From 8ee3420f0fa064fe8bd6476492cc928f1833f90e Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Sun, 20 Feb 2022 23:43:02 -0500
Subject: [PATCH 001/130] tests: fix req.acceptsEncodings tests

---
 test/req.acceptsEncodings.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/req.acceptsEncodings.js b/test/req.acceptsEncodings.js
index c36934290a..9f8973cdfb 100644
--- a/test/req.acceptsEncodings.js
+++ b/test/req.acceptsEncodings.js
@@ -10,8 +10,8 @@ describe('req', function(){
 
       app.get('/', function (req, res) {
         res.send({
-          gzip: req.acceptsEncoding('gzip'),
-          deflate: req.acceptsEncoding('deflate')
+          gzip: req.acceptsEncodings('gzip'),
+          deflate: req.acceptsEncodings('deflate')
         })
       })
 
@@ -26,7 +26,7 @@ describe('req', function(){
 
       app.get('/', function (req, res) {
         res.send({
-          bogus: req.acceptsEncoding('bogus')
+          bogus: req.acceptsEncodings('bogus')
         })
       })
 

From d8ed591117295f528c59d0f0367064ffde96d427 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Sun, 20 Feb 2022 23:49:42 -0500
Subject: [PATCH 002/130] tests: fix req.acceptsLanguage tests

---
 test/req.acceptsLanguage.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/test/req.acceptsLanguage.js b/test/req.acceptsLanguage.js
index 816be244eb..39bd73c483 100644
--- a/test/req.acceptsLanguage.js
+++ b/test/req.acceptsLanguage.js
@@ -10,8 +10,8 @@ describe('req', function(){
 
       app.get('/', function (req, res) {
         res.send({
-          'en-us': req.acceptsLanguages('en-us'),
-          en: req.acceptsLanguages('en')
+          'en-us': req.acceptsLanguage('en-us'),
+          en: req.acceptsLanguage('en')
         })
       })
 
@@ -26,7 +26,7 @@ describe('req', function(){
 
       app.get('/', function (req, res) {
         res.send({
-          es: req.acceptsLanguages('es')
+          es: req.acceptsLanguage('es')
         })
       })
 
@@ -42,9 +42,9 @@ describe('req', function(){
 
         app.get('/', function (req, res) {
           res.send({
-            en: req.acceptsLanguages('en'),
-            es: req.acceptsLanguages('es'),
-            jp: req.acceptsLanguages('jp')
+            en: req.acceptsLanguage('en'),
+            es: req.acceptsLanguage('es'),
+            jp: req.acceptsLanguage('jp')
           })
         })
 

From 7df0c840e07d17a2268a2ab18e6db7656b203b78 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 21 Feb 2022 19:07:26 -0500
Subject: [PATCH 003/130] tests: fix up app.locals tests

---
 test/app.locals.js | 32 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 18 deletions(-)

diff --git a/test/app.locals.js b/test/app.locals.js
index 88f83c9483..657b4b75c7 100644
--- a/test/app.locals.js
+++ b/test/app.locals.js
@@ -2,28 +2,24 @@
 
 var assert = require('assert')
 var express = require('../')
-var should = require('should')
 
 describe('app', function(){
-  describe('.locals(obj)', function(){
-    it('should merge locals', function(){
-      var app = express();
-      should(Object.keys(app.locals)).eql(['settings'])
-      app.locals.user = 'tobi';
-      app.locals.age = 2;
-      should(Object.keys(app.locals)).eql(['settings', 'user', 'age'])
-      assert.strictEqual(app.locals.user, 'tobi')
-      assert.strictEqual(app.locals.age, 2)
+  describe('.locals', function () {
+    it('should default object', function () {
+      var app = express()
+      assert.ok(app.locals)
+      assert.strictEqual(typeof app.locals, 'object')
     })
-  })
 
-  describe('.locals.settings', function(){
-    it('should expose app settings', function(){
-      var app = express();
-      app.set('title', 'House of Manny');
-      var obj = app.locals.settings;
-      should(obj).have.property('env', 'test')
-      should(obj).have.property('title', 'House of Manny')
+    describe('.settings', function () {
+      it('should contain app settings ', function () {
+        var app = express()
+        app.set('title', 'Express')
+        assert.ok(app.locals.settings)
+        assert.strictEqual(typeof app.locals.settings, 'object')
+        assert.strictEqual(app.locals.settings, app.settings)
+        assert.strictEqual(app.locals.settings.title, 'Express')
+      })
     })
   })
 })

From 9967ffbdc2b90fd651e2a687fabc0d53a1065f82 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 21 Feb 2022 19:23:25 -0500
Subject: [PATCH 004/130] tests: update res.append to verify separate header
 lines

---
 test/res.append.js | 71 ++++++++++++++++++++++++++--------------------
 1 file changed, 41 insertions(+), 30 deletions(-)

diff --git a/test/res.append.js b/test/res.append.js
index 5b12e35b69..8f72598bf5 100644
--- a/test/res.append.js
+++ b/test/res.append.js
@@ -1,31 +1,29 @@
 'use strict'
 
+var assert = require('assert')
 var express = require('..')
 var request = require('supertest')
-var should = require('should')
 
 describe('res', function () {
-  // note about these tests: "Link" and "X-*" are chosen because
-  // the common node.js versions white list which _incoming_
-  // headers can appear multiple times; there is no such white list
-  // for outgoing, though
   describe('.append(field, val)', function () {
     it('should append multiple headers', function (done) {
       var app = express()
 
       app.use(function (req, res, next) {
-        res.append('Link', '<http://localhost/>')
+        res.append('Set-Cookie', 'foo=bar')
         next()
       })
 
       app.use(function (req, res) {
-        res.append('Link', '<http://localhost:80/>')
+        res.append('Set-Cookie', 'fizz=buzz')
         res.end()
       })
 
       request(app)
-      .get('/')
-      .expect('Link', '<http://localhost/>, <http://localhost:80/>', done)
+        .get('/')
+        .expect(200)
+        .expect(shouldHaveHeaderValues('Set-Cookie', ['foo=bar', 'fizz=buzz']))
+        .end(done)
     })
 
     it('should accept array of values', function (done) {
@@ -37,51 +35,54 @@ describe('res', function () {
       })
 
       request(app)
-      .get('/')
-      .expect(function (res) {
-        should(res.headers['set-cookie']).eql(['foo=bar', 'fizz=buzz'])
-      })
-      .expect(200, done)
+        .get('/')
+        .expect(200)
+        .expect(shouldHaveHeaderValues('Set-Cookie', ['foo=bar', 'fizz=buzz']))
+        .end(done)
     })
 
     it('should get reset by res.set(field, val)', function (done) {
       var app = express()
 
       app.use(function (req, res, next) {
-        res.append('Link', '<http://localhost/>')
-        res.append('Link', '<http://localhost:80/>')
+        res.append('Set-Cookie', 'foo=bar')
+        res.append('Set-Cookie', 'fizz=buzz')
         next()
       })
 
       app.use(function (req, res) {
-        res.set('Link', '<http://127.0.0.1/>')
+        res.set('Set-Cookie', 'pet=tobi')
         res.end()
       });
 
       request(app)
-      .get('/')
-      .expect('Link', '<http://127.0.0.1/>', done)
+        .get('/')
+        .expect(200)
+        .expect(shouldHaveHeaderValues('Set-Cookie', ['pet=tobi']))
+        .end(done)
     })
 
     it('should work with res.set(field, val) first', function (done) {
       var app = express()
 
       app.use(function (req, res, next) {
-        res.set('Link', '<http://localhost/>')
+        res.set('Set-Cookie', 'foo=bar')
         next()
       })
 
       app.use(function(req, res){
-        res.append('Link', '<http://localhost:80/>')
+        res.append('Set-Cookie', 'fizz=buzz')
         res.end()
       })
 
       request(app)
-      .get('/')
-      .expect('Link', '<http://localhost/>, <http://localhost:80/>', done)
+        .get('/')
+        .expect(200)
+        .expect(shouldHaveHeaderValues('Set-Cookie', ['foo=bar', 'fizz=buzz']))
+        .end(done)
     })
 
-    it('should work with cookies', function (done) {
+    it('should work together with res.cookie', function (done) {
       var app = express()
 
       app.use(function (req, res, next) {
@@ -90,16 +91,26 @@ describe('res', function () {
       })
 
       app.use(function (req, res) {
-        res.append('Set-Cookie', 'bar=baz')
+        res.append('Set-Cookie', 'fizz=buzz')
         res.end()
       })
 
       request(app)
-      .get('/')
-      .expect(function (res) {
-        should(res.headers['set-cookie']).eql(['foo=bar; Path=/', 'bar=baz'])
-      })
-      .expect(200, done)
+        .get('/')
+        .expect(200)
+        .expect(shouldHaveHeaderValues('Set-Cookie', ['foo=bar; Path=/', 'fizz=buzz']))
+        .end(done)
     })
   })
 })
+
+function shouldHaveHeaderValues (key, values) {
+  return function (res) {
+    var headers = res.headers[key.toLowerCase()]
+    assert.ok(headers, 'should have header "' + key + '"')
+    assert.strictEqual(headers.length, values.length, 'should have ' + values.length + ' occurances of "' + key + '"')
+    for (var i = 0; i < values.length; i++) {
+      assert.strictEqual(headers[i], values[i])
+    }
+  }
+}

From bc5ca055094bb48dedbb4a4c828dbe5b2d450616 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 21 Feb 2022 19:54:52 -0500
Subject: [PATCH 005/130] tests: remove usage of should

---
 package.json         |  1 -
 test/Route.js        | 34 +++++++++++++++++-----------------
 test/exports.js      | 21 ++++++++++-----------
 test/mocha.opts      |  2 --
 test/res.sendFile.js | 23 ++++++++++-------------
 test/utils.js        | 12 +++++++++---
 6 files changed, 46 insertions(+), 47 deletions(-)
 delete mode 100644 test/mocha.opts

diff --git a/package.json b/package.json
index 2fb6ebaab0..61e91899e6 100644
--- a/package.json
+++ b/package.json
@@ -76,7 +76,6 @@
     "nyc": "15.1.0",
     "pbkdf2-password": "1.2.1",
     "resolve-path": "1.4.0",
-    "should": "13.2.3",
     "supertest": "6.2.2",
     "vhost": "~3.0.2"
   },
diff --git a/test/Route.js b/test/Route.js
index 005b4634e9..8e7ddbdbcc 100644
--- a/test/Route.js
+++ b/test/Route.js
@@ -1,7 +1,7 @@
 'use strict'
 
 var after = require('after');
-var should = require('should');
+var assert = require('assert')
 var express = require('../')
   , Route = express.Route
   , methods = require('methods')
@@ -25,7 +25,7 @@ describe('Route', function(){
 
       route.dispatch(req, {}, function (err) {
         if (err) return done(err);
-        should(req.called).be.ok()
+        assert.ok(req.called)
         done();
       });
     })
@@ -35,7 +35,7 @@ describe('Route', function(){
       var route = new Route('/foo');
       var cb = after(methods.length, function (err) {
         if (err) return done(err);
-        count.should.equal(methods.length);
+        assert.strictEqual(count, methods.length)
         done();
       });
 
@@ -66,7 +66,7 @@ describe('Route', function(){
 
       route.dispatch(req, {}, function (err) {
         if (err) return done(err);
-        req.count.should.equal(2);
+        assert.strictEqual(req.count, 2)
         done();
       });
     })
@@ -84,7 +84,7 @@ describe('Route', function(){
 
       route.dispatch(req, {}, function (err) {
         if (err) return done(err);
-        should(req.called).be.ok()
+        assert.ok(req.called)
         done();
       });
     })
@@ -104,7 +104,7 @@ describe('Route', function(){
 
       route.dispatch(req, {}, function (err) {
         if (err) return done(err);
-        should(req.called).be.true()
+        assert.ok(req.called)
         done();
       });
     })
@@ -130,7 +130,7 @@ describe('Route', function(){
 
       route.dispatch(req, {}, function (err) {
         if (err) return done(err);
-        req.order.should.equal('abc');
+        assert.strictEqual(req.order, 'abc')
         done();
       });
     })
@@ -156,9 +156,9 @@ describe('Route', function(){
       });
 
       route.dispatch(req, {}, function (err) {
-        should(err).be.ok()
-        should(err.message).equal('foobar');
-        req.order.should.equal('a');
+        assert.ok(err)
+        assert.strictEqual(err.message, 'foobar')
+        assert.strictEqual(req.order, 'a')
         done();
       });
     })
@@ -182,9 +182,9 @@ describe('Route', function(){
       });
 
       route.dispatch(req, {}, function (err) {
-        should(err).be.ok()
-        should(err.message).equal('foobar');
-        req.order.should.equal('a');
+        assert.ok(err)
+        assert.strictEqual(err.message, 'foobar')
+        assert.strictEqual(req.order, 'a')
         done();
       });
     });
@@ -208,7 +208,7 @@ describe('Route', function(){
 
       route.dispatch(req, {}, function (err) {
         if (err) return done(err);
-        should(req.message).equal('oops');
+        assert.strictEqual(req.message, 'oops')
         done();
       });
     });
@@ -222,8 +222,8 @@ describe('Route', function(){
       });
 
       route.dispatch(req, {}, function(err){
-        should(err).be.ok()
-        err.message.should.equal('boom!');
+        assert.ok(err)
+        assert.strictEqual(err.message, 'boom!')
         done();
       });
     });
@@ -234,7 +234,7 @@ describe('Route', function(){
 
       route.all(function(err, req, res, next){
         // this should not execute
-        true.should.be.false()
+        throw new Error('should not be called')
       });
 
       route.dispatch(req, {}, done);
diff --git a/test/exports.js b/test/exports.js
index 98d7936594..5ab0f885ce 100644
--- a/test/exports.js
+++ b/test/exports.js
@@ -3,11 +3,10 @@
 var assert = require('assert')
 var express = require('../');
 var request = require('supertest');
-var should = require('should');
 
 describe('exports', function(){
   it('should expose Router', function(){
-    express.Router.should.be.a.Function()
+    assert.strictEqual(typeof express.Router, 'function')
   })
 
   it('should expose json middleware', function () {
@@ -36,20 +35,23 @@ describe('exports', function(){
   })
 
   it('should expose the application prototype', function(){
-    express.application.set.should.be.a.Function()
+    assert.strictEqual(typeof express.application, 'object')
+    assert.strictEqual(typeof express.application.set, 'function')
   })
 
   it('should expose the request prototype', function(){
-    express.request.accepts.should.be.a.Function()
+    assert.strictEqual(typeof express.request, 'object')
+    assert.strictEqual(typeof express.request.accepts, 'function')
   })
 
   it('should expose the response prototype', function(){
-    express.response.send.should.be.a.Function()
+    assert.strictEqual(typeof express.response, 'object')
+    assert.strictEqual(typeof express.response.send, 'function')
   })
 
   it('should permit modifying the .application prototype', function(){
     express.application.foo = function(){ return 'bar'; };
-    express().foo().should.equal('bar');
+    assert.strictEqual(express().foo(), 'bar')
   })
 
   it('should permit modifying the .request prototype', function(done){
@@ -79,10 +81,7 @@ describe('exports', function(){
   })
 
   it('should throw on old middlewares', function(){
-    var error;
-    try { express.bodyParser; } catch (e) { error = e; }
-    should(error).have.property('message');
-    error.message.should.containEql('middleware');
-    error.message.should.containEql('bodyParser');
+    assert.throws(function () { express.bodyParser() }, /Error:.*middleware.*bodyParser/)
+    assert.throws(function () { express.limit() }, /Error:.*middleware.*limit/)
   })
 })
diff --git a/test/mocha.opts b/test/mocha.opts
deleted file mode 100644
index 1e065ec52d..0000000000
--- a/test/mocha.opts
+++ /dev/null
@@ -1,2 +0,0 @@
---require should
---slow 20
diff --git a/test/res.sendFile.js b/test/res.sendFile.js
index c7fc93a76d..c676fc41ee 100644
--- a/test/res.sendFile.js
+++ b/test/res.sendFile.js
@@ -7,7 +7,6 @@ var express = require('../')
   , assert = require('assert');
 var onFinished = require('on-finished');
 var path = require('path');
-var should = require('should');
 var fixtures = path.join(__dirname, 'fixtures');
 var utils = require('./support/utils');
 
@@ -359,15 +358,13 @@ describe('res', function(){
 
       app.use(function (req, res) {
         res.sendFile(path.resolve(fixtures, 'does-not-exist'), function (err) {
-          should(err).be.ok()
-          err.status.should.equal(404);
-          res.send('got it');
+          res.send(err ? 'got ' + err.status + ' error' : 'no error')
         });
       });
 
       request(app)
-      .get('/')
-      .expect(200, 'got it', done);
+        .get('/')
+        .expect(200, 'got 404 error', done)
     })
   })
 
@@ -539,7 +536,7 @@ describe('res', function(){
       app.use(function(req, res){
         res.sendfile('test/fixtures/user.html', function(err){
           assert(!res.headersSent);
-          req.socket.listeners('error').should.have.length(1); // node's original handler
+          assert.strictEqual(req.socket.listeners('error').length, 1) // node's original handler
           done();
         });
 
@@ -783,12 +780,12 @@ describe('res', function(){
         });
 
         request(app)
-        .get('/')
-        .end(function(err, res){
-          res.statusCode.should.equal(404);
-          calls.should.equal(1);
-          done();
-        });
+          .get('/')
+          .expect(404, function (err) {
+            if (err) return done(err)
+            assert.strictEqual(calls, 1)
+            done()
+          })
       })
 
       describe('with non-GET', function(){
diff --git a/test/utils.js b/test/utils.js
index f0cb3c3761..9a38ede656 100644
--- a/test/utils.js
+++ b/test/utils.js
@@ -2,7 +2,6 @@
 
 var assert = require('assert');
 var Buffer = require('safe-buffer').Buffer
-var should = require('should')
 var utils = require('../lib/utils');
 
 describe('utils.etag(body, encoding)', function(){
@@ -91,7 +90,14 @@ describe('utils.isAbsolute()', function(){
 describe('utils.flatten(arr)', function(){
   it('should flatten an array', function(){
     var arr = ['one', ['two', ['three', 'four'], 'five']];
-    should(utils.flatten(arr))
-      .eql(['one', 'two', 'three', 'four', 'five'])
+    var flat = utils.flatten(arr)
+
+    assert.strictEqual(flat.length, 5)
+    assert.strictEqual(flat[0], 'one')
+    assert.strictEqual(flat[1], 'two')
+    assert.strictEqual(flat[2], 'three')
+    assert.strictEqual(flat[3], 'four')
+    assert.strictEqual(flat[4], 'five')
+    assert.ok(flat.every(function (v) { return typeof v === 'string' }))
   })
 })

From 18f782bba97157ab2e0ab754b404388e524915fd Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Wed, 23 Feb 2022 00:18:36 -0500
Subject: [PATCH 006/130] tests: remove duplicate utils

---
 test/res.download.js | 36 ++++++++++--------------------------
 test/res.redirect.js | 33 +++++++++++++--------------------
 test/res.send.js     | 34 +++++++++-------------------------
 test/res.sendFile.js | 26 ++++++++------------------
 4 files changed, 40 insertions(+), 89 deletions(-)

diff --git a/test/res.download.js b/test/res.download.js
index ce0ee088ba..29a687a4fd 100644
--- a/test/res.download.js
+++ b/test/res.download.js
@@ -1,10 +1,10 @@
 'use strict'
 
 var after = require('after');
-var assert = require('assert');
 var Buffer = require('safe-buffer').Buffer
 var express = require('..');
 var request = require('supertest');
+var utils = require('./support/utils')
 
 describe('res', function(){
   describe('.download(path)', function(){
@@ -129,12 +129,12 @@ describe('res', function(){
       })
 
       request(app)
-      .get('/')
-      .expect(200)
-      .expect('Content-Disposition', 'attachment; filename="document"')
-      .expect('Cache-Control', 'public, max-age=14400')
-      .expect(shouldHaveBody(Buffer.from('tobi')))
-      .end(done)
+        .get('/')
+        .expect(200)
+        .expect('Content-Disposition', 'attachment; filename="document"')
+        .expect('Cache-Control', 'public, max-age=14400')
+        .expect(utils.shouldHaveBody(Buffer.from('tobi')))
+        .end(done)
     })
 
     describe('when options.headers contains Content-Disposition', function () {
@@ -207,25 +207,9 @@ describe('res', function(){
       });
 
       request(app)
-      .get('/')
-      .expect(shouldNotHaveHeader('Content-Disposition'))
-      .expect(200, 'failed', done);
+        .get('/')
+        .expect(utils.shouldNotHaveHeader('Content-Disposition'))
+        .expect(200, 'failed', done)
     })
   })
 })
-
-function shouldHaveBody (buf) {
-  return function (res) {
-    var body = !Buffer.isBuffer(res.body)
-      ? Buffer.from(res.text)
-      : res.body
-    assert.ok(body, 'response has body')
-    assert.strictEqual(body.toString('hex'), buf.toString('hex'))
-  }
-}
-
-function shouldNotHaveHeader(header) {
-  return function (res) {
-    assert.ok(!(header.toLowerCase() in res.headers), 'should not have header ' + header);
-  };
-}
diff --git a/test/res.redirect.js b/test/res.redirect.js
index be7c773bee..5ffc7e48f1 100644
--- a/test/res.redirect.js
+++ b/test/res.redirect.js
@@ -1,6 +1,5 @@
 'use strict'
 
