test: include edge case tests for res.type() (#7037 )

docs: fix README security policy link (#7029 )
fix: bump qs minimum to ^6.14.2 for CVE-2026-2391 (#7057 )
2026-02-26 18:57:43 +00:00 · 2026-02-23 10:58:26 +01:00 · 2026-02-21 22:15:11 -05:00 · 2026-02-21 22:11:08 -05:00 · 2026-02-14 12:25:36 -05:00 · 2026-02-10 00:10:13 +01:00
190 changed files with 9438 additions and 2455 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -1,4 +1,4 @@
-# http://editorconfig.org
+# https://editorconfig.org
 root = true

 [*]
--- a/.eslintrc
+++ b/.eslintrc
@@ -1,8 +0,0 @@
-{
-  "rules": {
-    "eol-last": "error",
-    "indent": ["error", 2, { "SwitchCase": 1 }],
-    "no-trailing-spaces": "error",
-    "no-unused-vars": ["error", { "vars": "all", "args": "none", "ignoreRestSiblings": true }]
-  }
-}
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -0,0 +1,14 @@
+root: true
+env:
+  es2022: true
+  node: true
+rules:
+  eol-last: error
+  eqeqeq: [error, allow-null]
+  indent: [error, 2, { MemberExpression: "off", SwitchCase: 1 }]
+  no-trailing-spaces: error
+  no-unused-vars: [error, { vars: all, args: none, ignoreRestSiblings: true }]
+  no-restricted-globals:
+    - error
+    - name: Buffer
+      message: Use `import { Buffer } from "node:buffer"` instead of the global Buffer.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: monthly
+      time: "23:00"
+      timezone: Europe/London
+    open-pull-requests-limit: 10
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,117 @@
+name: ci
+
+on:
+  push:
+    branches:
+      - master
+      - develop
+      - '4.x'
+      - '5.x'
+      - '5.0'
+    paths-ignore:
+      - '*.md'
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+# Cancel in progress workflows
+# in the scenario where we already had a run going for that PR/branch/tag but then triggered a new run
+concurrency:
+  group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Setup Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: 'lts/*'
+
+      - name: Install dependencies
+        run: npm install --ignore-scripts --include=dev
+
+      - name: Run lint
+        run: npm run lint
+
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        node-version: [18, 19, 20, 21, 22, 23, 24, 25]
+        # Node.js release schedule: https://nodejs.org/en/about/releases/
+
+    name: Node.js ${{ matrix.node-version }} - ${{matrix.os}}
+
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Configure npm loglevel
+        run: |
+          npm config set loglevel error
+        shell: bash
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Output Node and NPM versions
+        run: |
+          echo "Node.js version: $(node -v)"
+          echo "NPM version: $(npm -v)"
+
+      - name: Run tests
+        shell: bash
+        run: npm run test-ci
+
+      - name: Upload code coverage
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: coverage-node-${{ matrix.node-version }}-${{ matrix.os }}
+          path: ./coverage/lcov.info
+          retention-days: 1
+
+  coverage:
+    needs: test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      checks: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install lcov
+        shell: bash
+        run: sudo apt-get -y install lcov
+
+      - name: Collect coverage reports
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          path: ./coverage
+          pattern: coverage-node-*
+
+      - name: Merge coverage reports
+        shell: bash
+        run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./lcov.info
+
+      - name: Upload coverage report
+        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
+        with:
+          file: ./lcov.info
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,74 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["master"]
+  schedule:
+    - cron: "0 0 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript, actions]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
+        with:
+          languages: ${{ matrix.language }}
+          config: |
+            paths-ignore:
+              - test
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      # - name: Autobuild
+      #   uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
--- a/.github/workflows/legacy.yml
+++ b/.github/workflows/legacy.yml
@@ -0,0 +1,101 @@
+name: legacy
+
+on:
+  push:
+    branches:
+      - master
+      - develop
+      - '4.x'
+      - '5.x'
+      - '5.0'
+    paths-ignore:
+      - '*.md'
+  pull_request:
+    paths-ignore:
+      - '*.md'
+  workflow_dispatch:
+  
+permissions:
+  contents: read
+
+# Cancel in progress workflows
+# in the scenario where we already had a run going for that PR/branch/tag but then triggered a new run
+concurrency:
+  group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        node-version: [16, 17]
+        # Node.js release schedule: https://nodejs.org/en/about/releases/
+
+    name: Node.js ${{ matrix.node-version }} - ${{matrix.os}}
+
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Configure npm loglevel
+        run: |
+          npm config set loglevel error
+        shell: bash
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Output Node and NPM versions
+        run: |
+          echo "Node.js version: $(node -v)"
+          echo "NPM version: $(npm -v)"
+
+      - name: Run tests
+        shell: bash
+        run: npm run test-ci
+
+      - name: Upload code coverage
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: coverage-node-${{ matrix.node-version }}-${{ matrix.os }}
+          path: ./coverage/lcov.info
+          retention-days: 1
+
+  coverage:
+    needs: test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      checks: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install lcov
+        shell: bash
+        run: sudo apt-get -y install lcov
+
+      - name: Collect coverage reports
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          path: ./coverage
+          pattern: coverage-node-*
+
+      - name: Merge coverage reports
+        shell: bash
+        run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./lcov.info
+
+      - name: Upload coverage report
+        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
+        with:
+          file: ./lcov.info
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '16 21 * * 1'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
+        with:
+          sarif_file: results.sarif
--- a/.gitignore
+++ b/.gitignore
@@ -1,26 +1,20 @@
-# OS X
-.DS_Store*
-Icon?
-._*
-
-# Windows
-Thumbs.db
-ehthumbs.db
-Desktop.ini
-
-# Linux
-.directory
-*~
-
-
 # npm
 node_modules
+package-lock.json
+npm-shrinkwrap.json
 *.log
 *.gz

+# Yarn
+yarn-error.log
+yarn.lock

 # Coveralls
+.nyc_output
 coverage

 # Benchmarking
 benchmarks/graphs
+
+# ignore additional files using core.excludesFile
+# https://git-scm.com/docs/gitignore
--- a/.npmrc
+++ b/.npmrc
@@ -0,0 +1 @@
+package-lock=false
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,33 +0,0 @@
-language: node_js
-node_js:
-  - "0.10"
-  - "0.12"
-  - "1.8"
-  - "2.5"
-  - "3.3"
-  - "4.8"
-  - "5.12"
-  - "6.11"
-  - "7.10"
-matrix:
-  include:
-    - node_js: "8"
-      env: "NVM_NODEJS_ORG_MIRROR=https://nodejs.org/download/nightly"
-  allow_failures:
-    # Allow the nightly installs to fail
-    - env: "NVM_NODEJS_ORG_MIRROR=https://nodejs.org/download/nightly"
-sudo: false
-cache:
-  directories:
-    - node_modules
-before_install:
-  # Remove all non-test dependencies
-  - "npm rm --save-dev connect-redis"
-
-  # Update Node.js modules
-  - "test ! -d node_modules || npm prune"
-  - "test ! -d node_modules || npm rebuild"
-script:
-  - "npm run test-ci"
-  - "npm run lint"
-after_script: "npm install coveralls@2.10.0 && cat ./coverage/lcov.info | coveralls"
--- a/Collaborator-Guide.md
+++ b/Collaborator-Guide.md
@@ -1,50 +0,0 @@
-
-## Website Issues
-
-Open issues for the expressjs.com website in https://github.com/expressjs/expressjs.com.
-
-## PRs and Code contributions
-
-* Tests must pass.
-* Follow the [JavaScript Standard Style](http://standardjs.com/) and `npm run lint`.
-* If you fix a bug, add a test.
-
-## Branches
-
-Use the `master` branch for bug fixes or minor work that is intended for the
-current release stream.
-
-Use the correspondingly named branch, e.g. `5.0`, for anything intended for
-a future release of Express.
-
-## Steps for contributing
-
-1. [Create an issue](https://github.com/expressjs/express/issues/new) for the
-   bug you want to fix or the feature that you want to add.
-2. Create your own [fork](https://github.com/expressjs/express) on github, then
-   checkout your fork.
-3. Write your code in your local copy. It's good practice to create a branch for
-   each new issue you work on, although not compulsory.
-4. To run the test suite, first install the dependencies by running `npm install`,
-   then run `npm test`.
-5. Ensure your code is linted by running `npm run lint` -- fix any issue you
-   see listed.
-6. If the tests pass, you can commit your changes to your fork and then create
-   a pull request from there. Make sure to reference your issue from the pull
-   request comments by including the issue number e.g. `#123`.
-
-## Issues which are questions
-
-We will typically close any vague issues or questions that are specific to some
-app you are writing. Please double check the docs and other references before
-being trigger happy with posting a question issue.
-
-Things that will help get your question issue looked at:
-
-* Full and runnable JS code.
-* Clear description of the problem or unexpected behavior.
-* Clear description of the expected result.
-* Steps you have taken to debug it yourself.
-
-If you post a question and do not outline the above items or make it easy for
-us to understand and reproduce your issue, it will be closed.
--- a/Contributing.md
+++ b/Contributing.md
@@ -1,85 +0,0 @@
-# Express.js Community Contributing Guide 1.0
-
-The goal of this document is to create a contribution process that:
-
-* Encourages new contributions.
-* Encourages contributors to remain involved.
-* Avoids unnecessary processes and bureaucracy whenever possible.
-* Creates a transparent decision making process that makes it clear how
-contributors can be involved in decision making.
-
-## Vocabulary
-
-* A **Contributor** is any individual creating or commenting on an issue or pull request.
-* A **Committer** is a subset of contributors who have been given write access to the repository.
-* A **TC (Technical Committee)** is a group of committers representing the required technical
-expertise to resolve rare disputes.
-
-# Logging Issues
-
-Log an issue for any question or problem you might have. When in doubt, log an issue, and
-any additional policies about what to include will be provided in the responses. The only
-exception is security dislosures which should be sent privately.
-
-Committers may direct you to another repository, ask for additional clarifications, and
-add appropriate metadata before the issue is addressed.
-
-Please be courteous and respectful. Every participant is expected to follow the
-project's Code of Conduct.
-
-# Contributions
-
-Any change to resources in this repository must be through pull requests. This applies to all changes
-to documentation, code, binary files, etc. Even long term committers and TC members must use
-pull requests.
-
-No pull request can be merged without being reviewed.
-
-For non-trivial contributions, pull requests should sit for at least 36 hours to ensure that
-contributors in other timezones have time to review. Consideration should also be given to
-weekends and other holiday periods to ensure active committers all have reasonable time to
-become involved in the discussion and review process if they wish.
-
-The default for each contribution is that it is accepted once no committer has an objection.
-During review committers may also request that a specific contributor who is most versed in a
-particular area gives a "LGTM" before the PR can be merged. There is no additional "sign off"
-process for contributions to land. Once all issues brought by committers are addressed it can
-be landed by any committer.
-
-In the case of an objection being raised in a pull request by another committer, all involved
-committers should seek to arrive at a consensus by way of addressing concerns being expressed
-by discussion, compromise on the proposed change, or withdrawal of the proposed change.
-
-If a contribution is controversial and committers cannot agree about how to get it to land
-or if it should land then it should be escalated to the TC. TC members should regularly
-discuss pending contributions in order to find a resolution. It is expected that only a
-small minority of issues be brought to the TC for resolution and that discussion and
-compromise among committers be the default resolution mechanism.
-
-# Becoming a Committer
-
-All contributors who land a non-trivial contribution should be on-boarded in a timely manner,
-and added as a committer, and be given write access to the repository.
-
-Committers are expected to follow this policy and continue to send pull requests, go through
-proper review, and have other committers merge their pull requests.
-
-# TC Process
-
-The TC uses a "consensus seeking" process for issues that are escalated to the TC.
-The group tries to find a resolution that has no open objections among TC members.
-If a consensus cannot be reached that has no objections then a majority wins vote
-is called. It is also expected that the majority of decisions made by the TC are via
-a consensus seeking process and that voting is only used as a last-resort.
-
-Resolution may involve returning the issue to committers with suggestions on how to
-move forward towards a consensus. It is not expected that a meeting of the TC
-will resolve all issues on its agenda during that meeting and may prefer to continue
-the discussion happening among the committers.
-
-Members can be added to the TC at any time. Any committer can nominate another committer
-to the TC and the TC uses its standard consensus seeking process to evaluate whether or
-not to add this new member. Members who do not participate consistently at the level of
-a majority of the other members are expected to resign.
-
-
--- a/History.md
+++ b/History.md
@@ -1,3 +1,167 @@
+# Unreleased Changes
+
+## 🚀 Improvements
+
+* Improve HTML structure in `res.redirect()` responses when HTML format is accepted by adding `<!DOCTYPE html>`, `<title>`, and `<body>` tags for better browser compatibility - by [@Bernice55231](https://github.com/Bernice55231) in [#5167](https://github.com/expressjs/express/pull/5167)
+
+* When calling `app.render` with options set to null, the locals object is handled correctly, preventing unexpected errors and making the method behave the same as when options is omitted or an empty object is passed - by [AkaHarshit](https://github.com/AkaHarshit) in [#6903](https://github.com/expressjs/express/pull/6903)
+
+    ```js
+    app.render('index', null, callback); // now works as expected
+    ```
+
+## ⚡ Performance
+
+* Avoid duplicate Content-Type header processing in `res.send()` when sending string responses without an explicit Content-Type header - by [@bjohansebas](https://github.com/bjohansebas) in [#6991](https://github.com/expressjs/express/pull/6991)
+
+5.2.1 / 2025-12-01
+=======================
+
+* Revert security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))
+  * The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.
+
+5.2.0 / 2025-12-01
+========================
+
+* Security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))
+* deps: `body-parser@^2.2.1`
+* A deprecation warning was added when using `res.redirect` with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.
+
+5.1.0 / 2025-03-31
+========================
+
+* Add support for `Uint8Array` in `res.send()`
+* Add support for ETag option in `res.sendFile()`
+* Add support for multiple links with the same rel in `res.links()`
+* Add funding field to package.json
+* perf: use loop for acceptParams
+* refactor: prefix built-in node module imports
+* deps: remove `setprototypeof`
+* deps: remove `safe-buffer`
+* deps: remove `utils-merge`
+* deps: remove `methods`
+* deps: remove `depd`
+* deps: `debug@^4.4.0`
+* deps: `body-parser@^2.2.0`
+* deps: `router@^2.2.0`
+* deps: `content-type@^1.0.5`
+* deps: `finalhandler@^2.1.0`
+* deps: `qs@^6.14.0`
+* deps: `server-static@2.2.0`
+* deps: `type-is@2.0.1`
+
+5.0.1 / 2024-10-08
+==========
+
+* Update `cookie` semver lock to address [CVE-2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764)
+
+5.0.0 / 2024-09-10
+=========================
+* remove:
+  - `path-is-absolute` dependency - use `path.isAbsolute` instead
+* breaking:
+  * `res.status()` accepts only integers, and input must be greater than 99 and less than 1000
+    * will throw a `RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000.` for inputs outside this range
+    * will throw a `TypeError: Invalid status code: ${code}. Status code must be an integer.` for non integer inputs
+  * deps: send@1.0.0
+  * `res.redirect('back')` and `res.location('back')` is no longer a supported magic string, explicitly use `req.get('Referrer') || '/'`.
+* change:
+  - `res.clearCookie` will ignore user provided `maxAge` and `expires` options
+* deps: cookie-signature@^1.2.1
+* deps: debug@4.3.6
+* deps: merge-descriptors@^2.0.0
+* deps: serve-static@^2.1.0
+* deps: qs@6.13.0
+* deps: accepts@^2.0.0
+* deps: mime-types@^3.0.0
+  - `application/javascript` => `text/javascript`
+* deps: type-is@^2.0.0
+* deps: content-disposition@^1.0.0
+* deps: finalhandler@^2.0.0
+* deps: fresh@^2.0.0
+* deps: body-parser@^2.0.1
+* deps: send@^1.1.0
+
+5.0.0-beta.3 / 2024-03-25
+=========================
+
+This incorporates all changes after 4.19.1 up to 4.19.2.
+
+5.0.0-beta.2 / 2024-03-20
+=========================
+
+This incorporates all changes after 4.17.2 up to 4.19.1.
+
+5.0.0-beta.1 / 2022-02-14
+=========================
+
+This is the first Express 5.0 beta release, based off 4.17.2 and includes
+changes from 5.0.0-alpha.8.
+
+  * change:
+    - Default "query parser" setting to `'simple'`
+    - Requires Node.js 4+
+    - Use `mime-types` for file to content type mapping
+  * deps: array-flatten@3.0.0
+  * deps: body-parser@2.0.0-beta.1
+    - `req.body` is no longer always initialized to `{}`
+    - `urlencoded` parser now defaults `extended` to `false`
+    - Use `on-finished` to determine when body read
+  * deps: router@2.0.0-beta.1
+    - Add new `?`, `*`, and `+` parameter modifiers
+    - Internalize private `router.process_params` method
+    - Matching group expressions are only RegExp syntax
+    - Named matching groups no longer available by position in `req.params`
+    - Regular expressions can only be used in a matching group
+    - Remove `debug` dependency
+    - Special `*` path segment behavior removed
+    - deps: array-flatten@3.0.0
+    - deps: parseurl@~1.3.3
+    - deps: path-to-regexp@3.2.0
+    - deps: setprototypeof@1.2.0
+  * deps: send@1.0.0-beta.1
+    - Change `dotfiles` option default to `'ignore'`
+    - Remove `hidden` option; use `dotfiles` option instead
+    - Use `mime-types` for file to content type mapping
+    - deps: debug@3.1.0
+  * deps: serve-static@2.0.0-beta.1
+    - Change `dotfiles` option default to `'ignore'`
+    - Remove `hidden` option; use `dotfiles` option instead
+    - Use `mime-types` for file to content type mapping
+    - Remove `express.static.mime` export; use `mime-types` package instead
+    - deps: send@1.0.0-beta.1
+
+5.0.0-alpha.8 / 2020-03-25
+==========================
+
+This is the eighth Express 5.0 alpha release, based off 4.17.1 and includes
+changes from 5.0.0-alpha.7.
+
+5.0.0-alpha.7 / 2018-10-26
+==========================
+
+This is the seventh Express 5.0 alpha release, based off 4.16.4 and includes
+changes from 5.0.0-alpha.6.
+
+The major change with this alpha is the basic support for returned, rejected
+Promises in the router.
+
+  * remove:
+    - `path-to-regexp` dependency
+  * deps: debug@3.1.0
+    - Add `DEBUG_HIDE_DATE` environment variable
+    - Change timer to per-namespace instead of global
+    - Change non-TTY date format
+    - Remove `DEBUG_FD` environment variable support
+    - Support 256 namespace colors
+  * deps: router@2.0.0-alpha.1
+    - Add basic support for returned, rejected Promises
+    - Fix JSDoc for `Router` constructor
+    - deps: debug@3.1.0
+    - deps: parseurl@~1.3.2
+    - deps: setprototypeof@1.1.0
+    - deps: utils-merge@1.0.1
+
 5.0.0-alpha.6 / 2017-09-24
 ==========================

