deps: send@^1.1.0
+
+5.0.0-beta.3 / 2024-03-25
+=========================
+
+This incorporates all changes after 4.19.1 up to 4.19.2.
+
+5.0.0-beta.2 / 2024-03-20
+=========================
+
+This incorporates all changes after 4.17.2 up to 4.19.1.
+
+5.0.0-beta.1 / 2022-02-14
+=========================
+
+This is the first Express 5.0 beta release, based off 4.17.2 and includes
+changes from 5.0.0-alpha.8.
+
+  * change:
+    - Default "query parser" setting to `'simple'`
+    - Requires Node.js 4+
+    - Use `mime-types` for file to content type mapping
+  * deps: array-flatten@3.0.0
+  * deps: body-parser@2.0.0-beta.1
+    - `req.body` is no longer always initialized to `{}`
+    - `urlencoded` parser now defaults `extended` to `false`
+    - Use `on-finished` to determine when body read
+  * deps: router@2.0.0-beta.1
+    - Add new `?`, `*`, and `+` parameter modifiers
+    - Internalize private `router.process_params` method
+    - Matching group expressions are only RegExp syntax
+    - Named matching groups no longer available by position in `req.params`
+    - Regular expressions can only be used in a matching group
+    - Remove `debug` dependency
+    - Special `*` path segment behavior removed
+    - deps: array-flatten@3.0.0
+    - deps: parseurl@~1.3.3
+    - deps: path-to-regexp@3.2.0
+    - deps: setprototypeof@1.2.0
+  * deps: send@1.0.0-beta.1
+    - Change `dotfiles` option default to `'ignore'`
+    - Remove `hidden` option; use `dotfiles` option instead
+    - Use `mime-types` for file to content type mapping
+    - deps: debug@3.1.0
+  * deps: serve-static@2.0.0-beta.1
+    - Change `dotfiles` option default to `'ignore'`
+    - Remove `hidden` option; use `dotfiles` option instead
+    - Use `mime-types` for file to content type mapping
+    - Remove `express.static.mime` export; use `mime-types` package instead
+    - deps: send@1.0.0-beta.1
+
+5.0.0-alpha.8 / 2020-03-25
+==========================
+
+This is the eighth Express 5.0 alpha release, based off 4.17.1 and includes
+changes from 5.0.0-alpha.7.
+
+5.0.0-alpha.7 / 2018-10-26
+==========================
+
+This is the seventh Express 5.0 alpha release, based off 4.16.4 and includes
+changes from 5.0.0-alpha.6.
+
+The major change with this alpha is the basic support for returned, rejected
+Promises in the router.
+
+  * remove:
+    - `path-to-regexp` dependency
+  * deps: debug@3.1.0
+    - Add `DEBUG_HIDE_DATE` environment variable
+    - Change timer to per-namespace instead of global
+    - Change non-TTY date format
+    - Remove `DEBUG_FD` environment variable support
+    - Support 256 namespace colors
+  * deps: router@2.0.0-alpha.1
+    - Add basic support for returned, rejected Promises
+    - Fix JSDoc for `Router` constructor
+    - deps: debug@3.1.0
+    - deps: parseurl@~1.3.2
+    - deps: setprototypeof@1.1.0
+    - deps: utils-merge@1.0.1
+
+5.0.0-alpha.6 / 2017-09-24
+==========================
+
+This is the sixth Express 5.0 alpha release, based off 4.15.5 and includes
+changes from 5.0.0-alpha.5.
+
+  * remove:
+    - `res.redirect(url, status)` signature - use `res.redirect(status, url)`
+    - `res.send(status, body)` signature - use `res.status(status).send(body)`
+  * deps: router@~1.3.1
+    - deps: debug@2.6.8
+
+5.0.0-alpha.5 / 2017-03-06
+==========================
+
+This is the fifth Express 5.0 alpha release, based off 4.15.2 and includes
+changes from 5.0.0-alpha.4.
+
+5.0.0-alpha.4 / 2017-03-01
+==========================
+
+This is the fourth Express 5.0 alpha release, based off 4.15.0 and includes
+changes from 5.0.0-alpha.3.
+
+  * remove:
+    - Remove Express 3.x middleware error stubs
+  * deps: router@~1.3.0
+    - Add `next("router")` to exit from router
+    - Fix case where `router.use` skipped requests routes did not
+    - Skip routing when `req.url` is not set
+    - Use `%o` in path debug to tell types apart
+    - deps: debug@2.6.1
+    - deps: setprototypeof@1.0.3
+    - perf: add fast match path for `*` route
+
+5.0.0-alpha.3 / 2017-01-28
+==========================
+
+This is the third Express 5.0 alpha release, based off 4.14.1 and includes
+changes from 5.0.0-alpha.2.
+
+  * remove:
+    - `res.json(status, obj)` signature - use `res.status(status).json(obj)`
+    - `res.jsonp(status, obj)` signature - use `res.status(status).jsonp(obj)`
+    - `res.vary()` (no arguments) -- provide a field name as an argument
+  * deps: array-flatten@2.1.1
+  * deps: path-is-absolute@1.0.1
+  * deps: router@~1.1.5
+    - deps: array-flatten@2.0.1
+    - deps: methods@~1.1.2
+    - deps: parseurl@~1.3.1
+    - deps: setprototypeof@1.0.2
+
+5.0.0-alpha.2 / 2015-07-06
+==========================
+
+This is the second Express 5.0 alpha release, based off 4.13.1 and includes
+changes from 5.0.0-alpha.1.
+
+  * remove:
+    - `app.param(fn)`
+    - `req.param()` -- use `req.params`, `req.body`, or `req.query` instead
+  * change:
+    - `res.render` callback is always async, even for sync view engines
+    - The leading `:` character in `name` for `app.param(name, fn)` is no longer removed
+    - Use `router` module for routing
+    - Use `path-is-absolute` module for absolute path detection
+
+5.0.0-alpha.1 / 2014-11-06
+==========================
+
+This is the first Express 5.0 alpha release, based off 4.10.1.
+
+  * remove:
+    - `app.del` - use `app.delete`
+    - `req.acceptsCharset` - use `req.acceptsCharsets`
+    - `req.acceptsEncoding` - use `req.acceptsEncodings`
+    - `req.acceptsLanguage` - use `req.acceptsLanguages`
+    - `res.json(obj, status)` signature - use `res.json(status, obj)`
+    - `res.jsonp(obj, status)` signature - use `res.jsonp(status, obj)`
+    - `res.send(body, status)` signature - use `res.send(status, body)`
+    - `res.send(status)` signature - use `res.sendStatus(status)`
+    - `res.sendfile` - use `res.sendFile` instead
+    - `express.query` middleware
+  * change:
+    - `req.host` now returns host (`hostname:port`) - use `req.hostname` for only hostname
+    - `req.query` is now a getter instead of a plain property
+  * add:
+    - `app.router` is a reference to the base router
+
+4.20.0 / 2024-09-10
+==========
+  * deps: serve-static@0.16.0
+    * Remove link renderization in html while redirecting
+  * deps: send@0.19.0
+    * Remove link renderization in html while redirecting
+  * deps: body-parser@0.6.0
+    * add `depth` option to customize the depth level in the parser
+    * IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`)
+  * Remove link renderization in html while using `res.redirect`
+  * deps: path-to-regexp@0.1.10
+    - Adds support for named matching groups in the routes using a regex
+    - Adds backtracking protection to parameters without regexes defined
+  * deps: encodeurl@~2.0.0
+    - Removes encoding of `\`, `|`, and `^` to align better with URL spec
+  * Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie`
+    - Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie
+
+4.19.2 / 2024-03-25
+==========
+
+  * Improved fix for open redirect allow list bypass
+
+4.19.1 / 2024-03-20
+==========
+
+  * Allow passing non-strings to res.location with new encoding handling checks
+
+4.19.0 / 2024-03-20
+==========
+
+  * Prevent open redirect allow list bypass due to encodeurl
+  * deps: cookie@0.6.0
+
+4.18.3 / 2024-02-29
+==========
+
+  * Fix routing requests without method
+  * deps: body-parser@1.20.2
+    - Fix strict json error message on Node.js 19+
+    - deps: content-type@~1.0.5
+    - deps: raw-body@2.5.2
+  * deps: cookie@0.6.0
+    - Add `partitioned` option
+
+4.18.2 / 2022-10-08
+===================
+
+  * Fix regression routing a large stack in a single route
+  * deps: body-parser@1.20.1
+    - deps: qs@6.11.0
+    - perf: remove unnecessary object clone
+  * deps: qs@6.11.0
+
+4.18.1 / 2022-04-29
+===================
+
+  * Fix hanging on large stack of sync routes
+
+4.18.0 / 2022-04-25
+===================
+
+  * Add "root" option to `res.download`
+  * Allow `options` without `filename` in `res.download`
+  * Deprecate string and non-integer arguments to `res.status`
+  * Fix behavior of `null`/`undefined` as `maxAge` in `res.cookie`
+  * Fix handling very large stacks of sync middleware
+  * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
+  * Invoke `default` with same arguments as types in `res.format`
+  * Support proper 205 responses using `res.send`
+  * Use `http-errors` for `res.format` error
+  * deps: body-parser@1.20.0
+    - Fix error message for json parse whitespace in `strict`
+    - Fix internal error when inflated body exceeds limit
+    - Prevent loss of async hooks context
+    - Prevent hanging when request already read
+    - deps: depd@2.0.0
+    - deps: http-errors@2.0.0
+    - deps: on-finished@2.4.1
+    - deps: qs@6.10.3
+    - deps: raw-body@2.5.1
+  * deps: cookie@0.5.0
+    - Add `priority` option
+    - Fix `expires` option to reject invalid dates
+  * deps: depd@2.0.0
+    - Replace internal `eval` usage with `Function` constructor
+    - Use instance methods on `process` to check for listeners
+  * deps: finalhandler@1.2.0
+    - Remove set content headers that break response
+    - deps: on-finished@2.4.1
+    - deps: statuses@2.0.1
+  * deps: on-finished@2.4.1
+    - Prevent loss of async hooks context
+  * deps: qs@6.10.3
+  * deps: send@0.18.0
+    - Fix emitted 416 error missing headers property
+    - Limit the headers removed for 304 response
+    - deps: depd@2.0.0
+    - deps: destroy@1.2.0
+    - deps: http-errors@2.0.0
+    - deps: on-finished@2.4.1
+    - deps: statuses@2.0.1
+  * deps: serve-static@1.15.0
+    - deps: send@0.18.0
+  * deps: statuses@2.0.1
+    - Remove code 306
+    - Rename `425 Unordered Collection` to standard `425 Too Early`
+
+4.17.3 / 2022-02-16
+===================
+
+  * deps: accepts@~1.3.8
+    - deps: mime-types@~2.1.34
+    - deps: negotiator@0.6.3
+  * deps: body-parser@1.19.2
+    - deps: bytes@3.1.2
+    - deps: qs@6.9.7
+    - deps: raw-body@2.4.3
+  * deps: cookie@0.4.2
+  * deps: qs@6.9.7
+    * Fix handling of `__proto__` keys
+  * pref: remove unnecessary regexp for trust proxy
+
+4.17.2 / 2021-12-16
+===================
+
+  * Fix handling of `undefined` in `res.jsonp`
+  * Fix handling of `undefined` when `"json escape"` is enabled
+  * Fix incorrect middleware execution with unanchored `RegExp`s
+  * Fix `res.jsonp(obj, status)` deprecation message
+  * Fix typo in `res.is` JSDoc
+  * deps: body-parser@1.19.1
+    - deps: bytes@3.1.1
+    - deps: http-errors@1.8.1
+    - deps: qs@6.9.6
+    - deps: raw-body@2.4.2
+    - deps: safe-buffer@5.2.1
+    - deps: type-is@~1.6.18
+  * deps: content-disposition@0.5.4
+    - deps: safe-buffer@5.2.1
+  * deps: cookie@0.4.1
+    - Fix `maxAge` option to reject invalid values
+  * deps: proxy-addr@~2.0.7
+    - Use `req.socket` over deprecated `req.connection`
+    - deps: forwarded@0.2.0
+    - deps: ipaddr.js@1.9.1
+  * deps: qs@6.9.6
+  * deps: safe-buffer@5.2.1
+  * deps: send@0.17.2
+    - deps: http-errors@1.8.1
+    - deps: ms@2.1.3
+    - pref: ignore empty http tokens
+  * deps: serve-static@1.14.2
+    - deps: send@0.17.2
+  * deps: setprototypeof@1.2.0
+
+4.17.1 / 2019-05-25
+===================
+
+  * Revert "Improve error message for `null`/`undefined` to `res.status`"
+
+4.17.0 / 2019-05-16
+===================
+
+  * Add `express.raw` to parse bodies into `Buffer`
+  * Add `express.text` to parse bodies into string
+  * Improve error message for non-strings to `res.sendFile`
+  * Improve error message for `null`/`undefined` to `res.status`
+  * Support multiple hosts in `X-Forwarded-Host`
+  * deps: accepts@~1.3.7
+  * deps: body-parser@1.19.0
+    - Add encoding MIK
+    - Add petabyte (`pb`) support
+    - Fix parsing array brackets after index
+    - deps: bytes@3.1.0
+    - deps: http-errors@1.7.2
+    - deps: iconv-lite@0.4.24
+    - deps: qs@6.7.0
+    - deps: raw-body@2.4.0
+    - deps: type-is@~1.6.17
+  * deps: content-disposition@0.5.3
+  * deps: cookie@0.4.0
+    - Add `SameSite=None` support
+  * deps: finalhandler@~1.1.2
+    - Set stricter `Content-Security-Policy` header
+    - deps: parseurl@~1.3.3
+    - deps: statuses@~1.5.0
+  * deps: parseurl@~1.3.3
+  * deps: proxy-addr@~2.0.5
+    - deps: ipaddr.js@1.9.0
+  * deps: qs@6.7.0
+    - Fix parsing array brackets after index
+  * deps: range-parser@~1.2.1
+  * deps: send@0.17.1
+    - Set stricter CSP header in redirect & error responses
+    - deps: http-errors@~1.7.2
+    - deps: mime@1.6.0
+    - deps: ms@2.1.1
+    - deps: range-parser@~1.2.1
+    - deps: statuses@~1.5.0
+    - perf: remove redundant `path.normalize` call
+  * deps: serve-static@1.14.1
+    - Set stricter CSP header in redirect response
+    - deps: parseurl@~1.3.3
+    - deps: send@0.17.1
+  * deps: setprototypeof@1.1.1
+  * deps: statuses@~1.5.0
+    - Add `103 Early Hints`
+  * deps: type-is@~1.6.18
+    - deps: mime-types@~2.1.24
+    - perf: prevent internal `throw` on invalid type
+
+4.16.4 / 2018-10-10
+===================
+
+  * Fix issue where `"Request aborted"` may be logged in `res.sendfile`
+  * Fix JSDoc for `Router` constructor
+  * deps: body-parser@1.18.3
+    - Fix deprecation warnings on Node.js 10+
+    - Fix stack trace for strict json parse error
+    - deps: depd@~1.1.2
+    - deps: http-errors@~1.6.3
+    - deps: iconv-lite@0.4.23
+    - deps: qs@6.5.2
+    - deps: raw-body@2.3.3
+    - deps: type-is@~1.6.16
+  * deps: proxy-addr@~2.0.4
+    - deps: ipaddr.js@1.8.0
+  * deps: qs@6.5.2
+  * deps: safe-buffer@5.1.2
+
+4.16.3 / 2018-03-12
+===================
+
+  * deps: accepts@~1.3.5
+    - deps: mime-types@~2.1.18
+  * deps: depd@~1.1.2
+    - perf: remove argument reassignment
+  * deps: encodeurl@~1.0.2
+    - Fix encoding `%` as last character
+  * deps: finalhandler@1.1.1
+    - Fix 404 output for bad / missing pathnames
+    - deps: encodeurl@~1.0.2
+    - deps: statuses@~1.4.0
+  * deps: proxy-addr@~2.0.3
+    - deps: ipaddr.js@1.6.0
+  * deps: send@0.16.2
+    - Fix incorrect end tag in default error & redirects
+    - deps: depd@~1.1.2
+    - deps: encodeurl@~1.0.2
+    - deps: statuses@~1.4.0
+  * deps: serve-static@1.13.2
+    - Fix incorrect end tag in redirects
+    - deps: encodeurl@~1.0.2
+    - deps: send@0.16.2
+  * deps: statuses@~1.4.0
+  * deps: type-is@~1.6.16
+    - deps: mime-types@~2.1.18
+
+4.16.2 / 2017-10-09
+===================
+
+  * Fix `TypeError` in `res.send` when given `Buffer` and `ETag` header set
+  * perf: skip parsing of entire `X-Forwarded-Proto` header
+
+4.16.1 / 2017-09-29
+===================
+
+  * deps: send@0.16.1
+  * deps: serve-static@1.13.1
+    - Fix regression when `root` is incorrectly set to a file
+    - deps: send@0.16.1
+
+4.16.0 / 2017-09-28
+===================
+
+  * Add `"json escape"` setting for `res.json` and `res.jsonp`
+  * Add `express.json` and `express.urlencoded` to parse bodies
+  * Add `options` argument to `res.download`
+  * Improve error message when autoloading invalid view engine
+  * Improve error messages when non-function provided as middleware
+  * Skip `Buffer` encoding when not generating ETag for small response
+  * Use `safe-buffer` for improved Buffer API
+  * deps: accepts@~1.3.4
+    - deps: mime-types@~2.1.16
+  * deps: content-type@~1.0.4
+    - perf: remove argument reassignment
+    - perf: skip parameter parsing when no parameters
+  * deps: etag@~1.8.1
+    - perf: replace regular expression with substring
+  * deps: finalhandler@1.1.0
+    - Use `res.headersSent` when available
+  * deps: parseurl@~1.3.2
+    - perf: reduce overhead for full URLs
+    - perf: unroll the "fast-path" `RegExp`
+  * deps: proxy-addr@~2.0.2
+    - Fix trimming leading / trailing OWS in `X-Forwarded-For`
+    - deps: forwarded@~0.1.2
+    - deps: ipaddr.js@1.5.2
+    - perf: reduce overhead when no `X-Forwarded-For` header
+  * deps: qs@6.5.1
+    - Fix parsing & compacting very deep objects
+  * deps: send@0.16.0
+    - Add 70 new types for file extensions
+    - Add `immutable` option
+    - Fix missing `</html>` in default error & redirects
+    - Set charset as "UTF-8" for .js and .json
+    - Use instance methods on steam to check for listeners
+    - deps: mime@1.4.1
+    - perf: improve path validation speed
+  * deps: serve-static@1.13.0
+    - Add 70 new types for file extensions
+    - Add `immutable` option
+    - Set charset as "UTF-8" for .js and .json
+    - deps: send@0.16.0
+  * deps: setprototypeof@1.1.0
+  * deps: utils-merge@1.0.1
+  * deps: vary@~1.1.2
+    - perf: improve header token parsing speed
+  * perf: re-use options object when generating ETags
+  * perf: remove dead `.charset` set in `res.jsonp`
+
+4.15.5 / 2017-09-24
+===================
+
+  * deps: debug@2.6.9
+  * deps: finalhandler@~1.0.6
+    - deps: debug@2.6.9
+    - deps: parseurl@~1.3.2
+  * deps: fresh@0.5.2
+    - Fix handling of modified headers with invalid dates
+    - perf: improve ETag match loop
+    - perf: improve `If-None-Match` token parsing
+  * deps: send@0.15.6
+    - Fix handling of modified headers with invalid dates
+    - deps: debug@2.6.9
+    - deps: etag@~1.8.1
+    - deps: fresh@0.5.2
+    - perf: improve `If-Match` token parsing
+  * deps: serve-static@1.12.6
+    - deps: parseurl@~1.3.2
+    - deps: send@0.15.6
+    - perf: improve slash collapsing
+
 4.15.4 / 2017-08-06
 ===================
 
