{"id":14417,"library":"alemmi","title":"Express.js Web Framework","description":"Express.js is a minimalist, unopinionated, and flexible Node.js web application framework, designed for building robust APIs and web applications. It provides a thin layer of fundamental web application features atop Node.js's built-in HTTP module, emphasizing speed and extensibility through its middleware-centric architecture. The current stable release is v5.2.1, with the v5 branch representing a major overhaul focused on simplifying the codebase and improving security. The v4.x branch (currently v4.22.1) is also actively maintained, primarily for security patches and critical bug fixes, serving projects that haven't yet migrated to v5. Its unopinionated nature contrasts with more prescriptive frameworks, offering maximum flexibility in project structure and choice of components, allowing developers to easily extend functionality for tasks like routing, parsing request bodies, handling sessions, and serving static files.","status":"active","version":"45.0.0","language":"javascript","source_language":"en","source_url":"https://github.com/expressjs/express","tags":["javascript","express","framework","sinatra","web","http","rest","restful","router"],"install":[{"cmd":"npm install alemmi","lang":"bash","label":"npm"},{"cmd":"yarn add alemmi","lang":"bash","label":"yarn"},{"cmd":"pnpm add alemmi","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The `express` module exports its primary application factory as a default export, which is the function used to create an application instance. Named imports for the `express` function itself are incorrect.","wrong":"import { express } from 'express';","symbol":"express","correct":"import express from 'express';"},{"note":"For TypeScript projects, these types are essential for correctly typing middleware and route handler parameters. 
Using `import type` is the recommended practice for importing only type definitions to prevent potential bundling issues or runtime errors in environments that don't fully support type-only imports as values.","wrong":"import { Request, Response, NextFunction } from 'express';","symbol":"Request, Response, NextFunction","correct":"import type { Request, Response, NextFunction } from 'express';"},{"note":"Built-in middleware functions like `json()` (for parsing JSON request bodies) and `static()` (for serving static files) are properties of the default `express` export. They should be accessed via the imported `express` object, not as top-level named imports.","wrong":"import { json } from 'express';","symbol":"express.json(), express.static()","correct":"import express from 'express'; const app = express(); app.use(express.json());"}],"quickstart":{"code":"import express from 'express';\nimport type { Request, Response, NextFunction } from 'express';\n\nconst app = express();\nconst port = 3000;\n\n// Middleware to parse JSON bodies\napp.use(express.json());\n\n// A simple logger middleware\napp.use((req: Request, res: Response, next: NextFunction) => {\n  console.log(`${req.method} ${req.url} at ${new Date().toISOString()}`);\n  next();\n});\n\n// Define a GET route\napp.get('/', (req: Request, res: Response) => {\n  res.send('Hello from Express v5!');\n});\n\n// Define a POST route with a request body\napp.post('/data', (req: Request, res: Response) => {\n  if (req.body && typeof req.body === 'object' && 'message' in req.body) {\n    res.json({ received: req.body.message, status: 'success' });\n  } else {\n    res.status(400).json({ error: 'Message not found in request body.' 
});\n  }\n});\n\n// Error handling middleware (should be last)\napp.use((err: Error, req: Request, res: Response, next: NextFunction) => {\n  console.error(err.stack);\n  res.status(500).send('Something broke!');\n});\n\napp.listen(port, () => {\n  console.log(`Express server listening on http://localhost:${port}`);\n});","lang":"typescript","description":"This quickstart demonstrates a basic Express.js server using TypeScript and ES modules. It includes JSON body parsing middleware, a custom logging middleware, a GET route, a POST route handling JSON data, and a fundamental error handler, showcasing a typical setup for an Express application."},"warnings":[{"fix":"Review the official Express v5 release blog post (expressjs.com/2024/10/15/v5-release.html) and migration guides to understand specific changes and ensure your Node.js environment meets the new requirements before upgrading.","message":"Express v5.0.0 introduces significant breaking changes compared to v4.x, including dropped support for older Node.js versions, removal of some deprecated APIs, and simplifications to the codebase. Users migrating from Express 4.x should consult the official v5 release blog post and migration guide thoroughly before upgrading.","severity":"breaking","affected_versions":">=5.0.0"},{"fix":"Upgrade immediately to `5.2.1` or `4.22.1` (or newer) to avoid the unintended query parser behavior introduced in the prior patch. No security vulnerability was ultimately confirmed for this specific issue.","message":"Reverted breaking change in query parser: Versions `5.2.0` and `4.22.0` included an erroneous breaking change related to the extended query parser. This change, initially linked to `CVE-2024-51999` (later rejected), caused unexpected behavior for some applications. 