@@ -88,6 +252,328 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
  * add:
    - `app.router` is a reference to the base router

+4.20.0 / 2024-09-10
+==========
+  * deps: serve-static@0.16.0
+    * Remove link renderization in html while redirecting
+  * deps: send@0.19.0
+    * Remove link renderization in html while redirecting
+  * deps: body-parser@0.6.0
+    * add `depth` option to customize the depth level in the parser
+    * IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`)
+  * Remove link renderization in html while using `res.redirect`
+  * deps: path-to-regexp@0.1.10
+    - Adds support for named matching groups in the routes using a regex
+    - Adds backtracking protection to parameters without regexes defined
+  * deps: encodeurl@~2.0.0
+    - Removes encoding of `\`, `|`, and `^` to align better with URL spec
+  * Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie`
+    - Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie
+
+4.19.2 / 2024-03-25
+==========
+
+  * Improved fix for open redirect allow list bypass
+
+4.19.1 / 2024-03-20
+==========
+
+  * Allow passing non-strings to res.location with new encoding handling checks
+
+4.19.0 / 2024-03-20
+==========
+
+  * Prevent open redirect allow list bypass due to encodeurl
+  * deps: cookie@0.6.0
+
+4.18.3 / 2024-02-29
+==========
+
+  * Fix routing requests without method
+  * deps: body-parser@1.20.2
+    - Fix strict json error message on Node.js 19+
+    - deps: content-type@~1.0.5
+    - deps: raw-body@2.5.2
+  * deps: cookie@0.6.0
+    - Add `partitioned` option
+
+4.18.2 / 2022-10-08
+===================
+
+  * Fix regression routing a large stack in a single route
+  * deps: body-parser@1.20.1
+    - deps: qs@6.11.0
+    - perf: remove unnecessary object clone
+  * deps: qs@6.11.0
+
+4.18.1 / 2022-04-29
+===================
+
+  * Fix hanging on large stack of sync routes
+
+4.18.0 / 2022-04-25
+===================
+
+  * Add "root" option to `res.download`
+  * Allow `options` without `filename` in `res.download`
+  * Deprecate string and non-integer arguments to `res.status`
+  * Fix behavior of `null`/`undefined` as `maxAge` in `res.cookie`
+  * Fix handling very large stacks of sync middleware
+  * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
+  * Invoke `default` with same arguments as types in `res.format`
+  * Support proper 205 responses using `res.send`
+  * Use `http-errors` for `res.format` error
+  * deps: body-parser@1.20.0
+    - Fix error message for json parse whitespace in `strict`
+    - Fix internal error when inflated body exceeds limit
+    - Prevent loss of async hooks context
+    - Prevent hanging when request already read
+    - deps: depd@2.0.0
+    - deps: http-errors@2.0.0
+    - deps: on-finished@2.4.1
+    - deps: qs@6.10.3
+    - deps: raw-body@2.5.1
+  * deps: cookie@0.5.0
+    - Add `priority` option
+    - Fix `expires` option to reject invalid dates
+  * deps: depd@2.0.0
+    - Replace internal `eval` usage with `Function` constructor
+    - Use instance methods on `process` to check for listeners
+  * deps: finalhandler@1.2.0
+    - Remove set content headers that break response
+    - deps: on-finished@2.4.1
+    - deps: statuses@2.0.1
+  * deps: on-finished@2.4.1
+    - Prevent loss of async hooks context
+  * deps: qs@6.10.3
+  * deps: send@0.18.0
+    - Fix emitted 416 error missing headers property
+    - Limit the headers removed for 304 response
+    - deps: depd@2.0.0
+    - deps: destroy@1.2.0
+    - deps: http-errors@2.0.0
+    - deps: on-finished@2.4.1
+    - deps: statuses@2.0.1
+  * deps: serve-static@1.15.0
+    - deps: send@0.18.0
+  * deps: statuses@2.0.1
+    - Remove code 306
+    - Rename `425 Unordered Collection` to standard `425 Too Early`
+
+4.17.3 / 2022-02-16
+===================
+
+  * deps: accepts@~1.3.8
+    - deps: mime-types@~2.1.34
+    - deps: negotiator@0.6.3
+  * deps: body-parser@1.19.2
+    - deps: bytes@3.1.2
+    - deps: qs@6.9.7
+    - deps: raw-body@2.4.3
+  * deps: cookie@0.4.2
+  * deps: qs@6.9.7
+    * Fix handling of `__proto__` keys
+  * pref: remove unnecessary regexp for trust proxy
+
+4.17.2 / 2021-12-16
+===================
+
+  * Fix handling of `undefined` in `res.jsonp`
+  * Fix handling of `undefined` when `"json escape"` is enabled
+  * Fix incorrect middleware execution with unanchored `RegExp`s
+  * Fix `res.jsonp(obj, status)` deprecation message
+  * Fix typo in `res.is` JSDoc
+  * deps: body-parser@1.19.1
+    - deps: bytes@3.1.1
+    - deps: http-errors@1.8.1
+    - deps: qs@6.9.6
+    - deps: raw-body@2.4.2
+    - deps: safe-buffer@5.2.1
+    - deps: type-is@~1.6.18
+  * deps: content-disposition@0.5.4
+    - deps: safe-buffer@5.2.1
+  * deps: cookie@0.4.1
+    - Fix `maxAge` option to reject invalid values
+  * deps: proxy-addr@~2.0.7
+    - Use `req.socket` over deprecated `req.connection`
+    - deps: forwarded@0.2.0
+    - deps: ipaddr.js@1.9.1
+  * deps: qs@6.9.6
+  * deps: safe-buffer@5.2.1
+  * deps: send@0.17.2
+    - deps: http-errors@1.8.1
+    - deps: ms@2.1.3
+    - pref: ignore empty http tokens
+  * deps: serve-static@1.14.2
+    - deps: send@0.17.2
+  * deps: setprototypeof@1.2.0
+
+4.17.1 / 2019-05-25
+===================
+
+  * Revert "Improve error message for `null`/`undefined` to `res.status`"
+
+4.17.0 / 2019-05-16
+===================
+
+  * Add `express.raw` to parse bodies into `Buffer`
+  * Add `express.text` to parse bodies into string
+  * Improve error message for non-strings to `res.sendFile`
+  * Improve error message for `null`/`undefined` to `res.status`
+  * Support multiple hosts in `X-Forwarded-Host`
+  * deps: accepts@~1.3.7
+  * deps: body-parser@1.19.0
+    - Add encoding MIK
+    - Add petabyte (`pb`) support
+    - Fix parsing array brackets after index
+    - deps: bytes@3.1.0
+    - deps: http-errors@1.7.2
+    - deps: iconv-lite@0.4.24
+    - deps: qs@6.7.0
+    - deps: raw-body@2.4.0
+    - deps: type-is@~1.6.17
+  * deps: content-disposition@0.5.3
+  * deps: cookie@0.4.0
+    - Add `SameSite=None` support
+  * deps: finalhandler@~1.1.2
+    - Set stricter `Content-Security-Policy` header
+    - deps: parseurl@~1.3.3
+    - deps: statuses@~1.5.0
+  * deps: parseurl@~1.3.3
+  * deps: proxy-addr@~2.0.5
+    - deps: ipaddr.js@1.9.0
+  * deps: qs@6.7.0
+    - Fix parsing array brackets after index
+  * deps: range-parser@~1.2.1
+  * deps: send@0.17.1
+    - Set stricter CSP header in redirect & error responses
+    - deps: http-errors@~1.7.2
+    - deps: mime@1.6.0
+    - deps: ms@2.1.1
+    - deps: range-parser@~1.2.1
+    - deps: statuses@~1.5.0
+    - perf: remove redundant `path.normalize` call
+  * deps: serve-static@1.14.1
+    - Set stricter CSP header in redirect response
+    - deps: parseurl@~1.3.3
+    - deps: send@0.17.1
+  * deps: setprototypeof@1.1.1
+  * deps: statuses@~1.5.0
+    - Add `103 Early Hints`
+  * deps: type-is@~1.6.18
+    - deps: mime-types@~2.1.24
+    - perf: prevent internal `throw` on invalid type
+
+4.16.4 / 2018-10-10
+===================
+
+  * Fix issue where `"Request aborted"` may be logged in `res.sendfile`
+  * Fix JSDoc for `Router` constructor
+  * deps: body-parser@1.18.3
+    - Fix deprecation warnings on Node.js 10+
+    - Fix stack trace for strict json parse error
+    - deps: depd@~1.1.2
+    - deps: http-errors@~1.6.3
+    - deps: iconv-lite@0.4.23
+    - deps: qs@6.5.2
+    - deps: raw-body@2.3.3
+    - deps: type-is@~1.6.16
+  * deps: proxy-addr@~2.0.4
+    - deps: ipaddr.js@1.8.0
+  * deps: qs@6.5.2
+  * deps: safe-buffer@5.1.2
+
+4.16.3 / 2018-03-12
+===================
+
+  * deps: accepts@~1.3.5
+    - deps: mime-types@~2.1.18
+  * deps: depd@~1.1.2
+    - perf: remove argument reassignment
+  * deps: encodeurl@~1.0.2
+    - Fix encoding `%` as last character
+  * deps: finalhandler@1.1.1
+    - Fix 404 output for bad / missing pathnames
+    - deps: encodeurl@~1.0.2
+    - deps: statuses@~1.4.0
+  * deps: proxy-addr@~2.0.3
+    - deps: ipaddr.js@1.6.0
+  * deps: send@0.16.2
+    - Fix incorrect end tag in default error & redirects
+    - deps: depd@~1.1.2
+    - deps: encodeurl@~1.0.2
+    - deps: statuses@~1.4.0
+  * deps: serve-static@1.13.2
+    - Fix incorrect end tag in redirects
+    - deps: encodeurl@~1.0.2
+    - deps: send@0.16.2
+  * deps: statuses@~1.4.0
+  * deps: type-is@~1.6.16
+    - deps: mime-types@~2.1.18
+
+4.16.2 / 2017-10-09
+===================
+
+  * Fix `TypeError` in `res.send` when given `Buffer` and `ETag` header set
+  * perf: skip parsing of entire `X-Forwarded-Proto` header
+
+4.16.1 / 2017-09-29
+===================
+
+  * deps: send@0.16.1
+  * deps: serve-static@1.13.1
+    - Fix regression when `root` is incorrectly set to a file
+    - deps: send@0.16.1
+
+4.16.0 / 2017-09-28
+===================
+
+  * Add `"json escape"` setting for `res.json` and `res.jsonp`
+  * Add `express.json` and `express.urlencoded` to parse bodies
+  * Add `options` argument to `res.download`
+  * Improve error message when autoloading invalid view engine
+  * Improve error messages when non-function provided as middleware
+  * Skip `Buffer` encoding when not generating ETag for small response
+  * Use `safe-buffer` for improved Buffer API
+  * deps: accepts@~1.3.4
+    - deps: mime-types@~2.1.16
+  * deps: content-type@~1.0.4
+    - perf: remove argument reassignment
+    - perf: skip parameter parsing when no parameters
+  * deps: etag@~1.8.1
+    - perf: replace regular expression with substring
+  * deps: finalhandler@1.1.0
+    - Use `res.headersSent` when available
+  * deps: parseurl@~1.3.2
+    - perf: reduce overhead for full URLs
+    - perf: unroll the "fast-path" `RegExp`
+  * deps: proxy-addr@~2.0.2
+    - Fix trimming leading / trailing OWS in `X-Forwarded-For`
+    - deps: forwarded@~0.1.2
+    - deps: ipaddr.js@1.5.2
+    - perf: reduce overhead when no `X-Forwarded-For` header
+  * deps: qs@6.5.1
+    - Fix parsing & compacting very deep objects
+  * deps: send@0.16.0
+    - Add 70 new types for file extensions
+    - Add `immutable` option
+    - Fix missing `</html>` in default error & redirects
+    - Set charset as "UTF-8" for .js and .json
+    - Use instance methods on steam to check for listeners
+    - deps: mime@1.4.1
+    - perf: improve path validation speed
+  * deps: serve-static@1.13.0
+    - Add 70 new types for file extensions
+    - Add `immutable` option
+    - Set charset as "UTF-8" for .js and .json
+    - deps: send@0.16.0
+  * deps: setprototypeof@1.1.0
+  * deps: utils-merge@1.0.1
+  * deps: vary@~1.1.2
+    - perf: improve header token parsing speed
+  * perf: re-use options object when generating ETags
+  * perf: remove dead `.charset` set in `res.jsonp`
+
 4.15.5 / 2017-09-24
 ===================

@@ -274,7 +760,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
    - Fix including type extensions in parameters in `Accept` parsing
    - Fix parsing `Accept` parameters with quoted equals
    - Fix parsing `Accept` parameters with quoted semicolons
-    - Many performance improvments
+    - Many performance improvements
    - deps: mime-types@~2.1.11
    - deps: negotiator@0.6.1
  * deps: content-type@~1.0.2
@@ -289,7 +775,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
    - perf: enable strict mode
    - perf: hoist regular expression
    - perf: use for loop in parse
-    - perf: use string concatination for serialization
+    - perf: use string concatenation for serialization
  * deps: finalhandler@0.5.0
    - Change invalid or non-numeric status code to 500
    - Overwrite status message to match set status code
@@ -299,7 +785,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
  * deps: proxy-addr@~1.1.2
    - Fix accepting various invalid netmasks
    - Fix IPv6-mapped IPv4 validation edge cases
-    - IPv4 netmasks must be contingous
+    - IPv4 netmasks must be contiguous
    - IPv6 addresses cannot be used as a netmask
    - deps: ipaddr.js@1.1.1
  * deps: qs@6.2.0
@@ -1077,13 +1563,13 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
   - deps: negotiator@0.4.6
 * deps: debug@1.0.2
 * deps: send@0.4.3
-   - Do not throw un-catchable error on file open race condition
+   - Do not throw uncatchable error on file open race condition
   - Use `escape-html` for HTML escaping
   - deps: debug@1.0.2
   - deps: finished@1.2.2
   - deps: fresh@0.2.2
 * deps: serve-static@1.2.3
-   - Do not throw un-catchable error on file open race condition
+   - Do not throw uncatchable error on file open race condition
   - deps: send@0.4.3

 4.4.2 / 2014-06-09
@@ -1924,7 +2410,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
 * deps: connect@2.21.0
   - deprecate `connect(middleware)` -- use `app.use(middleware)` instead
   - deprecate `connect.createServer()` -- use `connect()` instead
-   - fix `res.setHeader()` patch to work with with get -> append -> set pattern
+   - fix `res.setHeader()` patch to work with get -> append -> set pattern
   - deps: compression@~1.0.8
   - deps: errorhandler@~1.1.1
   - deps: express-session@~1.5.0
@@ -1963,7 +2449,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
   - deps: serve-static@1.2.3
 * deps: debug@1.0.2
 * deps: send@0.4.3
-   - Do not throw un-catchable error on file open race condition
+   - Do not throw uncatchable error on file open race condition
   - Use `escape-html` for HTML escaping
   - deps: debug@1.0.2
   - deps: finished@1.2.2
@@ -3135,8 +3621,8 @@ Shaw]
  * Added node v0.1.97 compatibility
  * Added support for deleting cookies via Request#cookie('key', null)
  * Updated haml submodule
-  * Fixed not-found page, now using using charset utf-8
-  * Fixed show-exceptions page, now using using charset utf-8
+  * Fixed not-found page, now using charset utf-8
+  * Fixed show-exceptions page, now using charset utf-8
  * Fixed view support due to fs.readFile Buffers
  * Changed; mime.type() no longer accepts ".type" due to node extname() changes

@@ -3148,7 +3634,7 @@ Shaw]
  * Updated haml submodule
  * Changed ETag; removed inode, modified time only
  * Fixed LF to CRLF for setting multiple cookies
-  * Fixed cookie complation; values are now urlencoded
+  * Fixed cookie compilation; values are now urlencoded
  * Fixed cookies parsing; accepts quoted values and url escaped cookies

 0.11.0 / 2010-05-06
@@ -3171,7 +3657,7 @@ Shaw]
 ==================

  * Added charset support via Request#charset (automatically assigned to 'UTF-8' when respond()'s
-    encoding is set to 'utf8' or 'utf-8'.
+    encoding is set to 'utf8' or 'utf-8').
  * Added "encoding" option to Request#render(). Closes #299
  * Added "dump exceptions" setting, which is enabled by default.
  * Added simple ejs template engine support
@@ -3210,7 +3696,7 @@ Shaw]
  * Added [haml.js](http://github.com/visionmedia/haml.js) submodule; removed haml-js
  * Added callback function support to Request#halt() as 3rd/4th arg
  * Added preprocessing of route param wildcards using param(). Closes #251
-  * Added view partial support (with collections etc)
+  * Added view partial support (with collections etc.)
  * Fixed bug preventing falsey params (such as ?page=0). Closes #286
  * Fixed setting of multiple cookies. Closes #199
  * Changed; view naming convention is now NAME.TYPE.ENGINE (for example page.html.haml)
@@ -3343,7 +3829,7 @@ Shaw]

  * Added "plot" format option for Profiler (for gnuplot processing)
  * Added request number to Profiler plugin
-  * Fixed binary encoding for multi-part file uploads, was previously defaulting to UTF8
+  * Fixed binary encoding for multipart file uploads, was previously defaulting to UTF8
  * Fixed issue with routes not firing when not files are present. Closes #184
  * Fixed process.Promise -> events.Promise