@@ -162,7 +735,7 @@
     - Fix including type extensions in parameters in `Accept` parsing
     - Fix parsing `Accept` parameters with quoted equals
     - Fix parsing `Accept` parameters with quoted semicolons
-    - Many performance improvments
+    - Many performance improvements
     - deps: mime-types@~2.1.11
     - deps: negotiator@0.6.1
   * deps: content-type@~1.0.2
@@ -177,7 +750,7 @@
     - perf: enable strict mode
     - perf: hoist regular expression
     - perf: use for loop in parse
-    - perf: use string concatination for serialization
+    - perf: use string concatenation for serialization
   * deps: finalhandler@0.5.0
     - Change invalid or non-numeric status code to 500
     - Overwrite status message to match set status code
@@ -187,7 +760,7 @@
   * deps: proxy-addr@~1.1.2
     - Fix accepting various invalid netmasks
     - Fix IPv6-mapped IPv4 validation edge cases
-    - IPv4 netmasks must be contingous
+    - IPv4 netmasks must be contiguous
     - IPv6 addresses cannot be used as a netmask
     - deps: ipaddr.js@1.1.1
   * deps: qs@6.2.0
@@ -965,13 +1538,13 @@
    - deps: negotiator@0.4.6
  * deps: debug@1.0.2
  * deps: send@0.4.3
-   - Do not throw un-catchable error on file open race condition
+   - Do not throw uncatchable error on file open race condition
    - Use `escape-html` for HTML escaping
    - deps: debug@1.0.2
    - deps: finished@1.2.2
    - deps: fresh@0.2.2
  * deps: serve-static@1.2.3
-   - Do not throw un-catchable error on file open race condition
+   - Do not throw uncatchable error on file open race condition
    - deps: send@0.4.3
 
 4.4.2 / 2014-06-09
@@ -1812,7 +2385,7 @@
  * deps: connect@2.21.0
    - deprecate `connect(middleware)` -- use `app.use(middleware)` instead
    - deprecate `connect.createServer()` -- use `connect()` instead
-   - fix `res.setHeader()` patch to work with with get -> append -> set pattern
+   - fix `res.setHeader()` patch to work with get -> append -> set pattern
    - deps: compression@~1.0.8
    - deps: errorhandler@~1.1.1
    - deps: express-session@~1.5.0
@@ -1851,7 +2424,7 @@
    - deps: serve-static@1.2.3
  * deps: debug@1.0.2
  * deps: send@0.4.3
-   - Do not throw un-catchable error on file open race condition
+   - Do not throw uncatchable error on file open race condition
    - Use `escape-html` for HTML escaping
    - deps: debug@1.0.2
    - deps: finished@1.2.2
@@ -3023,8 +3596,8 @@ Shaw]
   * Added node v0.1.97 compatibility
   * Added support for deleting cookies via Request#cookie('key', null)
   * Updated haml submodule
-  * Fixed not-found page, now using using charset utf-8
-  * Fixed show-exceptions page, now using using charset utf-8
+  * Fixed not-found page, now using charset utf-8
+  * Fixed show-exceptions page, now using charset utf-8
   * Fixed view support due to fs.readFile Buffers
   * Changed; mime.type() no longer accepts ".type" due to node extname() changes
 
@@ -3036,7 +3609,7 @@ Shaw]
   * Updated haml submodule
   * Changed ETag; removed inode, modified time only
   * Fixed LF to CRLF for setting multiple cookies
-  * Fixed cookie complation; values are now urlencoded
+  * Fixed cookie compilation; values are now urlencoded
   * Fixed cookies parsing; accepts quoted values and url escaped cookies
 
 0.11.0 / 2010-05-06
@@ -3059,7 +3632,7 @@ Shaw]
 ==================
 
   * Added charset support via Request#charset (automatically assigned to 'UTF-8' when respond()'s
-    encoding is set to 'utf8' or 'utf-8'.
+    encoding is set to 'utf8' or 'utf-8').
   * Added "encoding" option to Request#render(). Closes #299
   * Added "dump exceptions" setting, which is enabled by default.
   * Added simple ejs template engine support
@@ -3098,7 +3671,7 @@ Shaw]
   * Added [haml.js](http://github.com/visionmedia/haml.js) submodule; removed haml-js
   * Added callback function support to Request#halt() as 3rd/4th arg
   * Added preprocessing of route param wildcards using param(). Closes #251
-  * Added view partial support (with collections etc)
+  * Added view partial support (with collections etc.)
   * Fixed bug preventing falsey params (such as ?page=0). Closes #286
   * Fixed setting of multiple cookies. Closes #199
   * Changed; view naming convention is now NAME.TYPE.ENGINE (for example page.html.haml)
@@ -3231,7 +3804,7 @@ Shaw]
 