-var assert = require('assert')
 var express = require('..');
 var request = require('supertest');
 var utils = require('./support/utils');
@@ -86,11 +85,11 @@ describe('res', function(){
       });
 
       request(app)
-      .head('/')
-      .expect(302)
-      .expect('Location', 'http://google.com')
-      .expect(shouldNotHaveBody())
-      .end(done)
+        .head('/')
+        .expect(302)
+        .expect('Location', 'http://google.com')
+        .expect(utils.shouldNotHaveBody())
+        .end(done)
     })
   })
 
@@ -199,20 +198,14 @@ describe('res', function(){
       });
 
       request(app)
-      .get('/')
-      .set('Accept', 'application/octet-stream')
-      .expect(302)
-      .expect('location', 'http://google.com')
-      .expect('content-length', '0')
-      .expect(utils.shouldNotHaveHeader('Content-Type'))
-      .expect(shouldNotHaveBody())
-      .end(done)
+        .get('/')
+        .set('Accept', 'application/octet-stream')
+        .expect(302)
+        .expect('location', 'http://google.com')
+        .expect('content-length', '0')
+        .expect(utils.shouldNotHaveHeader('Content-Type'))
+        .expect(utils.shouldNotHaveBody())
+        .end(done)
     })
   })
 })
-
-function shouldNotHaveBody () {
-  return function (res) {
-    assert.ok(res.text === '' || res.text === undefined)
-  }
-}
diff --git a/test/res.send.js b/test/res.send.js
index 8f849f8069..6ba5542288 100644
--- a/test/res.send.js
+++ b/test/res.send.js
@@ -188,11 +188,11 @@ describe('res', function(){
       });
 
       request(app)
-      .get('/')
-      .expect(200)
-      .expect('Content-Type', 'application/octet-stream')
-      .expect(shouldHaveBody(Buffer.from('hello')))
-      .end(done)
+        .get('/')
+        .expect(200)
+        .expect('Content-Type', 'application/octet-stream')
+        .expect(utils.shouldHaveBody(Buffer.from('hello')))
+        .end(done)
     })
 
     it('should set ETag', function (done) {
@@ -259,10 +259,10 @@ describe('res', function(){
       });
 
       request(app)
-      .head('/')
-      .expect(200)
-      .expect(shouldNotHaveBody())
-      .end(done)
+        .head('/')
+        .expect(200)
+        .expect(utils.shouldNotHaveBody())
+        .end(done)
     })
   })
 
@@ -578,19 +578,3 @@ describe('res', function(){
     })
   })
 })
-
-function shouldHaveBody (buf) {
-  return function (res) {
-    var body = !Buffer.isBuffer(res.body)
-      ? Buffer.from(res.text)
-      : res.body
-    assert.ok(body, 'response has body')
-    assert.strictEqual(body.toString('hex'), buf.toString('hex'))
-  }
-}
-
-function shouldNotHaveBody () {
-  return function (res) {
-    assert.ok(res.text === '' || res.text === undefined)
-  }
-}
diff --git a/test/res.sendFile.js b/test/res.sendFile.js
index c676fc41ee..538d6b9d34 100644
--- a/test/res.sendFile.js
+++ b/test/res.sendFile.js
@@ -165,10 +165,10 @@ describe('res', function(){
         var app = createApp(path.resolve(__dirname, 'fixtures/.name'), { dotfiles: 'allow' });
 
         request(app)
-        .get('/')
-        .expect(200)
-        .expect(shouldHaveBody(Buffer.from('tobi')))
-        .end(done)
+          .get('/')
+          .expect(200)
+          .expect(utils.shouldHaveBody(Buffer.from('tobi')))
+          .end(done)
       });
     });
 
@@ -570,10 +570,10 @@ describe('res', function(){
       });
 
       request(app)
-      .get('/')
-      .expect(200)
-      .expect(shouldHaveBody(Buffer.from('tobi')))
-      .end(done)
+        .get('/')
+        .expect(200)
+        .expect(utils.shouldHaveBody(Buffer.from('tobi')))
+        .end(done)
     })
 
     it('should accept headers option', function(done){
@@ -828,13 +828,3 @@ function createApp(path, options, fn) {
 
   return app;
 }
-
-function shouldHaveBody (buf) {
-  return function (res) {
-    var body = !Buffer.isBuffer(res.body)
-      ? Buffer.from(res.text)
-      : res.body
-    assert.ok(body, 'response has body')
-    assert.strictEqual(body.toString('hex'), buf.toString('hex'))
-  }
-}

From 8da8f79c44cefd96f0a194904288658abce13d9d Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Wed, 23 Feb 2022 00:20:34 -0500
Subject: [PATCH 007/130] tests: fix callback in res.download test

---
 test/res.download.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/res.download.js b/test/res.download.js
index 29a687a4fd..1322b0a31f 100644
--- a/test/res.download.js
+++ b/test/res.download.js
@@ -107,7 +107,7 @@ describe('res', function(){
       var options = {}
 
       app.use(function (req, res) {
-        res.download('test/fixtures/user.html', 'document', options, done)
+        res.download('test/fixtures/user.html', 'document', options, cb)
       })
 
       request(app)

From cf9f662655ec8e2b90c5e5d561e0daa083908aa0 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 24 Feb 2022 00:17:01 -0500
Subject: [PATCH 008/130] tests: fix position of res.sendfile(path, options)
 test

---
 test/res.sendFile.js | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/test/res.sendFile.js b/test/res.sendFile.js
index 538d6b9d34..67981fa127 100644
--- a/test/res.sendFile.js
+++ b/test/res.sendFile.js
@@ -803,19 +803,19 @@ describe('res', function(){
       })
     })
   })
-})
 
-describe('.sendfile(path, options)', function () {
-  it('should pass options to send module', function (done) {
-    var app = express()
+  describe('.sendfile(path, options)', function () {
+    it('should pass options to send module', function (done) {
+      var app = express()
 
-    app.use(function (req, res) {
-      res.sendfile(path.resolve(fixtures, 'name.txt'), { start: 0, end: 1 })
-    })
+      app.use(function (req, res) {
+        res.sendfile(path.resolve(fixtures, 'name.txt'), { start: 0, end: 1 })
+      })
 
-    request(app)
-      .get('/')
-      .expect(200, 'to', done)
+      request(app)
+        .get('/')
+        .expect(200, 'to', done)
+    })
   })
 })
 

From d0e166c3c6eaf80871b7f38839ea90e048452844 Mon Sep 17 00:00:00 2001
From: apeltop <sunshine@ptokos.com>
Date: Mon, 28 Feb 2022 16:38:06 +0900
Subject: [PATCH 009/130] docs: fix typo in private api jsdoc

closes #4843
---
 lib/response.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/response.js b/lib/response.js
index ba02008522..ccf8d91b2c 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -1113,7 +1113,7 @@ function sendfile(res, file, options, callback) {
  * ability to escape characters that can trigger HTML sniffing.
  *
  * @param {*} value
- * @param {function} replaces
+ * @param {function} replacer
  * @param {number} spaces
  * @param {boolean} escape
  * @returns {string}

From ea66a9b81bdd95b83d0035d8cbb41e6eacc6ea5b Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 28 Feb 2022 21:15:08 -0500
Subject: [PATCH 010/130] docs: update link to github actions ci

---
 Readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Readme.md b/Readme.md
index b60d588c41..61c4d5219d 100644
--- a/Readme.md
+++ b/Readme.md
@@ -147,7 +147,7 @@ The current lead maintainer is [Douglas Christopher Wilson](https://github.com/d
   [MIT](LICENSE)
 
 [ci-image]: https://img.shields.io/github/workflow/status/expressjs/express/ci/master.svg?label=linux
-[ci-url]: https://github.com/expressjs/express/actions?query=workflow%3Aci
+[ci-url]: https://github.com/expressjs/express/actions/workflows/ci.yml
 [npm-image]: https://img.shields.io/npm/v/express.svg
 [npm-url]: https://npmjs.org/package/express
 [downloads-image]: https://img.shields.io/npm/dm/express.svg

From 4ed35b42026e09bcdcd9da821f172c238fb36cb5 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 28 Feb 2022 21:23:49 -0500
Subject: [PATCH 011/130] docs: switch badges to badgen

---
 Readme.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/Readme.md b/Readme.md
index 61c4d5219d..51c0fb108e 100644
--- a/Readme.md
+++ b/Readme.md
@@ -2,9 +2,9 @@
 
   Fast, unopinionated, minimalist web framework for [node](http://nodejs.org).
 
-  [![NPM Version][npm-image]][npm-url]
-  [![NPM Downloads][downloads-image]][downloads-url]
-  [![Linux Build][ci-image]][ci-url]
+  [![NPM Version][npm-version-image]][npm-url]
+  [![NPM Downloads][npm-downloads-image]][npm-downloads-url]
+  [![Linux Build][github-actions-ci-image]][github-actions-ci-url]
   [![Windows Build][appveyor-image]][appveyor-url]
   [![Test Coverage][coveralls-image]][coveralls-url]
 
@@ -146,13 +146,13 @@ The current lead maintainer is [Douglas Christopher Wilson](https://github.com/d
 
   [MIT](LICENSE)
 
-[ci-image]: https://img.shields.io/github/workflow/status/expressjs/express/ci/master.svg?label=linux
-[ci-url]: https://github.com/expressjs/express/actions/workflows/ci.yml
-[npm-image]: https://img.shields.io/npm/v/express.svg
-[npm-url]: https://npmjs.org/package/express
-[downloads-image]: https://img.shields.io/npm/dm/express.svg
-[downloads-url]: https://npmcharts.com/compare/express?minimal=true
-[appveyor-image]: https://img.shields.io/appveyor/ci/dougwilson/express/master.svg?label=windows
+[appveyor-image]: https://badgen.net/appveyor/ci/dougwilson/express/master?label=windows
 [appveyor-url]: https://ci.appveyor.com/project/dougwilson/express
-[coveralls-image]: https://img.shields.io/coveralls/expressjs/express/master.svg
+[coveralls-image]: https://badgen.net/coveralls/c/github/expressjs/express/master
 [coveralls-url]: https://coveralls.io/r/expressjs/express?branch=master
+[github-actions-ci-image]: https://badgen.net/github/checks/expressjs/express/master?label=linux
+[github-actions-ci-url]: https://github.com/expressjs/express/actions/workflows/ci.yml
+[npm-downloads-image]: https://badgen.net/npm/dm/express
+[npm-downloads-url]: https://npmcharts.com/compare/express?minimal=true
+[npm-url]: https://npmjs.org/package/express
+[npm-version-image]: https://badgen.net/npm/v/express

From 07aa91f7cbfc3bc2443b292488ab8e3aafb92605 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 28 Feb 2022 21:52:57 -0500
Subject: [PATCH 012/130] docs: consolidate contributing in readme

---
 Readme.md | 47 ++++++++++++++++++++++++++---------------------
 1 file changed, 26 insertions(+), 21 deletions(-)

diff --git a/Readme.md b/Readme.md
index 51c0fb108e..b0a7950e8a 100644
--- a/Readme.md
+++ b/Readme.md
@@ -4,9 +4,6 @@
 
   [![NPM Version][npm-version-image]][npm-url]
   [![NPM Downloads][npm-downloads-image]][npm-downloads-url]
-  [![Linux Build][github-actions-ci-image]][github-actions-ci-url]
-  [![Windows Build][appveyor-image]][appveyor-url]
-  [![Test Coverage][coveralls-image]][coveralls-url]
 
 ```js
 const express = require('express')
@@ -33,7 +30,7 @@ the [`npm init` command](https://docs.npmjs.com/creating-a-package-json-file).
 Installation is done using the
 [`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):
 
-```bash
+```console
 $ npm install express
 ```
 
@@ -61,35 +58,31 @@ for more information.
 
 **PROTIP** Be sure to read [Migrating from 3.x to 4.x](https://github.com/expressjs/express/wiki/Migrating-from-3.x-to-4.x) as well as [New features in 4.x](https://github.com/expressjs/express/wiki/New-features-in-4.x).
 
-### Security Issues
-
-If you discover a security vulnerability in Express, please see [Security Policies and Procedures](Security.md).
-
 ## Quick Start
 
   The quickest way to get started with express is to utilize the executable [`express(1)`](https://github.com/expressjs/generator) to generate an application as shown below:
 
   Install the executable. The executable's major version will match Express's:
 
-```bash
+```console
 $ npm install -g express-generator@4
 ```
 
   Create the app:
 
-```bash
+```console
 $ express /tmp/foo && cd /tmp/foo
 ```
 
   Install dependencies:
 
-```bash
+```console
 $ npm install
 ```
 
   Start the server:
 
-```bash
+```console
 $ npm start
 ```
 
@@ -109,7 +102,7 @@ $ npm start
 
   To view the examples, clone the Express repo and install the dependencies:
 
-```bash
+```console
 $ git clone git://github.com/expressjs/express.git --depth 1
 $ cd express
 $ npm install
@@ -117,23 +110,35 @@ $ npm install
 
   Then run whichever example you want:
 
-```bash
+```console
 $ node examples/content-negotiation
 ```
 
-## Tests
+## Contributing
+
+  [![Linux Build][github-actions-ci-image]][github-actions-ci-url]
+  [![Windows Build][appveyor-image]][appveyor-url]
+  [![Test Coverage][coveralls-image]][coveralls-url]
+
+The Express.js project welcomes all constructive contributions. Contributions take many forms,
+from code for bug fixes and enhancements, to additions and fixes to documentation, additional
+tests, triaging incoming pull requests and issues, and more!
+
+See the [Contributing Guide](Contributing.md) for more technical details on contributing.
 
-  To run the test suite, first install the dependencies, then run `npm test`:
+### Security Issues
+
+If you discover a security vulnerability in Express, please see [Security Policies and Procedures](Security.md).
 
-```bash
+### Running Tests
+
+To run the test suite, first install the dependencies, then run `npm test`:
+
+```console
 $ npm install
 $ npm test
 ```
 
-## Contributing
-
-[Contributing Guide](Contributing.md)
-
 ## People
 
 The original author of Express is [TJ Holowaychuk](https://github.com/tj)

From e8594c35715a764afda8e56fd1b60cb2fe147f64 Mon Sep 17 00:00:00 2001
From: Steven <steven@ceriously.com>
Date: Thu, 9 Aug 2018 15:00:29 -0400
Subject: [PATCH 013/130] docs: add install size badge

closes #3710
---
 Readme.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Readme.md b/Readme.md
index b0a7950e8a..720bf38922 100644
--- a/Readme.md
+++ b/Readme.md
@@ -3,6 +3,7 @@
   Fast, unopinionated, minimalist web framework for [node](http://nodejs.org).
 