@@ -3389,7 +3875,7 @@ Shaw]
  * Updated sample chat app to show messages on load
  * Updated libxmljs parseString -> parseHtmlString
  * Fixed `make init` to work with older versions of git
-  * Fixed specs can now run independent specs for those who cant build deps. Closes #127
+  * Fixed specs can now run independent specs for those who can't build deps. Closes #127
  * Fixed issues introduced by the node url module changes. Closes 126.
  * Fixed two assertions failing due to Collection#keys() returning strings
  * Fixed faulty Collection#toArray() spec due to keys() returning strings
--- a/Readme-Guide.md
+++ b/Readme-Guide.md
@@ -1,125 +0,0 @@
-# README guidelines
-
-Every module in the expressjs, pillarjs, and jshttp organizations should have
-a README file named `README.md`. The purpose of the README is to:
-
- Explain the purpose of the module and how to use it.
- Act as a landing page (both on GitHub and npmjs.com) for the module to help
-  people find it via search. Middleware module READMEs are also incorporated
-  into https://expressjs.com/en/resources/middleware.html.
- Encourage community contributions and participation.
-
-Use the [README template](https://github.com/expressjs/express/wiki/README-template)
-to quickly create a new README file.
-
-## Top-level items
-
-**Badges** (optional): At the very top (with no subheading), include any
-applicable badges, such as npm version/downloads, build status, test coverage,
-and so on. Badges should resolve properly (not display a broken image).
-
-Possible badges include:
- npm version: `[![NPM Version][npm-image]][npm-url]`
- npm downloads: `[![NPM Downloads][downloads-image]][downloads-url]`
- Build status: `[![Build Status][travis-image]][travis-url]`
- Test coverage: `[![Test Coverage][coveralls-image]][coveralls-url]`
- Tips: `[![Gratipay][gratipay-image]][gratipay-url]`
-
-**Summary**: Following badges, provide a one- or two-sentence description of
-what the module does. This should be the same as the npmjs.org blurb (which
-comes from the description property of `package.json`). Since npm doesn't
-handle markdown for the blurb, avoid using markdown in the summary sentence.
-
-**TOC** (Optional): For longer READMEs, provide a table of contents that has
-a relative link to each section. A tool such as
-[doctoc](https://www.npmjs.com/package/doctoc) makes it very easy to generate
-a TOC.
-
-## Overview
-
-Optionally, include a section of one or two paragraphs with more high-level
-information on what the module does, what problems it solves, why one would
-use it and how.  Don't just repeat what's in the summary.
-
-## Installation
-
-Required. This section is typically just:
-
-```sh
-$ npm install module-name
-```
-
-But include any other steps or requirements.
-
-NOTE: Use the `sh` code block to make the shell command display properly on
-the website.
-
-## Basic use
-
- Provide a general description of how to use the module with code sample.
-  Include any important caveats or restrictions.
- Explain the most common use cases.
- Optional: a simple "hello world" type example (where applicable). This
-  example is in addition to the more comprehensive [example section](#examples)
-  later.
-
-## API
-
-Provide complete API documentation.
-
-Formatting conventions: Each function is listed in a 3rd-level heading (`###`),
-like this:
-
-```
-### Function_name(arg, options [, optional_arg]  ... )
-```
-
-**Options objects**
-
-For arguments that are objects (for example, options object), describe the
-properties in a table, as follows. This matches the formatting used in the
-[Express API docs](https://expressjs.com/en/4x/api.html).
-
-|Property | Description | Type | Default|
-|----------|-----------|------------|-------------|
-|Name of the property in `monospace`. | Brief description | String, Number, Boolean, etc. | If applicable.|
-
-If all the properties are required (i.e. there are no defaults), then you
-can omit the default column.
-
-Instead of very lengthy descriptions, link out to subsequent paragraphs for
-more detailed explanation of specific cases (e.g. "When this property is set
-to 'foobar', xyz happens; see &lt;link to following section &gt;.)
-
-If there are options properties that are themselves options, use additional
-tables. See [`trust proxy` and `etag` properties](https://expressjs.com/en/4x/api.html#app.settings.table).
-
-## Examples
-
-Every README should have at least one example; ideally more.  For code samples,
-be sure to use the `js` code block, for proper display in the website, e.g.:
-
-```js
-var csurf = require('csurf')
-...
-```
-
-## Tests
-
-What tests are included.
-
-How to run them.
-
-The convention for running tests is `npm test`. All our projects should follow
-this convention.
-
-## Contributors
-
-Names of module "owners" (lead developers) and other developers who have
-contributed.
-
-## License
-
-Link to the license, with a short description of what it is, e.g. "MIT" or
-whatever. Ideally, avoid putting the license text directly in the README; link
-to it instead.
--- a/Readme.md
+++ b/Readme.md
@@ -1,30 +1,71 @@
-[![Express Logo](https://i.cloudup.com/zfY6lL7eFa-3000x3000.png)](http://expressjs.com/)
+[![Express Logo](https://i.cloudup.com/zfY6lL7eFa-3000x3000.png)](https://expressjs.com/)

-  Fast, unopinionated, minimalist web framework for [node](http://nodejs.org).
+**Fast, unopinionated, minimalist web framework for [Node.js](https://nodejs.org).**
+
+**This project has a [Code of Conduct].**
+
+## Table of contents
+
+- [Table of contents](#table-of-contents)
+- [Installation](#installation)
+- [Features](#features)
+- [Docs \& Community](#docs--community)
+- [Quick Start](#quick-start)
+- [Philosophy](#philosophy)
+- [Examples](#examples)
+- [Contributing](#contributing)
+  - [Security Issues](#security-issues)
+  - [Running Tests](#running-tests)
+- [Current project team members](#current-project-team-members)
+  - [TC (Technical Committee)](#tc-technical-committee)
+    - [TC emeriti members](#tc-emeriti-members)
+  - [Triagers](#triagers)
+    - [Emeritus Triagers](#emeritus-triagers)
+- [License](#license)
+
+
+[![NPM Version][npm-version-image]][npm-url]
+[![NPM Downloads][npm-downloads-image]][npm-downloads-url]
+[![Linux Build][github-actions-ci-image]][github-actions-ci-url]
+[![Test Coverage][coveralls-image]][coveralls-url]
+[![OpenSSF Scorecard Badge][ossf-scorecard-badge]][ossf-scorecard-visualizer]

-  [![NPM Version][npm-image]][npm-url]
-  [![NPM Downloads][downloads-image]][downloads-url]
-  [![Linux Build][travis-image]][travis-url]
-  [![Windows Build][appveyor-image]][appveyor-url]
-  [![Test Coverage][coveralls-image]][coveralls-url]

 ```js
-var express = require('express')
-var app = express()
+import express from 'express'

-app.get('/', function (req, res) {
+const app = express()
+
+app.get('/', (req, res) => {
  res.send('Hello World')
 })

-app.listen(3000)
+app.listen(3000, () => {
+  console.log('Server is running on http://localhost:3000')
+})
 ```

 ## Installation

+This is a [Node.js](https://nodejs.org/en/) module available through the
+[npm registry](https://www.npmjs.com/).
+
+Before installing, [download and install Node.js](https://nodejs.org/en/download/).
+Node.js 18 or higher is required.
+
+If this is a brand new project, make sure to create a `package.json` first with
+the [`npm init` command](https://docs.npmjs.com/creating-a-package-json-file).
+
+Installation is done using the
+[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):
+
 ```bash
-$ npm install express
+npm install express
 ```

+Follow [our installing guide](https://expressjs.com/en/starter/installing.html)
+for more information.
+
 ## Features

  * Robust routing
@@ -37,18 +78,11 @@ $ npm install express

 ## Docs & Community

-  * [Website and Documentation](http://expressjs.com/) - [[website repo](https://github.com/expressjs/expressjs.com)]
-  * [#express](https://webchat.freenode.net/?channels=express) on freenode IRC
+  * [Website and Documentation](https://expressjs.com/) - [[website repo](https://github.com/expressjs/expressjs.com)]
  * [GitHub Organization](https://github.com/expressjs) for Official Middleware & Modules
-  * Visit the [Wiki](https://github.com/expressjs/express/wiki)
-  * [Google Group](https://groups.google.com/group/express-js) for discussion
-  * [Gitter](https://gitter.im/expressjs/express) for support and discussion
+  * [Github Discussions](https://github.com/expressjs/discussions) for discussion on the development and usage of Express

-**PROTIP** Be sure to read [Migrating from 3.x to 4.x](https://github.com/expressjs/express/wiki/Migrating-from-3.x-to-4.x) as well as [New features in 4.x](https://github.com/expressjs/express/wiki/New-features-in-4.x).
-
-### Security Issues
-
-If you discover a security vulnerability in Express, please see [Security Policies and Procedures](Security.md).
+**PROTIP** Be sure to read the [migration guide to v5](https://expressjs.com/en/guide/migrating-5)

 ## Quick Start

@@ -57,85 +91,188 @@ If you discover a security vulnerability in Express, please see [Security Polici
  Install the executable. The executable's major version will match Express's:

 ```bash
-$ npm install -g express-generator@4
+npm install -g express-generator@4
 ```

  Create the app:

 ```bash
-$ express /tmp/foo && cd /tmp/foo
+express /tmp/foo && cd /tmp/foo
 ```

  Install dependencies:

 ```bash
-$ npm install
+npm install
 ```

  Start the server:

 ```bash
-$ npm start
+npm start
 ```

+  View the website at: http://localhost:3000
+
 ## Philosophy

  The Express philosophy is to provide small, robust tooling for HTTP servers, making
-  it a great solution for single page applications, web sites, hybrids, or public
+  it a great solution for single page applications, websites, hybrids, or public
  HTTP APIs.

  Express does not force you to use any specific ORM or template engine. With support for over
-  14 template engines via [Consolidate.js](https://github.com/tj/consolidate.js),
+  14 template engines via [@ladjs/consolidate](https://github.com/ladjs/consolidate),
  you can quickly craft your perfect framework.

 ## Examples

-  To view the examples, clone the Express repo and install the dependencies:
+  To view the examples, clone the Express repository:

 ```bash
-$ git clone git://github.com/expressjs/express.git --depth 1
-$ cd express
-$ npm install
+git clone https://github.com/expressjs/express.git --depth 1 && cd express
+```
+
+  Then install the dependencies:
+
+```bash
+npm install
 ```

  Then run whichever example you want:

 ```bash
-$ node examples/content-negotiation
+node examples/content-negotiation
 ```

-## Tests
+## Contributing

-  To run the test suite, first install the dependencies, then run `npm test`:
+The Express.js project welcomes all constructive contributions. Contributions take many forms,
+from code for bug fixes and enhancements, to additions and fixes to documentation, additional
+tests, triaging incoming pull requests and issues, and more!
+
+See the [Contributing Guide] for more technical details on contributing.
+
+### Security Issues
+
+If you discover a security vulnerability in Express, please see [Security Policies and Procedures](https://github.com/expressjs/express/security/policy).
+
+### Running Tests
+
+To run the test suite, first install the dependencies:

 ```bash
-$ npm install
-$ npm test
+npm install
 ```

-## People
+Then run `npm test`:

-The original author of Express is [TJ Holowaychuk](https://github.com/tj) [![TJ's Gratipay][gratipay-image-visionmedia]][gratipay-url-visionmedia]
+```bash
+npm test
+```

-The current lead maintainer is [Douglas Christopher Wilson](https://github.com/dougwilson) [![Doug's Gratipay][gratipay-image-dougwilson]][gratipay-url-dougwilson]
+## Current project team members
+
+For information about the governance of the express.js project, see [GOVERNANCE.md](https://github.com/expressjs/discussions/blob/HEAD/docs/GOVERNANCE.md).
+
+The original author of Express is [TJ Holowaychuk](https://github.com/tj)

 [List of all contributors](https://github.com/expressjs/express/graphs/contributors)

+### TC (Technical Committee)
+
+* [UlisesGascon](https://github.com/UlisesGascon) - **Ulises Gascón** (he/him)
+* [jonchurch](https://github.com/jonchurch) - **Jon Church**
+* [wesleytodd](https://github.com/wesleytodd) - **Wes Todd**
+* [LinusU](https://github.com/LinusU) - **Linus Unnebäck**
+* [blakeembrey](https://github.com/blakeembrey) - **Blake Embrey**
+* [sheplu](https://github.com/sheplu) - **Jean Burellier**
+* [crandmck](https://github.com/crandmck) - **Rand McKinney**
+* [ctcpip](https://github.com/ctcpip) - **Chris de Almeida**
+
+<details>
+<summary>TC emeriti members</summary>
+
+#### TC emeriti members
+
+  * [dougwilson](https://github.com/dougwilson) - **Douglas Wilson**
+  * [hacksparrow](https://github.com/hacksparrow) - **Hage Yaapa**
+  * [jonathanong](https://github.com/jonathanong) - **jongleberry**
+  * [niftylettuce](https://github.com/niftylettuce) - **niftylettuce**
+  * [troygoode](https://github.com/troygoode) - **Troy Goode**
+</details>
+
+
+### Triagers
+
+* [aravindvnair99](https://github.com/aravindvnair99) - **Aravind Nair**
+* [bjohansebas](https://github.com/bjohansebas) - **Sebastian Beltran**
+* [carpasse](https://github.com/carpasse) - **Carlos Serrano**
+* [CBID2](https://github.com/CBID2) - **Christine Belzie**
+* [UlisesGascon](https://github.com/UlisesGascon) - **Ulises Gascón** (he/him)
+* [IamLizu](https://github.com/IamLizu) - **S M Mahmudul Hasan** (he/him)
+* [Phillip9587](https://github.com/Phillip9587) - **Phillip Barta**
+* [efekrskl](https://github.com/efekrskl) - **Efe Karasakal**
+* [rxmarbles](https://github.com/rxmarbles) - **Rick Markins** (he/him)
+* [krzysdz](https://github.com/krzysdz)
+* [GroophyLifefor](https://github.com/GroophyLifefor) - **Murat Kirazkaya**
+
+<details>
+<summary>Triagers emeriti members</summary>
+
+#### Emeritus Triagers
+
+  * [AuggieH](https://github.com/AuggieH) - **Auggie Hudak**
+  * [G-Rath](https://github.com/G-Rath) - **Gareth Jones**
+  * [MohammadXroid](https://github.com/MohammadXroid) - **Mohammad Ayashi**
+  * [NawafSwe](https://github.com/NawafSwe) - **Nawaf Alsharqi**
+  * [NotMoni](https://github.com/NotMoni) - **Moni**
+  * [VigneshMurugan](https://github.com/VigneshMurugan) - **Vignesh Murugan**
+  * [davidmashe](https://github.com/davidmashe) - **David Ashe**
+  * [digitaIfabric](https://github.com/digitaIfabric) - **David**
+  * [e-l-i-s-e](https://github.com/e-l-i-s-e) - **Elise Bonner**
+  * [fed135](https://github.com/fed135) - **Frederic Charette**
+  * [firmanJS](https://github.com/firmanJS) - **Firman Abdul Hakim**
+  * [getspooky](https://github.com/getspooky) - **Yasser Ameur**
+  * [ghinks](https://github.com/ghinks) - **Glenn**
+  * [ghousemohamed](https://github.com/ghousemohamed) - **Ghouse Mohamed**
+  * [gireeshpunathil](https://github.com/gireeshpunathil) - **Gireesh Punathil**
+  * [jake32321](https://github.com/jake32321) - **Jake Reed**
+  * [jonchurch](https://github.com/jonchurch) - **Jon Church**
+  * [lekanikotun](https://github.com/lekanikotun) - **Troy Goode**
+  * [marsonya](https://github.com/marsonya) - **Lekan Ikotun**
+  * [mastermatt](https://github.com/mastermatt) - **Matt R. Wilson**
+  * [maxakuru](https://github.com/maxakuru) - **Max Edell**
+  * [mlrawlings](https://github.com/mlrawlings) - **Michael Rawlings**
+  * [rodion-arr](https://github.com/rodion-arr) - **Rodion Abdurakhimov**
+  * [sheplu](https://github.com/sheplu) - **Jean Burellier**
+  * [tarunyadav1](https://github.com/tarunyadav1) - **Tarun yadav**
+  * [tunniclm](https://github.com/tunniclm) - **Mike Tunnicliffe**
+  * [enyoghasim](https://github.com/enyoghasim) - **David Enyoghasim**
+  * [0ss](https://github.com/0ss) - **Salah**
+  * [import-brain](https://github.com/import-brain) - **Eric Cheng** (he/him)
+  * [dakshkhetan](https://github.com/dakshkhetan) - **Daksh Khetan** (he/him)
+  * [lucasraziel](https://github.com/lucasraziel) - **Lucas Soares Do Rego**
+  * [mertcanaltin](https://github.com/mertcanaltin) - **Mert Can Altin**
+  * [dpopp07](https://github.com/dpopp07) - **Dustin Popp**
+  * [Sushmeet](https://github.com/Sushmeet) - **Sushmeet Sunger**
+  * [3imed-jaberi](https://github.com/3imed-jaberi) - **Imed Jaberi**
+
+</details>
+
+
 ## License

  [MIT](LICENSE)