   * Added "plot" format option for Profiler (for gnuplot processing)
   * Added request number to Profiler plugin
-  * Fixed binary encoding for multi-part file uploads, was previously defaulting to UTF8
+  * Fixed binary encoding for multipart file uploads, was previously defaulting to UTF8
   * Fixed issue with routes not firing when not files are present. Closes #184
   * Fixed process.Promise -> events.Promise
 
@@ -3277,7 +3850,7 @@ Shaw]
   * Updated sample chat app to show messages on load
   * Updated libxmljs parseString -> parseHtmlString
   * Fixed `make init` to work with older versions of git
-  * Fixed specs can now run independent specs for those who cant build deps. Closes #127
+  * Fixed specs can now run independent specs for those who can't build deps. Closes #127
   * Fixed issues introduced by the node url module changes. Closes 126.
   * Fixed two assertions failing due to Collection#keys() returning strings
   * Fixed faulty Collection#toArray() spec due to keys() returning strings

Readme.md

@@ -1,18 +1,35 @@
-[![Express Logo](https://i.cloudup.com/zfY6lL7eFa-3000x3000.png)](http://expressjs.com/)
+[![Express Logo](https://i.cloudup.com/zfY6lL7eFa-3000x3000.png)](https://expressjs.com/)
 
-  Fast, unopinionated, minimalist web framework for [node](http://nodejs.org).
+**Fast, unopinionated, minimalist web framework for [Node.js](https://nodejs.org).**
+
+**This project has a [Code of Conduct][].**
+
+## Table of contents
+
+* [Installation](#Installation)
+* [Features](#Features)
+* [Docs & Community](#docs--community)
+* [Quick Start](#Quick-Start)
+* [Running Tests](#Running-Tests)
+* [Philosophy](#Philosophy)
+* [Examples](#Examples)
+* [Contributing to Express](#Contributing)
+* [TC (Technical Committee)](#tc-technical-committee)
+* [Triagers](#triagers)
+* [License](#license)
+
+
+[![NPM Version][npm-version-image]][npm-url]
+[![NPM Downloads][npm-downloads-image]][npm-downloads-url]
+[![OpenSSF Scorecard Badge][ossf-scorecard-badge]][ossf-scorecard-visualizer]
 
-  [![NPM Version][npm-image]][npm-url]
-  [![NPM Downloads][downloads-image]][downloads-url]
-  [![Linux Build][travis-image]][travis-url]
-  [![Windows Build][appveyor-image]][appveyor-url]
-  [![Test Coverage][coveralls-image]][coveralls-url]
 
 ```js
-var express = require('express')
-var app = express()
+import express from 'express'
 
-app.get('/', function (req, res) {
+const app = express()
+
+app.get('/', (req, res) => {
   res.send('Hello World')
 })
 
@@ -21,10 +38,25 @@ app.listen(3000)
 
 ## Installation
 
+This is a [Node.js](https://nodejs.org/en/) module available through the
+[npm registry](https://www.npmjs.com/).
+
+Before installing, [download and install Node.js](https://nodejs.org/en/download/).
+Node.js 18 or higher is required.
+
+If this is a brand new project, make sure to create a `package.json` first with
+the [`npm init` command](https://docs.npmjs.com/creating-a-package-json-file).
+
+Installation is done using the
+[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):
+
 ```bash
-$ npm install express
+npm install express
 ```
 
+Follow [our installing guide](https://expressjs.com/en/starter/installing.html)
+for more information.
+
 ## Features
 
   * Robust routing
@@ -37,18 +69,11 @@ $ npm install express
 
 ## Docs & Community
 
-  * [Website and Documentation](http://expressjs.com/) - [[website repo](https://github.com/expressjs/expressjs.com)]
-  * [#express](https://webchat.freenode.net/?channels=express) on freenode IRC
+  * [Website and Documentation](https://expressjs.com/) - [[website repo](https://github.com/expressjs/expressjs.com)]
   * [GitHub Organization](https://github.com/expressjs) for Official Middleware & Modules
-  * Visit the [Wiki](https://github.com/expressjs/express/wiki)
-  * [Google Group](https://groups.google.com/group/express-js) for discussion
-  * [Gitter](https://gitter.im/expressjs/express) for support and discussion
+  * [Github Discussions](https://github.com/expressjs/discussions) for discussion on the development and usage of Express
 
-**PROTIP** Be sure to read [Migrating from 3.x to 4.x](https://github.com/expressjs/express/wiki/Migrating-from-3.x-to-4.x) as well as [New features in 4.x](https://github.com/expressjs/express/wiki/New-features-in-4.x).
-
-### Security Issues
-
-If you discover a security vulnerability in Express, please see [Security Policies and Procedures](Security.md).
+**PROTIP** Be sure to read the [migration guide to v5](https://expressjs.com/en/guide/migrating-5)
 
 ## Quick Start
 
@@ -57,85 +82,185 @@ If you discover a security vulnerability in Express, please see [Security Polici
   Install the executable. The executable's major version will match Express's:
 
 ```bash
-$ npm install -g express-generator@4
+npm install -g express-generator@4
 ```
 
   Create the app:
 
 ```bash
-$ express /tmp/foo && cd /tmp/foo
+express /tmp/foo && cd /tmp/foo
 ```
 
   Install dependencies:
 
 ```bash
-$ npm install
+npm install
 ```
 
   Start the server:
 
 ```bash
-$ npm start
+npm start
 ```
 
+  View the website at: http://localhost:3000
+
 ## Philosophy
 
   The Express philosophy is to provide small, robust tooling for HTTP servers, making
-  it a great solution for single page applications, web sites, hybrids, or public
+  it a great solution for single page applications, websites, hybrids, or public
   HTTP APIs.
 
   Express does not force you to use any specific ORM or template engine. With support for over
-  14 template engines via [Consolidate.js](https://github.com/tj/consolidate.js),
+  14 template engines via [@ladjs/consolidate](https://github.com/ladjs/consolidate),
   you can quickly craft your perfect framework.
 
 ## Examples
 
-  To view the examples, clone the Express repo and install the dependencies:
+  To view the examples, clone the Express repository:
 
 ```bash
-$ git clone git://github.com/expressjs/express.git --depth 1
-$ cd express
-$ npm install
+git clone https://github.com/expressjs/express.git --depth 1 && cd express
+```
+
+  Then install the dependencies:
+
+```bash
+npm install
 ```
 
   Then run whichever example you want:
 
 ```bash
-$ node examples/content-negotiation
+node examples/content-negotiation
 ```
 
-## Tests
+## Contributing
 
-  To run the test suite, first install the dependencies, then run `npm test`:
+  [![Linux Build][github-actions-ci-image]][github-actions-ci-url]
+  [![Test Coverage][coveralls-image]][coveralls-url]
+
+The Express.js project welcomes all constructive contributions. Contributions take many forms,
+from code for bug fixes and enhancements, to additions and fixes to documentation, additional
+tests, triaging incoming pull requests and issues, and more!
+
+See the [Contributing Guide](Contributing.md) for more technical details on contributing.
+
+### Security Issues
+
+If you discover a security vulnerability in Express, please see [Security Policies and Procedures](Security.md).
+
+### Running Tests
+
+To run the test suite, first install the dependencies:
 