   [![NPM Version][npm-version-image]][npm-url]
+  [![NPM Install Size][npm-install-size-image]][npm-install-size-url]
   [![NPM Downloads][npm-downloads-image]][npm-downloads-url]
 
 ```js
@@ -159,5 +160,7 @@ The current lead maintainer is [Douglas Christopher Wilson](https://github.com/d
 [github-actions-ci-url]: https://github.com/expressjs/express/actions/workflows/ci.yml
 [npm-downloads-image]: https://badgen.net/npm/dm/express
 [npm-downloads-url]: https://npmcharts.com/compare/express?minimal=true
+[npm-install-size-image]: https://badgen.net/packagephobia/install/express
+[npm-install-size-url]: https://packagephobia.com/result?p=express
 [npm-url]: https://npmjs.org/package/express
 [npm-version-image]: https://badgen.net/npm/v/express

From 291993d73c0c92c1ccce2dad264c86bdd1b4fe4b Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Tue, 1 Mar 2022 00:22:09 -0500
Subject: [PATCH 014/130] tests: expand res.sendFile options tests

---
 test/res.sendFile.js  | 712 ++++++++++++++++++++++++++++++++++--------
 test/support/utils.js |  14 +
 2 files changed, 596 insertions(+), 130 deletions(-)

diff --git a/test/res.sendFile.js b/test/res.sendFile.js
index 67981fa127..e828c17e25 100644
--- a/test/res.sendFile.js
+++ b/test/res.sendFile.js
@@ -28,6 +28,14 @@ describe('res', function(){
       .expect(500, /TypeError: path must be a string to res.sendFile/, done)
     })
 
+    it('should error for non-absolute path', function (done) {
+      var app = createApp('name.txt')
+
+      request(app)
+        .get('/')
+        .expect(500, /TypeError: path must be absolute/, done)
+    })
+
     it('should transfer a file', function (done) {
       var app = createApp(path.resolve(fixtures, 'name.txt'));
 
@@ -90,6 +98,23 @@ describe('res', function(){
       .expect(404, done);
     });
 
+    it('should send cache-control by default', function (done) {
+      var app = createApp(path.resolve(__dirname, 'fixtures/name.txt'))
+
+      request(app)
+        .get('/')
+        .expect('Cache-Control', 'public, max-age=0')
+        .expect(200, done)
+    })
+
+    it('should not serve dotfiles by default', function (done) {
+      var app = createApp(path.resolve(__dirname, 'fixtures/.name'))
+
+      request(app)
+        .get('/')
+        .expect(404, done)
+    })
+
     it('should not override manual content-types', function (done) {
       var app = express();
 
@@ -131,136 +156,6 @@ describe('res', function(){
         server.close(cb)
       })
     })
-
-    describe('with "cacheControl" option', function () {
-      it('should enable cacheControl by default', function (done) {
-        var app = createApp(path.resolve(__dirname, 'fixtures/name.txt'))
-
-        request(app)
-        .get('/')
-        .expect('Cache-Control', 'public, max-age=0')
-        .expect(200, done)
-      })
-
-      it('should accept cacheControl option', function (done) {
-        var app = createApp(path.resolve(__dirname, 'fixtures/name.txt'), { cacheControl: false })
-
-        request(app)
-        .get('/')
-        .expect(utils.shouldNotHaveHeader('Cache-Control'))
-        .expect(200, done)
-      })
-    })
-
-    describe('with "dotfiles" option', function () {
-      it('should not serve dotfiles by default', function (done) {
-        var app = createApp(path.resolve(__dirname, 'fixtures/.name'));
-
-        request(app)
-        .get('/')
-        .expect(404, done);
-      });
-
-      it('should accept dotfiles option', function(done){
-        var app = createApp(path.resolve(__dirname, 'fixtures/.name'), { dotfiles: 'allow' });
-
-        request(app)
-          .get('/')
-          .expect(200)
-          .expect(utils.shouldHaveBody(Buffer.from('tobi')))
-          .end(done)
-      });
-    });
-
-    describe('with "headers" option', function () {
-      it('should accept headers option', function (done) {
-        var headers = {
-          'x-success': 'sent',
-          'x-other': 'done'
-        };
-        var app = createApp(path.resolve(__dirname, 'fixtures/name.txt'), { headers: headers });
-
-        request(app)
-        .get('/')
-        .expect('x-success', 'sent')
-        .expect('x-other', 'done')
-        .expect(200, done);
-      });
-
-      it('should ignore headers option on 404', function (done) {
-        var headers = { 'x-success': 'sent' };
-        var app = createApp(path.resolve(__dirname, 'fixtures/does-not-exist'), { headers: headers });
-
-        request(app)
-        .get('/')
-        .expect(utils.shouldNotHaveHeader('X-Success'))
-        .expect(404, done);
-      });
-    });
-
-    describe('with "immutable" option', function () {
-      it('should add immutable cache-control directive', function (done) {
-        var app = createApp(path.resolve(__dirname, 'fixtures/name.txt'), {
-          immutable: true,
-          maxAge: '4h'
-        })
-
-        request(app)
-        .get('/')
-        .expect('Cache-Control', 'public, max-age=14400, immutable')
-        .expect(200, done)
-      })
-    })
-
-    describe('with "maxAge" option', function () {
-      it('should set cache-control max-age from number', function (done) {
-        var app = createApp(path.resolve(__dirname, 'fixtures/name.txt'), {
-          maxAge: 14400000
-        })
-
-        request(app)
-        .get('/')
-        .expect('Cache-Control', 'public, max-age=14400')
-        .expect(200, done)
-      })
-
-      it('should set cache-control max-age from string', function (done) {
-        var app = createApp(path.resolve(__dirname, 'fixtures/name.txt'), {
-          maxAge: '4h'
-        })
-
-        request(app)
-        .get('/')
-        .expect('Cache-Control', 'public, max-age=14400')
-        .expect(200, done)
-      })
-    })
-
-    describe('with "root" option', function () {
-      it('should not transfer relative with without', function (done) {
-        var app = createApp('test/fixtures/name.txt');
-
-        request(app)
-        .get('/')
-        .expect(500, /must be absolute/, done);
-      })
-
-      it('should serve relative to "root"', function (done) {
-        var app = createApp('name.txt', {root: fixtures});
-
-        request(app)
-        .get('/')
-        .expect(200, 'tobi', done);
-      })
-
-      it('should disallow requesting out of "root"', function (done) {
-        var app = createApp('foo/../../user.html', {root: fixtures});
-
-        request(app)
-        .get('/')
-        .expect(403, done);
-      })
-    })
   })
 
   describe('.sendFile(path, fn)', function () {
@@ -374,6 +269,563 @@ describe('res', function(){
       .get('/')
       .expect(200, 'to', done)
     })
+
+    describe('with "acceptRanges" option', function () {
+      describe('when true', function () {
+        it('should advertise byte range accepted', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'nums.txt'), {
+              acceptRanges: true
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect('Accept-Ranges', 'bytes')
+            .expect('123456789')
+            .end(done)
+        })
+
+        it('should respond to range request', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'nums.txt'), {
+              acceptRanges: true
+            })
+          })
+
+          request(app)
+            .get('/')
+            .set('Range', 'bytes=0-4')
+            .expect(206, '12345', done)
+        })
+      })
+
+      describe('when false', function () {
+        it('should not advertise accept-ranges', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'nums.txt'), {
+              acceptRanges: false
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect(utils.shouldNotHaveHeader('Accept-Ranges'))
+            .end(done)
+        })
+
+        it('should not honor range requests', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'nums.txt'), {
+              acceptRanges: false
+            })
+          })
+
+          request(app)
+            .get('/')
+            .set('Range', 'bytes=0-4')
+            .expect(200, '123456789', done)
+        })
+      })
+    })
+
+    describe('with "cacheControl" option', function () {
+      describe('when true', function () {
+        it('should send cache-control header', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              cacheControl: true
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect('Cache-Control', 'public, max-age=0')
+            .end(done)
+        })
+      })
+
+      describe('when false', function () {
+        it('should not send cache-control header', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              cacheControl: false
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect(utils.shouldNotHaveHeader('Cache-Control'))
+            .end(done)
+        })
+      })
+    })
+
+    describe('with "dotfiles" option', function () {
+      describe('when "allow"', function () {
+        it('should allow dotfiles', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, '.name'), {
+              dotfiles: 'allow'
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect(utils.shouldHaveBody(Buffer.from('tobi')))
+            .end(done)
+        })
+      })
+
+      describe('when "deny"', function () {
+        it('should deny dotfiles', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, '.name'), {
+              dotfiles: 'deny'
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(403)
+            .expect(/Forbidden/)
+            .end(done)
+        })
+      })
+
+      describe('when "ignore"', function () {
+        it('should ignore dotfiles', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, '.name'), {
+              dotfiles: 'ignore'
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(404)
+            .expect(/Not Found/)
+            .end(done)
+        })
+      })
+    })
+
+    describe('with "headers" option', function () {
+      it('should set headers on response', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.sendFile(path.resolve(fixtures, 'user.html'), {
+            headers: {
+              'X-Foo': 'Bar',
+              'X-Bar': 'Foo'
+            }
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('X-Foo', 'Bar')
+          .expect('X-Bar', 'Foo')
+          .end(done)
+      })
+
+      it('should use last header when duplicated', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.sendFile(path.resolve(fixtures, 'user.html'), {
+            headers: {
+              'X-Foo': 'Bar',
+              'x-foo': 'bar'
+            }
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('X-Foo', 'bar')
+          .end(done)
+      })
+
+      it('should override Content-Type', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.sendFile(path.resolve(fixtures, 'user.html'), {
+            headers: {
+              'Content-Type': 'text/x-custom'
+            }
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('Content-Type', 'text/x-custom')
+          .end(done)
+      })
+
+      it('should not set headers on 404', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.sendFile(path.resolve(fixtures, 'does-not-exist'), {
+            headers: {
+              'X-Foo': 'Bar'
+            }
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(404)
+          .expect(utils.shouldNotHaveHeader('X-Foo'))
+          .end(done)
+      })
+    })
+
+    describe('with "immutable" option', function () {
+      describe('when true', function () {
+        it('should send cache-control header with immutable', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              immutable: true
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect('Cache-Control', 'public, max-age=0, immutable')
+            .end(done)
+        })
+      })
+
+      describe('when false', function () {
+        it('should not send cache-control header with immutable', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              immutable: false
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect('Cache-Control', 'public, max-age=0')
+            .end(done)
+        })
+      })
+    })
+
+    describe('with "lastModified" option', function () {
+      describe('when true', function () {
+        it('should send last-modified header', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              lastModified: true
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect(utils.shouldHaveHeader('Last-Modified'))
+            .end(done)
+        })
+
+        it('should conditionally respond with if-modified-since', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              lastModified: true
+            })
+          })
+
+          request(app)
+            .get('/')
+            .set('If-Modified-Since', (new Date(Date.now() + 99999).toUTCString()))
+            .expect(304, done)
+        })
+      })
+
+      describe('when false', function () {
+        it('should not have last-modified header', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              lastModified: false
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect(utils.shouldNotHaveHeader('Last-Modified'))
+            .end(done)
+        })
+
+        it('should not honor if-modified-since', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              lastModified: false
+            })
+          })
+
+          request(app)
+            .get('/')
+            .set('If-Modified-Since', (new Date(Date.now() + 99999).toUTCString()))
+            .expect(200)
+            .expect(utils.shouldNotHaveHeader('Last-Modified'))
+            .end(done)
+        })
+      })
+    })
+
+    describe('with "maxAge" option', function () {
+      it('should set cache-control max-age to milliseconds', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.sendFile(path.resolve(fixtures, 'user.html'), {
+            maxAge: 20000
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('Cache-Control', 'public, max-age=20')
+          .end(done)
+      })
+
+      it('should cap cache-control max-age to 1 year', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.sendFile(path.resolve(fixtures, 'user.html'), {
+            maxAge: 99999999999
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('Cache-Control', 'public, max-age=31536000')
+          .end(done)
+      })
+
+      it('should min cache-control max-age to 0', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.sendFile(path.resolve(fixtures, 'user.html'), {
+            maxAge: -20000
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('Cache-Control', 'public, max-age=0')
+          .end(done)
+      })
+
+      it('should floor cache-control max-age', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.sendFile(path.resolve(fixtures, 'user.html'), {
+            maxAge: 21911.23
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('Cache-Control', 'public, max-age=21')
+          .end(done)
+      })
+
+      describe('when cacheControl: false', function () {
+        it('shold not send cache-control', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              cacheControl: false,
+              maxAge: 20000
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect(utils.shouldNotHaveHeader('Cache-Control'))
+            .end(done)
+        })
+      })
+
+      describe('when string', function () {
+        it('should accept plain number as milliseconds', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              maxAge: '20000'
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect('Cache-Control', 'public, max-age=20')
+            .end(done)
+        })
+
+        it('should accept suffix "s" for seconds', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              maxAge: '20s'
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect('Cache-Control', 'public, max-age=20')
+            .end(done)
+        })
+
+        it('should accept suffix "m" for minutes', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              maxAge: '20m'
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect('Cache-Control', 'public, max-age=1200')
+            .end(done)
+        })
+
+        it('should accept suffix "d" for days', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.sendFile(path.resolve(fixtures, 'user.html'), {
+              maxAge: '20d'
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect('Cache-Control', 'public, max-age=1728000')
+            .end(done)
+        })
+      })
+    })
+
+    describe('with "root" option', function () {
+      it('should allow relative path', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.sendFile('name.txt', {
+            root: fixtures
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200, 'tobi', done)
+      })
+
+      it('should allow up within root', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.sendFile('fake/../name.txt', {
+            root: fixtures
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200, 'tobi', done)
+      })
+
+      it('should reject up outside root', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.sendFile('..' + path.sep + path.relative(path.dirname(fixtures), path.join(fixtures, 'name.txt')), {
+            root: fixtures
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(403, done)
+      })
+
+      it('should reject reading outside root', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.sendFile('../name.txt', {
+            root: fixtures
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(403, done)
+      })
+    })
   })
 
   describe('.sendfile(path, fn)', function(){
diff --git a/test/support/utils.js b/test/support/utils.js
index 579f042a0c..5b4062e0b2 100644
--- a/test/support/utils.js
+++ b/test/support/utils.js
@@ -13,6 +13,7 @@ var Buffer = require('safe-buffer').Buffer
  */
 
 exports.shouldHaveBody = shouldHaveBody
+exports.shouldHaveHeader = shouldHaveHeader
 exports.shouldNotHaveBody = shouldNotHaveBody
 exports.shouldNotHaveHeader = shouldNotHaveHeader;
 
@@ -33,6 +34,19 @@ function shouldHaveBody (buf) {
   }
 }
 
+/**
+ * Assert that a supertest response does have a header.
+ *
+ * @param {string} header Header name to check
+ * @returns {function}
+ */
+
+function shouldHaveHeader (header) {
+  return function (res) {
+    assert.ok((header.toLowerCase() in res.headers), 'should have header ' + header)
+  }
+}
+
 /**
  * Assert that a supertest response does not have a body.
  *

From 446046f886eb457c3d43f57c3f2fc97b698b317a Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Tue, 1 Mar 2022 00:27:48 -0500
Subject: [PATCH 015/130] build: mocha@9.2.1

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 61e91899e6..7992166629 100644
--- a/package.json
+++ b/package.json
@@ -70,7 +70,7 @@
     "hbs": "4.2.0",
     "marked": "0.7.0",
     "method-override": "3.0.0",
-    "mocha": "9.2.0",
+    "mocha": "9.2.1",
     "morgan": "1.10.0",
     "multiparty": "4.2.3",
     "nyc": "15.1.0",

From 490f1a1738449699c217e00ba56db378923fd6b5 Mon Sep 17 00:00:00 2001
From: Tobias Speicher <rootcommander@gmail.com>
Date: Thu, 17 Mar 2022 13:00:48 +0100
Subject: [PATCH 016/130] lint: remove deprecated String.prototype.substr

closes #4860
---
 lib/router/index.js | 16 ++++++++--------
 lib/view.js         |  2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/lib/router/index.js b/lib/router/index.js
index fbe94acdb4..467d30458c 100644
--- a/lib/router/index.js
+++ b/lib/router/index.js
@@ -108,8 +108,8 @@ proto.param = function param(name, fn) {
   var ret;
 
   if (name[0] === ':') {
-    deprecate('router.param(' + JSON.stringify(name) + ', fn): Use router.param(' + JSON.stringify(name.substr(1)) + ', fn) instead');
-    name = name.substr(1);
+    deprecate('router.param(' + JSON.stringify(name) + ', fn): Use router.param(' + JSON.stringify(name.slice(1)) + ', fn) instead')
+    name = name.slice(1)
   }
 
   for (var i = 0; i < len; ++i) {
@@ -180,14 +180,14 @@ proto.handle = function handle(req, res, out) {
 
     // remove added slash
     if (slashAdded) {
-      req.url = req.url.substr(1);
+      req.url = req.url.slice(1)
       slashAdded = false;
     }
 
     // restore altered req.url
     if (removed.length !== 0) {
       req.baseUrl = parentUrl;
-      req.url = protohost + removed + req.url.substr(protohost.length);
+      req.url = protohost + removed + req.url.slice(protohost.length)
       removed = '';
     }
 
@@ -288,7 +288,7 @@ proto.handle = function handle(req, res, out) {
   function trim_prefix(layer, layerError, layerPath, path) {
     if (layerPath.length !== 0) {
       // Validate path is a prefix match
-      if (layerPath !== path.substr(0, layerPath.length)) {
+      if (layerPath !== path.slice(0, layerPath.length)) {
         next(layerError)
         return
       }
@@ -301,7 +301,7 @@ proto.handle = function handle(req, res, out) {
       // middleware (.use stuff) needs to have the path stripped
       debug('trim prefix (%s) from url %s', layerPath, req.url);
       removed = layerPath;
-      req.url = protohost + req.url.substr(protohost.length + removed.length);
+      req.url = protohost + req.url.slice(protohost.length + removed.length)
 
       // Ensure leading slash
       if (!protohost && req.url[0] !== '/') {
@@ -547,10 +547,10 @@ function getProtohost(url) {
   var pathLength = searchIndex !== -1
     ? searchIndex
     : url.length
-  var fqdnIndex = url.substr(0, pathLength).indexOf('://')
+  var fqdnIndex = url.slice(0, pathLength).indexOf('://')
 
   return fqdnIndex !== -1
-    ? url.substr(0, url.indexOf('/', 3 + fqdnIndex))
+    ? url.substring(0, url.indexOf('/', 3 + fqdnIndex))
     : undefined
 }
 
diff --git a/lib/view.js b/lib/view.js
index cf101caeab..c08ab4d8d5 100644
--- a/lib/view.js
+++ b/lib/view.js
@@ -74,7 +74,7 @@ function View(name, options) {
 
   if (!opts.engines[this.ext]) {
     // load engine
-    var mod = this.ext.substr(1)
+    var mod = this.ext.slice(1)
     debug('require "%s"', mod)
 
     // default engine export

From 2a7417dd84025b62c4207bf018ae8826dc0be629 Mon Sep 17 00:00:00 2001
From: Hashen <37979557+Hashen110@users.noreply.github.com>
Date: Sun, 20 Mar 2022 19:58:13 +0530
Subject: [PATCH 017/130] examples: fixup html

closes #4866
---
 examples/route-separation/views/users/edit.ejs | 2 +-
 examples/search/public/index.html              | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/examples/route-separation/views/users/edit.ejs b/examples/route-separation/views/users/edit.ejs