-[npm-image]: https://img.shields.io/npm/v/express.svg
-[npm-url]: https://npmjs.org/package/express
-[downloads-image]: https://img.shields.io/npm/dm/express.svg
-[downloads-url]: https://npmjs.org/package/express
-[travis-image]: https://img.shields.io/travis/expressjs/express/master.svg?label=linux
-[travis-url]: https://travis-ci.org/expressjs/express
-[appveyor-image]: https://img.shields.io/appveyor/ci/dougwilson/express/master.svg?label=windows
-[appveyor-url]: https://ci.appveyor.com/project/dougwilson/express
-[coveralls-image]: https://img.shields.io/coveralls/expressjs/express/master.svg
+[coveralls-image]: https://img.shields.io/coverallsCoverage/github/expressjs/express?branch=master
 [coveralls-url]: https://coveralls.io/r/expressjs/express?branch=master
-[gratipay-image-visionmedia]: https://img.shields.io/gratipay/visionmedia.svg
-[gratipay-url-visionmedia]: https://gratipay.com/visionmedia/
-[gratipay-image-dougwilson]: https://img.shields.io/gratipay/dougwilson.svg
-[gratipay-url-dougwilson]: https://gratipay.com/dougwilson/
+[github-actions-ci-image]: https://img.shields.io/github/actions/workflow/status/expressjs/express/ci.yml?branch=master&label=ci
+[github-actions-ci-url]: https://github.com/expressjs/express/actions/workflows/ci.yml
+[npm-downloads-image]: https://img.shields.io/npm/dm/express
+[npm-downloads-url]: https://npmcharts.com/compare/express?minimal=true
+[npm-url]: https://npmjs.org/package/express
+[npm-version-image]: https://img.shields.io/npm/v/express
+[ossf-scorecard-badge]: https://api.scorecard.dev/projects/github.com/expressjs/express/badge
+[ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/expressjs/express
+[Code of Conduct]: https://github.com/expressjs/.github/blob/HEAD/CODE_OF_CONDUCT.md
+[Contributing Guide]: https://github.com/expressjs/.github/blob/HEAD/CONTRIBUTING.md
--- a/Release-Process.md
+++ b/Release-Process.md
@@ -1,186 +0,0 @@
-# Express Release Process
-
-This document contains the technical aspects of the Express release process. The
-intended audience is those who have been authorized by the Express Technical
-Committee (TC) to create, promote and sign official release builds for Express,
-as npm packages hosted on https://npmjs.com/package/express.
-
-## Who can make releases?
-
-Release authorization is given by the Express TC. Once authorized, an individual
-must have the following access permissions:
-
-### 1. Github release access
-
-The individual making the release will need to be a member of the
-expressjs/express team with Write permission level so they are able to tag the
-release commit and push changes to the expressjs/express repository
-(see Steps 4 and 5).
-
-### 2. npmjs.com release access
-
-The individual making the release will need to be made an owner on the
-`express` package on npmjs.com so they are able to publish the release
-(see Step 6).
-
-## How to publish a release
-
-Before publishing, the following preconditions should be met:
-
- A release proposal issue or tracking pull request (see "Proposal branch"
-  below) will exist documenting:
-  - the proposed changes
-  - the type of release: patch, minor or major
-  - the version number (according to semantic versioning - http://semver.org)
- The proposed changes should be complete.
-
-There are two main release flows: patch and non-patch.
-
-The patch flow is for making **patch releases**. As per semantic versioning,
-patch releases are for simple changes, eg: typo fixes, patch dependency updates,
-and simple/low-risk bug fixes. Every other type of change is made via the
-non-patch flow.
-
-### Branch terminology
-
-"Master branch"
-
- There is a branch in git used for the current major version of Express, named
-  `master`.
- This branch contains the completed commits for the next patch release of the
-  current major version.
- Releases for the current major version are published from this branch.
-
-"Version branch"
-
- For any given major version of Express (current, previous or next) there is
-  a branch in git for that release named `<major-version>.x` (eg: `4.x`).
- This branch points to the commit of the latest tag for the given major version.
-
-"Release branch"
-
- For any given major version of Express, there is a branch used for publishing
-  releases.
- For the current major version of Express, the release branch is the
-  "Master branch" named `master`.
- For all other major versions of Express, the release branch is the
-  "Version branch" named `<major-version>.x`.
-
-"Proposal branch"
-
- A branch in git representing a proposed new release of Express. This can be a
-  minor or major release, named `<major-version>.0` for a major release,
-  `<major-version>.<minor-version>` for a minor release.
- A tracking pull request should exist to document the proposed release,
-  targeted at the appropriate release branch. Prior to opening the tracking
-  pull request the content of the release may have be discussed in an issue.
- This branch contains the commits accepted so far that implement the proposal
-  in the tracking pull request.
-
-### Patch flow
-
-In the patch flow, simple changes are committed to the release branch which
-acts as an ever-present branch for the next patch release of the associated
-major version of Express.
-
-The release branch is usually kept in a state where it is ready to release.
-Releases are made when sufficient time or change has been made to warrant it.
-This is usually proposed and decided using a github issue.
-
-### Non-patch flow
-
-In the non-patch flow, changes are committed to a temporary proposal branch
-created specifically for that release proposal. The branch is based on the
-most recent release of the major version of Express that the release targets.
-
-Releases are made when all the changes on a proposal branch are complete and
-approved. This is done by merging the proposal branch into the release branch
-(using a fast-forward merge), tagging it with the new version number and
-publishing the release package to npmjs.com.
-
-### Flow
-
-Below is a detailed description of the steps to publish a release.
-
-#### Step 1. Check the release is ready to publish
-
-Check any relevant information to ensure the release is ready, eg: any
-milestone, label, issue or tracking pull request for the release. The release
-is ready when all proposed code, tests and documentation updates are complete
-(either merged, closed or re-targeted to another release).
-
-#### Step 2. (Non-patch flow only) Merge the proposal branch into the release branch
-
-In the patch flow: skip this step.
-
-In the non-patch flow:
-```sh
-$ git checkout <release-branch>
-$ git merge --ff-only <proposal-branch>
-```
-
-<release-branch> - see "Release branch" of "Branches" above.
-<proposal-branch> - see "Proposal branch" of "Non-patch flow" above.
-
-**NOTE:** You may need to rebase the proposal branch to allow a fast-forward
-          merge. Using a fast-forward merge keeps the history clean as it does
-          not introduce merge commits.
-
-### Step 3. Update the History.md and package.json to the new version number
-
-The changes so far for the release should already be documented under the
-"unreleased" section at the top of the History.md file, as per the usual
-development practice. Change "unreleased" to the new release version / date.
-Example diff fragment:
-
-```diff
-unreleased
-==========
-+4.13.3 / 2015-08-02
-+===================
-```
-
-The version property in the package.json should already contain the version of
-the previous release. Change it to the new release version.
-
-Commit these changes together under a single commit with the message set to
-the new release version (eg: `4.13.3`):
-
-```sh
-$ git checkout <release-branch>
-<..edit files..>
-$ git add History.md package.json
-$ git commit -m '<version-number>'
-```
-
-### Step 4. Identify and tag the release commit with the new release version
-
-Create a lightweight tag (rather than an annotated tag) named after the new
-release version (eg: `4.13.3`).
-
-```sh
-$ git tag <version-number>
-```
-
-### Step 5. Push the release branch changes and tag to github
-
-The branch and tag should be pushed directly to the main repository
-(https://github.com/expressjs/express).
-
-```sh
-$ git push origin <release-branch>
-$ git push origin <version-number>
-```
-
-### Step 6. Publish to npmjs.com
-
-Ensure your local working copy is completely clean (no extra or changed files).
-You can use `git status` for this purpose.
-
-```sh
-$ npm login <npm-username>
-$ npm publish
-```
-
-**NOTE:** The version number to publish will be picked up automatically from
-          package.json.
--- a/Security.md
+++ b/Security.md
@@ -1,43 +0,0 @@
-# Security Policies and Procedures
-
-This document outlines security procedures and general policies for the Express
-project.
-
-  * [Reporting a Bug](#reporting-a-bug)
-  * [Disclosure Policy](#disclosure-policy)
-  * [Comments on this Policy](#comments-on-this-policy)
-
-## Reporting a Bug
-
-The Express team and community take all security bugs in Express seriously.
-Thank you for improving the security of Express. We appreciate your efforts and
-responsible disclosure and will make every effort to acknowledge your
-contributions.
-
-Report security bugs by emailing the lead maintainer in the Readme.md file.
-
-The lead maintainer will acknowledge your email within 48 hours, and will send a
-more detailed response within 48 hours indicating the next steps in handling
-your report. After the initial reply to your report, the security team will
-endeavor to keep you informed of the progress towards a fix and full
-announcement, and may ask for additional information or guidance.
-
-Report security bugs in third-party modules to the person or team maintaining
-the module. You can also report a vulnerability through the
-[Node Security Project](https://nodesecurity.io/report).
-
-## Disclosure Policy
-
-When the security team receives a security bug report, they will assign it to a
-primary handler. This person will coordinate the fix and release process,
-involving the following steps:
-
-  * Confirm the problem and determine the affected versions.
-  * Audit code to find any potential similar problems.
-  * Prepare fixes for all releases still under maintenance. These fixes will be
-    released as fast as possible to npm.
-
-## Comments on this Policy
-
-If you have suggestions on how this process could be improved please submit a
-pull request.
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -1,26 +0,0 @@
-environment:
-  matrix:
-    - nodejs_version: "0.10"
-    - nodejs_version: "0.12"
-    - nodejs_version: "1.8"
-    - nodejs_version: "2.5"
-    - nodejs_version: "3.3"
-    - nodejs_version: "4.8"
-    - nodejs_version: "5.12"
-    - nodejs_version: "6.11"
-    - nodejs_version: "7.10"
-cache:
-  - node_modules
-install:
-  - ps: Install-Product node $env:nodejs_version
-  - npm rm --save-dev connect-redis
-  - if exist node_modules npm prune
-  - if exist node_modules npm rebuild
-  - npm install
-build: off
-test_script:
-  - node --version
-  - npm --version
-  - npm run test-ci
-  - npm run lint
-version: "{build}"
--- a/benchmarks/Makefile
+++ b/benchmarks/Makefile
@@ -1,13 +0,0 @@
-
-all:
-	@./run 1 middleware
-	@./run 5 middleware
-	@./run 10 middleware
-	@./run 15 middleware
-	@./run 20 middleware
-	@./run 30 middleware
-	@./run 50 middleware
-	@./run 100 middleware
-	@echo
-
-.PHONY: all
--- a/benchmarks/middleware.js
+++ b/benchmarks/middleware.js
@@ -1,22 +0,0 @@
-
-var express = require('..');
-var app = express();
-
-// number of middleware
-
-var n = parseInt(process.env.MW || '1', 10);
-console.log('  %s middleware', n);
-
-while (n--) {
-  app.use(function(req, res, next){
-    next();
-  });
-}
-
-var body = new Buffer('Hello World');
-
-app.use(function(req, res, next){
-  res.send(body);
-});
-
-app.listen(3333);
--- a/benchmarks/run
+++ b/benchmarks/run
@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-
-echo
-MW=$1 node $2 &
-pid=$!
-
-sleep 2
-
-wrk 'http://localhost:3333/?foo[bar]=baz' \
-  -d 3 \
-  -c 50 \
-  -t 8 \
-  | grep 'Requests/sec' \
-  | awk '{ print "  " $2 }'
-
-kill $pid
--- a/examples/README.md
+++ b/examples/README.md
@@ -0,0 +1,29 @@
+# Express examples
+
+This page contains list of examples using Express.
+
+- [auth](./auth) - Authentication with login and password
+- [content-negotiation](./content-negotiation) - HTTP content negotiation
+- [cookie-sessions](./cookie-sessions) - Working with cookie-based sessions
+- [cookies](./cookies) - Working with cookies
+- [downloads](./downloads) - Transferring files to client
+- [ejs](./ejs) - Working with Embedded JavaScript templating (ejs)
+- [error-pages](./error-pages) - Creating error pages
+- [error](./error) - Working with error middleware
+- [hello-world](./hello-world) - Simple request handler
+- [markdown](./markdown) - Markdown as template engine
+- [multi-router](./multi-router) - Working with multiple Express routers
+- [mvc](./mvc) - MVC-style controllers
+- [online](./online) - Tracking online user activity with `online` and `redis` packages
+- [params](./params) - Working with route parameters
+- [resource](./resource) - Multiple HTTP operations on the same resource
+- [route-map](./route-map) - Organizing routes using a map
+- [route-middleware](./route-middleware) - Working with route middleware
+- [route-separation](./route-separation) - Organizing routes per each resource
+- [search](./search) - Search API
+- [session](./session) - User sessions
+- [static-files](./static-files) - Serving static files
+- [vhost](./vhost) - Working with virtual hosts
+- [view-constructor](./view-constructor) - Rendering views dynamically
+- [view-locals](./view-locals) - Saving data in request object between middleware calls
+- [web-service](./web-service) - Simple API service
--- a/examples/auth/index.js
+++ b/examples/auth/index.js
@@ -1,11 +1,12 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

 var express = require('../..');
-var bodyParser = require('body-parser');
 var hash = require('pbkdf2-password')()
-var path = require('path');
+var path = require('node:path');
 var session = require('express-session');

 var app = module.exports = express();
@@ -17,7 +18,7 @@ app.set('views', path.join(__dirname, 'views'));

 // middleware

-app.use(bodyParser.urlencoded({ extended: false }));
+app.use(express.urlencoded())
 app.use(session({
  resave: false, // don't save session if unmodified
  saveUninitialized: false, // don't create session until something stored
@@ -60,14 +61,14 @@ function authenticate(name, pass, fn) {
  if (!module.parent) console.log('authenticating %s:%s', name, pass);
  var user = users[name];
  // query the db for the given username
-  if (!user) return fn(new Error('cannot find user'));
+  if (!user) return fn(null, null)
  // apply the same algorithm to the POSTed password, applying
  // the hash against the pass / salt, if there is a match we
  // found the user
  hash({ password: pass, salt: user.salt }, function (err, pass, salt, hash) {
    if (err) return fn(err);
-    if (hash == user.hash) return fn(null, user);
-    fn(new Error('invalid password'));
+    if (hash === user.hash) return fn(null, user)
+    fn(null, null)
  });
 }

@@ -100,8 +101,10 @@ app.get('/login', function(req, res){
  res.render('login');
 });

-app.post('/login', function(req, res){
+app.post('/login', function (req, res, next) {
+  if (!req.body) return res.sendStatus(400)
  authenticate(req.body.username, req.body.password, function(err, user){
+    if (err) return next(err)
    if (user) {
      // Regenerate session when signing in
      // to prevent fixation
@@ -113,7 +116,7 @@ app.post('/login', function(req, res){
        req.session.success = 'Authenticated as ' + user.name
          + ' click to <a href="/logout">logout</a>. '
          + ' You may now access <a href="/restricted">/restricted</a>.';
-        res.redirect('back');
+        res.redirect(req.get('Referrer') || '/');
      });
    } else {
      req.session.error = 'Authentication failed, please check your '
--- a/examples/auth/views/head.ejs
+++ b/examples/auth/views/head.ejs
@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
    <title><%= title %></title>
    <style>
      body {
@@ -8,7 +10,7 @@
        font: 13px Helvetica, Arial, sans-serif;
      }
      .error {
-          color: red
+          color: red;
      }
      .success {
          color: green;
--- a/examples/auth/views/login.ejs
+++ b/examples/auth/views/login.ejs
@@ -1,22 +1,21 @@

-<% var title = 'Authentication Example' %>
-<% include head %>
+<%- include('head', { title: 'Authentication Example' }) -%>

 <h1>Login</h1>
 <%- message %>
 Try accessing <a href="/restricted">/restricted</a>, then authenticate with "tj" and "foobar".
 <form method="post" action="/login">
  <p>
-    <label>Username:</label>
-    <input type="text" name="username">
+    <label for="username">Username:</label>
+    <input type="text" name="username" id="username">
  </p>
  <p>
-    <label>Password:</label>
-    <input type="text" name="password">
+    <label for="password">Password:</label>
+    <input type="text" name="password" id="password">
  </p>
  <p>
    <input type="submit" value="Login">
  </p>
 </form>

-<% include foot %>
+<%- include('foot') -%>
--- a/examples/content-negotiation/db.js
+++ b/examples/content-negotiation/db.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var users = [];

 users.push({ name: 'Tobi' });
--- a/examples/content-negotiation/index.js
+++ b/examples/content-negotiation/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../../');
 var app = module.exports = express();
 var users = require('./db');
--- a/examples/content-negotiation/users.js
+++ b/examples/content-negotiation/users.js
@@ -1,3 +1,4 @@
+'use strict'

 var users = require('./db');

--- a/examples/cookie-sessions/index.js
+++ b/examples/cookie-sessions/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
 * Module dependencies.
 */
@@ -11,13 +13,10 @@ var app = module.exports = express();
 app.use(cookieSession({ secret: 'manny is cool' }));

 // do something with the session
-app.use(count);
-
-// custom middleware
-function count(req, res) {
+app.get('/', function (req, res) {
  req.session.count = (req.session.count || 0) + 1
  res.send('viewed ' + req.session.count + ' times\n')
-}
+})

 /* istanbul ignore next */
 if (!module.parent) {
--- a/examples/cookies/index.js
+++ b/examples/cookies/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
 * Module dependencies.
 */
@@ -6,10 +8,9 @@ var express = require('../../');
 var app = module.exports = express();
 var logger = require('morgan');
 var cookieParser = require('cookie-parser');
-var bodyParser = require('body-parser');

 // custom log format
-if ('test' != process.env.NODE_ENV) app.use(logger(':method :url'));
+if (process.env.NODE_ENV !== 'test') app.use(logger(':method :url'))

 // parses request cookies, populating
 // req.cookies and req.signedCookies
@@ -18,7 +19,7 @@ if ('test' != process.env.NODE_ENV) app.use(logger(':method :url'));
 app.use(cookieParser('my secret here'));

 // parses x-www-form-urlencoded
-app.use(bodyParser.urlencoded({ extended: false }));
+app.use(express.urlencoded())

 app.get('/', function(req, res){
  if (req.cookies.remember) {
@@ -32,13 +33,17 @@ app.get('/', function(req, res){

 app.get('/forget', function(req, res){
  res.clearCookie('remember');
-  res.redirect('back');
+  res.redirect(req.get('Referrer') || '/');
 });

 app.post('/', function(req, res){
  var minute = 60000;
-  if (req.body.remember) res.cookie('remember', 1, { maxAge: minute });
-  res.redirect('back');
+
+  if (req.body && req.body.remember) {
+    res.cookie('remember', 1, { maxAge: minute })
+  }
+
+  res.redirect(req.get('Referrer') || '/');
 });

 /* istanbul ignore next */
--- a/examples/downloads/files/notes/groceries.txt
+++ b/examples/downloads/files/notes/groceries.txt
@@ -0,0 +1,3 @@
+* milk
+* eggs
+* bread
--- a/examples/downloads/index.js
+++ b/examples/downloads/index.js
@@ -1,27 +1,32 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

 var express = require('../../');
-var path = require('path');
+var path = require('node:path');
+
 var app = module.exports = express();

+// path to where the files are stored on disk
+var FILES_DIR = path.join(__dirname, 'files')
+
 app.get('/', function(req, res){
-  res.send('<ul>'
-    + '<li>Download <a href="/files/amazing.txt">amazing.txt</a>.</li>'
-    + '<li>Download <a href="/files/missing.txt">missing.txt</a>.</li>'
-    + '<li>Download <a href="/files/CCTV大赛上海分赛区.txt">CCTV大赛上海分赛区.txt</a>.</li>'
-    + '</ul>');
+  res.send('<ul>' +
+    '<li>Download <a href="/files/notes/groceries.txt">notes/groceries.txt</a>.</li>' +
+    '<li>Download <a href="/files/amazing.txt">amazing.txt</a>.</li>' +
+    '<li>Download <a href="/files/missing.txt">missing.txt</a>.</li>' +
+    '<li>Download <a href="/files/CCTV大赛上海分赛区.txt">CCTV大赛上海分赛区.txt</a>.</li>' +
+    '</ul>')
 });