 ```bash
-$ npm install
-$ npm test
+npm install
+```
+
+Then run `npm test`:
+
+```bash
+npm test
 ```
 
 ## People
 
-The original author of Express is [TJ Holowaychuk](https://github.com/tj) [![TJ's Gratipay][gratipay-image-visionmedia]][gratipay-url-visionmedia]
-
-The current lead maintainer is [Douglas Christopher Wilson](https://github.com/dougwilson) [![Doug's Gratipay][gratipay-image-dougwilson]][gratipay-url-dougwilson]
+The original author of Express is [TJ Holowaychuk](https://github.com/tj)
 
 [List of all contributors](https://github.com/expressjs/express/graphs/contributors)
 
+### TC (Technical Committee)
+
+* [UlisesGascon](https://github.com/UlisesGascon) - **Ulises Gascón** (he/him)
+* [jonchurch](https://github.com/jonchurch) - **Jon Church**
+* [wesleytodd](https://github.com/wesleytodd) - **Wes Todd**
+* [LinusU](https://github.com/LinusU) - **Linus Unnebäck**
+* [blakeembrey](https://github.com/blakeembrey) - **Blake Embrey**
+* [sheplu](https://github.com/sheplu) - **Jean Burellier**
+* [crandmck](https://github.com/crandmck) - **Rand McKinney**
+* [ctcpip](https://github.com/ctcpip) - **Chris de Almeida**
+
+<details>
+<summary>TC emeriti members</summary>
+
+#### TC emeriti members
+
+  * [dougwilson](https://github.com/dougwilson) - **Douglas Wilson**
+  * [hacksparrow](https://github.com/hacksparrow) - **Hage Yaapa**
+  * [jonathanong](https://github.com/jonathanong) - **jongleberry**
+  * [niftylettuce](https://github.com/niftylettuce) - **niftylettuce**
+  * [troygoode](https://github.com/troygoode) - **Troy Goode**
+</details>
+
+
+### Triagers
+
+* [aravindvnair99](https://github.com/aravindvnair99) - **Aravind Nair**
+* [bjohansebas](https://github.com/bjohansebas) - **Sebastian Beltran**
+* [carpasse](https://github.com/carpasse) - **Carlos Serrano**
+* [CBID2](https://github.com/CBID2) - **Christine Belzie**
+* [dpopp07](https://github.com/dpopp07) - **Dustin Popp**
+* [UlisesGascon](https://github.com/UlisesGascon) - **Ulises Gascón** (he/him)
+* [mertcanaltin](https://github.com/mertcanaltin) - **Mert Can Altin**
+* [3imed-jaberi](https://github.com/3imed-jaberi) - **Imed Jaberi**
+* [IamLizu](https://github.com/IamLizu) - **S M Mahmudul Hasan** (he/him)
+* [Phillip9587](https://github.com/Phillip9587) - **Phillip Barta**
+* [Sushmeet](https://github.com/Sushmeet) - **Sushmeet Sunger**
+* [rxmarbles](https://github.com/rxmarbles) **Rick Markins** (He/him)
+
+<details>
+<summary>Triagers emeriti members</summary>
+
+#### Emeritus Triagers
+
+  * [AuggieH](https://github.com/AuggieH) - **Auggie Hudak**
+  * [G-Rath](https://github.com/G-Rath) - **Gareth Jones**
+  * [MohammadXroid](https://github.com/MohammadXroid) - **Mohammad Ayashi**
+  * [NawafSwe](https://github.com/NawafSwe) - **Nawaf Alsharqi**
+  * [NotMoni](https://github.com/NotMoni) - **Moni**
+  * [VigneshMurugan](https://github.com/VigneshMurugan) - **Vignesh Murugan**
+  * [davidmashe](https://github.com/davidmashe) - **David Ashe**
+  * [digitaIfabric](https://github.com/digitaIfabric) - **David**
+  * [e-l-i-s-e](https://github.com/e-l-i-s-e) - **Elise Bonner**
+  * [fed135](https://github.com/fed135) - **Frederic Charette**
+  * [firmanJS](https://github.com/firmanJS) - **Firman Abdul Hakim**
+  * [getspooky](https://github.com/getspooky) - **Yasser Ameur**
+  * [ghinks](https://github.com/ghinks) - **Glenn**
+  * [ghousemohamed](https://github.com/ghousemohamed) - **Ghouse Mohamed**
+  * [gireeshpunathil](https://github.com/gireeshpunathil) - **Gireesh Punathil**
+  * [jake32321](https://github.com/jake32321) - **Jake Reed**
+  * [jonchurch](https://github.com/jonchurch) - **Jon Church**
+  * [lekanikotun](https://github.com/lekanikotun) - **Troy Goode**
+  * [marsonya](https://github.com/marsonya) - **Lekan Ikotun**
+  * [mastermatt](https://github.com/mastermatt) - **Matt R. Wilson**
+  * [maxakuru](https://github.com/maxakuru) - **Max Edell**
+  * [mlrawlings](https://github.com/mlrawlings) - **Michael Rawlings**
+  * [rodion-arr](https://github.com/rodion-arr) - **Rodion Abdurakhimov**
+  * [sheplu](https://github.com/sheplu) - **Jean Burellier**
+  * [tarunyadav1](https://github.com/tarunyadav1) - **Tarun yadav**
+  * [tunniclm](https://github.com/tunniclm) - **Mike Tunnicliffe**
+  * [enyoghasim](https://github.com/enyoghasim) - **David Enyoghasim**
+  * [0ss](https://github.com/0ss) - **Salah**
+  * [import-brain](https://github.com/import-brain) - **Eric Cheng** (he/him)
+  * [dakshkhetan](https://github.com/dakshkhetan) - **Daksh Khetan** (he/him)
+  * [lucasraziel](https://github.com/lucasraziel) - **Lucas Soares Do Rego**
+
+</details>
+
+
 ## License
 
   [MIT](LICENSE)
 
-[npm-image]: https://img.shields.io/npm/v/express.svg
-[npm-url]: https://npmjs.org/package/express
-[downloads-image]: https://img.shields.io/npm/dm/express.svg
-[downloads-url]: https://npmjs.org/package/express
-[travis-image]: https://img.shields.io/travis/expressjs/express/master.svg?label=linux
-[travis-url]: https://travis-ci.org/expressjs/express
-[appveyor-image]: https://img.shields.io/appveyor/ci/dougwilson/express/master.svg?label=windows
-[appveyor-url]: https://ci.appveyor.com/project/dougwilson/express
-[coveralls-image]: https://img.shields.io/coveralls/expressjs/express/master.svg
+[coveralls-image]: https://badgen.net/coveralls/c/github/expressjs/express/master
 [coveralls-url]: https://coveralls.io/r/expressjs/express?branch=master
-[gratipay-image-visionmedia]: https://img.shields.io/gratipay/visionmedia.svg
-[gratipay-url-visionmedia]: https://gratipay.com/visionmedia/
-[gratipay-image-dougwilson]: https://img.shields.io/gratipay/dougwilson.svg
-[gratipay-url-dougwilson]: https://gratipay.com/dougwilson/
+[github-actions-ci-image]: https://badgen.net/github/checks/expressjs/express/master?label=CI
+[github-actions-ci-url]: https://github.com/expressjs/express/actions/workflows/ci.yml
+[npm-downloads-image]: https://badgen.net/npm/dm/express
+[npm-downloads-url]: https://npmcharts.com/compare/express?minimal=true
+[npm-url]: https://npmjs.org/package/express
+[npm-version-image]: https://badgen.net/npm/v/express
+[ossf-scorecard-badge]: https://api.scorecard.dev/projects/github.com/expressjs/express/badge
+[ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/expressjs/express
+[Code of Conduct]: https://github.com/expressjs/express/blob/master/Code-Of-Conduct.md

Release-Process.md

@@ -31,7 +31,7 @@ Before publishing, the following preconditions should be met:
   below) will exist documenting:
   - the proposed changes
   - the type of release: patch, minor or major
-  - the version number (according to semantic versioning - http://semver.org)
+  - the version number (according to semantic versioning - https://semver.org)
 - The proposed changes should be complete.
 
 There are two main release flows: patch and non-patch.
@@ -77,6 +77,13 @@ non-patch flow.
 - This branch contains the commits accepted so far that implement the proposal
   in the tracking pull request.
 
+### Pre-release Versions
+
+Alpha and Beta releases are made from a proposal branch. The version number should be
+incremented to the next minor version with a `-beta` or `-alpha` suffix.
+For example, if the next beta release is `5.0.1`, the beta release would be `5.0.1-beta.0`.
+The pre-releases are unstable and not suitable for production use.
+
 ### Patch flow
 
 In the patch flow, simple changes are committed to the release branch which
@@ -122,9 +129,10 @@ $ git merge --ff-only <proposal-branch>
 <release-branch> - see "Release branch" of "Branches" above.
 <proposal-branch> - see "Proposal branch" of "Non-patch flow" above.
 
-**NOTE:** You may need to rebase the proposal branch to allow a fast-forward
-          merge. Using a fast-forward merge keeps the history clean as it does
-          not introduce merge commits.
+> [!NOTE]
+> You may need to rebase the proposal branch to allow a fast-forward
+> merge. Using a fast-forward merge keeps the history clean as it does
+> not introduce merge commits.
 
 ### Step 3. Update the History.md and package.json to the new version number
 
@@ -182,5 +190,13 @@ $ npm login <npm-username>
 $ npm publish
 ```
 
-**NOTE:** The version number to publish will be picked up automatically from
-          package.json.
+> [!NOTE]
+> The version number to publish will be picked up automatically from 
+> package.json.
+          
+### Step 7. Update documentation website
+
+The documentation website https://expressjs.com/ documents the current release version in various places. To update these, follow these steps:
+
+1. Manually run the [`Update External Docs` workflow](https://github.com/expressjs/expressjs.com/actions/workflows/update-external-docs.yml) in expressjs.com repository.
+2. Add a new section to the [changelog](https://github.com/expressjs/expressjs.com/blob/gh-pages/en/changelog/index.md) in the expressjs.com website.

Security.md

@@ -14,7 +14,11 @@ Thank you for improving the security of Express. We appreciate your efforts and
 responsible disclosure and will make every effort to acknowledge your
 contributions.
 
-Report security bugs by emailing the lead maintainer in the Readme.md file.
+Report security bugs by emailing `express-security@lists.openjsf.org`.
+
+To ensure the timely response to your report, please ensure that the entirety
+of the report is contained within the email body and not solely behind a web
+link or an attachment.
 
 The lead maintainer will acknowledge your email within 48 hours, and will send a
 more detailed response within 48 hours indicating the next steps in handling
@@ -23,8 +27,13 @@ endeavor to keep you informed of the progress towards a fix and full
 announcement, and may ask for additional information or guidance.
 
 Report security bugs in third-party modules to the person or team maintaining
-the module. You can also report a vulnerability through the
-[Node Security Project](https://nodesecurity.io/report).
+the module.
+
+## Pre-release Versions
+
+Alpha and Beta releases are unstable and **not suitable for production use**.
+Vulnerabilities found in pre-releases should be reported according to the [Reporting a Bug](#reporting-a-bug) section.
+Due to the unstable nature of the branch it is not guaranteed that any fixes will be released in the next pre-release.
 
 ## Disclosure Policy
 
@@ -37,6 +46,10 @@ involving the following steps:
   * Prepare fixes for all releases still under maintenance. These fixes will be
     released as fast as possible to npm.
 
+## The Express Threat Model
+
+We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md)
+
 ## Comments on this Policy
 
 If you have suggestions on how this process could be improved please submit a

Triager-Guide.md

@@ -0,0 +1,72 @@
+# Express Triager Guide
+
+## Issue Triage Process
+
+When a new issue or pull request is opened the issue will be labeled with `needs triage`.
+If a triage team member is available they can help make sure all the required information
+is provided. Depending on the issue or PR there are several next labels they can add for further
+classification:
+
+* `needs triage`: This can be kept if the triager is unsure which next steps to take
+* `awaiting more info`: If more info has been requested from the author, apply this label.
+* `bug`: Issues that present a reasonable conviction there is a reproducible bug.
+* `enhancement`: Issues that are found to be a reasonable candidate feature additions.
+
+If the issue is a question or discussion, it should be moved to GitHub Discussions.
+
+### Moving Discussions and Questions to GitHub Discussions
+
+For issues labeled with `question` or `discuss`, it is recommended to move them to GitHub Discussions instead:
+
+* **Questions**: User questions that do not appear to be bugs or enhancements should be moved to GitHub Discussions.
+* **Discussions**: Topics for discussion should be moved to GitHub Discussions. If the discussion leads to a new feature or bug identification, it can be moved back to Issues.
+
+In all cases, issues may be closed by maintainers if they don't receive a timely response when
+further information is sought, or when additional questions are asked.
+
+## Approaches and Best Practices for getting into triage contributions
+
+Review the organization's [StatusBoard](https://expressjs.github.io/statusboard/),
+pay special attention to these columns: stars, watchers, open issues, and contributors.
+This gives you a general idea about the criticality and health of the repository.
+Pick a few projects based on that criteria, your interests, and skills (existing or aspiring).
+
+Review the project's contribution guideline if present. In a nutshell,
+commit to the community's standards and values. Review the
+documentation, for most of the projects it is just the README.md, and
+make sure you understand the key APIs, semantics, configurations, and use cases.
+
+It might be helpful to write your own test apps to re-affirm your
+understanding of the key functions. This may identify some gaps in
+documentation, record those as they might be good PR's to open.
+Skim through the issue backlog; identify low hanging issues and mostly new ones.
+From those, attempt to recreate issues based on the OP description and
+ask questions if required. No question is a bad question!
+
+## Removal of Triage Role
+
+There are a few cases where members can be removed as triagers:
+
+- Breaking the CoC or project contributor guidelines
+- Abuse or misuse of the role as deemed by the TC
+- Lack of participation for more than 6 months
+
+If any of these happen we will discuss as a part of the triage portion of the regular TC meetings.
+If you have questions feel free to reach out to any of the TC members.
+
+## Other Helpful Hints:
+
+- Everyone is welcome to attend the [Express Technical Committee Meetings](https://github.com/expressjs/discussions#expressjs-tc-meetings), and as a triager, it might help to get a better idea of what's happening with the project.
+- When exploring the module's functionality there are a few helpful steps:
+  - Turn on `DEBUG=*` (see https://www.npmjs.com/package/debug) to get detailed log information
+  - It is also a good idea to do live debugging to follow the control flow, try using `node --inspect`
+  - It is a good idea to make at least one pass of reading through the entire source
+- When reviewing the list of open issues there are some common types and suggested actions:
+  - New/unattended issues or simple questions: A good place to start
+  - Hard bugs & ongoing discussions: always feel free to chime in and help
+  - Issues that imply gaps in the documentation: open PRs with changes or help the user to do so
+- For recurring issues, it is helpful to create functional examples to demonstrate (publish as gists or a repo)
+- Review and identify the maintainers. If necessary, at-mention one or more of them if you are unsure what to do
+- Make sure all your interactions are professional, welcoming, and respectful to the parties involved.
+- When an issue refers to security concerns, responsibility is delegated to the repository captain or the security group in any public communication. 
+  - If an issue has been open for a long time, the person in charge should be contacted internally through the private Slack chat.

appveyor.yml

@@ -1,26 +0,0 @@
-environment:
-  matrix:
-    - nodejs_version: "0.10"
-    - nodejs_version: "0.12"
-    - nodejs_version: "1.8"
-    - nodejs_version: "2.5"
-    - nodejs_version: "3.3"
-    - nodejs_version: "4.8"
-    - nodejs_version: "5.12"
-    - nodejs_version: "6.11"
-    - nodejs_version: "7.10"
-cache:
-  - node_modules
-install:
-  - ps: Install-Product node $env:nodejs_version
-  - npm rm --save-dev connect-redis
-  - if exist node_modules npm prune
-  - if exist node_modules npm rebuild
-  - npm install
-build: off
-test_script:
-  - node --version
-  - npm --version
-  - npm run test-ci
-  - npm run lint
-version: "{build}"

benchmarks/Makefile

@@ -1,13 +1,17 @@
 
 all:
-	@./run 1 middleware
-	@./run 5 middleware
-	@./run 10 middleware
-	@./run 15 middleware
-	@./run 20 middleware
-	@./run 30 middleware
-	@./run 50 middleware
-	@./run 100 middleware
+	@./run 1 middleware 50
+	@./run 5 middleware 50
+	@./run 10 middleware 50
+	@./run 15 middleware 50
+	@./run 20 middleware 50
+	@./run 30 middleware 50
+	@./run 50 middleware 50
+	@./run 100 middleware 50
+	@./run 10 middleware 100
+	@./run 10 middleware 250
+	@./run 10 middleware 500
+	@./run 10 middleware 1000
 	@echo
 
 .PHONY: all

benchmarks/README.md

@@ -0,0 +1,34 @@
+# Express Benchmarks
+
+## Installation
+
+You will need to install [wrk](https://github.com/wg/wrk/blob/master/INSTALL) in order to run the benchmarks.
+
+## Running
+
+To run the benchmarks, first install the dependencies `npm i`, then run `make`
+
+The output will look something like this:
+
+```
+  50 connections
+  1 middleware
+ 7.15ms
+ 6784.01
+
+ [...redacted...]
+
+  1000 connections
+  10 middleware
+ 139.21ms
+ 6155.19
+
+```
+
+### Tip: Include Node.js version in output
+
+You can use `make && node -v` to include the node.js version in the output.
+
+### Tip: Save the results to a file
+
+You can use `make > results.log` to save the results to a file `results.log`.

benchmarks/middleware.js

@@ -13,10 +13,8 @@ while (n--) {
   });
 }
 
-var body = new Buffer('Hello World');
-
-app.use(function(req, res, next){
-  res.send(body);
+app.use(function(req, res){
+  res.send('Hello World')
 });
 
 app.listen(3333);

benchmarks/run

@@ -4,13 +4,15 @@ echo
 MW=$1 node $2 &
 pid=$!
 