index 0ca2df7652..6df78a953a 100644
--- a/examples/route-separation/views/users/edit.ejs
+++ b/examples/route-separation/views/users/edit.ejs
@@ -3,7 +3,7 @@
 <h1>Editing <%= user.name %></h1>
 
 <div id="user">
-  <form action="?_method=put", method="post">
+  <form action="?_method=put" method="post">
     <p>
       Name:
       <input type="text" value="<%= user.name %>" name="user[name]" />
diff --git a/examples/search/public/index.html b/examples/search/public/index.html
index f67063c502..7353644ba6 100644
--- a/examples/search/public/index.html
+++ b/examples/search/public/index.html
@@ -4,7 +4,7 @@
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width,initial-scale=1">
   <title>Search example</title>
-  <style type="text/css">
+  <style>
     body {
       font: 14px "Helvetica Neue", Helvetica;
       padding: 50px;
@@ -15,7 +15,7 @@
   <h2>Search</h2>
   <p>Try searching for "ferret" or "cat".</p>
   <input type="search" name="search" value="" />
-  <pre />
+  <pre></pre>
   <script src="/client.js" charset="utf-8"></script>
 </body>
 </html>

From bf4c3ee00f3b95a329fc1dd4dd0cd17c74178121 Mon Sep 17 00:00:00 2001
From: Hashen <37979557+Hashen110@users.noreply.github.com>
Date: Sun, 20 Mar 2022 20:13:23 +0530
Subject: [PATCH 018/130] docs: fix incomplete JSDoc comment

closes #4867
---
 lib/utils.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/utils.js b/lib/utils.js
index 7797b06853..799a6a2b4e 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -120,6 +120,7 @@ exports.contentDisposition = deprecate.function(contentDisposition,
  * also includes `.originalIndex` for stable sorting
  *
  * @param {String} str
+ * @param {Number} index
  * @return {Object}
  * @api private
  */

From 947b6b7d57939d1a3b33ce008765f9aba3eb6f70 Mon Sep 17 00:00:00 2001
From: Hashen <37979557+Hashen110@users.noreply.github.com>
Date: Sun, 20 Mar 2022 21:08:08 +0530
Subject: [PATCH 019/130] lint: remove unnecessary continue statement in loop

closes #4868
---
 lib/router/index.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/router/index.js b/lib/router/index.js
index 467d30458c..791a600f86 100644
--- a/lib/router/index.js
+++ b/lib/router/index.js
@@ -251,7 +251,6 @@ proto.handle = function handle(req, res, out) {
       // don't even bother matching route
       if (!has_method && method !== 'HEAD') {
         match = false;
-        continue;
       }
     }
 

From eb4c930d5fb79e55c53b25d6e8a8a5cd15fc5554 Mon Sep 17 00:00:00 2001
From: Kris Kalavantavanich <kkalavantavanich@gmail.com>
Date: Sun, 5 Dec 2021 15:14:40 +0700
Subject: [PATCH 020/130] build: support Node.js 15.x

---
 .github/workflows/ci.yml | 4 ++++
 appveyor.yml             | 1 +
 2 files changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d6e1b168ec..8e60f419c6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,6 +27,7 @@ jobs:
         - Node.js 12.x
         - Node.js 13.x
         - Node.js 14.x
+        - Node.js 15.x
 
         include:
         - name: Node.js 0.10
@@ -90,6 +91,9 @@ jobs:
         - name: Node.js 14.x
           node-version: "14.19"
 
+        - name: Node.js 15.x
+          node-version: "15.14"
+
     steps:
     - uses: actions/checkout@v2
 
diff --git a/appveyor.yml b/appveyor.yml
index db54a3fdb0..fc867adee7 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -16,6 +16,7 @@ environment:
     - nodejs_version: "12.22"
     - nodejs_version: "13.14"
     - nodejs_version: "14.19"
+    - nodejs_version: "15.14"
 cache:
   - node_modules
 install:

From 8bf072039100cd264be920f06635fe77f083c751 Mon Sep 17 00:00:00 2001
From: Kris Kalavantavanich <kkalavantavanich@gmail.com>
Date: Sun, 5 Dec 2021 15:15:26 +0700
Subject: [PATCH 021/130] build: support Node.js 16.x

---
 .github/workflows/ci.yml | 4 ++++
 appveyor.yml             | 1 +
 2 files changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8e60f419c6..7b153d1b43 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,7 @@ jobs:
         - Node.js 13.x
         - Node.js 14.x
         - Node.js 15.x
+        - Node.js 16.x
 
         include:
         - name: Node.js 0.10
@@ -94,6 +95,9 @@ jobs:
         - name: Node.js 15.x
           node-version: "15.14"
 
+        - name: Node.js 16.x
+          node-version: "16.14"
+
     steps:
     - uses: actions/checkout@v2
 
diff --git a/appveyor.yml b/appveyor.yml
index fc867adee7..2a2507b411 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -17,6 +17,7 @@ environment:
     - nodejs_version: "13.14"
     - nodejs_version: "14.19"
     - nodejs_version: "15.14"
+    - nodejs_version: "16.14"
 cache:
   - node_modules
 install:

From 87279c08aa46d178fe6f2e235d2345f17d6b5a37 Mon Sep 17 00:00:00 2001
From: "Tito D. Kesumo Siregar" <tito.siregar@bukalapak.com>
Date: Thu, 20 May 2021 11:23:33 +0700
Subject: [PATCH 022/130] Support proper 205 responses using res.send

closes #4592
closes #4596
---
 History.md       |  5 +++++
 lib/response.js  |  7 +++++++
 test/res.send.js | 16 ++++++++++++++++
 3 files changed, 28 insertions(+)

diff --git a/History.md b/History.md
index 9f3f876512..fbe0126907 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Support proper 205 responses using `res.send`
+
 4.17.3 / 2022-02-16
 ===================
 
diff --git a/lib/response.js b/lib/response.js
index ccf8d91b2c..9cf3d52be5 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -213,6 +213,13 @@ res.send = function send(body) {
     chunk = '';
   }
 
+  // alter headers for 205
+  if (this.statusCode === 205) {
+    this.set('Content-Length', '0')
+    this.removeHeader('Transfer-Encoding')
+    chunk = ''
+  }
+
   if (req.method === 'HEAD') {
     // skip body for HEAD
     this.end();
diff --git a/test/res.send.js b/test/res.send.js
index 6ba5542288..c92568db6a 100644
--- a/test/res.send.js
+++ b/test/res.send.js
@@ -283,6 +283,22 @@ describe('res', function(){
     })
   })
 
+  describe('when .statusCode is 205', function () {
+    it('should strip Transfer-Encoding field and body, set Content-Length', function (done) {
+      var app = express()
+
+      app.use(function (req, res) {
+        res.status(205).set('Transfer-Encoding', 'chunked').send('foo')
+      })
+
+      request(app)
+        .get('/')
+        .expect(utils.shouldNotHaveHeader('Transfer-Encoding'))
+        .expect('Content-Length', '0')
+        .expect(205, '', done)
+    })
+  })
+
   describe('when .statusCode is 304', function(){
     it('should strip Content-* fields, Transfer-Encoding field, and body', function(done){
       var app = express();

From c17fe058613dc7dfb7779fbe68a9738a108fe408 Mon Sep 17 00:00:00 2001
From: Evan Hahn <me@evanhahn.com>
Date: Wed, 2 Feb 2022 19:13:54 -0600
Subject: [PATCH 023/130] Ignore Object.prototype values in settings through
 app.set/app.get

closes #4802
closes #4803
---
 History.md         |  1 +
 lib/application.js | 19 ++++++++++++++++++-
 test/config.js     | 44 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+), 1 deletion(-)

diff --git a/History.md b/History.md
index fbe0126907..97345bb411 100644
--- a/History.md
+++ b/History.md
@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
   * Support proper 205 responses using `res.send`
 
 4.17.3 / 2022-02-16
diff --git a/lib/application.js b/lib/application.js
index e65ba58895..ebb30b51b3 100644
--- a/lib/application.js
+++ b/lib/application.js
@@ -29,6 +29,13 @@ var flatten = require('array-flatten');
 var merge = require('utils-merge');
 var resolve = require('path').resolve;
 var setPrototypeOf = require('setprototypeof')
+
+/**
+ * Module variables.
+ * @private
+ */
+
+var hasOwnProperty = Object.prototype.hasOwnProperty
 var slice = Array.prototype.slice;
 
 /**
@@ -352,7 +359,17 @@ app.param = function param(name, fn) {
 app.set = function set(setting, val) {
   if (arguments.length === 1) {
     // app.get(setting)
-    return this.settings[setting];
+    var settings = this.settings
+
+    while (settings && settings !== Object.prototype) {
+      if (hasOwnProperty.call(settings, setting)) {
+        return settings[setting]
+      }
+
+      settings = Object.getPrototypeOf(settings)
+    }
+
+    return undefined
   }
 
   debug('set "%s" to %o', setting, val);
diff --git a/test/config.js b/test/config.js
index 8386a4471c..b04367fdbf 100644
--- a/test/config.js
+++ b/test/config.js
@@ -11,6 +11,12 @@ describe('config', function () {
       assert.equal(app.get('foo'), 'bar');
     })
 
+    it('should set prototype values', function () {
+      var app = express()
+      app.set('hasOwnProperty', 42)
+      assert.strictEqual(app.get('hasOwnProperty'), 42)
+    })
+
     it('should return the app', function () {
       var app = express();
       assert.equal(app.set('foo', 'bar'), app);
@@ -21,6 +27,17 @@ describe('config', function () {
       assert.equal(app.set('foo', undefined), app);
     })
 
+    it('should return set value', function () {
+      var app = express()
+      app.set('foo', 'bar')
+      assert.strictEqual(app.set('foo'), 'bar')
+    })
+
+    it('should return undefined for prototype values', function () {
+      var app = express()
+      assert.strictEqual(app.set('hasOwnProperty'), undefined)
+    })
+
     describe('"etag"', function(){
       it('should throw on bad value', function(){
         var app = express();
@@ -51,6 +68,11 @@ describe('config', function () {
       assert.strictEqual(app.get('foo'), undefined);
     })
 
+    it('should return undefined for prototype values', function () {
+      var app = express()
+      assert.strictEqual(app.get('hasOwnProperty'), undefined)
+    })
+
     it('should otherwise return the value', function(){
       var app = express();
       app.set('foo', 'bar');
@@ -125,6 +147,12 @@ describe('config', function () {
       assert.equal(app.enable('tobi'), app);
       assert.strictEqual(app.get('tobi'), true);
     })
+
+    it('should set prototype values', function () {
+      var app = express()
+      app.enable('hasOwnProperty')
+      assert.strictEqual(app.get('hasOwnProperty'), true)
+    })
   })
 
   describe('.disable()', function(){
@@ -133,6 +161,12 @@ describe('config', function () {
       assert.equal(app.disable('tobi'), app);
       assert.strictEqual(app.get('tobi'), false);
     })
+
+    it('should set prototype values', function () {
+      var app = express()
+      app.disable('hasOwnProperty')
+      assert.strictEqual(app.get('hasOwnProperty'), false)
+    })
   })
 
   describe('.enabled()', function(){
@@ -146,6 +180,11 @@ describe('config', function () {
       app.set('foo', 'bar');
       assert.strictEqual(app.enabled('foo'), true);
     })
+
+    it('should default to false for prototype values', function () {
+      var app = express()
+      assert.strictEqual(app.enabled('hasOwnProperty'), false)
+    })
   })
 
   describe('.disabled()', function(){
@@ -159,5 +198,10 @@ describe('config', function () {
       app.set('foo', 'bar');
       assert.strictEqual(app.disabled('foo'), false);
     })
+
+    it('should default to true for prototype values', function () {
+      var app = express()
+      assert.strictEqual(app.disabled('hasOwnProperty'), true)
+    })
   })
 })

From 4847d0efa123fae8f12a2c1b88f7e1a87a5f145a Mon Sep 17 00:00:00 2001
From: Jon Church <me@jonchurch.com>
Date: Sat, 21 Mar 2020 05:04:16 -0400
Subject: [PATCH 024/130] Deprecate string and non-integer arguments to
 res.status

closes #4223
---
 History.md         |   1 +
 lib/response.js    |   3 +
 test/res.status.js | 205 ++++++++++++++++++++++++++++++++++++++++++---
 3 files changed, 197 insertions(+), 12 deletions(-)

diff --git a/History.md b/History.md
index 97345bb411..2e549136a5 100644
--- a/History.md
+++ b/History.md
@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Deprecate string and non-integer arguments to `res.status`
   * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
   * Support proper 205 responses using `res.send`
 
diff --git a/lib/response.js b/lib/response.js
index 9cf3d52be5..7a9564d262 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -64,6 +64,9 @@ var charsetRegExp = /;\s*charset\s*=/;
  */
 
 res.status = function status(code) {
+  if ((typeof code === 'string' || Math.floor(code) !== code) && code > 99 && code < 1000) {
+    deprecate('res.status(' + JSON.stringify(code) + '): use res.status(' + Math.floor(code) + ') instead')
+  }
   this.statusCode = code;
   return this;
 };
diff --git a/test/res.status.js b/test/res.status.js
index e0abc73c4c..1fe08344ea 100644
--- a/test/res.status.js
+++ b/test/res.status.js
@@ -1,21 +1,202 @@
 'use strict'
 
 var express = require('../')
-  , request = require('supertest');
+var request = require('supertest')
 
-describe('res', function(){
-  describe('.status(code)', function(){
-    it('should set the response .statusCode', function(done){
-      var app = express();
+var isIoJs = process.release
+  ? process.release.name === 'io.js'
+  : ['v1.', 'v2.', 'v3.'].indexOf(process.version.slice(0, 3)) !== -1
 
-      app.use(function(req, res){
-        res.status(201).end('Created');
-      });
+describe('res', function () {
+  describe('.status(code)', function () {
+    describe('when "code" is undefined', function () {
+      it('should raise error for invalid status code', function (done) {
+        var app = express()
 
-      request(app)
-      .get('/')
-      .expect('Created')
-      .expect(201, done);
+        app.use(function (req, res) {
+          res.status(undefined).end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(500, /Invalid status code/, function (err) {
+            if (isIoJs) {
+              done(err ? null : new Error('expected error'))
+            } else {
+              done(err)
+            }
+          })
+      })
+    })
+
+    describe('when "code" is null', function () {
+      it('should raise error for invalid status code', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.status(null).end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(500, /Invalid status code/, function (err) {
+            if (isIoJs) {
+              done(err ? null : new Error('expected error'))
+            } else {
+              done(err)
+            }
+          })
+      })
+    })
+
+    describe('when "code" is 201', function () {
+      it('should set the response status code to 201', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.status(201).end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(201, done)
+      })
+    })
+
+    describe('when "code" is 302', function () {
+      it('should set the response status code to 302', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.status(302).end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(302, done)
+      })
+    })
+
+    describe('when "code" is 403', function () {
+      it('should set the response status code to 403', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.status(403).end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(403, done)
+      })
+    })
+
+    describe('when "code" is 501', function () {
+      it('should set the response status code to 501', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.status(501).end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(501, done)
+      })
+    })
+
+    describe('when "code" is "410"', function () {
+      it('should set the response status code to 410', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.status('410').end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(410, done)
+      })
+    })
+
+    describe('when "code" is 410.1', function () {
+      it('should set the response status code to 410', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.status(410.1).end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(410, function (err) {
+            if (isIoJs) {
+              done(err ? null : new Error('expected error'))
+            } else {
+              done(err)
+            }
+          })
+      })
+    })
+
+    describe('when "code" is 1000', function () {
+      it('should raise error for invalid status code', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.status(1000).end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(500, /Invalid status code/, function (err) {
+            if (isIoJs) {
+              done(err ? null : new Error('expected error'))
+            } else {
+              done(err)
+            }
+          })
+      })
+    })
+
+    describe('when "code" is 99', function () {
+      it('should raise error for invalid status code', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.status(99).end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(500, /Invalid status code/, function (err) {
+            if (isIoJs) {
+              done(err ? null : new Error('expected error'))
+            } else {
+              done(err)
+            }
+          })
+      })
+    })
+
+    describe('when "code" is -401', function () {
+      it('should raise error for invalid status code', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.status(-401).end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(500, /Invalid status code/, function (err) {
+            if (isIoJs) {
+              done(err ? null : new Error('expected error'))
+            } else {
+              done(err)
+            }
+          })
+      })
     })
   })
 })

From 0def9bb659557df1bd659411a1a6f2c5b8b9d893 Mon Sep 17 00:00:00 2001
From: Tommaso Tofacchi <tofacchitommaso@gmail.com>
Date: Fri, 11 Mar 2022 10:02:43 +0100
Subject: [PATCH 025/130] Add "root" option to res.download

fixes #4834
closes #4855
---
 History.md           |  1 +
 lib/response.js      |  4 ++-
 test/res.download.js | 74 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/History.md b/History.md
index 2e549136a5..d7a2e43c35 100644
--- a/History.md
+++ b/History.md
@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Add "root" option to `res.download`
   * Deprecate string and non-integer arguments to `res.status`
   * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
   * Support proper 205 responses using `res.send`
diff --git a/lib/response.js b/lib/response.js
index 7a9564d262..101311e0eb 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -582,7 +582,9 @@ res.download = function download (path, filename, options, callback) {
   opts.headers = headers
 
   // Resolve the full path for sendFile
-  var fullPath = resolve(path);
+  var fullPath = !opts.root
+    ? resolve(path)
+    : path
 
   // send file
   return this.sendFile(fullPath, opts, done)
diff --git a/test/res.download.js b/test/res.download.js
index 1322b0a31f..51380d4ba1 100644
--- a/test/res.download.js
+++ b/test/res.download.js
@@ -3,9 +3,12 @@
 var after = require('after');
 var Buffer = require('safe-buffer').Buffer
 var express = require('..');
+var path = require('path')
 var request = require('supertest');
 var utils = require('./support/utils')
 
+var FIXTURES_PATH = path.join(__dirname, 'fixtures')
+
 describe('res', function(){
   describe('.download(path)', function(){
     it('should transfer as an attachment', function(done){
@@ -178,6 +181,77 @@ describe('res', function(){
         .end(done)
       })
     })
+
+    describe('with "root" option', function () {
+      it('should allow relative path', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.download('name.txt', 'document', {
+            root: FIXTURES_PATH
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('Content-Disposition', 'attachment; filename="document"')
+          .expect(utils.shouldHaveBody(Buffer.from('tobi')))
+          .end(done)
+      })
+
+      it('should allow up within root', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.download('fake/../name.txt', 'document', {
+            root: FIXTURES_PATH
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('Content-Disposition', 'attachment; filename="document"')
+          .expect(utils.shouldHaveBody(Buffer.from('tobi')))
+          .end(done)
+      })
+
+      it('should reject up outside root', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          var p = '..' + path.sep +
+            path.relative(path.dirname(FIXTURES_PATH), path.join(FIXTURES_PATH, 'name.txt'))
+
+          res.download(p, 'document', {
+            root: FIXTURES_PATH
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(403)
+          .expect(utils.shouldNotHaveHeader('Content-Disposition'))
+          .end(done)
+      })
+
+      it('should reject reading outside root', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.download('../name.txt', 'document', {
+            root: FIXTURES_PATH
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(403)
+          .expect(utils.shouldNotHaveHeader('Content-Disposition'))
+          .end(done)
+      })
+    })
   })
 
   describe('on failure', function(){

From dd69eedd189eb55658ec435b821df13062cc5a8e Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 25 Mar 2022 01:43:45 -0400
Subject: [PATCH 026/130] deps: send@0.18.0

---
 History.md   | 8 ++++++++
 package.json | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/History.md b/History.md
index d7a2e43c35..c5242a99a4 100644
--- a/History.md
+++ b/History.md
@@ -5,6 +5,14 @@ unreleased
   * Deprecate string and non-integer arguments to `res.status`
   * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
   * Support proper 205 responses using `res.send`
+  * deps: send@0.18.0
+    - Fix emitted 416 error missing headers property
+    - Limit the headers removed for 304 response
+    - deps: depd@2.0.0
+    - deps: destroy@1.2.0
+    - deps: http-errors@2.0.0
+    - deps: on-finished@2.4.1
+    - deps: statuses@2.0.1
 
 4.17.3 / 2022-02-16
 ===================
diff --git a/package.json b/package.json
index 7992166629..1400007435 100644
--- a/package.json
+++ b/package.json
@@ -51,7 +51,7 @@
     "qs": "6.9.7",
     "range-parser": "~1.2.1",
     "safe-buffer": "5.2.1",
-    "send": "0.17.2",
+    "send": "0.18.0",
     "serve-static": "1.14.2",
     "setprototypeof": "1.2.0",
     "statuses": "~1.5.0",

From c92420648e18f78d22db24e0ffec99155ec54a49 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 25 Mar 2022 01:44:51 -0400
Subject: [PATCH 027/130] deps: serve-static@1.15.0

---
 History.md   | 2 ++
 package.json | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/History.md b/History.md