 // /files/* is accessed via req.params[0]
 // but here we name it :file
-app.get('/files/:file(*)', function(req, res, next){
-  var filePath = path.join(__dirname, 'files', req.params.file);
-
-  res.download(filePath, function (err) {
+app.get('/files/*file', function (req, res, next) {
+  res.download(req.params.file.join('/'), { root: FILES_DIR }, function (err) {
    if (!err) return; // file sent
-    if (err && err.status !== 404) return next(err); // non-404 error
+    if (err.status !== 404) return next(err); // non-404 error
    // file for download not found
    res.statusCode = 404;
    res.send('Cant find that file, sorry!');
--- a/examples/ejs/index.js
+++ b/examples/ejs/index.js
@@ -1,9 +1,11 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

 var express = require('../../');
-var path = require('path');
+var path = require('node:path');

 var app = module.exports = express();

--- a/examples/ejs/public/stylesheets/style.css
+++ b/examples/ejs/public/stylesheets/style.css
@@ -1,4 +1,4 @@
 body {
  padding: 50px 80px;
-  font: 14px "Helvetica Nueue", "Lucida Grande", Arial, sans-serif;
+  font: 14px "Helvetica Neue", "Lucida Grande", Arial, sans-serif;
 }
--- a/examples/ejs/views/header.html
+++ b/examples/ejs/views/header.html
@@ -2,6 +2,7 @@
 <html lang="en">
 <head>
  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
  <title><%= title %></title>
  <link rel="stylesheet" href="/stylesheets/style.css">
 </head>
--- a/examples/ejs/views/users.html
+++ b/examples/ejs/views/users.html
@@ -1,4 +1,4 @@
-<% include header.html %>
+<%- include('header.html') -%>

 <h1>Users</h1>
 <ul id="users">
@@ -7,4 +7,4 @@
  <% }) %>
 </ul>

-<% include footer.html %>
+<%- include('footer.html') -%>
--- a/examples/error-pages/index.js
+++ b/examples/error-pages/index.js
@@ -1,12 +1,14 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

 var express = require('../../');
-var path = require('path');
+var path = require('node:path');
 var app = module.exports = express();
 var logger = require('morgan');
-var silent = 'test' == process.env.NODE_ENV;
+var silent = process.env.NODE_ENV === 'test'

 // general config
 app.set('views', path.join(__dirname, 'views'));
@@ -19,7 +21,7 @@ app.enable('verbose errors');

 // disable them in production
 // use $ NODE_ENV=production node examples/error-pages
-if ('production' == app.settings.env) app.disable('verbose errors');
+if (app.settings.env === 'production') app.disable('verbose errors')

 silent || app.use(logger('dev'));

--- a/examples/error-pages/views/404.ejs
+++ b/examples/error-pages/views/404.ejs
@@ -1,3 +1,3 @@
-<% include error_header %>
+<%- include('error_header') -%>
 <h2>Cannot find <%= url %></h2>
-<% include footer %>
+<%- include('footer') -%>
--- a/examples/error-pages/views/500.ejs
+++ b/examples/error-pages/views/500.ejs
@@ -1,8 +1,8 @@
-<% include error_header %>
+<%- include('error_header') -%>
 <h2>Error: <%= error.message %></h2>
 <% if (settings['verbose errors']) { %>
  <pre><%= error.stack %></pre>
 <% } else { %>
  <p>An error occurred!</p>
 <% } %>
-<% include footer %>
+<%- include('footer') -%>
--- a/examples/error-pages/views/error_header.ejs
+++ b/examples/error-pages/views/error_header.ejs
@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
 <title>Error</title>
 </head>

--- a/examples/error-pages/views/index.ejs
+++ b/examples/error-pages/views/index.ejs
@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
 <title>Custom Pages Example</title>
 </head>

--- a/examples/error/index.js
+++ b/examples/error/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
 * Module dependencies.
 */
@@ -5,7 +7,7 @@
 var express = require('../../');
 var logger = require('morgan');
 var app = module.exports = express();
-var test = app.get('env') == 'test';
+var test = app.get('env') === 'test'

 if (!test) app.use(logger('dev'));

@@ -24,7 +26,7 @@ function error(err, req, res, next) {
  res.send('Internal Server Error');
 }

-app.get('/', function(req, res){
+app.get('/', function () {
  // Caught and passed down to the errorHandler middleware
  throw new Error('something broke!');
 });
--- a/examples/hello-world/index.js
+++ b/examples/hello-world/index.js
@@ -1,6 +1,8 @@
+'use strict'
+
 var express = require('../../');

-var app = express();
+var app = module.exports = express()

 app.get('/', function(req, res){
  res.send('Hello World');
--- a/examples/markdown/index.js
+++ b/examples/markdown/index.js
@@ -1,12 +1,14 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

 var escapeHtml = require('escape-html');
 var express = require('../..');
-var fs = require('fs');
+var fs = require('node:fs');
 var marked = require('marked');
-var path = require('path');
+var path = require('node:path');

 var app = module.exports = express();

@@ -24,7 +26,7 @@ app.engine('md', function(path, options, fn){

 app.set('views', path.join(__dirname, 'views'));

-// make it the default so we dont need .md
+// make it the default, so we don't need .md
 app.set('view engine', 'md');

 app.get('/', function(req, res){
--- a/examples/multi-router/controllers/api_v1.js
+++ b/examples/multi-router/controllers/api_v1.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../../..');

 var apiv1 = express.Router();
--- a/examples/multi-router/controllers/api_v2.js
+++ b/examples/multi-router/controllers/api_v2.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../../..');

 var apiv2 = express.Router();
--- a/examples/multi-router/index.js
+++ b/examples/multi-router/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var express = require('../..');

 var app = module.exports = express();
@@ -6,7 +8,7 @@ app.use('/api/v1', require('./controllers/api_v1'));
 app.use('/api/v2', require('./controllers/api_v2'));

 app.get('/', function(req, res) {
-  res.send('Hello form root route.');
+  res.send('Hello from root route.')
 });

 /* istanbul ignore next */
--- a/examples/multipart/index.js
+++ b/examples/multipart/index.js
@@ -1,60 +0,0 @@
-/**
- * Module dependencies.
- */
-
-var express = require('../..');
-var multiparty = require('multiparty');
-var format = require('util').format;
-
-var app = module.exports = express();
-
-app.get('/', function(req, res){
-  res.send('<form method="post" enctype="multipart/form-data">'
-    + '<p>Title: <input type="text" name="title" /></p>'
-    + '<p>Image: <input type="file" name="image" /></p>'
-    + '<p><input type="submit" value="Upload" /></p>'
-    + '</form>');
-});
-
-app.post('/', function(req, res, next){
-  // create a form to begin parsing
-  var form = new multiparty.Form();
-  var image;
-  var title;
-
-  form.on('error', next);
-  form.on('close', function(){
-    res.send(format('\nuploaded %s (%d Kb) as %s'
-      , image.filename
-      , image.size / 1024 | 0
-      , title));
-  });
-
-  // listen on field event for title
-  form.on('field', function(name, val){
-    if (name !== 'title') return;
-    title = val;
-  });
-
-  // listen on part event for image file
-  form.on('part', function(part){
-    if (!part.filename) return;
-    if (part.name !== 'image') return part.resume();
-    image = {};
-    image.filename = part.filename;
-    image.size = 0;
-    part.on('data', function(buf){
-      image.size += buf.length;
-    });
-  });
-
-
-  // parse the form
-  form.parse(req);
-});
-
-/* istanbul ignore next */
-if (!module.parent) {
-  app.listen(4000);
-  console.log('Express started on port 4000');
-}
--- a/examples/mvc/controllers/main/index.js
+++ b/examples/mvc/controllers/main/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 exports.index = function(req, res){
  res.redirect('/users');
 };
--- a/examples/mvc/controllers/pet/index.js
+++ b/examples/mvc/controllers/pet/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
 * Module dependencies.
 */
--- a/examples/mvc/controllers/pet/views/edit.ejs
+++ b/examples/mvc/controllers/pet/views/edit.ejs
@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
 <link rel="stylesheet" href="/style.css">
 <title>Edit <%= pet.name %></title>
 </head>
--- a/examples/mvc/controllers/pet/views/show.ejs
+++ b/examples/mvc/controllers/pet/views/show.ejs
@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
 <link rel="stylesheet" href="/style.css">
 <title><%= pet.name %></title>
 </head>
--- a/examples/mvc/controllers/user-pet/index.js
+++ b/examples/mvc/controllers/user-pet/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
 * Module dependencies.
 */
--- a/examples/mvc/controllers/user/index.js
+++ b/examples/mvc/controllers/user/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
 * Module dependencies.
 */
--- a/examples/mvc/controllers/user/views/edit.hbs
+++ b/examples/mvc/controllers/user/views/edit.hbs
@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
  <link rel="stylesheet" href="/style.css">
  <title>Edit {{user.name}}</title>
 </head>
--- a/examples/mvc/controllers/user/views/list.hbs
+++ b/examples/mvc/controllers/user/views/list.hbs
@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
  <link rel="stylesheet" href="/style.css">
  <title>Users</title>
 </head>
--- a/examples/mvc/controllers/user/views/show.hbs
+++ b/examples/mvc/controllers/user/views/show.hbs
@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
  <link rel="stylesheet" href="/style.css">
  <title>{{user.name}}</title>
 </head>
--- a/examples/mvc/db.js
+++ b/examples/mvc/db.js
@@ -1,3 +1,5 @@
+'use strict'
+
 // faux database

 var pets = exports.pets = [];
--- a/examples/mvc/index.js
+++ b/examples/mvc/index.js
@@ -1,12 +1,13 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

 var express = require('../..');
 var logger = require('morgan');
-var path = require('path');
+var path = require('node:path');
 var session = require('express-session');
-var bodyParser = require('body-parser');
 var methodOverride = require('method-override');

 var app = module.exports = express();
@@ -43,7 +44,7 @@ app.use(session({
 }));

 // parse request bodies (req.body)
-app.use(bodyParser.urlencoded({ extended: true }));
+app.use(express.urlencoded({ extended: true }))

 // allow overriding methods in query (?_method=put)
 app.use(methodOverride('_method'));
--- a/examples/mvc/lib/boot.js
+++ b/examples/mvc/lib/boot.js
@@ -1,10 +1,12 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

 var express = require('../../..');
-var fs = require('fs');
-var path = require('path');
+var fs = require('node:fs');
+var path = require('node:path');

 module.exports = function(parent, options){
  var dir = path.join(__dirname, '..', 'controllers');
--- a/examples/mvc/public/style.css
+++ b/examples/mvc/public/style.css
@@ -1,6 +1,6 @@
 body {
  padding: 50px;
-  font: 16px "Helvetica Neue", Helvetica, Arial;
+  font: 16px "Helvetica Neue", Helvetica, Arial, sans-serif;
 }
 a {
  color: #107aff;
--- a/examples/mvc/views/404.ejs
+++ b/examples/mvc/views/404.ejs
@@ -2,6 +2,7 @@
 <html>
  <head>
    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
    <title>Not Found</title>
    <link rel="stylesheet" href="/style.css">
  </head>
--- a/examples/mvc/views/5xx.ejs
+++ b/examples/mvc/views/5xx.ejs
@@ -2,6 +2,7 @@
 <html>
  <head>
    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
    <title>Internal Server Error</title>
    <link rel="stylesheet" href="/style.css">
  </head>
--- a/examples/online/index.js
+++ b/examples/online/index.js
@@ -1,3 +1,4 @@
+'use strict'

 // install redis first:
 // https://redis.io/
--- a/examples/params/index.js
+++ b/examples/params/index.js
@@ -1,28 +1,23 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

+var createError = require('http-errors')
 var express = require('../../');
 var app = module.exports = express();

 // Faux database

 var users = [
-    { name: 'tj' }
+  { name: 'tj' }
  , { name: 'tobi' }
  , { name: 'loki' }
  , { name: 'jane' }
  , { name: 'bandit' }
 ];

-// Create HTTP error
-
-function createError(status, message) {
-  var err = new Error(message);
-  err.status = status;
-  return err;
-}
-
 // Convert :to and :from to integers

 app.param(['to', 'from'], function(req, res, next, num, name){
@@ -37,7 +32,8 @@ app.param(['to', 'from'], function(req, res, next, num, name){
 // Load user by id

 app.param('user', function(req, res, next, id){
-  if (req.user = users[id]) {
+  req.user = users[id]
+  if (req.user) {
    next();
  } else {
    next(createError(404, 'failed to find user'));
@@ -56,7 +52,7 @@ app.get('/', function(req, res){
 * GET :user.
 */

-app.get('/user/:user', function(req, res, next){
+app.get('/user/:user', function (req, res) {
  res.send('user ' + req.user.name);
 });

@@ -64,7 +60,7 @@ app.get('/user/:user', function(req, res, next){
 * GET users :from - :to.
 */

-app.get('/users/:from-:to', function(req, res, next){
+app.get('/users/:from-:to', function (req, res) {
  var from = req.params.from;
  var to = req.params.to;
  var names = users.map(function(user){ return user.name; });
--- a/examples/resource/index.js
+++ b/examples/resource/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
 * Module dependencies.
 */
@@ -10,7 +12,7 @@ var app = module.exports = express();

 app.resource = function(path, obj) {
  this.get(path, obj.index);
-  this.get(path + '/:a..:b.:format?', function(req, res){
+  this.get(path + '/:a..:b{.:format}', function(req, res){
    var a = parseInt(req.params.a, 10);
    var b = parseInt(req.params.b, 10);
    var format = req.params.format;
@@ -26,7 +28,7 @@ app.resource = function(path, obj) {
 // Fake records

 var users = [
-    { name: 'tj' }
+  { name: 'tj' }
  , { name: 'ciaran' }
  , { name: 'aaron' }
  , { name: 'guillermo' }
--- a/examples/route-map/index.js
+++ b/examples/route-map/index.js
@@ -1,10 +1,13 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

+var escapeHtml = require('escape-html')
 var express = require('../../lib/express');

-var verbose = process.env.NODE_ENV != 'test';
+var verbose = process.env.NODE_ENV !== 'test'

 var app = module.exports = express();

@@ -31,7 +34,7 @@ var users = {
  },

  get: function(req, res){
-    res.send('user ' + req.params.uid);
+    res.send('user ' +  escapeHtml(req.params.uid))
  },

  delete: function(req, res){
@@ -41,11 +44,11 @@ var users = {

 var pets = {
  list: function(req, res){
-    res.send('user ' + req.params.uid + '\'s pets');
+    res.send('user ' + escapeHtml(req.params.uid) + '\'s pets')
  },

  delete: function(req, res){
-    res.send('delete ' + req.params.uid + '\'s pet ' + req.params.pid);
+    res.send('delete ' + escapeHtml(req.params.uid) + '\'s pet ' + escapeHtml(req.params.pid))
  }
 };

--- a/examples/route-middleware/index.js
+++ b/examples/route-middleware/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
 * Module dependencies.
 */
@@ -15,7 +17,7 @@ var app = express();

 // Dummy users
 var users = [
-    { id: 0, name: 'tj', email: 'tj@vision-media.ca', role: 'member' }
+  { id: 0, name: 'tj', email: 'tj@vision-media.ca', role: 'member' }
  , { id: 1, name: 'ciaran', email: 'ciaranj@gmail.com', role: 'member' }
  , { id: 2, name: 'aaron', email: 'aaron.heckmann+github@gmail.com', role: 'admin' }
 ];
@@ -34,7 +36,7 @@ function loadUser(req, res, next) {
 function andRestrictToSelf(req, res, next) {
  // If our authenticated user is the user we are viewing
  // then everything is fine :)
-  if (req.authenticatedUser.id == req.user.id) {
+  if (req.authenticatedUser.id === req.user.id) {
    next();
  } else {
    // You may want to implement specific exceptions
@@ -47,7 +49,7 @@ function andRestrictToSelf(req, res, next) {

 function andRestrictTo(role) {
  return function(req, res, next) {
-    if (req.authenticatedUser.role == role) {
+    if (req.authenticatedUser.role === role) {
      next();
    } else {
      next(new Error('Unauthorized'));
--- a/examples/route-separation/index.js
+++ b/examples/route-separation/index.js
@@ -1,13 +1,14 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

 var express = require('../..');
-var path = require('path');
+var path = require('node:path');
 var app = express();
 var logger = require('morgan');
 var cookieParser = require('cookie-parser');
-var bodyParser = require('body-parser');
 var methodOverride = require('method-override');
 var site = require('./site');
 var post = require('./post');
@@ -27,7 +28,7 @@ if (!module.parent) {

 app.use(methodOverride('_method'));
 app.use(cookieParser());
-app.use(bodyParser.urlencoded({ extended: true }));
+app.use(express.urlencoded({ extended: true }))
 app.use(express.static(path.join(__dirname, 'public')));

 // General
@@ -37,7 +38,7 @@ app.get('/', site.index);
 // User

 app.get('/users', user.list);
-app.all('/user/:id/:op?', user.load);
+app.all('/user/:id{/:op}', user.load);
 app.get('/user/:id', user.view);
 app.get('/user/:id/view', user.view);
 app.get('/user/:id/edit', user.edit);
--- a/examples/route-separation/post.js
+++ b/examples/route-separation/post.js
@@ -1,3 +1,5 @@
+'use strict'
+
 // Fake posts database

 var posts = [
--- a/examples/route-separation/site.js
+++ b/examples/route-separation/site.js
@@ -1,3 +1,5 @@
+'use strict'
+
 exports.index = function(req, res){
  res.render('index', { title: 'Route Separation Example' });
 };
--- a/examples/route-separation/user.js
+++ b/examples/route-separation/user.js
@@ -1,3 +1,5 @@
+'use strict'
+
 // Fake user database

 var users = [
@@ -41,5 +43,5 @@ exports.update = function(req, res){
  var user = req.body.user;
  req.user.name = user.name;
  req.user.email = user.email;
-  res.redirect('back');
+  res.redirect(req.get('Referrer') || '/');
 };
--- a/examples/route-separation/views/header.ejs
+++ b/examples/route-separation/views/header.ejs
@@ -2,6 +2,7 @@
 <html lang="en">
 <head>
  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
  <title><%= title %></title>
  <link rel="stylesheet" href="/style.css">
 </head>
--- a/examples/route-separation/views/index.ejs
+++ b/examples/route-separation/views/index.ejs
@@ -1,4 +1,4 @@
-<% include header %>
+<%- include('header') -%>