+echo "  $3 connections"
+
 sleep 2
 
 wrk 'http://localhost:3333/?foo[bar]=baz' \
   -d 3 \
-  -c 50 \
+  -c $3 \
   -t 8 \
-  | grep 'Requests/sec' \
-  | awk '{ print "  " $2 }'
+  | grep 'Requests/sec\|Latency' \
+  | awk '{ print " " $2 }'
 
 kill $pid

examples/README.md

@@ -0,0 +1,29 @@
+# Express examples
+
+This page contains list of examples using Express.
+
+- [auth](./auth) - Authentication with login and password
+- [content-negotiation](./content-negotiation) - HTTP content negotiation
+- [cookie-sessions](./cookie-sessions) - Working with cookie-based sessions
+- [cookies](./cookies) - Working with cookies
+- [downloads](./downloads) - Transferring files to client
+- [ejs](./ejs) - Working with Embedded JavaScript templating (ejs)
+- [error-pages](./error-pages) - Creating error pages
+- [error](./error) - Working with error middleware
+- [hello-world](./hello-world) - Simple request handler
+- [markdown](./markdown) - Markdown as template engine
+- [multi-router](./multi-router) - Working with multiple Express routers
+- [mvc](./mvc) - MVC-style controllers
+- [online](./online) - Tracking online user activity with `online` and `redis` packages
+- [params](./params) - Working with route parameters
+- [resource](./resource) - Multiple HTTP operations on the same resource
+- [route-map](./route-map) - Organizing routes using a map
+- [route-middleware](./route-middleware) - Working with route middleware
+- [route-separation](./route-separation) - Organizing routes per each resource
+- [search](./search) - Search API
+- [session](./session) - User sessions
+- [static-files](./static-files) - Serving static files
+- [vhost](./vhost) - Working with virtual hosts
+- [view-constructor](./view-constructor) - Rendering views dynamically
+- [view-locals](./view-locals) - Saving data in request object between middleware calls
+- [web-service](./web-service) - Simple API service

examples/auth/index.js

@@ -1,11 +1,12 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
 var express = require('../..');
-var bodyParser = require('body-parser');
 var hash = require('pbkdf2-password')()
-var path = require('path');
+var path = require('node:path');
 var session = require('express-session');
 
 var app = module.exports = express();
@@ -17,7 +18,7 @@ app.set('views', path.join(__dirname, 'views'));
 
 // middleware
 
-app.use(bodyParser.urlencoded({ extended: false }));
+app.use(express.urlencoded())
 app.use(session({
   resave: false, // don't save session if unmodified
   saveUninitialized: false, // don't create session until something stored
@@ -60,14 +61,14 @@ function authenticate(name, pass, fn) {
   if (!module.parent) console.log('authenticating %s:%s', name, pass);
   var user = users[name];
   // query the db for the given username
-  if (!user) return fn(new Error('cannot find user'));
+  if (!user) return fn(null, null)
   // apply the same algorithm to the POSTed password, applying
   // the hash against the pass / salt, if there is a match we
   // found the user
   hash({ password: pass, salt: user.salt }, function (err, pass, salt, hash) {
     if (err) return fn(err);
-    if (hash == user.hash) return fn(null, user);
-    fn(new Error('invalid password'));
+    if (hash === user.hash) return fn(null, user)
+    fn(null, null)
   });
 }
 
@@ -100,8 +101,10 @@ app.get('/login', function(req, res){
   res.render('login');
 });
 
-app.post('/login', function(req, res){
+app.post('/login', function (req, res, next) {
+  if (!req.body) return res.sendStatus(400)
   authenticate(req.body.username, req.body.password, function(err, user){
+    if (err) return next(err)
     if (user) {
       // Regenerate session when signing in
       // to prevent fixation
@@ -113,7 +116,7 @@ app.post('/login', function(req, res){
         req.session.success = 'Authenticated as ' + user.name
           + ' click to <a href="/logout">logout</a>. '
           + ' You may now access <a href="/restricted">/restricted</a>.';
-        res.redirect('back');
+        res.redirect(req.get('Referrer') || '/');
       });
     } else {
       req.session.error = 'Authentication failed, please check your '

examples/auth/views/head.ejs

@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
   <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
     <title><%= title %></title>
     <style>
       body {
@@ -8,7 +10,7 @@
         font: 13px Helvetica, Arial, sans-serif;
       }
       .error {
-          color: red
+          color: red;
       }
       .success {
           color: green;

examples/auth/views/login.ejs

@@ -1,22 +1,21 @@
 
-<% var title = 'Authentication Example' %>
-<% include head %>
+<%- include('head', { title: 'Authentication Example' }) -%>
 
 <h1>Login</h1>
 <%- message %>
 Try accessing <a href="/restricted">/restricted</a>, then authenticate with "tj" and "foobar".
 <form method="post" action="/login">
   <p>
-    <label>Username:</label>
-    <input type="text" name="username">
+    <label for="username">Username:</label>
+    <input type="text" name="username" id="username">
   </p>
   <p>
-    <label>Password:</label>
-    <input type="text" name="password">
+    <label for="password">Password:</label>
+    <input type="text" name="password" id="password">
   </p>
   <p>
     <input type="submit" value="Login">
   </p>
 </form>
 
-<% include foot %>
+<%- include('foot') -%>

examples/content-negotiation/db.js

@@ -1,3 +1,5 @@
+'use strict'
+
 var users = [];
 
 users.push({ name: 'Tobi' });

examples/content-negotiation/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../../');
 var app = module.exports = express();
 var users = require('./db');

examples/content-negotiation/users.js

@@ -1,3 +1,4 @@
+'use strict'
 
 var users = require('./db');
 

examples/cookie-sessions/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
@@ -11,13 +13,10 @@ var app = module.exports = express();
 app.use(cookieSession({ secret: 'manny is cool' }));
 
 // do something with the session
-app.use(count);
-
-// custom middleware
-function count(req, res) {
+app.get('/', function (req, res) {
   req.session.count = (req.session.count || 0) + 1
   res.send('viewed ' + req.session.count + ' times\n')
-}
+})
 
 /* istanbul ignore next */
 if (!module.parent) {

examples/cookies/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
@@ -6,10 +8,9 @@ var express = require('../../');
 var app = module.exports = express();
 var logger = require('morgan');
 var cookieParser = require('cookie-parser');
-var bodyParser = require('body-parser');
 
 // custom log format
-if ('test' != process.env.NODE_ENV) app.use(logger(':method :url'));
+if (process.env.NODE_ENV !== 'test') app.use(logger(':method :url'))
 
 // parses request cookies, populating
 // req.cookies and req.signedCookies
@@ -18,7 +19,7 @@ if ('test' != process.env.NODE_ENV) app.use(logger(':method :url'));
 app.use(cookieParser('my secret here'));
 
 // parses x-www-form-urlencoded
-app.use(bodyParser.urlencoded({ extended: false }));
+app.use(express.urlencoded())
 
 app.get('/', function(req, res){
   if (req.cookies.remember) {
@@ -32,13 +33,17 @@ app.get('/', function(req, res){
 
 app.get('/forget', function(req, res){
   res.clearCookie('remember');
-  res.redirect('back');
+  res.redirect(req.get('Referrer') || '/');
 });
 
 app.post('/', function(req, res){
   var minute = 60000;
-  if (req.body.remember) res.cookie('remember', 1, { maxAge: minute });
-  res.redirect('back');
+
+  if (req.body && req.body.remember) {
+    res.cookie('remember', 1, { maxAge: minute })
+  }
+
+  res.redirect(req.get('Referrer') || '/');
 });
 
 /* istanbul ignore next */

examples/downloads/files/notes/groceries.txt

@@ -0,0 +1,3 @@
+* milk
+* eggs
+* bread

examples/downloads/index.js

@@ -1,27 +1,32 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
 var express = require('../../');
-var path = require('path');
+var path = require('node:path');
+
 var app = module.exports = express();
 
+// path to where the files are stored on disk
+var FILES_DIR = path.join(__dirname, 'files')
+
 app.get('/', function(req, res){
-  res.send('<ul>'
-    + '<li>Download <a href="/files/amazing.txt">amazing.txt</a>.</li>'
-    + '<li>Download <a href="/files/missing.txt">missing.txt</a>.</li>'
-    + '<li>Download <a href="/files/CCTV大赛上海分赛区.txt">CCTV大赛上海分赛区.txt</a>.</li>'
-    + '</ul>');
+  res.send('<ul>' +
+    '<li>Download <a href="/files/notes/groceries.txt">notes/groceries.txt</a>.</li>' +
+    '<li>Download <a href="/files/amazing.txt">amazing.txt</a>.</li>' +
+    '<li>Download <a href="/files/missing.txt">missing.txt</a>.</li>' +
+    '<li>Download <a href="/files/CCTV大赛上海分赛区.txt">CCTV大赛上海分赛区.txt</a>.</li>' +
+    '</ul>')
 });
 
 // /files/* is accessed via req.params[0]
 // but here we name it :file
-app.get('/files/:file(*)', function(req, res, next){
-  var filePath = path.join(__dirname, 'files', req.params.file);
-
-  res.download(filePath, function (err) {
+app.get('/files/*file', function (req, res, next) {
+  res.download(req.params.file.join('/'), { root: FILES_DIR }, function (err) {
     if (!err) return; // file sent
-    if (err && err.status !== 404) return next(err); // non-404 error
+    if (err.status !== 404) return next(err); // non-404 error
     // file for download not found
     res.statusCode = 404;
     res.send('Cant find that file, sorry!');

examples/ejs/index.js

@@ -1,9 +1,11 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
 var express = require('../../');
-var path = require('path');
+var path = require('node:path');
 
 var app = module.exports = express();
 

examples/ejs/public/stylesheets/style.css

@@ -1,4 +1,4 @@
 body {
   padding: 50px 80px;
-  font: 14px "Helvetica Nueue", "Lucida Grande", Arial, sans-serif;
+  font: 14px "Helvetica Neue", "Lucida Grande", Arial, sans-serif;
 }

examples/ejs/views/header.html

@@ -2,6 +2,7 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
   <title><%= title %></title>
   <link rel="stylesheet" href="/stylesheets/style.css">
 </head>

examples/ejs/views/users.html

@@ -1,4 +1,4 @@
-<% include header.html %>
+<%- include('header.html') -%>
 
 <h1>Users</h1>
 <ul id="users">
@@ -7,4 +7,4 @@
   <% }) %>
 </ul>
 
-<% include footer.html %>
+<%- include('footer.html') -%>

examples/error-pages/index.js

@@ -1,12 +1,14 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
 var express = require('../../');
-var path = require('path');
+var path = require('node:path');
 var app = module.exports = express();
 var logger = require('morgan');
-var silent = 'test' == process.env.NODE_ENV;
+var silent = process.env.NODE_ENV === 'test'
 