index c5242a99a4..9e4f0d3a8e 100644
--- a/History.md
+++ b/History.md
@@ -13,6 +13,8 @@ unreleased
     - deps: http-errors@2.0.0
     - deps: on-finished@2.4.1
     - deps: statuses@2.0.1
+  * deps: serve-static@1.15.0
+    - deps: send@0.18.0
 
 4.17.3 / 2022-02-16
 ===================
diff --git a/package.json b/package.json
index 1400007435..c733bb2e50 100644
--- a/package.json
+++ b/package.json
@@ -52,7 +52,7 @@
     "range-parser": "~1.2.1",
     "safe-buffer": "5.2.1",
     "send": "0.18.0",
-    "serve-static": "1.14.2",
+    "serve-static": "1.15.0",
     "setprototypeof": "1.2.0",
     "statuses": "~1.5.0",
     "type-is": "~1.6.18",

From f739b162d9cc9fcfc1f514c2441c69f9fcb4364d Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 25 Mar 2022 01:46:32 -0400
Subject: [PATCH 028/130] deps: finalhandler@1.2.0

---
 History.md   | 4 ++++
 package.json | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/History.md b/History.md
index 9e4f0d3a8e..03b7ba9c7d 100644
--- a/History.md
+++ b/History.md
@@ -5,6 +5,10 @@ unreleased
   * Deprecate string and non-integer arguments to `res.status`
   * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
   * Support proper 205 responses using `res.send`
+  * deps: finalhandler@1.2.0
+    - Remove set content headers that break response
+    - deps: on-finished@2.4.1
+    - deps: statuses@2.0.1
   * deps: send@0.18.0
     - Fix emitted 416 error missing headers property
     - Limit the headers removed for 304 response
diff --git a/package.json b/package.json
index c733bb2e50..6de4bfff42 100644
--- a/package.json
+++ b/package.json
@@ -40,7 +40,7 @@
     "encodeurl": "~1.0.2",
     "escape-html": "~1.0.3",
     "etag": "~1.8.1",
-    "finalhandler": "~1.1.2",
+    "finalhandler": "1.2.0",
     "fresh": "0.5.2",
     "merge-descriptors": "1.0.1",
     "methods": "~1.1.2",

From 03dc3671874b214f67dacaca90f39a1c389f822e Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 25 Mar 2022 18:13:42 -0400
Subject: [PATCH 029/130] Allow options without filename in res.download

---
 History.md           |   1 +
 lib/response.js      |   7 ++
 test/res.download.js | 260 ++++++++++++++++++++++++++++++++-----------
 3 files changed, 206 insertions(+), 62 deletions(-)

diff --git a/History.md b/History.md
index 03b7ba9c7d..9b4bf4bce5 100644
--- a/History.md
+++ b/History.md
@@ -2,6 +2,7 @@ unreleased
 ==========
 
   * Add "root" option to `res.download`
+  * Allow `options` without `filename` in `res.download`
   * Deprecate string and non-integer arguments to `res.status`
   * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
   * Support proper 205 responses using `res.send`
diff --git a/lib/response.js b/lib/response.js
index 101311e0eb..3713e6f9a9 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -561,6 +561,13 @@ res.download = function download (path, filename, options, callback) {
     opts = null
   }
 
+  // support optional filename, where options may be in it's place
+  if (typeof filename === 'object' &&
+    (typeof options === 'function' || options === undefined)) {
+    name = null
+    opts = filename
+  }
+
   // set Content-Disposition when file is sent
   var headers = {
     'Content-Disposition': contentDisposition(name || path)
diff --git a/test/res.download.js b/test/res.download.js
index 51380d4ba1..91b074e8bf 100644
--- a/test/res.download.js
+++ b/test/res.download.js
@@ -86,46 +86,12 @@ describe('res', function(){
     })
   })
 
-  describe('.download(path, filename, fn)', function(){
-    it('should invoke the callback', function(done){
-      var app = express();
-      var cb = after(2, done);
-
-      app.use(function(req, res){
-        res.download('test/fixtures/user.html', 'document', cb)
-      });
-
-      request(app)
-      .get('/')
-      .expect('Content-Type', 'text/html; charset=UTF-8')
-      .expect('Content-Disposition', 'attachment; filename="document"')
-      .expect(200, cb);
-    })
-  })
-
-  describe('.download(path, filename, options, fn)', function () {
-    it('should invoke the callback', function (done) {
-      var app = express()
-      var cb = after(2, done)
-      var options = {}
-
-      app.use(function (req, res) {
-        res.download('test/fixtures/user.html', 'document', options, cb)
-      })
-
-      request(app)
-      .get('/')
-      .expect(200)
-      .expect('Content-Type', 'text/html; charset=UTF-8')
-      .expect('Content-Disposition', 'attachment; filename="document"')
-      .end(cb)
-    })
-
+  describe('.download(path, options)', function () {
     it('should allow options to res.sendFile()', function (done) {
       var app = express()
 
       app.use(function (req, res) {
-        res.download('test/fixtures/.name', 'document', {
+        res.download('test/fixtures/.name', {
           dotfiles: 'allow',
           maxAge: '4h'
         })
@@ -134,51 +100,124 @@ describe('res', function(){
       request(app)
         .get('/')
         .expect(200)
-        .expect('Content-Disposition', 'attachment; filename="document"')
+        .expect('Content-Disposition', 'attachment; filename=".name"')
         .expect('Cache-Control', 'public, max-age=14400')
         .expect(utils.shouldHaveBody(Buffer.from('tobi')))
         .end(done)
     })
 
-    describe('when options.headers contains Content-Disposition', function () {
-      it('should be ignored', function (done) {
+    describe('with "headers" option', function () {
+      it('should set headers on response', function (done) {
         var app = express()
 
         app.use(function (req, res) {
-          res.download('test/fixtures/user.html', 'document', {
+          res.download('test/fixtures/user.html', {
             headers: {
-              'Content-Type': 'text/x-custom',
-              'Content-Disposition': 'inline'
+              'X-Foo': 'Bar',
+              'X-Bar': 'Foo'
             }
           })
         })
 
         request(app)
-        .get('/')
-        .expect(200)
-        .expect('Content-Type', 'text/x-custom')
-        .expect('Content-Disposition', 'attachment; filename="document"')
-        .end(done)
+          .get('/')
+          .expect(200)
+          .expect('X-Foo', 'Bar')
+          .expect('X-Bar', 'Foo')
+          .end(done)
       })
 
-      it('should be ignored case-insensitively', function (done) {
+      it('should use last header when duplicated', function (done) {
         var app = express()
 
         app.use(function (req, res) {
-          res.download('test/fixtures/user.html', 'document', {
+          res.download('test/fixtures/user.html', {
             headers: {
-              'content-type': 'text/x-custom',
-              'content-disposition': 'inline'
+              'X-Foo': 'Bar',
+              'x-foo': 'bar'
             }
           })
         })
 
         request(app)
-        .get('/')
-        .expect(200)
-        .expect('Content-Type', 'text/x-custom')
-        .expect('Content-Disposition', 'attachment; filename="document"')
-        .end(done)
+          .get('/')
+          .expect(200)
+          .expect('X-Foo', 'bar')
+          .end(done)
+      })
+
+      it('should override Content-Type', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.download('test/fixtures/user.html', {
+            headers: {
+              'Content-Type': 'text/x-custom'
+            }
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('Content-Type', 'text/x-custom')
+          .end(done)
+      })
+
+      it('should not set headers on 404', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.download('test/fixtures/does-not-exist', {
+            headers: {
+              'X-Foo': 'Bar'
+            }
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(404)
+          .expect(utils.shouldNotHaveHeader('X-Foo'))
+          .end(done)
+      })
+
+      describe('when headers contains Content-Disposition', function () {
+        it('should be ignored', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.download('test/fixtures/user.html', {
+              headers: {
+                'Content-Disposition': 'inline'
+              }
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect('Content-Disposition', 'attachment; filename="user.html"')
+            .end(done)
+        })
+
+        it('should be ignored case-insensitively', function (done) {
+          var app = express()
+
+          app.use(function (req, res) {
+            res.download('test/fixtures/user.html', {
+              headers: {
+                'content-disposition': 'inline'
+              }
+            })
+          })
+
+          request(app)
+            .get('/')
+            .expect(200)
+            .expect('Content-Disposition', 'attachment; filename="user.html"')
+            .end(done)
+        })
       })
     })
 
@@ -187,7 +226,7 @@ describe('res', function(){
         var app = express()
 
         app.use(function (req, res) {
-          res.download('name.txt', 'document', {
+          res.download('name.txt', {
             root: FIXTURES_PATH
           })
         })
@@ -195,7 +234,7 @@ describe('res', function(){
         request(app)
           .get('/')
           .expect(200)
-          .expect('Content-Disposition', 'attachment; filename="document"')
+          .expect('Content-Disposition', 'attachment; filename="name.txt"')
           .expect(utils.shouldHaveBody(Buffer.from('tobi')))
           .end(done)
       })
@@ -204,7 +243,7 @@ describe('res', function(){
         var app = express()
 
         app.use(function (req, res) {
-          res.download('fake/../name.txt', 'document', {
+          res.download('fake/../name.txt', {
             root: FIXTURES_PATH
           })
         })
@@ -212,7 +251,7 @@ describe('res', function(){
         request(app)
           .get('/')
           .expect(200)
-          .expect('Content-Disposition', 'attachment; filename="document"')
+          .expect('Content-Disposition', 'attachment; filename="name.txt"')
           .expect(utils.shouldHaveBody(Buffer.from('tobi')))
           .end(done)
       })
@@ -224,7 +263,7 @@ describe('res', function(){
           var p = '..' + path.sep +
             path.relative(path.dirname(FIXTURES_PATH), path.join(FIXTURES_PATH, 'name.txt'))
 
-          res.download(p, 'document', {
+          res.download(p, {
             root: FIXTURES_PATH
           })
         })
@@ -240,7 +279,7 @@ describe('res', function(){
         var app = express()
 
         app.use(function (req, res) {
-          res.download('../name.txt', 'document', {
+          res.download('../name.txt', {
             root: FIXTURES_PATH
           })
         })
@@ -254,6 +293,103 @@ describe('res', function(){
     })
   })
 
+  describe('.download(path, filename, fn)', function(){
+    it('should invoke the callback', function(done){
+      var app = express();
+      var cb = after(2, done);
+
+      app.use(function(req, res){
+        res.download('test/fixtures/user.html', 'document', cb)
+      });
+
+      request(app)
+      .get('/')
+      .expect('Content-Type', 'text/html; charset=UTF-8')
+      .expect('Content-Disposition', 'attachment; filename="document"')
+      .expect(200, cb);
+    })
+  })
+
+  describe('.download(path, filename, options, fn)', function () {
+    it('should invoke the callback', function (done) {
+      var app = express()
+      var cb = after(2, done)
+      var options = {}
+
+      app.use(function (req, res) {
+        res.download('test/fixtures/user.html', 'document', options, cb)
+      })
+
+      request(app)
+      .get('/')
+      .expect(200)
+      .expect('Content-Type', 'text/html; charset=UTF-8')
+      .expect('Content-Disposition', 'attachment; filename="document"')
+      .end(cb)
+    })
+
+    it('should allow options to res.sendFile()', function (done) {
+      var app = express()
+
+      app.use(function (req, res) {
+        res.download('test/fixtures/.name', 'document', {
+          dotfiles: 'allow',
+          maxAge: '4h'
+        })
+      })
+
+      request(app)
+        .get('/')
+        .expect(200)
+        .expect('Content-Disposition', 'attachment; filename="document"')
+        .expect('Cache-Control', 'public, max-age=14400')
+        .expect(utils.shouldHaveBody(Buffer.from('tobi')))
+        .end(done)
+    })
+
+    describe('when options.headers contains Content-Disposition', function () {
+      it('should be ignored', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.download('test/fixtures/user.html', 'document', {
+            headers: {
+              'Content-Type': 'text/x-custom',
+              'Content-Disposition': 'inline'
+            }
+          })
+        })
+
+        request(app)
+        .get('/')
+        .expect(200)
+        .expect('Content-Type', 'text/x-custom')
+        .expect('Content-Disposition', 'attachment; filename="document"')
+        .end(done)
+      })
+
+      it('should be ignored case-insensitively', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.download('test/fixtures/user.html', 'document', {
+            headers: {
+              'content-type': 'text/x-custom',
+              'content-disposition': 'inline'
+            }
+          })
+        })
+
+        request(app)
+        .get('/')
+        .expect(200)
+        .expect('Content-Type', 'text/x-custom')
+        .expect('Content-Disposition', 'attachment; filename="document"')
+        .end(done)
+      })
+    })
+  })
+
   describe('on failure', function(){
     it('should invoke the callback', function(done){
       var app = express();

From 10b9b507b7d113d04965cccd8d170ee524e3d555 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 25 Mar 2022 18:14:27 -0400
Subject: [PATCH 030/130] examples: use updated res.download in example

---
 examples/downloads/index.js | 5 +----
 package.json                | 1 -
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/examples/downloads/index.js b/examples/downloads/index.js
index 62e7fa6e3e..6b67e0c886 100644
--- a/examples/downloads/index.js
+++ b/examples/downloads/index.js
@@ -6,7 +6,6 @@
 
 var express = require('../../');
 var path = require('path');
-var resolvePath = require('resolve-path')
 
 var app = module.exports = express();
 
@@ -25,9 +24,7 @@ app.get('/', function(req, res){
 // /files/* is accessed via req.params[0]
 // but here we name it :file
 app.get('/files/:file(*)', function(req, res, next){
-  var filePath = resolvePath(FILES_DIR, req.params.file)
-
-  res.download(filePath, function (err) {
+  res.download(req.params.file, { root: FILES_DIR }, function (err) {
     if (!err) return; // file sent
     if (err.status !== 404) return next(err); // non-404 error
     // file for download not found
diff --git a/package.json b/package.json
index 6de4bfff42..8f8959a4c3 100644
--- a/package.json
+++ b/package.json
@@ -75,7 +75,6 @@
     "multiparty": "4.2.3",
     "nyc": "15.1.0",
     "pbkdf2-password": "1.2.1",
-    "resolve-path": "1.4.0",
     "supertest": "6.2.2",
     "vhost": "~3.0.2"
   },

From 9482b82d0b9c498140561087d68f0409078a86ea Mon Sep 17 00:00:00 2001
From: Nadav Ivgi <nadav@shesek.info>
Date: Tue, 13 Mar 2018 08:14:06 +0200
Subject: [PATCH 031/130] Invoke default with same arguments as types in
 res.format

closes #3587
---
 History.md         |  1 +
 lib/response.js    |  9 ++++-----
 test/res.format.js | 29 ++++++++++++++++++++++++++++-
 3 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/History.md b/History.md
index 9b4bf4bce5..d1aa9b3b88 100644
--- a/History.md
+++ b/History.md
@@ -5,6 +5,7 @@ unreleased
   * Allow `options` without `filename` in `res.download`
   * Deprecate string and non-integer arguments to `res.status`
   * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
+  * Invoke `default` with same arguments as types in `res.format`
   * Support proper 205 responses using `res.send`
   * deps: finalhandler@1.2.0
     - Remove set content headers that break response
diff --git a/lib/response.js b/lib/response.js
index 3713e6f9a9..bfa7871434 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -684,9 +684,8 @@ res.format = function(obj){
   var req = this.req;
   var next = req.next;
 
-  var fn = obj.default;
-  if (fn) delete obj.default;
-  var keys = Object.keys(obj);
+  var keys = Object.keys(obj)
+    .filter(function (v) { return v !== 'default' })
 
   var key = keys.length > 0
     ? req.accepts(keys)
@@ -697,8 +696,8 @@ res.format = function(obj){
   if (key) {
     this.set('Content-Type', normalizeType(key).value);
     obj[key](req, this, next);
-  } else if (fn) {
-    fn();
+  } else if (obj.default) {
+    obj.default(req, this, next)
   } else {
     var err = new Error('Not Acceptable');
     err.status = err.statusCode = 406;
diff --git a/test/res.format.js b/test/res.format.js
index 24e18d9552..45243d17a1 100644
--- a/test/res.format.js
+++ b/test/res.format.js
@@ -50,7 +50,12 @@ var app3 = express();
 app3.use(function(req, res, next){
   res.format({
     text: function(){ res.send('hey') },
-    default: function(){ res.send('default') }
+    default: function (a, b, c) {
+      assert(req === a)
+      assert(res === b)
+      assert(next === c)
+      res.send('default')
+    }
   })
 });
 
@@ -118,6 +123,28 @@ describe('res', function(){
         .set('Accept', '*/*')
         .expect('hey', done);
       })
+
+      it('should be able to invoke other formatter', function (done) {
+        var app = express()
+
+        app.use(function (req, res, next) {
+          res.format({
+            json: function () { res.send('json') },
+            default: function () {
+              res.header('x-default', '1')
+              this.json()
+            }
+          })
+        })
+
+        request(app)
+          .get('/')
+          .set('Accept', 'text/plain')
+          .expect(200)
+          .expect('x-default', '1')
+          .expect('json')
+          .end(done)
+      })
     })
 
     describe('in router', function(){

From 1cc816993832eba829a2f556f7c08e27e6371301 Mon Sep 17 00:00:00 2001
From: Ulises Gascon <ulises.gascon@guidesmiths.com>
Date: Wed, 5 Feb 2020 17:56:51 +0100
Subject: [PATCH 032/130] deps: depd@2.0.0

closes #4174
---
 History.md   | 3 +++
 package.json | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/History.md b/History.md
index d1aa9b3b88..0b54e1d27b 100644
--- a/History.md
+++ b/History.md
@@ -7,6 +7,9 @@ unreleased
   * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
   * Invoke `default` with same arguments as types in `res.format`
   * Support proper 205 responses using `res.send`
+  * deps: depd@2.0.0
+    - Replace internal `eval` usage with `Function` constructor
+    - Use instance methods on `process` to check for listeners
   * deps: finalhandler@1.2.0
     - Remove set content headers that break response
     - deps: on-finished@2.4.1
diff --git a/package.json b/package.json
index 8f8959a4c3..d9fbe97698 100644
--- a/package.json
+++ b/package.json
@@ -36,7 +36,7 @@
     "cookie": "0.4.2",
     "cookie-signature": "1.0.6",
     "debug": "2.6.9",
-    "depd": "~1.1.2",
+    "depd": "2.0.0",
     "encodeurl": "~1.0.2",
     "escape-html": "~1.0.3",
     "etag": "~1.8.1",

From 5855339455a7f60774bef4166829e742a5056fa8 Mon Sep 17 00:00:00 2001
From: Chris Barth <chrisjbarth@hotmail.com>
Date: Thu, 18 Apr 2019 09:12:33 -0400
Subject: [PATCH 033/130] Fix behavior of null/undefined as "maxAge" in
 res.cookie

fixes #3935
closes #3936
---
 History.md         |  1 +
 lib/response.js    | 10 +++++++---
 test/res.cookie.js | 30 ++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/History.md b/History.md
index 0b54e1d27b..8d9d39b2b8 100644
--- a/History.md
+++ b/History.md
@@ -4,6 +4,7 @@ unreleased
   * Add "root" option to `res.download`
   * Allow `options` without `filename` in `res.download`
   * Deprecate string and non-integer arguments to `res.status`
+  * Fix behavior of `null`/`undefined` as `maxAge` in `res.cookie`
   * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
   * Invoke `default` with same arguments as types in `res.format`
   * Support proper 205 responses using `res.send`
diff --git a/lib/response.js b/lib/response.js
index bfa7871434..eeeee1c806 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -868,9 +868,13 @@ res.cookie = function (name, value, options) {
     val = 's:' + sign(val, secret);
   }
 
-  if ('maxAge' in opts) {
-    opts.expires = new Date(Date.now() + opts.maxAge);
-    opts.maxAge /= 1000;
+  if (opts.maxAge != null) {
+    var maxAge = opts.maxAge - 0
+
+    if (!isNaN(maxAge)) {
+      opts.expires = new Date(Date.now() + maxAge)
+      opts.maxAge = Math.floor(maxAge / 1000)
+    }
   }
 
   if (opts.path == null) {
diff --git a/test/res.cookie.js b/test/res.cookie.js
index d10e48646b..e3a921301f 100644
--- a/test/res.cookie.js
+++ b/test/res.cookie.js
@@ -111,6 +111,36 @@ describe('res', function(){
         .expect(200, optionsCopy, done)
       })
 
+      it('should not throw on null', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.cookie('name', 'tobi', { maxAge: null })
+          res.end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('Set-Cookie', 'name=tobi; Path=/')
+          .end(done)
+      })
+
+      it('should not throw on undefined', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.cookie('name', 'tobi', { maxAge: undefined })
+          res.end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('Set-Cookie', 'name=tobi; Path=/')
+          .end(done)
+      })
+
       it('should throw an error with invalid maxAge', function (done) {
         var app = express()
 

From a10770286e7420c5a56ed3cc0b6add2c028ae56e Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Sun, 27 Mar 2022 23:41:31 -0400
Subject: [PATCH 034/130] Use http-errors for res.format error

---
 History.md      | 1 +
 lib/response.js | 8 ++++----
 package.json    | 1 +
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/History.md b/History.md
index 8d9d39b2b8..2e542333d9 100644
--- a/History.md
+++ b/History.md
@@ -8,6 +8,7 @@ unreleased
   * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
   * Invoke `default` with same arguments as types in `res.format`
   * Support proper 205 responses using `res.send`
+  * Use `http-errors` for `res.format` error
   * deps: depd@2.0.0
     - Replace internal `eval` usage with `Function` constructor
     - Use instance methods on `process` to check for listeners