 <h1><%= title %></h1>

@@ -7,4 +7,4 @@
  <li>Visit the <a href="/posts">posts</a> page.</li>
 </ul>

-<% include footer %>
+<%- include('footer') -%>
--- a/examples/route-separation/views/posts/index.ejs
+++ b/examples/route-separation/views/posts/index.ejs
@@ -1,4 +1,4 @@
-<% include ../header %>
+<%- include('../header') -%>

 <h1>Posts</h1>

@@ -9,4 +9,4 @@
  <% }) %>
 </dl>

-<% include ../footer %>
+<%- include('../footer') -%>
--- a/examples/route-separation/views/users/edit.ejs
+++ b/examples/route-separation/views/users/edit.ejs
@@ -1,9 +1,9 @@
-<% include ../header %>
+<%- include('../header') -%>

 <h1>Editing <%= user.name %></h1>

 <div id="user">
-  <form action="?_method=put", method="post">
+  <form action="?_method=put" method="post">
    <p>
      Name:
      <input type="text" value="<%= user.name %>" name="user[name]" />
@@ -20,4 +20,4 @@
  </form>
 </div>

-<% include ../footer %>
+<%- include('../footer') -%>
--- a/examples/route-separation/views/users/index.ejs
+++ b/examples/route-separation/views/users/index.ejs
@@ -1,4 +1,4 @@
-<% include ../header %>
+<%- include('../header') -%>

 <h1><%= title %></h1>

@@ -11,4 +11,4 @@
  <% }) %>
 </div>

-<% include ../footer %>
+<%- include('../footer') -%>
--- a/examples/route-separation/views/users/view.ejs
+++ b/examples/route-separation/views/users/view.ejs
@@ -1,4 +1,4 @@
-<% include ../header %>
+<%- include('../header') -%>

 <h1><%= user.name %></h1>

@@ -6,4 +6,4 @@
  <p>Email: <%= user.email %></p>
 </div>

-<% include ../footer %>
+<%- include('../footer') -%>
--- a/examples/search/index.js
+++ b/examples/search/index.js
@@ -1,3 +1,4 @@
+'use strict'

 // install redis first:
 // https://redis.io/
@@ -11,35 +12,51 @@
 */

 var express = require('../..');
-var path = require('path');
+var path = require('node:path');
 var redis = require('redis');

 var db = redis.createClient();
-
-// npm install redis
-
 var app = express();

 app.use(express.static(path.join(__dirname, 'public')));

-// populate search
+// npm install redis

-db.sadd('ferret', 'tobi');
-db.sadd('ferret', 'loki');
-db.sadd('ferret', 'jane');
-db.sadd('cat', 'manny');
-db.sadd('cat', 'luna');
+/**
+ * Redis Initialization
+ */
+
+async function initializeRedis() {
+  try {
+    // connect to Redis
+
+    await db.connect();
+
+    // populate search
+
+    await db.sAdd('ferret', 'tobi');
+    await db.sAdd('ferret', 'loki');
+    await db.sAdd('ferret', 'jane');
+    await db.sAdd('cat', 'manny');
+    await db.sAdd('cat', 'luna');
+  } catch (err) {
+    console.error('Error initializing Redis:', err);
+    process.exit(1);
+  }
+}

 /**
 * GET search for :query.
 */

-app.get('/search/:query?', function(req, res, next){
-  var query = req.params.query;
-  db.smembers(query, function(err, vals){
-    if (err) return next(err);
-    res.send(vals);
-  });
+app.get('/search/{:query}', function (req, res, next) {
+  var query = req.params.query || '';
+  db.sMembers(query)
+    .then((vals) => res.send(vals))
+    .catch((err) => {
+      console.error(`Redis error for query "${query}":`, err);
+      next(err);
+    });
 });

 /**
@@ -53,8 +70,14 @@ app.get('/client.js', function(req, res){
  res.sendFile(path.join(__dirname, 'client.js'));
 });

-/* istanbul ignore next */
-if (!module.parent) {
-  app.listen(3000);
-  console.log('Express started on port 3000');
-}
+/**
+ * Start the Server
+ */
+
+(async () => {
+  await initializeRedis();
+  if (!module.parent) {
+    app.listen(3000);
+    console.log('Express started on port 3000');
+  }
+})();
--- a/examples/search/public/client.js
+++ b/examples/search/public/client.js
@@ -1,3 +1,5 @@
+'use strict'
+
 var search = document.querySelector('[type=search]');
 var code = document.querySelector('pre');

@@ -5,7 +7,7 @@ search.addEventListener('keyup', function(){
  var xhr = new XMLHttpRequest;
  xhr.open('GET', '/search/' + search.value, true);
  xhr.onreadystatechange = function(){
-    if (4 == xhr.readyState) {
+    if (xhr.readyState === 4) {
      code.textContent = xhr.responseText;
    }
  };
--- a/examples/search/public/index.html
+++ b/examples/search/public/index.html
@@ -2,8 +2,9 @@
 <html lang="en">
 <head>
  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
  <title>Search example</title>
-  <style type="text/css">
+  <style>
    body {
      font: 14px "Helvetica Neue", Helvetica;
      padding: 50px;
@@ -14,7 +15,7 @@
  <h2>Search</h2>
  <p>Try searching for "ferret" or "cat".</p>
  <input type="search" name="search" value="" />
-  <pre />
+  <pre></pre>
  <script src="/client.js" charset="utf-8"></script>
 </body>
 </html>
--- a/examples/session/index.js
+++ b/examples/session/index.js
@@ -1,3 +1,4 @@
+'use strict'

 // install redis first:
 // https://redis.io/
--- a/examples/session/redis.js
+++ b/examples/session/redis.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
 * Module dependencies.
 */
--- a/examples/static-files/index.js
+++ b/examples/static-files/index.js
@@ -1,10 +1,12 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

 var express = require('../..');
 var logger = require('morgan');
-var path = require('path');
+var path = require('node:path');
 var app = express();

 // log requests
--- a/examples/static-files/public/js/app.js
+++ b/examples/static-files/public/js/app.js
@@ -1 +1 @@
-foo
+// foo
--- a/examples/vhost/index.js
+++ b/examples/vhost/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
 * Module dependencies.
 */
--- a/examples/view-constructor/github-view.js
+++ b/examples/view-constructor/github-view.js
@@ -1,9 +1,11 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

-var https = require('https');
-var path = require('path');
+var https = require('node:https');
+var path = require('node:path');
 var extname = path.extname;

 /**
--- a/examples/view-constructor/index.js
+++ b/examples/view-constructor/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
 * Module dependencies.
 */
--- a/examples/view-locals/index.js
+++ b/examples/view-locals/index.js
@@ -1,9 +1,11 @@
+'use strict'
+
 /**
 * Module dependencies.
 */

 var express = require('../..');
-var path = require('path');
+var path = require('node:path');
 var User = require('./user');
 var app = express();

@@ -13,7 +15,7 @@ app.set('view engine', 'ejs');
 // filter ferrets only

 function ferrets(user) {
-  return user.species == 'ferret';
+  return user.species === 'ferret'
 }

 // naive nesting approach,
@@ -59,7 +61,7 @@ function users(req, res, next) {
  })
 }

-app.get('/middleware', count, users, function(req, res, next){
+app.get('/middleware', count, users, function (req, res) {
  res.render('index', {
    title: 'Users',
    count: req.count,
@@ -97,7 +99,7 @@ function users2(req, res, next) {
  })
 }

-app.get('/middleware-locals', count2, users2, function(req, res, next){
+app.get('/middleware-locals', count2, users2, function (req, res) {
  // you can see now how we have much less
  // to pass to res.render(). If we have
  // several routes related to users this
--- a/examples/view-locals/user.js
+++ b/examples/view-locals/user.js
@@ -1,3 +1,5 @@
+'use strict'
+
 module.exports = User;

 // faux model
--- a/examples/view-locals/views/index.ejs
+++ b/examples/view-locals/views/index.ejs
@@ -2,6 +2,7 @@
 <html>
  <head>
    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
    <title><%= title %></title>
    <style media="screen">
      body {
--- a/examples/web-service/index.js
+++ b/examples/web-service/index.js
@@ -1,3 +1,5 @@
+'use strict'
+
 /**
 * Module dependencies.
 */
@@ -8,7 +10,7 @@ var app = module.exports = express();

 // create an error with .status. we
 // can then use the property in our
-// custom error handler (Connect repects this prop as well)
+// custom error handler (Connect respects this prop as well)

 function error(status, msg) {
  var err = new Error(msg);
@@ -32,7 +34,7 @@ app.use('/api', function(req, res, next){
  if (!key) return next(error(400, 'api key required'));

  // key is invalid
-  if (!~apiKeys.indexOf(key)) return next(error(401, 'invalid api key'));
+  if (apiKeys.indexOf(key) === -1) return next(error(401, 'invalid api key'))

  // all good, store req.key for route access
  req.key = key;
@@ -49,13 +51,13 @@ var apiKeys = ['foo', 'bar', 'baz'];
 // these two objects will serve as our faux database

 var repos = [
-    { name: 'express', url: 'http://github.com/expressjs/express' }
-  , { name: 'stylus', url: 'http://github.com/learnboost/stylus' }
-  , { name: 'cluster', url: 'http://github.com/learnboost/cluster' }
+  { name: 'express', url: 'https://github.com/expressjs/express' },
+  { name: 'stylus', url: 'https://github.com/learnboost/stylus' },
+  { name: 'cluster', url: 'https://github.com/learnboost/cluster' }
 ];

 var users = [
-    { name: 'tobi' }
+  { name: 'tobi' }
  , { name: 'loki' }
  , { name: 'jane' }
 ];
@@ -69,14 +71,17 @@ var userRepos = {
 // we now can assume the api key is valid,
 // and simply expose the data

-app.get('/api/users', function(req, res, next){
+// example: http://localhost:3000/api/users/?api-key=foo
+app.get('/api/users', function (req, res) {
  res.send(users);
 });

-app.get('/api/repos', function(req, res, next){
+// example: http://localhost:3000/api/repos/?api-key=foo
+app.get('/api/repos', function (req, res) {
  res.send(repos);
 });

+// example: http://localhost:3000/api/user/tobi/repos/?api-key=foo
 app.get('/api/user/:name/repos', function(req, res, next){
  var name = req.params.name;
  var user = userRepos[name];
@@ -102,7 +107,7 @@ app.use(function(err, req, res, next){
 // invoke next() and do not respond.
 app.use(function(req, res){
  res.status(404);
-  res.send({ error: "Lame, can't find that" });
+  res.send({ error: "Sorry, can't find that" })
 });

 /* istanbul ignore next */
--- a/lib/application.js
+++ b/lib/application.js
@@ -14,19 +14,24 @@
 */

 var finalhandler = require('finalhandler');
-var methods = require('methods');
 var debug = require('debug')('express:application');
 var View = require('./view');
-var http = require('http');
+var http = require('node:http');
+var methods = require('./utils').methods;
 var compileETag = require('./utils').compileETag;
 var compileQueryParser = require('./utils').compileQueryParser;
 var compileTrust = require('./utils').compileTrust;
-var flatten = require('array-flatten');
-var merge = require('utils-merge');
-var resolve = require('path').resolve;
+var resolve = require('node:path').resolve;
+var once = require('once')
 var Router = require('router');
-var setPrototypeOf = require('setprototypeof')
+
+/**
+ * Module variables.
+ * @private
+ */
+
 var slice = Array.prototype.slice;
+var flatten = Array.prototype.flat;

 /**
 * Application prototype.
@@ -54,9 +59,9 @@ var trustProxyDefaultSymbol = '@@symbol:trust_proxy_default';
 app.init = function init() {
  var router = null;

-  this.cache = {};
-  this.engines = {};
-  this.settings = {};
+  this.cache = Object.create(null);
+  this.engines = Object.create(null);
+  this.settings = Object.create(null);

  this.defaultConfiguration();

@@ -89,7 +94,7 @@ app.defaultConfiguration = function defaultConfiguration() {
  this.enable('x-powered-by');
  this.set('etag', 'weak');
  this.set('env', env);
-  this.set('query parser', 'extended');
+  this.set('query parser', 'simple')
  this.set('subdomain offset', 2);
  this.set('trust proxy', false);

@@ -110,10 +115,10 @@ app.defaultConfiguration = function defaultConfiguration() {
    }

    // inherit protos
-    setPrototypeOf(this.request, parent.request)
-    setPrototypeOf(this.response, parent.response)
-    setPrototypeOf(this.engines, parent.engines)
-    setPrototypeOf(this.settings, parent.settings)
+    Object.setPrototypeOf(this.request, parent.request)
+    Object.setPrototypeOf(this.response, parent.response)
+    Object.setPrototypeOf(this.engines, parent.engines)
+    Object.setPrototypeOf(this.settings, parent.settings)
  });

  // setup locals
@@ -161,8 +166,8 @@ app.handle = function handle(req, res, callback) {
  res.req = req;

  // alter the prototypes
-  setPrototypeOf(req, this.request)
-  setPrototypeOf(res, this.response)
+  Object.setPrototypeOf(req, this.request)
+  Object.setPrototypeOf(res, this.response)

  // setup locals
  if (!res.locals) {
@@ -202,10 +207,10 @@ app.use = function use(fn) {
    }
  }

-  var fns = flatten(slice.call(arguments, offset));
+  var fns = flatten.call(slice.call(arguments, offset), Infinity);

  if (fns.length === 0) {
-    throw new TypeError('app.use() requires middleware functions');
+    throw new TypeError('app.use() requires a middleware function')
  }

  // get router
@@ -225,8 +230,8 @@ app.use = function use(fn) {
    router.use(path, function mounted_app(req, res, next) {
      var orig = req.app;
      fn.handle(req, res, function (err) {
-        setPrototypeOf(req, orig.request)
-        setPrototypeOf(res, orig.response)
+        Object.setPrototypeOf(req, orig.request)
+        Object.setPrototypeOf(res, orig.response)
        next(err);
      });
    });
@@ -272,7 +277,7 @@ app.route = function route(path) {
 * In this case EJS provides a `.renderFile()` method with
 * the same signature that Express expects: `(path, options, callback)`,
 * though note that it aliases this method as `ejs.__express` internally
- * so if you're using ".ejs" extensions you dont need to do anything.
+ * so if you're using ".ejs" extensions you don't need to do anything.
 *
 * Some template engines do not follow this convention, the
 * [Consolidate.js](https://github.com/tj/consolidate.js)
@@ -332,7 +337,7 @@ app.param = function param(name, fn) {
 * Assign `setting` to `val`, or return `setting`'s value.
 *
 *    app.set('foo', 'bar');
- *    app.get('foo');
+ *    app.set('foo');
 *    // => "bar"
 *
 * Mounted servers inherit their parent server's settings.
@@ -463,8 +468,8 @@ app.disable = function disable(setting) {
 * Delegate `.VERB(...)` calls to `router.VERB(...)`.
 */

-methods.forEach(function(method){
-  app[method] = function(path){
+methods.forEach(function (method) {
+  app[method] = function (path) {
    if (method === 'get' && arguments.length === 1) {
      // app.get(setting)
      return this.set(path);
@@ -518,8 +523,7 @@ app.render = function render(name, options, callback) {
  var cache = this.cache;
  var done = callback;
  var engines = this.engines;
-  var opts = options;
-  var renderOptions = {};
+  var opts = options || {};
  var view;

  // support callback function as second arg
@@ -528,16 +532,8 @@ app.render = function render(name, options, callback) {
    opts = {};
  }

-  // merge app.locals
-  merge(renderOptions, this.locals);
-
-  // merge options._locals
-  if (opts._locals) {
-    merge(renderOptions, opts._locals);
-  }
-
  // merge options
-  merge(renderOptions, opts);
+  var renderOptions = { ...this.locals, ...opts._locals, ...opts };

  // set .cache unless explicitly provided
  if (renderOptions.cache == null) {
@@ -587,8 +583,8 @@ app.render = function render(name, options, callback) {
 * and HTTPS server you may do so with the "http"
 * and "https" modules as shown here:
 *
- *    var http = require('http')
- *      , https = require('https')
+ *    var http = require('node:http')
+ *      , https = require('node:https')
 *      , express = require('express')
 *      , app = express();
 *
@@ -600,9 +596,14 @@ app.render = function render(name, options, callback) {
 */

 app.listen = function listen() {
-  var server = http.createServer(this);
-  return server.listen.apply(server, arguments);
-};
+  var server = http.createServer(this)
+  var args = slice.call(arguments)
+  if (typeof args[args.length - 1] === 'function') {
+    var done = args[args.length - 1] = once(args[args.length - 1])
+    server.once('error', done)
+  }
+  return server.listen.apply(server, args)
+}

 /**
 * Log error using console.error.
--- a/lib/express.js
+++ b/lib/express.js
@@ -12,7 +12,8 @@
 * Module dependencies.
 */

-var EventEmitter = require('events').EventEmitter;
+var bodyParser = require('body-parser')
+var EventEmitter = require('node:events').EventEmitter;
 var mixin = require('merge-descriptors');
 var proto = require('./application');
 var Router = require('router');
@@ -73,4 +74,8 @@ exports.Router = Router;
 * Expose middleware
 */

+exports.json = bodyParser.json
+exports.raw = bodyParser.raw
 exports.static = require('serve-static');
+exports.text = bodyParser.text
+exports.urlencoded = bodyParser.urlencoded
--- a/lib/request.js
+++ b/lib/request.js
@@ -14,9 +14,9 @@
 */

 var accepts = require('accepts');
-var isIP = require('net').isIP;
+var isIP = require('node:net').isIP;
 var typeis = require('type-is');
-var http = require('http');
+var http = require('node:http');
 var fresh = require('fresh');
 var parseRange = require('range-parser');
 var parse = require('parseurl');
@@ -83,16 +83,13 @@ req.header = function header(name) {
 };

 /**
- * To do: update docs.
- *
 * Check if the given `type(s)` is acceptable, returning
- * the best match when true, otherwise `undefined`, in which
+ * the best match when true, otherwise `false`, in which
 * case you should respond with 406 "Not Acceptable".
 *
 * The `type` value may be a single MIME type string
 * such as "application/json", an extension name
- * such as "json", a comma-delimited list such as "json, html, text/plain",
- * an argument list such as `"json", "html", "text/plain"`,
+ * such as "json", an argument list such as `"json", "html", "text/plain"`,
 * or an array `["json", "html", "text/plain"]`. When a list
 * or array is given, the _best_ match, if any is returned.
 *
@@ -107,7 +104,7 @@ req.header = function header(name) {
 *     // => "html"
 *     req.accepts('text/html');
 *     // => "text/html"
- *     req.accepts('json, text');
+ *     req.accepts('json', 'text');
 *     // => "json"
 *     req.accepts('application/json');
 *     // => "application/json"
@@ -115,12 +112,11 @@ req.header = function header(name) {
 *     // Accept: text/*, application/json
 *     req.accepts('image/png');
 *     req.accepts('png');
- *     // => undefined
+ *     // => false
 *
 *     // Accept: text/*;q=.5, application/json
 *     req.accepts(['html', 'json']);
 *     req.accepts('html', 'json');
- *     req.accepts('html, json');
 *     // => "json"
 *
 * @param {String|Array} type(s)
@@ -147,17 +143,34 @@ req.acceptsEncodings = function(){
 };