The change was fully reverted in the subsequent patch releases (`5.2.1` and `4.22.1`).","severity":"breaking","affected_versions":"5.2.0, 4.22.0"},{"fix":"Upgrade to Express `5.0.1` or `4.21.1` (or newer) to incorporate the security fix for `CVE-2024-47764` and ensure proper cookie handling.","message":"A security vulnerability, `CVE-2024-47764`, affecting the `cookie` dependency used by Express, relates to improper handling of cookie parsing. This could potentially lead to denial-of-service or other unexpected behaviors. Patches were released in Express `v5.0.1` and `v4.21.1`.","severity":"security","affected_versions":"<5.0.1, <4.21.1"},{"fix":"Replace `res.redirect('back')` with a specific URL or implement custom logic to determine the previous URL from request headers (e.g., `req.get('Referrer')`) for explicit and predictable redirects.","message":"The magic string `\"back\"` used in `res.redirect('back')` is deprecated since `v4.21.0` (and consequently in v5.x). While still functional for backward compatibility, its use is discouraged in favor of explicit URLs or more robust redirect handling mechanisms.","severity":"deprecated","affected_versions":">=4.21.0"},{"fix":"Always define global or route-specific middleware functions before the route handlers they are intended to process. Ensure error-handling middleware is defined last in the middleware chain.","message":"Middleware order is critical in Express. Middleware functions are executed in the sequence they are defined. If a middleware like `express.json()` or `express.static()` is placed after a route handler that it's meant to affect, it will not be executed for that request, leading to unexpected behavior (e.g., `req.body` being undefined).","severity":"gotcha","affected_versions":"*"},{"fix":"Wrap `async` route handlers and middleware in a `try...catch` block and call `next(error)` in the catch block to pass errors to the Express error handler. 
Alternatively, use a package like `express-async-errors` to automatically wrap and handle promise rejections.","message":"Asynchronous errors (unhandled promise rejections) in middleware or route handlers are not caught by default by Express's built-in error handling mechanism. If an `async` function throws an error without explicitly calling `next(err)`, the Node.js process may crash with an `UnhandledPromiseRejectionWarning`.","severity":"gotcha","affected_versions":"*"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Ensure the argument passed to `app.use()` or `router.use()` is a valid function (e.g., `express.json()`, `myCustomMiddleware`) or an array of middleware functions.","cause":"Attempting to use an object, an incorrectly imported value, or a non-function as middleware in `app.use()` or `router.use()`.","error":"TypeError: app.use() requires a middleware function but got a Object"},{"fix":"Define a route handler using `app.get()`, `app.post()`, `app.put()`, etc., for the specific path and method. If serving static files, ensure `express.static()` middleware is correctly configured and placed before other routes.","cause":"No route handler has been defined for the specific HTTP method (GET) and path (`/some-undefined-route`) that the client is requesting. This often results in a 404 Not Found response.","error":"Cannot GET /some-undefined-route"},{"fix":"For `async` middleware/routes, wrap the code in a `try...catch` block and call `next(error)` in the catch. Alternatively, use a dedicated library like `express-async-errors` to automatically catch promise rejections and pass them to your error handlers.","cause":"An asynchronous operation (typically a Promise) within a route or middleware rejected, and this rejection was not caught. 
The error was not passed to Express's error-handling middleware.","error":"(node:12345) UnhandledPromiseRejectionWarning: Error: Something went wrong"}],"ecosystem":"npm"}