diff --git a/lib/response.js b/lib/response.js
index eeeee1c806..d9b8db1c20 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -14,6 +14,7 @@
 
 var Buffer = require('safe-buffer').Buffer
 var contentDisposition = require('content-disposition');
+var createError = require('http-errors')
 var deprecate = require('depd')('express');
 var encodeUrl = require('encodeurl');
 var escapeHtml = require('escape-html');
@@ -699,10 +700,9 @@ res.format = function(obj){
   } else if (obj.default) {
     obj.default(req, this, next)
   } else {
-    var err = new Error('Not Acceptable');
-    err.status = err.statusCode = 406;
-    err.types = normalizeTypes(keys).map(function(o){ return o.value });
-    next(err);
+    next(createError(406, {
+      types: normalizeTypes(keys).map(function (o) { return o.value })
+    }))
   }
 
   return this;
diff --git a/package.json b/package.json
index d9fbe97698..71c110e5f2 100644
--- a/package.json
+++ b/package.json
@@ -42,6 +42,7 @@
     "etag": "~1.8.1",
     "finalhandler": "1.2.0",
     "fresh": "0.5.2",
+    "http-errors": "2.0.0",
     "merge-descriptors": "1.0.1",
     "methods": "~1.1.2",
     "on-finished": "~2.3.0",

From 32c558d414b4ac0f5bd70fa6a0f39a5558a7b016 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Sat, 2 Apr 2022 21:51:31 -0400
Subject: [PATCH 035/130] deps: body-parser@1.20.0

---
 History.md                 |  10 ++
 package.json               |   2 +-
 test/express.json.js       | 339 +++++++++++++++++++++++++------------
 test/express.raw.js        | 203 ++++++++++++++++++++--
 test/express.text.js       | 221 ++++++++++++++++++++----
 test/express.urlencoded.js | 263 ++++++++++++++++++++--------
 6 files changed, 817 insertions(+), 221 deletions(-)

diff --git a/History.md b/History.md
index 2e542333d9..cba82afcbd 100644
--- a/History.md
+++ b/History.md
@@ -9,6 +9,16 @@ unreleased
   * Invoke `default` with same arguments as types in `res.format`
   * Support proper 205 responses using `res.send`
   * Use `http-errors` for `res.format` error
+  * deps: body-parser@1.20.0
+    - Fix error message for json parse whitespace in `strict`
+    - Fix internal error when inflated body exceeds limit
+    - Prevent loss of async hooks context
+    - Prevent hanging when request already read
+    - deps: depd@2.0.0
+    - deps: http-errors@2.0.0
+    - deps: on-finished@2.4.1
+    - deps: qs@6.10.3
+    - deps: raw-body@2.5.1
   * deps: depd@2.0.0
     - Replace internal `eval` usage with `Function` constructor
     - Use instance methods on `process` to check for listeners
diff --git a/package.json b/package.json
index 71c110e5f2..ce6604bd7d 100644
--- a/package.json
+++ b/package.json
@@ -30,7 +30,7 @@
   "dependencies": {
     "accepts": "~1.3.8",
     "array-flatten": "1.1.1",
-    "body-parser": "1.19.2",
+    "body-parser": "1.20.0",
     "content-disposition": "0.5.4",
     "content-type": "~1.0.4",
     "cookie": "0.4.2",
diff --git a/test/express.json.js b/test/express.json.js
index 53a39565a9..a8cfebc41e 100644
--- a/test/express.json.js
+++ b/test/express.json.js
@@ -1,10 +1,15 @@
 'use strict'
 
 var assert = require('assert')
+var asyncHooks = tryRequire('async_hooks')
 var Buffer = require('safe-buffer').Buffer
 var express = require('..')
 var request = require('supertest')
 
+var describeAsyncHooks = typeof asyncHooks.AsyncLocalStorage === 'function'
+  ? describe
+  : describe.skip
+
 describe('express.json()', function () {
   it('should parse JSON', function (done) {
     request(createApp())
@@ -38,6 +43,14 @@ describe('express.json()', function () {
       .expect(200, '{}', done)
   })
 
+  it('should 400 when only whitespace', function (done) {
+    request(createApp())
+      .post('/')
+      .set('Content-Type', 'application/json')
+      .send('  \n')
+      .expect(400, '[entity.parse.failed] ' + parseError(' '), done)
+  })
+
   it('should 400 when invalid content-length', function (done) {
     var app = express()
 
@@ -59,6 +72,32 @@ describe('express.json()', function () {
       .expect(400, /content length/, done)
   })
 
+  it('should 500 if stream not readable', function (done) {
+    var app = express()
+
+    app.use(function (req, res, next) {
+      req.on('end', next)
+      req.resume()
+    })
+
+    app.use(express.json())
+
+    app.use(function (err, req, res, next) {
+      res.status(err.status || 500)
+      res.send('[' + err.type + '] ' + err.message)
+    })
+
+    app.post('/', function (req, res) {
+      res.json(req.body)
+    })
+
+    request(app)
+      .post('/')
+      .set('Content-Type', 'application/json')
+      .send('{"user":"tobi"}')
+      .expect(500, '[stream.not.readable] stream is not readable', done)
+  })
+
   it('should handle duplicated middleware', function (done) {
     var app = express()
 
@@ -86,7 +125,7 @@ describe('express.json()', function () {
         .post('/')
         .set('Content-Type', 'application/json')
         .send('{:')
-        .expect(400, parseError('{:'), done)
+        .expect(400, '[entity.parse.failed] ' + parseError('{:'), done)
     })
 
     it('should 400 for incomplete', function (done) {
@@ -94,16 +133,7 @@ describe('express.json()', function () {
         .post('/')
         .set('Content-Type', 'application/json')
         .send('{"user"')
-        .expect(400, parseError('{"user"'), done)
-    })
-
-    it('should error with type = "entity.parse.failed"', function (done) {
-      request(this.app)
-        .post('/')
-        .set('Content-Type', 'application/json')
-        .set('X-Error-Property', 'type')
-        .send(' {"user"')
-        .expect(400, 'entity.parse.failed', done)
+        .expect(400, '[entity.parse.failed] ' + parseError('{"user"'), done)
     })
 
     it('should include original body on error object', function (done) {
@@ -124,24 +154,13 @@ describe('express.json()', function () {
         .set('Content-Type', 'application/json')
         .set('Content-Length', '1034')
         .send(JSON.stringify({ str: buf.toString() }))
-        .expect(413, done)
-    })
-
-    it('should error with type = "entity.too.large"', function (done) {
-      var buf = Buffer.alloc(1024, '.')
-      request(createApp({ limit: '1kb' }))
-        .post('/')
-        .set('Content-Type', 'application/json')
-        .set('Content-Length', '1034')
-        .set('X-Error-Property', 'type')
-        .send(JSON.stringify({ str: buf.toString() }))
-        .expect(413, 'entity.too.large', done)
+        .expect(413, '[entity.too.large] request entity too large', done)
     })
 
     it('should 413 when over limit with chunked encoding', function (done) {
+      var app = createApp({ limit: '1kb' })
       var buf = Buffer.alloc(1024, '.')
-      var server = createApp({ limit: '1kb' })
-      var test = request(server).post('/')
+      var test = request(app).post('/')
       test.set('Content-Type', 'application/json')
       test.set('Transfer-Encoding', 'chunked')
       test.write('{"str":')
@@ -149,6 +168,15 @@ describe('express.json()', function () {
       test.expect(413, done)
     })
 
+    it('should 413 when inflated body over limit', function (done) {
+      var app = createApp({ limit: '1kb' })
+      var test = request(app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'application/json')
+      test.write(Buffer.from('1f8b080000000000000aab562a2e2952b252d21b05a360148c58a0540b0066f7ce1e0a040000', 'hex'))
+      test.expect(413, done)
+    })
+
     it('should accept number of bytes', function (done) {
       var buf = Buffer.alloc(1024, '.')
       request(createApp({ limit: 1024 }))
@@ -161,11 +189,11 @@ describe('express.json()', function () {
     it('should not change when options altered', function (done) {
       var buf = Buffer.alloc(1024, '.')
       var options = { limit: '1kb' }
-      var server = createApp(options)
+      var app = createApp(options)
 
       options.limit = '100kb'
 
-      request(server)
+      request(app)
         .post('/')
         .set('Content-Type', 'application/json')
         .send(JSON.stringify({ str: buf.toString() }))
@@ -174,14 +202,23 @@ describe('express.json()', function () {
 
     it('should not hang response', function (done) {
       var buf = Buffer.alloc(10240, '.')
-      var server = createApp({ limit: '8kb' })
-      var test = request(server).post('/')
+      var app = createApp({ limit: '8kb' })
+      var test = request(app).post('/')
       test.set('Content-Type', 'application/json')
       test.write(buf)
       test.write(buf)
       test.write(buf)
       test.expect(413, done)
     })
+
+    it('should not error when inflating', function (done) {
+      var app = createApp({ limit: '1kb' })
+      var test = request(app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'application/json')
+      test.write(Buffer.from('1f8b080000000000000aab562a2e2952b252d21b05a360148c58a0540b0066f7ce1e0a0400', 'hex'))
+      test.expect(413, done)
+    })
   })
 
   describe('with inflate option', function () {
@@ -195,7 +232,7 @@ describe('express.json()', function () {
         test.set('Content-Encoding', 'gzip')
         test.set('Content-Type', 'application/json')
         test.write(Buffer.from('1f8b080000000000000bab56ca4bcc4d55b2527ab16e97522d00515be1cc0e000000', 'hex'))
-        test.expect(415, 'content encoding unsupported', done)
+        test.expect(415, '[encoding.unsupported] content encoding unsupported', done)
       })
     })
 
@@ -225,7 +262,7 @@ describe('express.json()', function () {
           .post('/')
           .set('Content-Type', 'application/json')
           .send('true')
-          .expect(400, parseError('#rue').replace('#', 't'), done)
+          .expect(400, '[entity.parse.failed] ' + parseError('#rue').replace('#', 't'), done)
       })
     })
 
@@ -253,7 +290,7 @@ describe('express.json()', function () {
           .post('/')
           .set('Content-Type', 'application/json')
           .send('true')
-          .expect(400, parseError('#rue').replace('#', 't'), done)
+          .expect(400, '[entity.parse.failed] ' + parseError('#rue').replace('#', 't'), done)
       })
 
       it('should not parse primitives with leading whitespaces', function (done) {
@@ -261,7 +298,7 @@ describe('express.json()', function () {
           .post('/')
           .set('Content-Type', 'application/json')
           .send('    true')
-          .expect(400, parseError('    #rue').replace('#', 't'), done)
+          .expect(400, '[entity.parse.failed] ' + parseError('    #rue').replace('#', 't'), done)
       })
 
       it('should allow leading whitespaces in JSON', function (done) {
@@ -272,15 +309,6 @@ describe('express.json()', function () {
           .expect(200, '{"user":"tobi"}', done)
       })
 
-      it('should error with type = "entity.parse.failed"', function (done) {
-        request(this.app)
-          .post('/')
-          .set('Content-Type', 'application/json')
-          .set('X-Error-Property', 'type')
-          .send('true')
-          .expect(400, 'entity.parse.failed', done)
-      })
-
       it('should include correct message in stack trace', function (done) {
         request(this.app)
           .post('/')
@@ -397,65 +425,59 @@ describe('express.json()', function () {
     })
 
     it('should error from verify', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] === 0x5b) throw new Error('no arrays')
-      } })
-
-      request(app)
-        .post('/')
-        .set('Content-Type', 'application/json')
-        .send('["tobi"]')
-        .expect(403, 'no arrays', done)
-    })
-
-    it('should error with type = "entity.verify.failed"', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] === 0x5b) throw new Error('no arrays')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] === 0x5b) throw new Error('no arrays')
+        }
+      })
 
       request(app)
         .post('/')
         .set('Content-Type', 'application/json')
-        .set('X-Error-Property', 'type')
         .send('["tobi"]')
-        .expect(403, 'entity.verify.failed', done)
+        .expect(403, '[entity.verify.failed] no arrays', done)
     })
 
     it('should allow custom codes', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] !== 0x5b) return
-        var err = new Error('no arrays')
-        err.status = 400
-        throw err
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] !== 0x5b) return
+          var err = new Error('no arrays')
+          err.status = 400
+          throw err
+        }
+      })
 
       request(app)
         .post('/')
         .set('Content-Type', 'application/json')
         .send('["tobi"]')
-        .expect(400, 'no arrays', done)
+        .expect(400, '[entity.verify.failed] no arrays', done)
     })
 
     it('should allow custom type', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] !== 0x5b) return
-        var err = new Error('no arrays')
-        err.type = 'foo.bar'
-        throw err
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] !== 0x5b) return
+          var err = new Error('no arrays')
+          err.type = 'foo.bar'
+          throw err
+        }
+      })
 
       request(app)
         .post('/')
         .set('Content-Type', 'application/json')
-        .set('X-Error-Property', 'type')
         .send('["tobi"]')
-        .expect(403, 'foo.bar', done)
+        .expect(403, '[foo.bar] no arrays', done)
     })
 
     it('should include original body on error object', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] === 0x5b) throw new Error('no arrays')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] === 0x5b) throw new Error('no arrays')
+        }
+      })
 
       request(app)
         .post('/')
@@ -466,9 +488,11 @@ describe('express.json()', function () {
     })
 
     it('should allow pass-through', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] === 0x5b) throw new Error('no arrays')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] === 0x5b) throw new Error('no arrays')
+        }
+      })
 
       request(app)
         .post('/')
@@ -478,9 +502,11 @@ describe('express.json()', function () {
     })
 
     it('should work with different charsets', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] === 0x5b) throw new Error('no arrays')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] === 0x5b) throw new Error('no arrays')
+        }
+      })
 
       var test = request(app).post('/')
       test.set('Content-Type', 'application/json; charset=utf-16')
@@ -489,14 +515,120 @@ describe('express.json()', function () {
     })
 
     it('should 415 on unknown charset prior to verify', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        throw new Error('unexpected verify call')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          throw new Error('unexpected verify call')
+        }
+      })
 
       var test = request(app).post('/')
       test.set('Content-Type', 'application/json; charset=x-bogus')
       test.write(Buffer.from('00000000', 'hex'))
-      test.expect(415, 'unsupported charset "X-BOGUS"', done)
+      test.expect(415, '[charset.unsupported] unsupported charset "X-BOGUS"', done)
+    })
+  })
+
+  describeAsyncHooks('async local storage', function () {
+    before(function () {
+      var app = express()
+      var store = { foo: 'bar' }
+
+      app.use(function (req, res, next) {
+        req.asyncLocalStorage = new asyncHooks.AsyncLocalStorage()
+        req.asyncLocalStorage.run(store, next)
+      })
+
+      app.use(express.json())
+
+      app.use(function (req, res, next) {
+        var local = req.asyncLocalStorage.getStore()
+
+        if (local) {
+          res.setHeader('x-store-foo', String(local.foo))
+        }
+
+        next()
+      })
+
+      app.use(function (err, req, res, next) {
+        var local = req.asyncLocalStorage.getStore()
+
+        if (local) {
+          res.setHeader('x-store-foo', String(local.foo))
+        }
+
+        res.status(err.status || 500)
+        res.send('[' + err.type + '] ' + err.message)
+      })
+
+      app.post('/', function (req, res) {
+        res.json(req.body)
+      })
+
+      this.app = app
+    })
+
+    it('should presist store', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'application/json')
+        .send('{"user":"tobi"}')
+        .expect(200)
+        .expect('x-store-foo', 'bar')
+        .expect('{"user":"tobi"}')
+        .end(done)
+    })
+
+    it('should presist store when unmatched content-type', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'application/fizzbuzz')
+        .send('buzz')
+        .expect(200)
+        .expect('x-store-foo', 'bar')
+        .expect('{}')
+        .end(done)
+    })
+
+    it('should presist store when inflated', function (done) {
+      var test = request(this.app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'application/json')
+      test.write(Buffer.from('1f8b080000000000000bab56ca4bcc4d55b2527ab16e97522d00515be1cc0e000000', 'hex'))
+      test.expect(200)
+      test.expect('x-store-foo', 'bar')
+      test.expect('{"name":"论"}')
+      test.end(done)
+    })
+
+    it('should presist store when inflate error', function (done) {
+      var test = request(this.app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'application/json')
+      test.write(Buffer.from('1f8b080000000000000bab56cc4d55b2527ab16e97522d00515be1cc0e000000', 'hex'))
+      test.expect(400)
+      test.expect('x-store-foo', 'bar')
+      test.end(done)
+    })
+
+    it('should presist store when parse error', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'application/json')
+        .send('{"user":')
+        .expect(400)
+        .expect('x-store-foo', 'bar')
+        .end(done)
+    })
+
+    it('should presist store when limit exceeded', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'application/json')
+        .send('{"user":"' + Buffer.alloc(1024 * 100, '.').toString() + '"}')
+        .expect(413)
+        .expect('x-store-foo', 'bar')
+        .end(done)
     })
   })
 
@@ -538,15 +670,7 @@ describe('express.json()', function () {
       var test = request(this.app).post('/')
       test.set('Content-Type', 'application/json; charset=koi8-r')
       test.write(Buffer.from('7b226e616d65223a22cec5d4227d', 'hex'))
-      test.expect(415, 'unsupported charset "KOI8-R"', done)
-    })
-
-    it('should error with type = "charset.unsupported"', function (done) {
-      var test = request(this.app).post('/')
-      test.set('Content-Type', 'application/json; charset=koi8-r')
-      test.set('X-Error-Property', 'type')
-      test.write(Buffer.from('7b226e616d65223a22cec5d4227d', 'hex'))
-      test.expect(415, 'charset.unsupported', done)
+      test.expect(415, '[charset.unsupported] unsupported charset "KOI8-R"', done)
     })
   })
 
@@ -599,16 +723,7 @@ describe('express.json()', function () {
       test.set('Content-Encoding', 'nulls')
       test.set('Content-Type', 'application/json')
       test.write(Buffer.from('000000000000', 'hex'))
-      test.expect(415, 'unsupported content encoding "nulls"', done)
-    })
-
-    it('should error with type = "encoding.unsupported"', function (done) {
-      var test = request(this.app).post('/')
-      test.set('Content-Encoding', 'nulls')
-      test.set('Content-Type', 'application/json')
-      test.set('X-Error-Property', 'type')
-      test.write(Buffer.from('000000000000', 'hex'))
-      test.expect(415, 'encoding.unsupported', done)
+      test.expect(415, '[encoding.unsupported] unsupported content encoding "nulls"', done)
     })
 
     it('should 400 on malformed encoding', function (done) {
@@ -639,7 +754,9 @@ function createApp (options) {
 
   app.use(function (err, req, res, next) {
     res.status(err.status || 500)
-    res.send(String(err[req.headers['x-error-property'] || 'message']))
+    res.send(String(req.headers['x-error-property']
+      ? err[req.headers['x-error-property']]
+      : ('[' + err.type + '] ' + err.message)))
   })
 
   app.post('/', function (req, res) {
@@ -663,3 +780,11 @@ function shouldContainInBody (str) {
       'expected \'' + res.text + '\' to contain \'' + str + '\'')
   }
 }
+
+function tryRequire (name) {
+  try {
+    return require(name)
+  } catch (e) {
+    return {}
+  }
+}
diff --git a/test/express.raw.js b/test/express.raw.js
index cbd0736e7c..4aa62bb85b 100644
--- a/test/express.raw.js
+++ b/test/express.raw.js
@@ -1,10 +1,15 @@
 'use strict'
 
 var assert = require('assert')
+var asyncHooks = tryRequire('async_hooks')
 var Buffer = require('safe-buffer').Buffer
 var express = require('..')
 var request = require('supertest')
 
+var describeAsyncHooks = typeof asyncHooks.AsyncLocalStorage === 'function'
+  ? describe
+  : describe.skip
+
 describe('express.raw()', function () {
   before(function () {
     this.app = createApp()
@@ -60,6 +65,36 @@ describe('express.raw()', function () {
       .expect(200, { buf: '' }, done)
   })
 
+  it('should 500 if stream not readable', function (done) {
+    var app = express()
+
+    app.use(function (req, res, next) {
+      req.on('end', next)
+      req.resume()
+    })
+
+    app.use(express.raw())
+
+    app.use(function (err, req, res, next) {
+      res.status(err.status || 500)
+      res.send('[' + err.type + '] ' + err.message)
+    })
+
+    app.post('/', function (req, res) {
+      if (Buffer.isBuffer(req.body)) {
+        res.json({ buf: req.body.toString('hex') })
+      } else {
+        res.json(req.body)
+      }
+    })
+
+    request(app)
+      .post('/')
+      .set('Content-Type', 'application/octet-stream')
+      .send('the user is tobi')
+      .expect(500, '[stream.not.readable] stream is not readable', done)
+  })
+
   it('should handle duplicated middleware', function (done) {
     var app = express()
 
@@ -102,6 +137,15 @@ describe('express.raw()', function () {
       test.expect(413, done)
     })
 
+    it('should 413 when inflated body over limit', function (done) {
+      var app = createApp({ limit: '1kb' })
+      var test = request(app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'application/octet-stream')
+      test.write(Buffer.from('1f8b080000000000000ad3d31b05a360148c64000087e5a14704040000', 'hex'))
+      test.expect(413, done)
+    })
+
     it('should accept number of bytes', function (done) {
       var buf = Buffer.alloc(1028, '.')