 /**
- * Check if the given `charset`s are acceptable,
- * otherwise you should respond with 406 "Not Acceptable".
+ * Checks if the specified `charset`s are acceptable based on the request's `Accept-Charset` header.
+ * Returns the best matching charset or an array of acceptable charsets.
 *
- * @param {String} ...charset
- * @return {String|Array}
+ * The `charset` argument(s) can be:
+ * - A single charset string (e.g., "utf-8")
+ * - Multiple charset strings as arguments (e.g., `"utf-8", "iso-8859-1"`)
+ * - A comma-delimited list of charsets (e.g., `"utf-8, iso-8859-1"`)
+ *
+ * Examples:
+ *
+ *     // Accept-Charset: utf-8, iso-8859-1
+ *     req.acceptsCharsets('utf-8');
+ *     // => "utf-8"
+ *
+ *     req.acceptsCharsets('utf-8', 'iso-8859-1');
+ *     // => "utf-8"
+ *
+ *     req.acceptsCharsets('utf-8, utf-16');
+ *     // => "utf-8"
+ *
+ * @param {...String} charsets - The charset(s) to check against the `Accept-Charset` header.
+ * @return {String|Array} - The best matching charset, or an array of acceptable charsets.
 * @public
 */

-req.acceptsCharsets = function(){
-  var accept = accepts(this);
-  return accept.charsets.apply(accept, arguments);
+req.acceptsCharsets = function(...charsets) {
+  const accept = accepts(this);
+  return accept.charsets(...charsets);
 };

 /**
@@ -169,9 +182,8 @@ req.acceptsCharsets = function(){
 * @public
 */

-req.acceptsLanguages = function(){
-  var accept = accepts(this);
-  return accept.languages.apply(accept, arguments);
+req.acceptsLanguages = function(...languages) {
+  return accepts(this).languages(...languages);
 };

 /**
@@ -230,7 +242,7 @@ defineGetter(req, 'query', function query(){

 /**
 * Check if the incoming request contains the "Content-Type"
- * header field, and it contains the give mime `type`.
+ * header field, and it contains the given mime `type`.
 *
 * Examples:
 *
@@ -283,19 +295,23 @@ req.is = function is(types) {
 */

 defineGetter(req, 'protocol', function protocol(){
-  var proto = this.connection.encrypted
+  var proto = this.socket.encrypted
    ? 'https'
    : 'http';
  var trust = this.app.get('trust proxy fn');

-  if (!trust(this.connection.remoteAddress, 0)) {
+  if (!trust(this.socket.remoteAddress, 0)) {
    return proto;
  }

  // Note: X-Forwarded-Proto is normally only ever a
  //       single value, but this is to be safe.
-  proto = this.get('X-Forwarded-Proto') || proto;
-  return proto.split(/\s*,\s*/)[0];
+  var header = this.get('X-Forwarded-Proto') || proto
+  var index = header.indexOf(',')
+
+  return index !== -1
+    ? header.substring(0, index).trim()
+    : header.trim()
 });

 /**
@@ -403,8 +419,12 @@ defineGetter(req, 'host', function host(){
  var trust = this.app.get('trust proxy fn');
  var val = this.get('X-Forwarded-Host');

-  if (!val || !trust(this.connection.remoteAddress, 0)) {
+  if (!val || !trust(this.socket.remoteAddress, 0)) {
    val = this.get('Host');
+  } else if (val.indexOf(',') !== -1) {
+    // Note: X-Forwarded-Host is normally only ever a
+    //       single value, but this is to be safe.
+    val = val.substring(0, val.indexOf(',')).trimRight()
  }

  return val || undefined;
@@ -439,7 +459,7 @@ defineGetter(req, 'hostname', function hostname(){

 /**
 * Check if the request is fresh, aka
- * Last-Modified and/or the ETag
+ * Last-Modified or the ETag
 * still match.
 *
 * @return {Boolean}
--- a/lib/response.js
+++ b/lib/response.js
@@ -13,14 +13,16 @@
 */

 var contentDisposition = require('content-disposition');
+var createError = require('http-errors')
+var deprecate = require('depd')('express');
 var encodeUrl = require('encodeurl');
 var escapeHtml = require('escape-html');
-var http = require('http');
+var http = require('node:http');
 var onFinished = require('on-finished');
-var path = require('path');
-var pathIsAbsolute = require('path-is-absolute');
+var mime = require('mime-types')
+var path = require('node:path');
+var pathIsAbsolute = require('node:path').isAbsolute;
 var statuses = require('statuses')
-var merge = require('utils-merge');
 var sign = require('cookie-signature').sign;
 var normalizeType = require('./utils').normalizeType;
 var normalizeTypes = require('./utils').normalizeTypes;
@@ -28,9 +30,9 @@ var setCharset = require('./utils').setCharset;
 var cookie = require('cookie');
 var send = require('send');
 var extname = path.extname;
-var mime = send.mime;
 var resolve = path.resolve;
 var vary = require('vary');
+const { Buffer } = require('node:buffer');

 /**
 * Response prototype.
@@ -47,21 +49,28 @@ var res = Object.create(http.ServerResponse.prototype)
 module.exports = res

 /**
- * Module variables.
- * @private
- */
-
-var charsetRegExp = /;\s*charset\s*=/;
-
-/**
- * Set status `code`.
+ * Set the HTTP status code for the response.
 *
- * @param {Number} code
- * @return {ServerResponse}
+ * Expects an integer value between 100 and 999 inclusive.
+ * Throws an error if the provided status code is not an integer or if it's outside the allowable range.
+ *
+ * @param {number} code - The HTTP status code to set.
+ * @return {ServerResponse} - Returns itself for chaining methods.
+ * @throws {TypeError} If `code` is not an integer.
+ * @throws {RangeError} If `code` is outside the range 100 to 999.
 * @public
 */

 res.status = function status(code) {
+  // Check if the status code is not an integer
+  if (!Number.isInteger(code)) {
+    throw new TypeError(`Invalid status code: ${JSON.stringify(code)}. Status code must be an integer.`);
+  }
+  // Check if the status code is outside of Node's valid range
+  if (code < 100 || code > 999) {
+    throw new RangeError(`Invalid status code: ${JSON.stringify(code)}. Status code must be greater than 99 and less than 1000.`);
+  }
+
  this.statusCode = code;
  return this;
 };
@@ -73,7 +82,11 @@ res.status = function status(code) {
 *
 *    res.links({
 *      next: 'http://api.example.com/users?page=2',
- *      last: 'http://api.example.com/users?page=5'
+ *      last: 'http://api.example.com/users?page=5',
+ *      pages: [
+ *        'http://api.example.com/users?page=1',
+ *        'http://api.example.com/users?page=2'
+ *      ]
 *    });
 *
 * @param {Object} links
@@ -81,11 +94,18 @@ res.status = function status(code) {
 * @public
 */

-res.links = function(links){
+res.links = function(links) {
  var link = this.get('Link') || '';
  if (link) link += ', ';
-  return this.set('Link', link + Object.keys(links).map(function(rel){
-    return '<' + links[rel] + '>; rel="' + rel + '"';
+  return this.set('Link', link + Object.keys(links).map(function(rel) {
+    // Allow multiple links if links[rel] is an array
+    if (Array.isArray(links[rel])) {
+      return links[rel].map(function (singleLink) {
+        return `<${singleLink}>; rel="${rel}"`;
+      }).join(', ');
+    } else {
+      return `<${links[rel]}>; rel="${rel}"`;
+    }
  }).join(', '));
 };

@@ -94,7 +114,7 @@ res.links = function(links){
 *
 * Examples:
 *
- *     res.send(new Buffer('wahoo'));
+ *     res.send(Buffer.from('wahoo'));
 *     res.send({ some: 'json' });
 *     res.send('<p>some html</p>');
 *
@@ -105,9 +125,7 @@ res.links = function(links){
 res.send = function send(body) {
  var chunk = body;
  var encoding;
-  var len;
  var req = this.req;
-  var type;

  // settings
  var app = this.app;
@@ -115,7 +133,12 @@ res.send = function send(body) {
  switch (typeof chunk) {
    // string defaulting to html
    case 'string':
-      if (!this.get('Content-Type')) {
+      encoding = 'utf8';
+      const type = this.get('Content-Type');
+
+      if (typeof type === 'string') {
+        this.set('Content-Type', setCharset(type, 'utf-8'));
+      } else {
        this.type('html');
      }
      break;
@@ -124,7 +147,7 @@ res.send = function send(body) {
    case 'object':
      if (chunk === null) {
        chunk = '';
-      } else if (Buffer.isBuffer(chunk)) {
+      } else if (ArrayBuffer.isView(chunk)) {
        if (!this.get('Content-Type')) {
          this.type('bin');
        }
@@ -134,40 +157,39 @@ res.send = function send(body) {
      break;
  }

-  // write strings in utf-8
-  if (typeof chunk === 'string') {
-    encoding = 'utf8';
-    type = this.get('Content-Type');
-
-    // reflect this in content-type
-    if (typeof type === 'string') {
-      this.set('Content-Type', setCharset(type, 'utf-8'));
-    }
-  }
+  // determine if ETag should be generated
+  var etagFn = app.get('etag fn')
+  var generateETag = !this.get('ETag') && typeof etagFn === 'function'

  // populate Content-Length
+  var len
  if (chunk !== undefined) {
-    if (!Buffer.isBuffer(chunk)) {
-      // convert chunk to Buffer; saves later double conversions
-      chunk = new Buffer(chunk, encoding);
+    if (Buffer.isBuffer(chunk)) {
+      // get length of Buffer
+      len = chunk.length
+    } else if (!generateETag && chunk.length < 1000) {
+      // just calculate length when no ETag + small chunk
+      len = Buffer.byteLength(chunk, encoding)
+    } else {
+      // convert chunk to Buffer and calculate
+      chunk = Buffer.from(chunk, encoding)
      encoding = undefined;
+      len = chunk.length
    }

-    len = chunk.length;
    this.set('Content-Length', len);
  }

  // populate ETag
  var etag;
-  var generateETag = len !== undefined && app.get('etag fn');
-  if (typeof generateETag === 'function' && !this.get('ETag')) {
-    if ((etag = generateETag(chunk, encoding))) {
+  if (generateETag && len !== undefined) {
+    if ((etag = etagFn(chunk, encoding))) {
      this.set('ETag', etag);
    }
  }

  // freshness
-  if (req.fresh) this.statusCode = 304;
+  if (req.fresh) this.status(304);

  // strip irrelevant headers
  if (204 === this.statusCode || 304 === this.statusCode) {
@@ -177,6 +199,13 @@ res.send = function send(body) {
    chunk = '';
  }

+  // alter headers for 205
+  if (this.statusCode === 205) {
+    this.set('Content-Length', '0')
+    this.removeHeader('Transfer-Encoding')
+    chunk = ''
+  }
+
  if (req.method === 'HEAD') {
    // skip body for HEAD
    this.end();
@@ -203,9 +232,10 @@ res.send = function send(body) {
 res.json = function json(obj) {
  // settings
  var app = this.app;
+  var escape = app.get('json escape')
  var replacer = app.get('json replacer');
  var spaces = app.get('json spaces');
-  var body = stringify(obj, replacer, spaces);
+  var body = stringify(obj, replacer, spaces, escape)

  // content-type
  if (!this.get('Content-Type')) {
@@ -230,9 +260,10 @@ res.json = function json(obj) {
 res.jsonp = function jsonp(obj) {
  // settings
  var app = this.app;
+  var escape = app.get('json escape')
  var replacer = app.get('json replacer');
  var spaces = app.get('json spaces');
-  var body = stringify(obj, replacer, spaces);
+  var body = stringify(obj, replacer, spaces, escape)
  var callback = this.req.query[app.get('jsonp callback name')];

  // content-type
@@ -248,17 +279,21 @@ res.jsonp = function jsonp(obj) {

  // jsonp
  if (typeof callback === 'string' && callback.length !== 0) {
-    this.charset = 'utf-8';
    this.set('X-Content-Type-Options', 'nosniff');
    this.set('Content-Type', 'text/javascript');

    // restrict callback charset
    callback = callback.replace(/[^\[\]\w$.]/g, '');

-    // replace chars not allowed in JavaScript that are in JSON
-    body = body
-      .replace(/\u2028/g, '\\u2028')
-      .replace(/\u2029/g, '\\u2029');
+    if (body === undefined) {
+      // empty argument
+      body = ''
+    } else if (typeof body === 'string') {
+      // replace chars not allowed in JavaScript that are in JSON
+      body = body
+        .replace(/\u2028/g, '\\u2028')
+        .replace(/\u2029/g, '\\u2029')
+    }

    // the /**/ is a specific security mitigation for "Rosetta Flash JSONP abuse"
    // the typeof check is just to reduce client error noise
@@ -284,9 +319,9 @@ res.jsonp = function jsonp(obj) {
 */

 res.sendStatus = function sendStatus(statusCode) {
-  var body = statuses[statusCode] || String(statusCode)
+  var body = statuses.message[statusCode] || String(statusCode)

-  this.statusCode = statusCode;
+  this.status(statusCode);
  this.type('txt');

  return this.send(body);
@@ -297,7 +332,7 @@ res.sendStatus = function sendStatus(statusCode) {
 *
 * Automatically sets the _Content-Type_ response header field.
 * The callback `callback(err)` is invoked when the transfer is complete
- * or when an error occurs. Be sure to check `res.sentHeader`
+ * or when an error occurs. Be sure to check `res.headersSent`
 * if you wish to attempt responding, as the header and some data
 * may have already been transferred.
 *
@@ -344,6 +379,10 @@ res.sendFile = function sendFile(path, options, callback) {
    throw new TypeError('path argument is required to res.sendFile');
  }

+  if (typeof path !== 'string') {
+    throw new TypeError('path must be a string to res.sendFile')
+  }
+
  // support function as second arg
  if (typeof options === 'function') {
    done = options;
@@ -356,6 +395,9 @@ res.sendFile = function sendFile(path, options, callback) {

  // create file stream
  var pathname = encodeURI(path);
+
+  // wire application etag option to send
+  opts.etag = this.app.enabled('etag');
  var file = send(req, pathname, opts);

  // transfer
@@ -376,21 +418,38 @@ res.sendFile = function sendFile(path, options, callback) {
 * Optionally providing an alternate attachment `filename`,
 * and optional callback `callback(err)`. The callback is invoked
 * when the data transfer is complete, or when an error has
- * ocurred. Be sure to check `res.headersSent` if you plan to respond.
+ * occurred. Be sure to check `res.headersSent` if you plan to respond.
+ *
+ * Optionally providing an `options` object to use with `res.sendFile()`.
+ * This function will set the `Content-Disposition` header, overriding
+ * any `Content-Disposition` header passed as header options in order
+ * to set the attachment and filename.
 *
 * This method uses `res.sendFile()`.
 *
 * @public
 */

-res.download = function download(path, filename, callback) {
+res.download = function download (path, filename, options, callback) {
  var done = callback;
  var name = filename;
+  var opts = options || null

-  // support function as second arg
+  // support function as second or third arg
  if (typeof filename === 'function') {
    done = filename;
    name = null;
+    opts = null
+  } else if (typeof options === 'function') {
+    done = options
+    opts = null
+  }
+
+  // support optional filename, where options may be in it's place
+  if (typeof filename === 'object' &&
+    (typeof options === 'function' || options === undefined)) {
+    name = null
+    opts = filename
  }

  // set Content-Disposition when file is sent
@@ -398,15 +457,35 @@ res.download = function download(path, filename, callback) {
    'Content-Disposition': contentDisposition(name || path)
  };

-  // Resolve the full path for sendFile
-  var fullPath = resolve(path);
+  // merge user-provided headers
+  if (opts && opts.headers) {
+    var keys = Object.keys(opts.headers)
+    for (var i = 0; i < keys.length; i++) {
+      var key = keys[i]
+      if (key.toLowerCase() !== 'content-disposition') {
+        headers[key] = opts.headers[key]
+      }
+    }
+  }

-  return this.sendFile(fullPath, { headers: headers }, done);
+  // merge user-provided options
+  opts = Object.create(opts)
+  opts.headers = headers
+
+  // Resolve the full path for sendFile
+  var fullPath = !opts.root
+    ? resolve(path)
+    : path
+
+  // send file
+  return this.sendFile(fullPath, opts, done)
 };

 /**
- * Set _Content-Type_ response header with `type` through `mime.lookup()`
+ * Set _Content-Type_ response header with `type` through `mime.contentType()`
 * when it does not contain "/", or set the Content-Type to `type` otherwise.
+ * When no mapping is found though `mime.contentType()`, the type is set to
+ * "application/octet-stream".
 *
 * Examples:
 *
@@ -424,7 +503,7 @@ res.download = function download(path, filename, callback) {
 res.contentType =
 res.type = function contentType(type) {
  var ct = type.indexOf('/') === -1
-    ? mime.lookup(type)
+    ? (mime.contentType(type) || 'application/octet-stream')
    : type;

  return this.set('Content-Type', ct);
@@ -454,7 +533,7 @@ res.type = function contentType(type) {
 *        res.send('<p>hey</p>');
 *      },
 *
- *      'appliation/json': function(){
+ *      'application/json': function () {
 *        res.send({ message: 'hey' });
 *      }
 *    });
@@ -491,9 +570,8 @@ res.format = function(obj){
  var req = this.req;
  var next = req.next;