 // general config
 app.set('views', path.join(__dirname, 'views'));
@@ -19,7 +21,7 @@ app.enable('verbose errors');
 
 // disable them in production
 // use $ NODE_ENV=production node examples/error-pages
-if ('production' == app.settings.env) app.disable('verbose errors');
+if (app.settings.env === 'production') app.disable('verbose errors')
 
 silent || app.use(logger('dev'));
 

examples/error-pages/views/404.ejs

@@ -1,3 +1,3 @@
-<% include error_header %>
+<%- include('error_header') -%>
 <h2>Cannot find <%= url %></h2>
-<% include footer %>
+<%- include('footer') -%>

examples/error-pages/views/500.ejs

@@ -1,8 +1,8 @@
-<% include error_header %>
+<%- include('error_header') -%>
 <h2>Error: <%= error.message %></h2>
 <% if (settings['verbose errors']) { %>
   <pre><%= error.stack %></pre>
 <% } else { %>
   <p>An error occurred!</p>
 <% } %>
-<% include footer %>
+<%- include('footer') -%>

examples/error-pages/views/error_header.ejs

@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
 <title>Error</title>
 </head>
 

examples/error-pages/views/index.ejs

@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
 <title>Custom Pages Example</title>
 </head>
 

examples/error/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
@@ -5,7 +7,7 @@
 var express = require('../../');
 var logger = require('morgan');
 var app = module.exports = express();
-var test = app.get('env') == 'test';
+var test = app.get('env') === 'test'
 
 if (!test) app.use(logger('dev'));
 
@@ -24,7 +26,7 @@ function error(err, req, res, next) {
   res.send('Internal Server Error');
 }
 
-app.get('/', function(req, res){
+app.get('/', function () {
   // Caught and passed down to the errorHandler middleware
   throw new Error('something broke!');
 });

examples/hello-world/index.js

@@ -1,6 +1,8 @@
+'use strict'
+
 var express = require('../../');
 
-var app = express();
+var app = module.exports = express()
 
 app.get('/', function(req, res){
   res.send('Hello World');

examples/markdown/index.js

@@ -1,12 +1,14 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
 var escapeHtml = require('escape-html');
 var express = require('../..');
-var fs = require('fs');
+var fs = require('node:fs');
 var marked = require('marked');
-var path = require('path');
+var path = require('node:path');
 
 var app = module.exports = express();
 
@@ -24,7 +26,7 @@ app.engine('md', function(path, options, fn){
 
 app.set('views', path.join(__dirname, 'views'));
 
-// make it the default so we dont need .md
+// make it the default, so we don't need .md
 app.set('view engine', 'md');
 
 app.get('/', function(req, res){

examples/multi-router/controllers/api_v1.js

@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../../..');
 
 var apiv1 = express.Router();

examples/multi-router/controllers/api_v2.js

@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../../..');
 
 var apiv2 = express.Router();

examples/multi-router/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../..');
 
 var app = module.exports = express();
@@ -6,7 +8,7 @@ app.use('/api/v1', require('./controllers/api_v1'));
 app.use('/api/v2', require('./controllers/api_v2'));
 
 app.get('/', function(req, res) {
-  res.send('Hello form root route.');
+  res.send('Hello from root route.')
 });
 
 /* istanbul ignore next */

examples/multipart/index.js

@@ -1,60 +0,0 @@
-/**
- * Module dependencies.
- */
-
-var express = require('../..');
-var multiparty = require('multiparty');
-var format = require('util').format;
-
-var app = module.exports = express();
-
-app.get('/', function(req, res){
-  res.send('<form method="post" enctype="multipart/form-data">'
-    + '<p>Title: <input type="text" name="title" /></p>'
-    + '<p>Image: <input type="file" name="image" /></p>'
-    + '<p><input type="submit" value="Upload" /></p>'
-    + '</form>');
-});
-
-app.post('/', function(req, res, next){
-  // create a form to begin parsing
-  var form = new multiparty.Form();
-  var image;
-  var title;
-
-  form.on('error', next);
-  form.on('close', function(){
-    res.send(format('\nuploaded %s (%d Kb) as %s'
-      , image.filename
-      , image.size / 1024 | 0
-      , title));
-  });
-
-  // listen on field event for title
-  form.on('field', function(name, val){
-    if (name !== 'title') return;
-    title = val;
-  });
-
-  // listen on part event for image file
-  form.on('part', function(part){
-    if (!part.filename) return;
-    if (part.name !== 'image') return part.resume();
-    image = {};
-    image.filename = part.filename;
-    image.size = 0;
-    part.on('data', function(buf){
-      image.size += buf.length;
-    });
-  });
-
-
-  // parse the form
-  form.parse(req);
-});
-
-/* istanbul ignore next */
-if (!module.parent) {
-  app.listen(4000);
-  console.log('Express started on port 4000');
-}

examples/mvc/controllers/main/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 exports.index = function(req, res){
   res.redirect('/users');
 };

examples/mvc/controllers/pet/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */

examples/mvc/controllers/pet/views/edit.ejs

@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
 <link rel="stylesheet" href="/style.css">
 <title>Edit <%= pet.name %></title>
 </head>

examples/mvc/controllers/pet/views/show.ejs

@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
 <link rel="stylesheet" href="/style.css">
 <title><%= pet.name %></title>
 </head>

examples/mvc/controllers/user-pet/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */

examples/mvc/controllers/user/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */

examples/mvc/controllers/user/views/edit.hbs

@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
   <link rel="stylesheet" href="/style.css">
   <title>Edit {{user.name}}</title>
 </head>

examples/mvc/controllers/user/views/list.hbs

@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
   <link rel="stylesheet" href="/style.css">
   <title>Users</title>
 </head>

examples/mvc/controllers/user/views/show.hbs

@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
   <link rel="stylesheet" href="/style.css">
   <title>{{user.name}}</title>
 </head>

examples/mvc/db.js

@@ -1,3 +1,5 @@
+'use strict'
+
 // faux database
 
 var pets = exports.pets = [];

examples/mvc/index.js

@@ -1,12 +1,13 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
 var express = require('../..');
 var logger = require('morgan');
-var path = require('path');
+var path = require('node:path');
 var session = require('express-session');
-var bodyParser = require('body-parser');
 var methodOverride = require('method-override');
 
 var app = module.exports = express();
@@ -43,7 +44,7 @@ app.use(session({
 }));
 
 // parse request bodies (req.body)
-app.use(bodyParser.urlencoded({ extended: true }));
+app.use(express.urlencoded({ extended: true }))
 
 // allow overriding methods in query (?_method=put)
 app.use(methodOverride('_method'));

examples/mvc/lib/boot.js

@@ -1,10 +1,12 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
 var express = require('../../..');
-var fs = require('fs');
-var path = require('path');
+var fs = require('node:fs');
+var path = require('node:path');
 
 module.exports = function(parent, options){
   var dir = path.join(__dirname, '..', 'controllers');

examples/mvc/public/style.css

@@ -1,6 +1,6 @@
 body {
   padding: 50px;
-  font: 16px "Helvetica Neue", Helvetica, Arial;
+  font: 16px "Helvetica Neue", Helvetica, Arial, sans-serif;
 }
 a {
   color: #107aff;

examples/mvc/views/404.ejs

@@ -2,6 +2,7 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
     <title>Not Found</title>
     <link rel="stylesheet" href="/style.css">
   </head>

examples/mvc/views/5xx.ejs

@@ -2,6 +2,7 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
     <title>Internal Server Error</title>
     <link rel="stylesheet" href="/style.css">
   </head>

examples/online/index.js

@@ -1,3 +1,4 @@
+'use strict'
 
 // install redis first:
 // https://redis.io/

examples/params/index.js

@@ -1,28 +1,23 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
+var createError = require('http-errors')
 var express = require('../../');
 var app = module.exports = express();
 
 // Faux database
 
 var users = [
-    { name: 'tj' }
+  { name: 'tj' }
   , { name: 'tobi' }
   , { name: 'loki' }
   , { name: 'jane' }
   , { name: 'bandit' }
 ];
 
-// Create HTTP error
-
-function createError(status, message) {
-  var err = new Error(message);
-  err.status = status;
-  return err;
-}
-
 // Convert :to and :from to integers
 
 app.param(['to', 'from'], function(req, res, next, num, name){
@@ -37,7 +32,8 @@ app.param(['to', 'from'], function(req, res, next, num, name){
 // Load user by id
 
 app.param('user', function(req, res, next, id){
-  if (req.user = users[id]) {
+  req.user = users[id]
+  if (req.user) {
     next();
   } else {
     next(createError(404, 'failed to find user'));
@@ -56,7 +52,7 @@ app.get('/', function(req, res){
  * GET :user.
  */
 
-app.get('/user/:user', function(req, res, next){
+app.get('/user/:user', function (req, res) {
   res.send('user ' + req.user.name);
 });
 
@@ -64,7 +60,7 @@ app.get('/user/:user', function(req, res, next){
  * GET users :from - :to.
  */
 
-app.get('/users/:from-:to', function(req, res, next){
+app.get('/users/:from-:to', function (req, res) {
   var from = req.params.from;
   var to = req.params.to;
   var names = users.map(function(user){ return user.name; });

examples/resource/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
@@ -10,7 +12,7 @@ var app = module.exports = express();
 
 app.resource = function(path, obj) {
   this.get(path, obj.index);
-  this.get(path + '/:a..:b.:format?', function(req, res){
+  this.get(path + '/:a..:b{.:format}', function(req, res){
     var a = parseInt(req.params.a, 10);
     var b = parseInt(req.params.b, 10);
     var format = req.params.format;
@@ -26,7 +28,7 @@ app.resource = function(path, obj) {
 // Fake records
 
 var users = [
-    { name: 'tj' }
+  { name: 'tj' }
   , { name: 'ciaran' }
   , { name: 'aaron' }
   , { name: 'guillermo' }

examples/route-map/index.js

@@ -1,10 +1,13 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
+var escapeHtml = require('escape-html')
 var express = require('../../lib/express');
 
-var verbose = process.env.NODE_ENV != 'test';
+var verbose = process.env.NODE_ENV !== 'test'
 
 var app = module.exports = express();
 
@@ -31,7 +34,7 @@ var users = {
   },
 
   get: function(req, res){
-    res.send('user ' + req.params.uid);
+    res.send('user ' +  escapeHtml(req.params.uid))
   },
 
   delete: function(req, res){
@@ -41,11 +44,11 @@ var users = {
 
 var pets = {
   list: function(req, res){
-    res.send('user ' + req.params.uid + '\'s pets');
+    res.send('user ' + escapeHtml(req.params.uid) + '\'s pets')
   },
 
   delete: function(req, res){
-    res.send('delete ' + req.params.uid + '\'s pet ' + req.params.pid);
+    res.send('delete ' + escapeHtml(req.params.uid) + '\'s pet ' + escapeHtml(req.params.pid))
   }
 };
 

examples/route-middleware/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
@@ -15,7 +17,7 @@ var app = express();
 