       var app = createApp({ limit: 1024 })
@@ -134,6 +178,15 @@ describe('express.raw()', function () {
       test.write(buf)
       test.expect(413, done)
     })
+
+    it('should not error when inflating', function (done) {
+      var app = createApp({ limit: '1kb' })
+      var test = request(app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'application/octet-stream')
+      test.write(Buffer.from('1f8b080000000000000ad3d31b05a360148c64000087e5a147040400', 'hex'))
+      test.expect(413, done)
+    })
   })
 
   describe('with inflate option', function () {
@@ -147,7 +200,7 @@ describe('express.raw()', function () {
         test.set('Content-Encoding', 'gzip')
         test.set('Content-Type', 'application/octet-stream')
         test.write(Buffer.from('1f8b080000000000000bcb4bcc4db57db16e170099a4bad608000000', 'hex'))
-        test.expect(415, 'content encoding unsupported', done)
+        test.expect(415, '[encoding.unsupported] content encoding unsupported', done)
       })
     })
 
@@ -263,34 +316,40 @@ describe('express.raw()', function () {
     })
 
     it('should error from verify', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] === 0x00) throw new Error('no leading null')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] === 0x00) throw new Error('no leading null')
+        }
+      })
 
       var test = request(app).post('/')
       test.set('Content-Type', 'application/octet-stream')
       test.write(Buffer.from('000102', 'hex'))
-      test.expect(403, 'no leading null', done)
+      test.expect(403, '[entity.verify.failed] no leading null', done)
     })
 
     it('should allow custom codes', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] !== 0x00) return
-        var err = new Error('no leading null')
-        err.status = 400
-        throw err
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] !== 0x00) return
+          var err = new Error('no leading null')
+          err.status = 400
+          throw err
+        }
+      })
 
       var test = request(app).post('/')
       test.set('Content-Type', 'application/octet-stream')
       test.write(Buffer.from('000102', 'hex'))
-      test.expect(400, 'no leading null', done)
+      test.expect(400, '[entity.verify.failed] no leading null', done)
     })
 
     it('should allow pass-through', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] === 0x00) throw new Error('no leading null')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] === 0x00) throw new Error('no leading null')
+        }
+      })
 
       var test = request(app).post('/')
       test.set('Content-Type', 'application/octet-stream')
@@ -299,6 +358,104 @@ describe('express.raw()', function () {
     })
   })
 
+  describeAsyncHooks('async local storage', function () {
+    before(function () {
+      var app = express()
+      var store = { foo: 'bar' }
+
+      app.use(function (req, res, next) {
+        req.asyncLocalStorage = new asyncHooks.AsyncLocalStorage()
+        req.asyncLocalStorage.run(store, next)
+      })
+
+      app.use(express.raw())
+
+      app.use(function (req, res, next) {
+        var local = req.asyncLocalStorage.getStore()
+
+        if (local) {
+          res.setHeader('x-store-foo', String(local.foo))
+        }
+
+        next()
+      })
+
+      app.use(function (err, req, res, next) {
+        var local = req.asyncLocalStorage.getStore()
+
+        if (local) {
+          res.setHeader('x-store-foo', String(local.foo))
+        }
+
+        res.status(err.status || 500)
+        res.send('[' + err.type + '] ' + err.message)
+      })
+
+      app.post('/', function (req, res) {
+        if (Buffer.isBuffer(req.body)) {
+          res.json({ buf: req.body.toString('hex') })
+        } else {
+          res.json(req.body)
+        }
+      })
+
+      this.app = app
+    })
+
+    it('should presist store', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'application/octet-stream')
+        .send('the user is tobi')
+        .expect(200)
+        .expect('x-store-foo', 'bar')
+        .expect({ buf: '746865207573657220697320746f6269' })
+        .end(done)
+    })
+
+    it('should presist store when unmatched content-type', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'application/fizzbuzz')
+        .send('buzz')
+        .expect(200)
+        .expect('x-store-foo', 'bar')
+        .expect('{}')
+        .end(done)
+    })
+
+    it('should presist store when inflated', function (done) {
+      var test = request(this.app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'application/octet-stream')
+      test.write(Buffer.from('1f8b080000000000000bcb4bcc4db57db16e170099a4bad608000000', 'hex'))
+      test.expect(200)
+      test.expect('x-store-foo', 'bar')
+      test.expect({ buf: '6e616d653de8aeba' })
+      test.end(done)
+    })
+
+    it('should presist store when inflate error', function (done) {
+      var test = request(this.app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'application/octet-stream')
+      test.write(Buffer.from('1f8b080000000000000bcb4bcc4db57db16e170099a4bad6080000', 'hex'))
+      test.expect(400)
+      test.expect('x-store-foo', 'bar')
+      test.end(done)
+    })
+
+    it('should presist store when limit exceeded', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'application/octet-stream')
+        .send('the user is ' + Buffer.alloc(1024 * 100, '.').toString())
+        .expect(413)
+        .expect('x-store-foo', 'bar')
+        .end(done)
+    })
+  })
+
   describe('charset', function () {
     before(function () {
       this.app = createApp()
@@ -356,12 +513,12 @@ describe('express.raw()', function () {
       test.expect(200, { buf: '6e616d653de8aeba' }, done)
     })
 
-    it('should fail on unknown encoding', function (done) {
+    it('should 415 on unknown encoding', function (done) {
       var test = request(this.app).post('/')
       test.set('Content-Encoding', 'nulls')
       test.set('Content-Type', 'application/octet-stream')
       test.write(Buffer.from('000000000000', 'hex'))
-      test.expect(415, 'unsupported content encoding "nulls"', done)
+      test.expect(415, '[encoding.unsupported] unsupported content encoding "nulls"', done)
     })
   })
 })
@@ -373,7 +530,9 @@ function createApp (options) {
 
   app.use(function (err, req, res, next) {
     res.status(err.status || 500)
-    res.send(String(err[req.headers['x-error-property'] || 'message']))
+    res.send(String(req.headers['x-error-property']
+      ? err[req.headers['x-error-property']]
+      : ('[' + err.type + '] ' + err.message)))
   })
 
   app.post('/', function (req, res) {
@@ -386,3 +545,11 @@ function createApp (options) {
 
   return app
 }
+
+function tryRequire (name) {
+  try {
+    return require(name)
+  } catch (e) {
+    return {}
+  }
+}
diff --git a/test/express.text.js b/test/express.text.js
index ebc12cd109..cb7750a525 100644
--- a/test/express.text.js
+++ b/test/express.text.js
@@ -1,10 +1,15 @@
 'use strict'
 
 var assert = require('assert')
+var asyncHooks = tryRequire('async_hooks')
 var Buffer = require('safe-buffer').Buffer
 var express = require('..')
 var request = require('supertest')
 
+var describeAsyncHooks = typeof asyncHooks.AsyncLocalStorage === 'function'
+  ? describe
+  : describe.skip
+
 describe('express.text()', function () {
   before(function () {
     this.app = createApp()
@@ -56,6 +61,32 @@ describe('express.text()', function () {
       .expect(200, '""', done)
   })
 
+  it('should 500 if stream not readable', function (done) {
+    var app = express()
+
+    app.use(function (req, res, next) {
+      req.on('end', next)
+      req.resume()
+    })
+
+    app.use(express.text())
+
+    app.use(function (err, req, res, next) {
+      res.status(err.status || 500)
+      res.send('[' + err.type + '] ' + err.message)
+    })
+
+    app.post('/', function (req, res) {
+      res.json(req.body)
+    })
+
+    request(app)
+      .post('/')
+      .set('Content-Type', 'text/plain')
+      .send('user is tobi')
+      .expect(500, '[stream.not.readable] stream is not readable', done)
+  })
+
   it('should handle duplicated middleware', function (done) {
     var app = express()
 
@@ -75,16 +106,16 @@ describe('express.text()', function () {
 
   describe('with defaultCharset option', function () {
     it('should change default charset', function (done) {
-      var app = createApp({ defaultCharset: 'koi8-r' })
-      var test = request(app).post('/')
+      var server = createApp({ defaultCharset: 'koi8-r' })
+      var test = request(server).post('/')
       test.set('Content-Type', 'text/plain')
       test.write(Buffer.from('6e616d6520697320cec5d4', 'hex'))
       test.expect(200, '"name is нет"', done)
     })
 
     it('should honor content-type charset', function (done) {
-      var app = createApp({ defaultCharset: 'koi8-r' })
-      var test = request(app).post('/')
+      var server = createApp({ defaultCharset: 'koi8-r' })
+      var test = request(server).post('/')
       test.set('Content-Type', 'text/plain; charset=utf-8')
       test.write(Buffer.from('6e616d6520697320e8aeba', 'hex'))
       test.expect(200, '"name is 论"', done)
@@ -103,8 +134,8 @@ describe('express.text()', function () {
     })
 
     it('should 413 when over limit with chunked encoding', function (done) {
-      var buf = Buffer.alloc(1028, '.')
       var app = createApp({ limit: '1kb' })
+      var buf = Buffer.alloc(1028, '.')
       var test = request(app).post('/')
       test.set('Content-Type', 'text/plain')
       test.set('Transfer-Encoding', 'chunked')
@@ -112,6 +143,15 @@ describe('express.text()', function () {
       test.expect(413, done)
     })
 
+    it('should 413 when inflated body over limit', function (done) {
+      var app = createApp({ limit: '1kb' })
+      var test = request(app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'text/plain')
+      test.write(Buffer.from('1f8b080000000000000ad3d31b05a360148c64000087e5a14704040000', 'hex'))
+      test.expect(413, done)
+    })
+
     it('should accept number of bytes', function (done) {
       var buf = Buffer.alloc(1028, '.')
       request(createApp({ limit: 1024 }))
@@ -136,8 +176,8 @@ describe('express.text()', function () {
     })
 
     it('should not hang response', function (done) {
-      var buf = Buffer.alloc(10240, '.')
       var app = createApp({ limit: '8kb' })
+      var buf = Buffer.alloc(10240, '.')
       var test = request(app).post('/')
       test.set('Content-Type', 'text/plain')
       test.write(buf)
@@ -145,6 +185,17 @@ describe('express.text()', function () {
       test.write(buf)
       test.expect(413, done)
     })
+
+    it('should not error when inflating', function (done) {
+      var app = createApp({ limit: '1kb' })
+      var test = request(app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'text/plain')
+      test.write(Buffer.from('1f8b080000000000000ad3d31b05a360148c64000087e5a1470404', 'hex'))
+      setTimeout(function () {
+        test.expect(413, done)
+      }, 100)
+    })
   })
 
   describe('with inflate option', function () {
@@ -158,7 +209,7 @@ describe('express.text()', function () {
         test.set('Content-Encoding', 'gzip')
         test.set('Content-Type', 'text/plain')
         test.write(Buffer.from('1f8b080000000000000bcb4bcc4d55c82c5678b16e170072b3e0200b000000', 'hex'))
-        test.expect(415, 'content encoding unsupported', done)
+        test.expect(415, '[encoding.unsupported] content encoding unsupported', done)
       })
     })
 
@@ -278,36 +329,42 @@ describe('express.text()', function () {
     })
 
     it('should error from verify', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] === 0x20) throw new Error('no leading space')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] === 0x20) throw new Error('no leading space')
+        }
+      })
 
       request(app)
         .post('/')
         .set('Content-Type', 'text/plain')
         .send(' user is tobi')
-        .expect(403, 'no leading space', done)
+        .expect(403, '[entity.verify.failed] no leading space', done)
     })
 
     it('should allow custom codes', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] !== 0x20) return
-        var err = new Error('no leading space')
-        err.status = 400
-        throw err
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] !== 0x20) return
+          var err = new Error('no leading space')
+          err.status = 400
+          throw err
+        }
+      })
 
       request(app)
         .post('/')
         .set('Content-Type', 'text/plain')
         .send(' user is tobi')
-        .expect(400, 'no leading space', done)
+        .expect(400, '[entity.verify.failed] no leading space', done)
     })
 
     it('should allow pass-through', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] === 0x20) throw new Error('no leading space')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] === 0x20) throw new Error('no leading space')
+        }
+      })
 
       request(app)
         .post('/')
@@ -317,14 +374,110 @@ describe('express.text()', function () {
     })
 
     it('should 415 on unknown charset prior to verify', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        throw new Error('unexpected verify call')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          throw new Error('unexpected verify call')
+        }
+      })
 
       var test = request(app).post('/')
       test.set('Content-Type', 'text/plain; charset=x-bogus')
       test.write(Buffer.from('00000000', 'hex'))
-      test.expect(415, 'unsupported charset "X-BOGUS"', done)
+      test.expect(415, '[charset.unsupported] unsupported charset "X-BOGUS"', done)
+    })
+  })
+
+  describeAsyncHooks('async local storage', function () {
+    before(function () {
+      var app = express()
+      var store = { foo: 'bar' }
+
+      app.use(function (req, res, next) {
+        req.asyncLocalStorage = new asyncHooks.AsyncLocalStorage()
+        req.asyncLocalStorage.run(store, next)
+      })
+
+      app.use(express.text())
+
+      app.use(function (req, res, next) {
+        var local = req.asyncLocalStorage.getStore()
+
+        if (local) {
+          res.setHeader('x-store-foo', String(local.foo))
+        }
+
+        next()
+      })
+
+      app.use(function (err, req, res, next) {
+        var local = req.asyncLocalStorage.getStore()
+
+        if (local) {
+          res.setHeader('x-store-foo', String(local.foo))
+        }
+
+        res.status(err.status || 500)
+        res.send('[' + err.type + '] ' + err.message)
+      })
+
+      app.post('/', function (req, res) {
+        res.json(req.body)
+      })
+
+      this.app = app
+    })
+
+    it('should presist store', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'text/plain')
+        .send('user is tobi')
+        .expect(200)
+        .expect('x-store-foo', 'bar')
+        .expect('"user is tobi"')
+        .end(done)
+    })
+
+    it('should presist store when unmatched content-type', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'application/fizzbuzz')
+        .send('buzz')
+        .expect(200)
+        .expect('x-store-foo', 'bar')
+        .expect('{}')
+        .end(done)
+    })
+
+    it('should presist store when inflated', function (done) {
+      var test = request(this.app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'text/plain')
+      test.write(Buffer.from('1f8b080000000000000bcb4bcc4d55c82c5678b16e170072b3e0200b000000', 'hex'))
+      test.expect(200)
+      test.expect('x-store-foo', 'bar')
+      test.expect('"name is 论"')
+      test.end(done)
+    })
+
+    it('should presist store when inflate error', function (done) {
+      var test = request(this.app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'text/plain')
+      test.write(Buffer.from('1f8b080000000000000bcb4bcc4d55c82c5678b16e170072b3e0200b0000', 'hex'))
+      test.expect(400)
+      test.expect('x-store-foo', 'bar')
+      test.end(done)
+    })
+
+    it('should presist store when limit exceeded', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'text/plain')
+        .send('user is ' + Buffer.alloc(1024 * 100, '.').toString())
+        .expect(413)
+        .expect('x-store-foo', 'bar')
+        .end(done)
     })
   })
 
@@ -366,7 +519,7 @@ describe('express.text()', function () {
       var test = request(this.app).post('/')
       test.set('Content-Type', 'text/plain; charset=x-bogus')
       test.write(Buffer.from('00000000', 'hex'))
-      test.expect(415, 'unsupported charset "X-BOGUS"', done)
+      test.expect(415, '[charset.unsupported] unsupported charset "X-BOGUS"', done)
     })
   })
 
@@ -414,12 +567,12 @@ describe('express.text()', function () {
       test.expect(200, '"name is 论"', done)
     })
 
-    it('should fail on unknown encoding', function (done) {
+    it('should 415 on unknown encoding', function (done) {
       var test = request(this.app).post('/')
       test.set('Content-Encoding', 'nulls')
       test.set('Content-Type', 'text/plain')
       test.write(Buffer.from('000000000000', 'hex'))
-      test.expect(415, 'unsupported content encoding "nulls"', done)
+      test.expect(415, '[encoding.unsupported] unsupported content encoding "nulls"', done)
     })
   })
 })
@@ -431,7 +584,9 @@ function createApp (options) {
 
   app.use(function (err, req, res, next) {
     res.status(err.status || 500)
-    res.send(err.message)
+    res.send(String(req.headers['x-error-property']
+      ? err[req.headers['x-error-property']]
+      : ('[' + err.type + '] ' + err.message)))
   })
 
   app.post('/', function (req, res) {
@@ -440,3 +595,11 @@ function createApp (options) {
 
   return app
 }
+
+function tryRequire (name) {
+  try {
+    return require(name)
+  } catch (e) {
+    return {}
+  }
+}
diff --git a/test/express.urlencoded.js b/test/express.urlencoded.js
index 340eb74316..e07432c86c 100644
--- a/test/express.urlencoded.js
+++ b/test/express.urlencoded.js
@@ -1,10 +1,15 @@
 'use strict'
 
 var assert = require('assert')
+var asyncHooks = tryRequire('async_hooks')
 var Buffer = require('safe-buffer').Buffer
 var express = require('..')
 var request = require('supertest')
 
+var describeAsyncHooks = typeof asyncHooks.AsyncLocalStorage === 'function'
+  ? describe
+  : describe.skip
+
 describe('express.urlencoded()', function () {
   before(function () {
     this.app = createApp()
@@ -57,6 +62,32 @@ describe('express.urlencoded()', function () {
       .expect(200, '{}', done)
   })
 
+  it('should 500 if stream not readable', function (done) {
+    var app = express()
+
+    app.use(function (req, res, next) {
+      req.on('end', next)
+      req.resume()
+    })
+
+    app.use(express.urlencoded())
+
+    app.use(function (err, req, res, next) {
+      res.status(err.status || 500)
+      res.send('[' + err.type + '] ' + err.message)
+    })
+
+    app.post('/', function (req, res) {
+      res.json(req.body)
+    })
+
+    request(app)
+      .post('/')
+      .set('Content-Type', 'application/x-www-form-urlencoded')
+      .send('user=tobi')
+      .expect(500, '[stream.not.readable] stream is not readable', done)
+  })
+
   it('should handle duplicated middleware', function (done) {
     var app = express()
 
@@ -217,7 +248,7 @@ describe('express.urlencoded()', function () {
         test.set('Content-Encoding', 'gzip')
         test.set('Content-Type', 'application/x-www-form-urlencoded')
         test.write(Buffer.from('1f8b080000000000000bcb4bcc4db57db16e170099a4bad608000000', 'hex'))
-        test.expect(415, 'content encoding unsupported', done)
+        test.expect(415, '[encoding.unsupported] content encoding unsupported', done)
       })
     })
 
@@ -248,8 +279,8 @@ describe('express.urlencoded()', function () {
     })
 
     it('should 413 when over limit with chunked encoding', function (done) {
-      var buf = Buffer.alloc(1024, '.')
       var app = createApp({ limit: '1kb' })
+      var buf = Buffer.alloc(1024, '.')
       var test = request(app).post('/')
       test.set('Content-Type', 'application/x-www-form-urlencoded')
       test.set('Transfer-Encoding', 'chunked')
@@ -258,6 +289,15 @@ describe('express.urlencoded()', function () {
       test.expect(413, done)
     })
 
+    it('should 413 when inflated body over limit', function (done) {
+      var app = createApp({ limit: '1kb' })
+      var test = request(app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'application/x-www-form-urlencoded')
+      test.write(Buffer.from('1f8b080000000000000a2b2e29b2d51b05a360148c580000a0351f9204040000', 'hex'))
+      test.expect(413, done)
+    })
+
     it('should accept number of bytes', function (done) {
       var buf = Buffer.alloc(1024, '.')
       request(createApp({ limit: 1024 }))
@@ -282,8 +322,8 @@ describe('express.urlencoded()', function () {
     })
 
     it('should not hang response', function (done) {
-      var buf = Buffer.alloc(10240, '.')
       var app = createApp({ limit: '8kb' })
+      var buf = Buffer.alloc(10240, '.')
       var test = request(app).post('/')
       test.set('Content-Type', 'application/x-www-form-urlencoded')
       test.write(buf)
@@ -291,6 +331,15 @@ describe('express.urlencoded()', function () {
       test.write(buf)
       test.expect(413, done)
     })
+
+    it('should not error when inflating', function (done) {
+      var app = createApp({ limit: '1kb' })
+      var test = request(app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'application/x-www-form-urlencoded')
+      test.write(Buffer.from('1f8b080000000000000a2b2e29b2d51b05a360148c580000a0351f92040400', 'hex'))
+      test.expect(413, done)
+    })
   })
 
   describe('with parameterLimit option', function () {
@@ -310,16 +359,7 @@ describe('express.urlencoded()', function () {
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send(createManyParams(11))
-          .expect(413, /too many parameters/, done)
-      })
-
-      it('should error with type = "parameters.too.many"', function (done) {
-        request(createApp({ extended: false, parameterLimit: 10 }))
-          .post('/')
-          .set('Content-Type', 'application/x-www-form-urlencoded')
-          .set('X-Error-Property', 'type')
-          .send(createManyParams(11))
-          .expect(413, 'parameters.too.many', done)