-  var fn = obj.default;
-  if (fn) delete obj.default;
-  var keys = Object.keys(obj);
+  var keys = Object.keys(obj)
+    .filter(function (v) { return v !== 'default' })

  var key = keys.length > 0
    ? req.accepts(keys)
@@ -504,13 +582,12 @@ res.format = function(obj){
  if (key) {
    this.set('Content-Type', normalizeType(key).value);
    obj[key](req, this, next);
-  } else if (fn) {
-    fn();
+  } else if (obj.default) {
+    obj.default(req, this, next)
  } else {
-    var err = new Error('Not Acceptable');
-    err.status = err.statusCode = 406;
-    err.types = normalizeTypes(keys).map(function(o){ return o.value });
-    next(err);
+    next(createError(406, {
+      types: normalizeTypes(keys).map(function (o) { return o.value })
+    }))
  }

  return this;
@@ -557,7 +634,7 @@ res.append = function append(field, val) {
    // concat the new and prev vals
    value = Array.isArray(prev) ? prev.concat(val)
      : Array.isArray(val) ? [prev].concat(val)
-      : [prev, val];
+        : [prev, val]
  }

  return this.set(field, value);
@@ -575,6 +652,9 @@ res.append = function append(field, val) {
 *
 * Aliased as `res.header()`.
 *
+ * When the set header is "Content-Type", the type is expanded to include
+ * the charset if not present using `mime.contentType()`.
+ *
 * @param {String|Object} field
 * @param {String|Array} val
 * @return {ServerResponse} for chaining
@@ -593,10 +673,7 @@ res.header = function header(field, val) {
      if (Array.isArray(value)) {
        throw new TypeError('Content-Type cannot be set to an Array');
      }
-      if (!charsetRegExp.test(value)) {
-        var charset = mime.charsets.lookup(value.split(';')[0]);
-        if (charset) value += '; charset=' + charset.toLowerCase();
-      }
+      value = mime.contentType(value)
    }

    this.setHeader(field, value);
@@ -630,7 +707,10 @@ res.get = function(field){
 */

 res.clearCookie = function clearCookie(name, options) {
-  var opts = merge({ expires: new Date(1), path: '/' }, options);
+  // Force cookie expiration by setting expires to the past
+  const opts = { path: '/', ...options, expires: new Date(1)};
+  // ensure maxAge is not passed
+  delete opts.maxAge

  return this.cookie(name, '', opts);
 };
@@ -649,7 +729,7 @@ res.clearCookie = function clearCookie(name, options) {
 *    // "Remember Me" for 15 minutes
 *    res.cookie('rememberme', '1', { expires: new Date(Date.now() + 900000), httpOnly: true });
 *
- *    // save as above
+ *    // same as above
 *    res.cookie('rememberme', '1', { maxAge: 900000, httpOnly: true })
 *
 * @param {String} name
@@ -660,7 +740,7 @@ res.clearCookie = function clearCookie(name, options) {
 */

 res.cookie = function (name, value, options) {
-  var opts = merge({}, options);
+  var opts = { ...options };
  var secret = this.req.secret;
  var signed = opts.signed;

@@ -676,9 +756,13 @@ res.cookie = function (name, value, options) {
    val = 's:' + sign(val, secret);
  }

-  if ('maxAge' in opts) {
-    opts.expires = new Date(Date.now() + opts.maxAge);
-    opts.maxAge /= 1000;
+  if (opts.maxAge != null) {
+    var maxAge = opts.maxAge - 0
+
+    if (!isNaN(maxAge)) {
+      opts.expires = new Date(Date.now() + maxAge)
+      opts.maxAge = Math.floor(maxAge / 1000)
+    }
  }

  if (opts.path == null) {
@@ -708,25 +792,13 @@ res.cookie = function (name, value, options) {
 */

 res.location = function location(url) {
-  var loc = url;
-
-  // "back" is an alias for the referrer
-  if (url === 'back') {
-    loc = this.req.get('Referrer') || '/';
-  }
-
-  // set location
-  return this.set('Location', encodeUrl(loc));
+  return this.set('Location', encodeUrl(url));
 };

 /**
 * Redirect to the given `url` with optional response `status`
 * defaulting to 302.
 *
- * The resulting `url` is determined by `res.location()`, so
- * it will play nicely with mounted apps, relative paths,
- * `"back"` etc.
- *
 * Examples:
 *
 *    res.redirect('/foo/bar');
@@ -748,18 +820,31 @@ res.redirect = function redirect(url) {
    address = arguments[1]
  }

+  if (!address) {
+    deprecate('Provide a url argument');
+  }
+
+  if (typeof address !== 'string') {
+    deprecate('Url must be a string');
+  }
+
+  if (typeof status !== 'number') {
+    deprecate('Status must be a number');
+  }
+
  // Set location header
  address = this.location(address).get('Location');

  // Support text/{plain,html} by default
  this.format({
    text: function(){
-      body = statuses[status] + '. Redirecting to ' + address
+      body = statuses.message[status] + '. Redirecting to ' + address
    },

    html: function(){
      var u = escapeHtml(address);
-      body = '<p>' + statuses[status] + '. Redirecting to <a href="' + u + '">' + u + '</a></p>'
+      body = '<!DOCTYPE html><head><title>' + statuses.message[status] + '</title></head>'
+       + '<body><p>' + statuses.message[status] + '. Redirecting to ' + u + '</p></body>'
    },

    default: function(){
@@ -768,7 +853,7 @@ res.redirect = function redirect(url) {
  });

  // Respond
-  this.statusCode = status;
+  this.status(status);
  this.set('Content-Length', Buffer.byteLength(body));

  if (this.req.method === 'HEAD') {
@@ -924,14 +1009,39 @@ function sendfile(res, file, options, callback) {
 }

 /**
- * Stringify JSON, like JSON.stringify, but v8 optimized.
+ * Stringify JSON, like JSON.stringify, but v8 optimized, with the
+ * ability to escape characters that can trigger HTML sniffing.
+ *
+ * @param {*} value
+ * @param {function} replacer
+ * @param {number} spaces
+ * @param {boolean} escape
+ * @returns {string}
 * @private
 */

-function stringify(value, replacer, spaces) {
+function stringify (value, replacer, spaces, escape) {
  // v8 checks arguments.length for optimizing simple call
  // https://bugs.chromium.org/p/v8/issues/detail?id=4730
-  return replacer || spaces
+  var json = replacer || spaces
    ? JSON.stringify(value, replacer, spaces)
    : JSON.stringify(value);
+
+  if (escape && typeof json === 'string') {
+    json = json.replace(/[<>&]/g, function (c) {
+      switch (c.charCodeAt(0)) {
+        case 0x3c:
+          return '\\u003c'
+        case 0x3e:
+          return '\\u003e'
+        case 0x26:
+          return '\\u0026'
+        /* istanbul ignore next: unreachable default */
+        default:
+          return c
+      }
+    })
+  }
+
+  return json
 }
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -12,12 +12,21 @@
 * @api private
 */

-var mime = require('send').mime;
+var { METHODS } = require('node:http');
 var contentType = require('content-type');
 var etag = require('etag');
+var mime = require('mime-types')
 var proxyaddr = require('proxy-addr');
 var qs = require('qs');
-var querystring = require('querystring');
+var querystring = require('node:querystring');
+const { Buffer } = require('node:buffer');
+
+
+/**
+ * A list of lowercased HTTP methods that are supported by Node.js.
+ * @api private
+ */
+exports.methods = METHODS.map((method) => method.toLowerCase());

 /**
 * Return strong ETag for `body`.
@@ -28,13 +37,7 @@ var querystring = require('querystring');
 * @api private
 */

-exports.etag = function (body, encoding) {
-  var buf = !Buffer.isBuffer(body)
-    ? new Buffer(body, encoding)
-    : body;
-
-  return etag(buf, {weak: false});
-};
+exports.etag = createETagGenerator({ weak: false })

 /**
 * Return weak ETag for `body`.
@@ -45,13 +48,7 @@ exports.etag = function (body, encoding) {
 * @api private
 */

-exports.wetag = function wetag(body, encoding){
-  var buf = !Buffer.isBuffer(body)
-    ? new Buffer(body, encoding)
-    : body;
-
-  return etag(buf, {weak: true});
-};
+exports.wetag = createETagGenerator({ weak: true })

 /**
 * Normalize the given `type`, for example "html" becomes "text/html".
@@ -64,7 +61,7 @@ exports.wetag = function wetag(body, encoding){
 exports.normalizeType = function(type){
  return ~type.indexOf('/')
    ? acceptParams(type)
-    : { value: mime.lookup(type), params: {} };
+    : { value: (mime.lookup(type) || 'application/octet-stream'), params: {} }
 };

 /**
@@ -75,37 +72,48 @@ exports.normalizeType = function(type){
 * @api private
 */

-exports.normalizeTypes = function(types){
-  var ret = [];
-
-  for (var i = 0; i < types.length; ++i) {
-    ret.push(exports.normalizeType(types[i]));
-  }
-
-  return ret;
+exports.normalizeTypes = function(types) {
+  return types.map(exports.normalizeType);
 };

+
 /**
 * Parse accept params `str` returning an
 * object with `.value`, `.quality` and `.params`.
- * also includes `.originalIndex` for stable sorting
 *
 * @param {String} str
 * @return {Object}
 * @api private
 */

-function acceptParams(str, index) {
-  var parts = str.split(/ *; */);
-  var ret = { value: parts[0], quality: 1, params: {}, originalIndex: index };
+function acceptParams (str) {
+  var length = str.length;
+  var colonIndex = str.indexOf(';');
+  var index = colonIndex === -1 ? length : colonIndex;
+  var ret = { value: str.slice(0, index).trim(), quality: 1, params: {} };

-  for (var i = 1; i < parts.length; ++i) {
-    var pms = parts[i].split(/ *= */);
-    if ('q' === pms[0]) {
-      ret.quality = parseFloat(pms[1]);
-    } else {
-      ret.params[pms[0]] = pms[1];
+  while (index < length) {
+    var splitIndex = str.indexOf('=', index);
+    if (splitIndex === -1) break;
+
+    var colonIndex = str.indexOf(';', index);
+    var endIndex = colonIndex === -1 ? length : colonIndex;
+
+    if (splitIndex > endIndex) {
+      index = str.lastIndexOf(';', splitIndex - 1) + 1;
+      continue;
    }
+
+    var key = str.slice(index, splitIndex).trim();
+    var value = str.slice(splitIndex + 1, endIndex).trim();
+
+    if (key === 'q') {
+      ret.quality = parseFloat(value);
+    } else {
+      ret.params[key] = value;
+    }
+
+    index = endIndex + 1;
  }

  return ret;
@@ -128,6 +136,7 @@ exports.compileETag = function(val) {

  switch (val) {
    case true:
+    case 'weak':
      fn = exports.wetag;
      break;
    case false:
@@ -135,9 +144,6 @@ exports.compileETag = function(val) {
    case 'strong':
      fn = exports.etag;
      break;
-    case 'weak':
-      fn = exports.wetag;
-      break;
    default:
      throw new TypeError('unknown value for etag function: ' + val);
  }
@@ -162,6 +168,7 @@ exports.compileQueryParser = function compileQueryParser(val) {

  switch (val) {
    case true:
+    case 'simple':
      fn = querystring.parse;
      break;
    case false:
@@ -169,9 +176,6 @@ exports.compileQueryParser = function compileQueryParser(val) {
    case 'extended':
      fn = parseExtendedQueryString;
      break;
-    case 'simple':
-      fn = querystring.parse;
-      break;
    default:
      throw new TypeError('unknown value for query parser function: ' + val);
  }
@@ -202,7 +206,8 @@ exports.compileTrust = function(val) {

  if (typeof val === 'string') {
    // Support comma-separated values
-    val = val.split(/ *, */);
+    val = val.split(',')
+      .map(function (v) { return v.trim() })
  }

  return proxyaddr.compile(val || []);
@@ -232,9 +237,29 @@ exports.setCharset = function setCharset(type, charset) {
  return contentType.format(parsed);
 };

+/**
+ * Create an ETag generator function, generating ETags with
+ * the given options.
+ *
+ * @param {object} options
+ * @return {function}
+ * @private
+ */
+
+function createETagGenerator (options) {
+  return function generateETag (body, encoding) {
+    var buf = !Buffer.isBuffer(body)
+      ? Buffer.from(body, encoding)
+      : body
+
+    return etag(buf, options)
+  }
+}
+
 /**
 * Parse an extended query string with qs.
 *
+ * @param {String} str
 * @return {Object}
 * @private
 */
--- a/lib/view.js
+++ b/lib/view.js
@@ -14,8 +14,8 @@
 */

 var debug = require('debug')('express:view');
-var path = require('path');
-var fs = require('fs');
+var path = require('node:path');
+var fs = require('node:fs');

 /**
 * Module variables.
@@ -74,9 +74,17 @@ function View(name, options) {

  if (!opts.engines[this.ext]) {
    // load engine
-    var mod = this.ext.substr(1)
+    var mod = this.ext.slice(1)
    debug('require "%s"', mod)
-    opts.engines[this.ext] = require(mod).__express
+
+    // default engine export
+    var fn = require(mod).__express
+
+    if (typeof fn !== 'function') {
+      throw new Error('Module "' + mod + '" does not provide a view engine.')
+    }
+
+    opts.engines[this.ext] = fn
  }

  // store loaded engine
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
  "name": "express",
  "description": "Fast, unopinionated, minimalist web framework",
-  "version": "5.0.0-alpha.6",
+  "version": "5.2.1",
  "author": "TJ Holowaychuk <tj@vision-media.ca>",
  "contributors": [
    "Aaron Heckmann <aaron.heckmann+github@gmail.com>",
@@ -14,12 +14,17 @@
  ],
  "license": "MIT",
  "repository": "expressjs/express",
-  "homepage": "http://expressjs.com/",
+  "homepage": "https://expressjs.com/",
+  "funding": {
+    "type": "opencollective",
+    "url": "https://opencollective.com/express"
+  },
  "keywords": [
    "express",
    "framework",
    "sinatra",
    "web",
+    "http",
    "rest",
    "restful",
    "router",
@@ -27,73 +32,68 @@
    "api"
  ],
  "dependencies": {
-    "accepts": "~1.3.3",
-    "array-flatten": "2.1.1",
-    "content-disposition": "0.5.2",
-    "content-type": "~1.0.2",
-    "cookie": "0.3.1",
-    "cookie-signature": "1.0.6",
-    "debug": "2.6.9",
-    "depd": "~1.1.1",
-    "encodeurl": "~1.0.1",
-    "escape-html": "~1.0.3",
-    "etag": "~1.8.0",
-    "finalhandler": "~1.0.6",
-    "fresh": "0.5.2",
-    "merge-descriptors": "1.0.1",
-    "methods": "~1.1.2",
-    "on-finished": "~2.3.0",
-    "parseurl": "~1.3.1",
-    "path-is-absolute": "1.0.1",
-    "path-to-regexp": "0.1.7",
-    "proxy-addr": "~1.1.5",
-    "qs": "6.5.0",
-    "range-parser": "~1.2.0",
-    "router": "~1.3.1",
-    "send": "0.15.6",
-    "serve-static": "1.12.6",
-    "setprototypeof": "1.0.3",
-    "statuses": "~1.3.1",
-    "type-is": "~1.6.15",
-    "utils-merge": "1.0.0",
-    "vary": "~1.1.1"
+    "accepts": "^2.0.0",
+    "body-parser": "^2.2.1",
+    "content-disposition": "^1.0.0",
+    "content-type": "^1.0.5",
+    "cookie": "^0.7.1",
+    "cookie-signature": "^1.2.1",
+    "debug": "^4.4.0",
+    "depd": "^2.0.0",
+    "encodeurl": "^2.0.0",
+    "escape-html": "^1.0.3",
+    "etag": "^1.8.1",
+    "finalhandler": "^2.1.0",
+    "fresh": "^2.0.0",
+    "http-errors": "^2.0.0",
+    "merge-descriptors": "^2.0.0",
+    "mime-types": "^3.0.0",
+    "on-finished": "^2.4.1",
+    "once": "^1.4.0",
+    "parseurl": "^1.3.3",
+    "proxy-addr": "^2.0.7",
+    "qs": "^6.14.2",
+    "range-parser": "^1.2.1",
+    "router": "^2.2.0",
+    "send": "^1.1.0",
+    "serve-static": "^2.2.0",
+    "statuses": "^2.0.1",
+    "type-is": "^2.0.1",
+    "vary": "^1.1.2"
  },
  "devDependencies": {
    "after": "0.8.2",
-    "body-parser": "1.18.1",
-    "cookie-parser": "~1.4.3",
-    "cookie-session": "1.3.1",
-    "ejs": "2.5.7",
-    "eslint": "2.13.1",
-    "express-session": "1.15.5",
-    "hbs": "4.0.1",
-    "istanbul": "0.4.5",
-    "marked": "0.3.6",
-    "method-override": "2.3.9",
-    "mocha": "3.5.3",
-    "morgan": "1.8.2",
-    "multiparty": "4.1.3",
+    "connect-redis": "^8.0.1",
+    "cookie-parser": "1.4.7",
+    "cookie-session": "2.1.1",
+    "ejs": "^3.1.10",
+    "eslint": "8.47.0",
+    "express-session": "^1.18.1",
+    "hbs": "4.2.0",
+    "marked": "^15.0.3",
+    "method-override": "3.0.0",
+    "mocha": "^10.7.3",
+    "morgan": "1.10.1",
+    "nyc": "^17.1.0",
    "pbkdf2-password": "1.2.1",
-    "should": "13.1.0",
-    "supertest": "1.2.0",
-    "connect-redis": "~2.4.1",
+    "supertest": "^6.3.0",
    "vhost": "~3.0.2"
  },
  "engines": {
-    "node": ">= 0.10.0"
+    "node": ">= 18"
  },
  "files": [
    "LICENSE",
-    "History.md",
    "Readme.md",
    "index.js",
    "lib/"
  ],
  "scripts": {
    "lint": "eslint .",
-    "test": "mocha --require test/support/env --reporter spec --bail --check-leaks test/ test/acceptance/",
-    "test-ci": "istanbul cover node_modules/mocha/bin/_mocha --report lcovonly -- --require test/support/env --reporter spec --check-leaks test/ test/acceptance/",
-    "test-cov": "istanbul cover node_modules/mocha/bin/_mocha -- --require test/support/env --reporter dot --check-leaks test/ test/acceptance/",
+    "lint:fix": "eslint . --fix",
+    "test": "mocha --require test/support/env --reporter spec --check-leaks test/ test/acceptance/",
+    "test-ci": "nyc --exclude examples --exclude test --exclude benchmarks --reporter=lcovonly --reporter=text npm test",
+    "test-cov": "nyc --exclude examples --exclude test --exclude benchmarks --reporter=html --reporter=text npm test",
    "test-tap": "mocha --require test/support/env --reporter tap --check-leaks test/ test/acceptance/"
  }
 }
--- a/Show More
+++ b/Show More