 // Dummy users
 var users = [
-    { id: 0, name: 'tj', email: 'tj@vision-media.ca', role: 'member' }
+  { id: 0, name: 'tj', email: 'tj@vision-media.ca', role: 'member' }
   , { id: 1, name: 'ciaran', email: 'ciaranj@gmail.com', role: 'member' }
   , { id: 2, name: 'aaron', email: 'aaron.heckmann+github@gmail.com', role: 'admin' }
 ];
@@ -34,7 +36,7 @@ function loadUser(req, res, next) {
 function andRestrictToSelf(req, res, next) {
   // If our authenticated user is the user we are viewing
   // then everything is fine :)
-  if (req.authenticatedUser.id == req.user.id) {
+  if (req.authenticatedUser.id === req.user.id) {
     next();
   } else {
     // You may want to implement specific exceptions
@@ -47,7 +49,7 @@ function andRestrictToSelf(req, res, next) {
 
 function andRestrictTo(role) {
   return function(req, res, next) {
-    if (req.authenticatedUser.role == role) {
+    if (req.authenticatedUser.role === role) {
       next();
     } else {
       next(new Error('Unauthorized'));

examples/route-separation/index.js

@@ -1,13 +1,14 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
 var express = require('../..');
-var path = require('path');
+var path = require('node:path');
 var app = express();
 var logger = require('morgan');
 var cookieParser = require('cookie-parser');
-var bodyParser = require('body-parser');
 var methodOverride = require('method-override');
 var site = require('./site');
 var post = require('./post');
@@ -27,7 +28,7 @@ if (!module.parent) {
 
 app.use(methodOverride('_method'));
 app.use(cookieParser());
-app.use(bodyParser.urlencoded({ extended: true }));
+app.use(express.urlencoded({ extended: true }))
 app.use(express.static(path.join(__dirname, 'public')));
 
 // General
@@ -37,7 +38,7 @@ app.get('/', site.index);
 // User
 
 app.get('/users', user.list);
-app.all('/user/:id/:op?', user.load);
+app.all('/user/:id{/:op}', user.load);
 app.get('/user/:id', user.view);
 app.get('/user/:id/view', user.view);
 app.get('/user/:id/edit', user.edit);

examples/route-separation/post.js

@@ -1,3 +1,5 @@
+'use strict'
+
 // Fake posts database
 
 var posts = [

examples/route-separation/site.js

@@ -1,3 +1,5 @@
+'use strict'
+
 exports.index = function(req, res){
   res.render('index', { title: 'Route Separation Example' });
 };

examples/route-separation/user.js

@@ -1,3 +1,5 @@
+'use strict'
+
 // Fake user database
 
 var users = [
@@ -41,5 +43,5 @@ exports.update = function(req, res){
   var user = req.body.user;
   req.user.name = user.name;
   req.user.email = user.email;
-  res.redirect('back');
+  res.redirect(req.get('Referrer') || '/');
 };

examples/route-separation/views/header.ejs

@@ -2,6 +2,7 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
   <title><%= title %></title>
   <link rel="stylesheet" href="/style.css">
 </head>

examples/route-separation/views/index.ejs

@@ -1,4 +1,4 @@
-<% include header %>
+<%- include('header') -%>
 
 <h1><%= title %></h1>
 
@@ -7,4 +7,4 @@
   <li>Visit the <a href="/posts">posts</a> page.</li>
 </ul>
 
-<% include footer %>
+<%- include('footer') -%>

examples/route-separation/views/posts/index.ejs

@@ -1,4 +1,4 @@
-<% include ../header %>
+<%- include('../header') -%>
 
 <h1>Posts</h1>
 
@@ -9,4 +9,4 @@
   <% }) %>
 </dl>
 
-<% include ../footer %>
+<%- include('../footer') -%>

examples/route-separation/views/users/edit.ejs

@@ -1,9 +1,9 @@
-<% include ../header %>
+<%- include('../header') -%>
 
 <h1>Editing <%= user.name %></h1>
 
 <div id="user">
-  <form action="?_method=put", method="post">
+  <form action="?_method=put" method="post">
     <p>
       Name:
       <input type="text" value="<%= user.name %>" name="user[name]" />
@@ -20,4 +20,4 @@
   </form>
 </div>
 
-<% include ../footer %>
+<%- include('../footer') -%>

examples/route-separation/views/users/index.ejs

@@ -1,4 +1,4 @@
-<% include ../header %>
+<%- include('../header') -%>
 
 <h1><%= title %></h1>
 
@@ -11,4 +11,4 @@
   <% }) %>
 </div>
 
-<% include ../footer %>
+<%- include('../footer') -%>

examples/route-separation/views/users/view.ejs

@@ -1,4 +1,4 @@
-<% include ../header %>
+<%- include('../header') -%>
 
 <h1><%= user.name %></h1>
 
@@ -6,4 +6,4 @@
   <p>Email: <%= user.email %></p>
 </div>
 
-<% include ../footer %>
+<%- include('../footer') -%>

examples/search/index.js

@@ -1,3 +1,4 @@
+'use strict'
 
 // install redis first:
 // https://redis.io/
@@ -11,7 +12,7 @@
  */
 
 var express = require('../..');
-var path = require('path');
+var path = require('node:path');
 var redis = require('redis');
 
 var db = redis.createClient();
@@ -34,10 +35,10 @@ db.sadd('cat', 'luna');
  * GET search for :query.
  */
 
-app.get('/search/:query?', function(req, res){
+app.get('/search/:query?', function(req, res, next){
   var query = req.params.query;
   db.smembers(query, function(err, vals){
-    if (err) return res.send(500);
+    if (err) return next(err);
     res.send(vals);
   });
 });

examples/search/public/client.js

@@ -1,3 +1,5 @@
+'use strict'
+
 var search = document.querySelector('[type=search]');
 var code = document.querySelector('pre');
 
@@ -5,7 +7,7 @@ search.addEventListener('keyup', function(){
   var xhr = new XMLHttpRequest;
   xhr.open('GET', '/search/' + search.value, true);
   xhr.onreadystatechange = function(){
-    if (4 == xhr.readyState) {
+    if (xhr.readyState === 4) {
       code.textContent = xhr.responseText;
     }
   };

examples/search/public/index.html

@@ -2,8 +2,9 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
   <title>Search example</title>
-  <style type="text/css">
+  <style>
     body {
       font: 14px "Helvetica Neue", Helvetica;
       padding: 50px;
@@ -14,7 +15,7 @@
   <h2>Search</h2>
   <p>Try searching for "ferret" or "cat".</p>
   <input type="search" name="search" value="" />
-  <pre />
+  <pre></pre>
   <script src="/client.js" charset="utf-8"></script>
 </body>
 </html>

examples/session/index.js

@@ -1,3 +1,4 @@
+'use strict'
 
 // install redis first:
 // https://redis.io/

examples/session/redis.js

@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */

examples/static-files/index.js

@@ -1,10 +1,12 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
 var express = require('../..');
 var logger = require('morgan');
-var path = require('path');
+var path = require('node:path');
 var app = express();
 
 // log requests

examples/static-files/public/js/app.js

@@ -1 +1 @@
-foo
+// foo

examples/vhost/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */

examples/view-constructor/github-view.js

@@ -1,9 +1,11 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
-var https = require('https');
-var path = require('path');
+var https = require('node:https');
+var path = require('node:path');
 var extname = path.extname;
 
 /**

examples/view-constructor/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */

examples/view-locals/index.js

@@ -1,9 +1,11 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
 
 var express = require('../..');
-var path = require('path');
+var path = require('node:path');
 var User = require('./user');
 var app = express();
 
@@ -13,7 +15,7 @@ app.set('view engine', 'ejs');
 // filter ferrets only
 
 function ferrets(user) {
-  return user.species == 'ferret';
+  return user.species === 'ferret'
 }
 
 // naive nesting approach,
@@ -59,7 +61,7 @@ function users(req, res, next) {
   })
 }
 
-app.get('/middleware', count, users, function(req, res, next){
+app.get('/middleware', count, users, function (req, res) {
   res.render('index', {
     title: 'Users',
     count: req.count,
@@ -97,7 +99,7 @@ function users2(req, res, next) {
   })
 }
 
-app.get('/middleware-locals', count2, users2, function(req, res, next){
+app.get('/middleware-locals', count2, users2, function (req, res) {
   // you can see now how we have much less
   // to pass to res.render(). If we have
   // several routes related to users this

examples/view-locals/user.js

@@ -1,3 +1,5 @@
+'use strict'
+
 module.exports = User;
 
 // faux model

examples/view-locals/views/index.ejs

@@ -2,6 +2,7 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
     <title><%= title %></title>
     <style media="screen">
       body {

examples/web-service/index.js

@@ -1,3 +1,5 @@
+'use strict'
+
 /**
  * Module dependencies.
  */
@@ -8,7 +10,7 @@ var app = module.exports = express();
 
 // create an error with .status. we
 // can then use the property in our
-// custom error handler (Connect repects this prop as well)
+// custom error handler (Connect respects this prop as well)
 
 function error(status, msg) {
   var err = new Error(msg);
@@ -32,7 +34,7 @@ app.use('/api', function(req, res, next){
   if (!key) return next(error(400, 'api key required'));
 
   // key is invalid
-  if (!~apiKeys.indexOf(key)) return next(error(401, 'invalid api key'));
+  if (apiKeys.indexOf(key) === -1) return next(error(401, 'invalid api key'))
 
   // all good, store req.key for route access
   req.key = key;
@@ -49,13 +51,13 @@ var apiKeys = ['foo', 'bar', 'baz'];
 // these two objects will serve as our faux database
 
 var repos = [
-    { name: 'express', url: 'http://github.com/expressjs/express' }
-  , { name: 'stylus', url: 'http://github.com/learnboost/stylus' }
-  , { name: 'cluster', url: 'http://github.com/learnboost/cluster' }
+  { name: 'express', url: 'https://github.com/expressjs/express' },
+  { name: 'stylus', url: 'https://github.com/learnboost/stylus' },
+  { name: 'cluster', url: 'https://github.com/learnboost/cluster' }
 ];
 
 var users = [
-    { name: 'tobi' }
+  { name: 'tobi' }
   , { name: 'loki' }
   , { name: 'jane' }
 ];
@@ -69,14 +71,17 @@ var userRepos = {
 // we now can assume the api key is valid,
 // and simply expose the data
 
-app.get('/api/users', function(req, res, next){
+// example: http://localhost:3000/api/users/?api-key=foo
+app.get('/api/users', function (req, res) {
   res.send(users);
 });
 
-app.get('/api/repos', function(req, res, next){
+// example: http://localhost:3000/api/repos/?api-key=foo
+app.get('/api/repos', function (req, res) {
   res.send(repos);
 });
 
+// example: http://localhost:3000/api/user/tobi/repos/?api-key=foo
 app.get('/api/user/:name/repos', function(req, res, next){
   var name = req.params.name;
   var user = userRepos[name];
@@ -102,7 +107,7 @@ app.use(function(err, req, res, next){
 // invoke next() and do not respond.
 app.use(function(req, res){
   res.status(404);
-  res.send({ error: "Lame, can't find that" });
+  res.send({ error: "Sorry, can't find that" })
 });
 
 /* istanbul ignore next */

lib/application.js

@@ -14,22 +14,24 @@
  */
 
 var finalhandler = require('finalhandler');
-var Router = require('./router');
-var methods = require('methods');
-var middleware = require('./middleware/init');
-var query = require('./middleware/query');
 var debug = require('debug')('express:application');
 var View = require('./view');
-var http = require('http');
+var http = require('node:http');
+var methods = require('./utils').methods;
 var compileETag = require('./utils').compileETag;
 var compileQueryParser = require('./utils').compileQueryParser;
 var compileTrust = require('./utils').compileTrust;
-var deprecate = require('depd')('express');
-var flatten = require('array-flatten');
-var merge = require('utils-merge');
-var resolve = require('path').resolve;
-var setPrototypeOf = require('setprototypeof')
+var resolve = require('node:path').resolve;
+var once = require('once')
+var Router = require('router');
+
+/**
+ * Module variables.
+ * @private
+ */
+
 var slice = Array.prototype.slice;
+var flatten = Array.prototype.flat;
 
 /**
  * Application prototype.
@@ -55,11 +57,29 @@ var trustProxyDefaultSymbol = '@@symbol:trust_proxy_default';
  */
 
 app.init = function init() {
-  this.cache = {};
-  this.engines = {};
-  this.settings = {};
+  var router = null;
+
+  this.cache = Object.create(null);
+  this.engines = Object.create(null);
+  this.settings = Object.create(null);
 
   this.defaultConfiguration();
+
+  // Setup getting to lazily add base router
+  Object.defineProperty(this, 'router', {
+    configurable: true,
+    enumerable: true,
+    get: function getrouter() {
+      if (router === null) {
+        router = new Router({
+          caseSensitive: this.enabled('case sensitive routing'),
+          strict: this.enabled('strict routing')
+        });
+      }
+
+      return router;
+    }
+  });
 };
 
 /**
@@ -74,7 +94,7 @@ app.defaultConfiguration = function defaultConfiguration() {
   this.enable('x-powered-by');
   this.set('etag', 'weak');
   this.set('env', env);
-  this.set('query parser', 'extended');
+  this.set('query parser', 'simple')
   this.set('subdomain offset', 2);
   this.set('trust proxy', false);
 
@@ -95,10 +115,10 @@ app.defaultConfiguration = function defaultConfiguration() {
     }
 
     // inherit protos
-    setPrototypeOf(this.request, parent.request)
-    setPrototypeOf(this.response, parent.response)
-    setPrototypeOf(this.engines, parent.engines)
-    setPrototypeOf(this.settings, parent.settings)
+    Object.setPrototypeOf(this.request, parent.request)
+    Object.setPrototypeOf(this.response, parent.response)
+    Object.setPrototypeOf(this.engines, parent.engines)
+    Object.setPrototypeOf(this.settings, parent.settings)
   });
 
   // setup locals
@@ -118,32 +138,6 @@ app.defaultConfiguration = function defaultConfiguration() {
   if (env === 'production') {
     this.enable('view cache');
   }
-
-  Object.defineProperty(this, 'router', {
-    get: function() {
-      throw new Error('\'app.router\' is deprecated!\nPlease see the 3.x to 4.x migration guide for details on how to update your app.');
-    }
-  });
-};
-
-/**
- * lazily adds the base router if it has not yet been added.
- *
- * We cannot add the base router in the defaultConfiguration because
- * it reads app settings which might be set after that has run.
- *
- * @private
- */
-app.lazyrouter = function lazyrouter() {
-  if (!this._router) {
-    this._router = new Router({
-      caseSensitive: this.enabled('case sensitive routing'),
-      strict: this.enabled('strict routing')
-    });
-
-    this._router.use(query(this.get('query parser fn')));
-    this._router.use(middleware.init(this));
-  }
 };
 
 /**
@@ -156,22 +150,31 @@ app.lazyrouter = function lazyrouter() {
  */
 
 app.handle = function handle(req, res, callback) {
-  var router = this._router;
-
   // final handler
   var done = callback || finalhandler(req, res, {
     env: this.get('env'),
     onerror: logerror.bind(this)
   });
 
-  // no routes
-  if (!router) {
-    debug('no routes defined on app');
-    done();
-    return;
+  // set powered by header
+  if (this.enabled('x-powered-by')) {
+    res.setHeader('X-Powered-By', 'Express');
   }
 
-  router.handle(req, res, done);
+  // set circular references
+  req.res = res;
+  res.req = req;
+
+  // alter the prototypes
+  Object.setPrototypeOf(req, this.request)
+  Object.setPrototypeOf(res, this.response)
+
+  // setup locals
+  if (!res.locals) {
+    res.locals = Object.create(null);
+  }
+
+  this.router.handle(req, res, done);
 };
 
 /**
@@ -204,15 +207,14 @@ app.use = function use(fn) {
     }
   }
 
-  var fns = flatten(slice.call(arguments, offset));
+  var fns = flatten.call(slice.call(arguments, offset), Infinity);
 
   if (fns.length === 0) {
-    throw new TypeError('app.use() requires middleware functions');
+    throw new TypeError('app.use() requires a middleware function')
   }
 
-  // setup router
-  this.lazyrouter();
-  var router = this._router;
+  // get router
+  var router = this.router;
 
   fns.forEach(function (fn) {
     // non-express app
@@ -228,8 +230,8 @@ app.use = function use(fn) {
     router.use(path, function mounted_app(req, res, next) {
       var orig = req.app;
       fn.handle(req, res, function (err) {
-        setPrototypeOf(req, orig.request)
-        setPrototypeOf(res, orig.response)
+        Object.setPrototypeOf(req, orig.request)
+        Object.setPrototypeOf(res, orig.response)
         next(err);
       });
     });
@@ -252,8 +254,7 @@ app.use = function use(fn) {
  */
 
 app.route = function route(path) {
-  this.lazyrouter();
-  return this._router.route(path);
+  return this.router.route(path);
 };
 
 /**
@@ -276,7 +277,7 @@ app.route = function route(path) {
  * In this case EJS provides a `.renderFile()` method with
  * the same signature that Express expects: `(path, options, callback)`,
  * though note that it aliases this method as `ejs.__express` internally
- * so if you're using ".ejs" extensions you dont need to do anything.
+ * so if you're using ".ejs" extensions you don't need to do anything.
  *
  * Some template engines do not follow this convention, the
  * [Consolidate.js](https://github.com/tj/consolidate.js)
@@ -319,8 +320,6 @@ app.engine = function engine(ext, fn) {
  */
 
 app.param = function param(name, fn) {
-  this.lazyrouter();
-
   if (Array.isArray(name)) {
     for (var i = 0; i < name.length; i++) {
       this.param(name[i], fn);
@@ -329,7 +328,7 @@ app.param = function param(name, fn) {
     return this;
   }
 
-  this._router.param(name, fn);
+  this.router.param(name, fn);
 
   return this;
 };
@@ -338,7 +337,7 @@ app.param = function param(name, fn) {
  * Assign `setting` to `val`, or return `setting`'s value.
  *
  *    app.set('foo', 'bar');
- *    app.get('foo');
+ *    app.set('foo');
  *    // => "bar"
  *
  * Mounted servers inherit their parent server's settings.
@@ -469,16 +468,14 @@ app.disable = function disable(setting) {
  * Delegate `.VERB(...)` calls to `router.VERB(...)`.
  */
 
-methods.forEach(function(method){
-  app[method] = function(path){
+methods.forEach(function (method) {
+  app[method] = function (path) {
     if (method === 'get' && arguments.length === 1) {
       // app.get(setting)
       return this.set(path);
     }
 
-    this.lazyrouter();
-
-    var route = this._router.route(path);
+    var route = this.route(path);
     route[method].apply(route, slice.call(arguments, 1));
     return this;
   };
@@ -495,9 +492,7 @@ methods.forEach(function(method){
  */
 
 app.all = function all(path) {
-  this.lazyrouter();
-
-  var route = this._router.route(path);
+  var route = this.route(path);
   var args = slice.call(arguments, 1);
 
   for (var i = 0; i < methods.length; i++) {
@@ -507,10 +502,6 @@ app.all = function all(path) {
   return this;
 };
 
-// del -> delete alias
-
-app.del = deprecate.function(app.delete, 'app.del: Use app.delete instead');
-
 /**
  * Render the given view `name` name with `options`
  * and a callback accepting an error and the
@@ -533,7 +524,6 @@ app.render = function render(name, options, callback) {
   var done = callback;
   var engines = this.engines;
   var opts = options;
-  var renderOptions = {};
   var view;
 
   // support callback function as second arg
@@ -542,16 +532,8 @@ app.render = function render(name, options, callback) {
     opts = {};
   }
 
-  // merge app.locals
-  merge(renderOptions, this.locals);
-
-  // merge options._locals
-  if (opts._locals) {
-    merge(renderOptions, opts._locals);
-  }
-
   // merge options
-  merge(renderOptions, opts);
+  var renderOptions = { ...this.locals, ...opts._locals, ...opts };
 
   // set .cache unless explicitly provided
   if (renderOptions.cache == null) {
@@ -601,8 +583,8 @@ app.render = function render(name, options, callback) {
  * and HTTPS server you may do so with the "http"
  * and "https" modules as shown here:
  *
- *    var http = require('http')
- *      , https = require('https')
+ *    var http = require('node:http')
+ *      , https = require('node:https')
  *      , express = require('express')
  *      , app = express();
  *
@@ -614,9 +596,14 @@ app.render = function render(name, options, callback) {
  */
 
 app.listen = function listen() {
-  var server = http.createServer(this);
-  return server.listen.apply(server, arguments);
-};
+  var server = http.createServer(this)
+  var args = Array.prototype.slice.call(arguments)
+  if (typeof args[args.length - 1] === 'function') {
+    var done = args[args.length - 1] = once(args[args.length - 1])
+    server.once('error', done)
+  }
+  return server.listen.apply(server, args)
+}
 
 /**
  * Log error using console.error.

lib/express.js

@@ -12,11 +12,11 @@
  * Module dependencies.
  */
 
-var EventEmitter = require('events').EventEmitter;
+var bodyParser = require('body-parser')
+var EventEmitter = require('node:events').EventEmitter;
 var mixin = require('merge-descriptors');
 var proto = require('./application');
-var Route = require('./router/route');
-var Router = require('./router');
+var Router = require('router');
 var req = require('./request');
 var res = require('./response');
 
@@ -67,45 +67,15 @@ exports.response = res;
  * Expose constructors.
  */
 
-exports.Route = Route;
+exports.Route = Router.Route;
 exports.Router = Router;
 
 /**
  * Expose middleware
  */
 
-exports.query = require('./middleware/query');
+exports.json = bodyParser.json
+exports.raw = bodyParser.raw
 exports.static = require('serve-static');
-
-/**
- * Replace removed middleware with an appropriate error message.
- */
-
-[
-  'json',
-  'urlencoded',
-  'bodyParser',
-  'compress',
-  'cookieSession',
-  'session',
-  'logger',
-  'cookieParser',
-  'favicon',
-  'responseTime',
-  'errorHandler',
-  'timeout',
-  'methodOverride',
-  'vhost',
-  'csrf',
-  'directory',
-  'limit',
-  'multipart',
-  'staticCache',
-].forEach(function (name) {
-  Object.defineProperty(exports, name, {
-    get: function () {
-      throw new Error('Most middleware (like ' + name + ') is no longer bundled with Express and must be installed separately. Please see https://github.com/senchalabs/connect#middleware.');
-    },
-    configurable: true
-  });
-});
+exports.text = bodyParser.text
+exports.urlencoded = bodyParser.urlencoded

lib/middleware/init.js

@@ -1,43 +0,0 @@
-/*!
- * express
- * Copyright(c) 2009-2013 TJ Holowaychuk
- * Copyright(c) 2013 Roman Shtylman
- * Copyright(c) 2014-2015 Douglas Christopher Wilson
- * MIT Licensed
- */
-
-'use strict';
-
-/**
- * Module dependencies.
- * @private
- */
-
-var setPrototypeOf = require('setprototypeof')
-
-/**
- * Initialization middleware, exposing the
- * request and response to each other, as well
- * as defaulting the X-Powered-By header field.
- *
- * @param {Function} app
- * @return {Function}
- * @api private
- */
-
-exports.init = function(app){
-  return function expressInit(req, res, next){
-    if (app.enabled('x-powered-by')) res.setHeader('X-Powered-By', 'Express');
-    req.res = res;
-    res.req = req;
-    req.next = next;
-
-    setPrototypeOf(req, app.request)
-    setPrototypeOf(res, app.response)
-
-    res.locals = res.locals || Object.create(null);
-
-    next();
-  };
-};
-

lib/middleware/query.js

@@ -1,47 +0,0 @@
-/*!
- * express
- * Copyright(c) 2009-2013 TJ Holowaychuk
- * Copyright(c) 2013 Roman Shtylman
- * Copyright(c) 2014-2015 Douglas Christopher Wilson
- * MIT Licensed
- */
-
-'use strict';
-
-/**
- * Module dependencies.
- */
-
-var merge = require('utils-merge')
-var parseUrl = require('parseurl');
-var qs = require('qs');
-
-/**
- * @param {Object} options
- * @return {Function}
- * @api public
- */
-
-module.exports = function query(options) {
-  var opts = merge({}, options)
-  var queryparse = qs.parse;
-
-  if (typeof options === 'function') {
-    queryparse = options;
-    opts = undefined;
-  }
-
-  if (opts !== undefined && opts.allowPrototypes === undefined) {
-    // back-compat for qs module
-    opts.allowPrototypes = true;
-  }
-
-  return function query(req, res, next){
-    if (!req.query) {
-      var val = parseUrl(req).query;
-      req.query = queryparse(val, opts);
-    }
-
-    next();
-  };
-};