+          .expect(413, '[parameters.too.many] too many parameters', done)
       })
 
       it('should work when at the limit', function (done) {
@@ -374,16 +414,7 @@ describe('express.urlencoded()', function () {
           .post('/')
           .set('Content-Type', 'application/x-www-form-urlencoded')
           .send(createManyParams(11))
-          .expect(413, /too many parameters/, done)
-      })
-
-      it('should error with type = "parameters.too.many"', function (done) {
-        request(createApp({ extended: true, parameterLimit: 10 }))
-          .post('/')
-          .set('Content-Type', 'application/x-www-form-urlencoded')
-          .set('X-Error-Property', 'type')
-          .send(createManyParams(11))
-          .expect(413, 'parameters.too.many', done)
+          .expect(413, '[parameters.too.many] too many parameters', done)
       })
 
       it('should work when at the limit', function (done) {
@@ -526,65 +557,59 @@ describe('express.urlencoded()', function () {
     })
 
     it('should error from verify', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] === 0x20) throw new Error('no leading space')
-      } })
-
-      request(app)
-        .post('/')
-        .set('Content-Type', 'application/x-www-form-urlencoded')
-        .send(' user=tobi')
-        .expect(403, 'no leading space', done)
-    })
-
-    it('should error with type = "entity.verify.failed"', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] === 0x20) throw new Error('no leading space')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] === 0x20) throw new Error('no leading space')
+        }
+      })
 
       request(app)
         .post('/')
         .set('Content-Type', 'application/x-www-form-urlencoded')
-        .set('X-Error-Property', 'type')
         .send(' user=tobi')
-        .expect(403, 'entity.verify.failed', done)
+        .expect(403, '[entity.verify.failed] no leading space', done)
     })
 
     it('should allow custom codes', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] !== 0x20) return
-        var err = new Error('no leading space')
-        err.status = 400
-        throw err
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] !== 0x20) return
+          var err = new Error('no leading space')
+          err.status = 400
+          throw err
+        }
+      })
 
       request(app)
         .post('/')
         .set('Content-Type', 'application/x-www-form-urlencoded')
         .send(' user=tobi')
-        .expect(400, 'no leading space', done)
+        .expect(400, '[entity.verify.failed] no leading space', done)
     })
 
     it('should allow custom type', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] !== 0x20) return
-        var err = new Error('no leading space')
-        err.type = 'foo.bar'
-        throw err
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] !== 0x20) return
+          var err = new Error('no leading space')
+          err.type = 'foo.bar'
+          throw err
+        }
+      })
 
       request(app)
         .post('/')
         .set('Content-Type', 'application/x-www-form-urlencoded')
-        .set('X-Error-Property', 'type')
         .send(' user=tobi')
-        .expect(403, 'foo.bar', done)
+        .expect(403, '[foo.bar] no leading space', done)
     })
 
     it('should allow pass-through', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        if (buf[0] === 0x5b) throw new Error('no arrays')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          if (buf[0] === 0x5b) throw new Error('no arrays')
+        }
+      })
 
       request(app)
         .post('/')
@@ -594,14 +619,110 @@ describe('express.urlencoded()', function () {
     })
 
     it('should 415 on unknown charset prior to verify', function (done) {
-      var app = createApp({ verify: function (req, res, buf) {
-        throw new Error('unexpected verify call')
-      } })
+      var app = createApp({
+        verify: function (req, res, buf) {
+          throw new Error('unexpected verify call')
+        }
+      })
 
       var test = request(app).post('/')
       test.set('Content-Type', 'application/x-www-form-urlencoded; charset=x-bogus')
       test.write(Buffer.from('00000000', 'hex'))
-      test.expect(415, 'unsupported charset "X-BOGUS"', done)
+      test.expect(415, '[charset.unsupported] unsupported charset "X-BOGUS"', done)
+    })
+  })
+
+  describeAsyncHooks('async local storage', function () {
+    before(function () {
+      var app = express()
+      var store = { foo: 'bar' }
+
+      app.use(function (req, res, next) {
+        req.asyncLocalStorage = new asyncHooks.AsyncLocalStorage()
+        req.asyncLocalStorage.run(store, next)
+      })
+
+      app.use(express.urlencoded())
+
+      app.use(function (req, res, next) {
+        var local = req.asyncLocalStorage.getStore()
+
+        if (local) {
+          res.setHeader('x-store-foo', String(local.foo))
+        }
+
+        next()
+      })
+
+      app.use(function (err, req, res, next) {
+        var local = req.asyncLocalStorage.getStore()
+
+        if (local) {
+          res.setHeader('x-store-foo', String(local.foo))
+        }
+
+        res.status(err.status || 500)
+        res.send('[' + err.type + '] ' + err.message)
+      })
+
+      app.post('/', function (req, res) {
+        res.json(req.body)
+      })
+
+      this.app = app
+    })
+
+    it('should presist store', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'application/x-www-form-urlencoded')
+        .send('user=tobi')
+        .expect(200)
+        .expect('x-store-foo', 'bar')
+        .expect('{"user":"tobi"}')
+        .end(done)
+    })
+
+    it('should presist store when unmatched content-type', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'application/fizzbuzz')
+        .send('buzz')
+        .expect(200)
+        .expect('x-store-foo', 'bar')
+        .expect('{}')
+        .end(done)
+    })
+
+    it('should presist store when inflated', function (done) {
+      var test = request(this.app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'application/x-www-form-urlencoded')
+      test.write(Buffer.from('1f8b080000000000000bcb4bcc4db57db16e170099a4bad608000000', 'hex'))
+      test.expect(200)
+      test.expect('x-store-foo', 'bar')
+      test.expect('{"name":"论"}')
+      test.end(done)
+    })
+
+    it('should presist store when inflate error', function (done) {
+      var test = request(this.app).post('/')
+      test.set('Content-Encoding', 'gzip')
+      test.set('Content-Type', 'application/x-www-form-urlencoded')
+      test.write(Buffer.from('1f8b080000000000000bcb4bcc4db57db16e170099a4bad6080000', 'hex'))
+      test.expect(400)
+      test.expect('x-store-foo', 'bar')
+      test.end(done)
+    })
+
+    it('should presist store when limit exceeded', function (done) {
+      request(this.app)
+        .post('/')
+        .set('Content-Type', 'application/x-www-form-urlencoded')
+        .send('user=' + Buffer.alloc(1024 * 100, '.').toString())
+        .expect(413)
+        .expect('x-store-foo', 'bar')
+        .end(done)
     })
   })
 
@@ -636,7 +757,7 @@ describe('express.urlencoded()', function () {
       var test = request(this.app).post('/')
       test.set('Content-Type', 'application/x-www-form-urlencoded; charset=koi8-r')
       test.write(Buffer.from('6e616d653dcec5d4', 'hex'))
-      test.expect(415, 'unsupported charset "KOI8-R"', done)
+      test.expect(415, '[charset.unsupported] unsupported charset "KOI8-R"', done)
     })
   })
 
@@ -684,12 +805,12 @@ describe('express.urlencoded()', function () {
       test.expect(200, '{"name":"论"}', done)
     })
 
-    it('should fail on unknown encoding', function (done) {
+    it('should 415 on unknown encoding', function (done) {
       var test = request(this.app).post('/')
       test.set('Content-Encoding', 'nulls')
       test.set('Content-Type', 'application/x-www-form-urlencoded')
       test.write(Buffer.from('000000000000', 'hex'))
-      test.expect(415, 'unsupported content encoding "nulls"', done)
+      test.expect(415, '[encoding.unsupported] unsupported content encoding "nulls"', done)
     })
   })
 })
@@ -718,7 +839,9 @@ function createApp (options) {
 
   app.use(function (err, req, res, next) {
     res.status(err.status || 500)
-    res.send(String(err[req.headers['x-error-property'] || 'message']))
+    res.send(String(req.headers['x-error-property']
+      ? err[req.headers['x-error-property']]
+      : ('[' + err.type + '] ' + err.message)))
   })
 
   app.post('/', function (req, res) {
@@ -733,3 +856,11 @@ function expectKeyCount (count) {
     assert.strictEqual(Object.keys(JSON.parse(res.text)).length, count)
   }
 }
+
+function tryRequire (name) {
+  try {
+    return require(name)
+  } catch (e) {
+    return {}
+  }
+}

From 1df75763e315bd0582669238cd14baadec1d6db5 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Sat, 2 Apr 2022 21:56:41 -0400
Subject: [PATCH 036/130] deps: qs@6.10.3

---
 History.md   | 1 +
 package.json | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/History.md b/History.md
index cba82afcbd..ef5ce5fc02 100644
--- a/History.md
+++ b/History.md
@@ -26,6 +26,7 @@ unreleased
     - Remove set content headers that break response
     - deps: on-finished@2.4.1
     - deps: statuses@2.0.1
+  * deps: qs@6.10.3
   * deps: send@0.18.0
     - Fix emitted 416 error missing headers property
     - Limit the headers removed for 304 response
diff --git a/package.json b/package.json
index ce6604bd7d..04e39b06e1 100644
--- a/package.json
+++ b/package.json
@@ -49,7 +49,7 @@
     "parseurl": "~1.3.3",
     "path-to-regexp": "0.1.7",
     "proxy-addr": "~2.0.7",
-    "qs": "6.9.7",
+    "qs": "6.10.3",
     "range-parser": "~1.2.1",
     "safe-buffer": "5.2.1",
     "send": "0.18.0",

From 980d881e3b023db079de60477a2588a91f046ca5 Mon Sep 17 00:00:00 2001
From: 3imed-jaberi <imed_jebari@hotmail.fr>
Date: Fri, 3 Jul 2020 05:38:59 +0200
Subject: [PATCH 037/130] deps: statuses@2.0.1

closes #4336
---
 History.md      | 3 +++
 lib/response.js | 8 ++++----
 package.json    | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/History.md b/History.md
index ef5ce5fc02..ef9bbb6e42 100644
--- a/History.md
+++ b/History.md
@@ -37,6 +37,9 @@ unreleased
     - deps: statuses@2.0.1
   * deps: serve-static@1.15.0
     - deps: send@0.18.0
+  * deps: statuses@2.0.1
+    - Remove code 306
+    - Rename `425 Unordered Collection` to standard `425 Too Early`
 
 4.17.3 / 2022-02-16
 ===================
diff --git a/lib/response.js b/lib/response.js
index d9b8db1c20..fede486c06 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -139,7 +139,7 @@ res.send = function send(body) {
 
     deprecate('res.send(status): Use res.sendStatus(status) instead');
     this.statusCode = chunk;
-    chunk = statuses[chunk]
+    chunk = statuses.message[chunk]
   }
 
   switch (typeof chunk) {
@@ -367,7 +367,7 @@ res.jsonp = function jsonp(obj) {
  */
 
 res.sendStatus = function sendStatus(statusCode) {
-  var body = statuses[statusCode] || String(statusCode)
+  var body = statuses.message[statusCode] || String(statusCode)
 
   this.statusCode = statusCode;
   this.type('txt');
@@ -955,12 +955,12 @@ res.redirect = function redirect(url) {
   // Support text/{plain,html} by default
   this.format({
     text: function(){
-      body = statuses[status] + '. Redirecting to ' + address
+      body = statuses.message[status] + '. Redirecting to ' + address
     },
 
     html: function(){
       var u = escapeHtml(address);
-      body = '<p>' + statuses[status] + '. Redirecting to <a href="' + u + '">' + u + '</a></p>'
+      body = '<p>' + statuses.message[status] + '. Redirecting to <a href="' + u + '">' + u + '</a></p>'
     },
 
     default: function(){
diff --git a/package.json b/package.json
index 04e39b06e1..1e1f674097 100644
--- a/package.json
+++ b/package.json
@@ -55,7 +55,7 @@
     "send": "0.18.0",
     "serve-static": "1.15.0",
     "setprototypeof": "1.2.0",
-    "statuses": "~1.5.0",
+    "statuses": "2.0.1",
     "type-is": "~1.6.18",
     "utils-merge": "1.0.1",
     "vary": "~1.1.2"

From 2e2d78c4d99829250018c6e4d20f3c6377a90683 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Sun, 3 Apr 2022 01:15:37 -0400
Subject: [PATCH 038/130] deps: on-finished@2.4.1

---
 History.md           |   2 +
 package.json         |   2 +-
 test/res.download.js |  73 ++++++++++++++++++++++++
 test/res.sendFile.js | 129 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 205 insertions(+), 1 deletion(-)

diff --git a/History.md b/History.md
index ef9bbb6e42..84efe9b4d8 100644
--- a/History.md
+++ b/History.md
@@ -26,6 +26,8 @@ unreleased
     - Remove set content headers that break response
     - deps: on-finished@2.4.1
     - deps: statuses@2.0.1
+  * deps: on-finished@2.4.1
+    - Prevent loss of async hooks context
   * deps: qs@6.10.3
   * deps: send@0.18.0
     - Fix emitted 416 error missing headers property
diff --git a/package.json b/package.json
index 1e1f674097..dfce12352c 100644
--- a/package.json
+++ b/package.json
@@ -45,7 +45,7 @@
     "http-errors": "2.0.0",
     "merge-descriptors": "1.0.1",
     "methods": "~1.1.2",
-    "on-finished": "~2.3.0",
+    "on-finished": "2.4.1",
     "parseurl": "~1.3.3",
     "path-to-regexp": "0.1.7",
     "proxy-addr": "~2.0.7",
diff --git a/test/res.download.js b/test/res.download.js
index 91b074e8bf..b52e66803c 100644
--- a/test/res.download.js
+++ b/test/res.download.js
@@ -1,6 +1,8 @@
 'use strict'
 
 var after = require('after');
+var assert = require('assert')
+var asyncHooks = tryRequire('async_hooks')
 var Buffer = require('safe-buffer').Buffer
 var express = require('..');
 var path = require('path')
@@ -9,6 +11,10 @@ var utils = require('./support/utils')
 
 var FIXTURES_PATH = path.join(__dirname, 'fixtures')
 
+var describeAsyncHooks = typeof asyncHooks.AsyncLocalStorage === 'function'
+  ? describe
+  : describe.skip
+
 describe('res', function(){
   describe('.download(path)', function(){
     it('should transfer as an attachment', function(done){
@@ -84,6 +90,65 @@ describe('res', function(){
       .expect('Content-Disposition', 'attachment; filename="user.html"')
       .expect(200, cb);
     })
+
+    describeAsyncHooks('async local storage', function () {
+      it('should presist store', function (done) {
+        var app = express()
+        var cb = after(2, done)
+        var store = { foo: 'bar' }
+
+        app.use(function (req, res, next) {
+          req.asyncLocalStorage = new asyncHooks.AsyncLocalStorage()
+          req.asyncLocalStorage.run(store, next)
+        })
+
+        app.use(function (req, res) {
+          res.download('test/fixtures/name.txt', function (err) {
+            if (err) return cb(err)
+
+            var local = req.asyncLocalStorage.getStore()
+
+            assert.strictEqual(local.foo, 'bar')
+            cb()
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect('Content-Type', 'text/plain; charset=UTF-8')
+          .expect('Content-Disposition', 'attachment; filename="name.txt"')
+          .expect(200, 'tobi', cb)
+      })
+
+      it('should presist store on error', function (done) {
+        var app = express()
+        var store = { foo: 'bar' }
+
+        app.use(function (req, res, next) {
+          req.asyncLocalStorage = new asyncHooks.AsyncLocalStorage()
+          req.asyncLocalStorage.run(store, next)
+        })
+
+        app.use(function (req, res) {
+          res.download('test/fixtures/does-not-exist', function (err) {
+            var local = req.asyncLocalStorage.getStore()
+
+            if (local) {
+              res.setHeader('x-store-foo', String(local.foo))
+            }
+
+            res.send(err ? 'got ' + err.status + ' error' : 'no error')
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('x-store-foo', 'bar')
+          .expect('got 404 error')
+          .end(done)
+      })
+    })
   })
 
   describe('.download(path, options)', function () {
@@ -423,3 +488,11 @@ describe('res', function(){
     })
   })
 })
+
+function tryRequire (name) {
+  try {
+    return require(name)
+  } catch (e) {
+    return {}
+  }
+}
diff --git a/test/res.sendFile.js b/test/res.sendFile.js
index e828c17e25..ba5c33516b 100644
--- a/test/res.sendFile.js
+++ b/test/res.sendFile.js
@@ -1,6 +1,7 @@
 'use strict'
 
 var after = require('after');
+var asyncHooks = tryRequire('async_hooks')
 var Buffer = require('safe-buffer').Buffer
 var express = require('../')
   , request = require('supertest')
@@ -10,6 +11,10 @@ var path = require('path');
 var fixtures = path.join(__dirname, 'fixtures');
 var utils = require('./support/utils');
 
+var describeAsyncHooks = typeof asyncHooks.AsyncLocalStorage === 'function'
+  ? describe
+  : describe.skip
+
 describe('res', function(){
   describe('.sendFile(path)', function () {
     it('should error missing path', function (done) {
@@ -261,6 +266,64 @@ describe('res', function(){
         .get('/')
         .expect(200, 'got 404 error', done)
     })
+
+    describeAsyncHooks('async local storage', function () {
+      it('should presist store', function (done) {
+        var app = express()
+        var cb = after(2, done)
+        var store = { foo: 'bar' }
+
+        app.use(function (req, res, next) {
+          req.asyncLocalStorage = new asyncHooks.AsyncLocalStorage()
+          req.asyncLocalStorage.run(store, next)
+        })
+
+        app.use(function (req, res) {
+          res.sendFile(path.resolve(fixtures, 'name.txt'), function (err) {
+            if (err) return cb(err)
+
+            var local = req.asyncLocalStorage.getStore()
+
+            assert.strictEqual(local.foo, 'bar')
+            cb()
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect('Content-Type', 'text/plain; charset=UTF-8')
+          .expect(200, 'tobi', cb)
+      })
+
+      it('should presist store on error', function (done) {
+        var app = express()
+        var store = { foo: 'bar' }
+
+        app.use(function (req, res, next) {
+          req.asyncLocalStorage = new asyncHooks.AsyncLocalStorage()
+          req.asyncLocalStorage.run(store, next)
+        })
+
+        app.use(function (req, res) {
+          res.sendFile(path.resolve(fixtures, 'does-not-exist'), function (err) {
+            var local = req.asyncLocalStorage.getStore()
+
+            if (local) {
+              res.setHeader('x-store-foo', String(local.foo))
+            }
+
+            res.send(err ? 'got ' + err.status + ' error' : 'no error')
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('x-store-foo', 'bar')
+          .expect('got 404 error')
+          .end(done)
+      })
+    })
   })
 
   describe('.sendFile(path, options)', function () {
@@ -999,6 +1062,64 @@ describe('res', function(){
       .get('/')
       .end(function(){});
     })
+
+    describeAsyncHooks('async local storage', function () {
+      it('should presist store', function (done) {
+        var app = express()
+        var cb = after(2, done)
+        var store = { foo: 'bar' }
+
+        app.use(function (req, res, next) {
+          req.asyncLocalStorage = new asyncHooks.AsyncLocalStorage()
+          req.asyncLocalStorage.run(store, next)
+        })
+
+        app.use(function (req, res) {
+          res.sendfile('test/fixtures/name.txt', function (err) {
+            if (err) return cb(err)
+
+            var local = req.asyncLocalStorage.getStore()
+
+            assert.strictEqual(local.foo, 'bar')
+            cb()
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect('Content-Type', 'text/plain; charset=UTF-8')
+          .expect(200, 'tobi', cb)
+      })
+
+      it('should presist store on error', function (done) {
+        var app = express()
+        var store = { foo: 'bar' }
+
+        app.use(function (req, res, next) {
+          req.asyncLocalStorage = new asyncHooks.AsyncLocalStorage()
+          req.asyncLocalStorage.run(store, next)
+        })
+
+        app.use(function (req, res) {
+          res.sendfile('test/fixtures/does-not-exist', function (err) {
+            var local = req.asyncLocalStorage.getStore()
+
+            if (local) {
+              res.setHeader('x-store-foo', String(local.foo))
+            }
+
+            res.send(err ? 'got ' + err.status + ' error' : 'no error')
+          })
+        })
+
+        request(app)
+          .get('/')
+          .expect(200)
+          .expect('x-store-foo', 'bar')
+          .expect('got 404 error')
+          .end(done)
+      })
+    })
   })
 
   describe('.sendfile(path)', function(){
@@ -1280,3 +1401,11 @@ function createApp(path, options, fn) {
 
   return app;
 }
+
+function tryRequire (name) {
+  try {
+    return require(name)
+  } catch (e) {
+    return {}
+  }
+}

From 04da4aaf1a484e81856fc4713340300e4d84d573 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 7 Apr 2022 19:17:10 -0400
Subject: [PATCH 039/130] build: use supertest@3.4.2 for Node.js 6.x

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7b153d1b43..83a8edee87 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -61,7 +61,7 @@ jobs:
 
         - name: Node.js 6.x
           node-version: "6.17"
-          npm-i: mocha@6.2.2 nyc@14.1.1 supertest@6.1.6
+          npm-i: mocha@6.2.2 nyc@14.1.1 supertest@3.4.2
 
         - name: Node.js 7.x
           node-version: "7.10"
diff --git a/appveyor.yml b/appveyor.yml
index 2a2507b411..93ea2c8161 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -71,11 +71,11 @@ install:
   - ps: |
       # supertest for http calls
       # - use 2.0.0 for Node.js < 4
-      # - use 3.4.2 for Node.js < 6
+      # - use 3.4.2 for Node.js < 7
       # - use 6.1.6 for Node.js < 8
       if ([int]$env:nodejs_version.split(".")[0] -lt 4) {
         npm install --silent --save-dev supertest@2.0.0
-      } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) {
+      } elseif ([int]$env:nodejs_version.split(".")[0] -lt 7) {
         npm install --silent --save-dev supertest@3.4.2
       } elseif ([int]$env:nodejs_version.split(".")[0] -lt 8) {
         npm install --silent --save-dev supertest@6.1.6

From 1b2e097be2f5b62b7db7dae09f399ace54836e0a Mon Sep 17 00:00:00 2001
From: Hashen <37979557+Hashen110@users.noreply.github.com>
Date: Thu, 7 Apr 2022 21:14:16 +0530
Subject: [PATCH 040/130] tests: fix typo in description

closes #4882
---
 test/res.sendFile.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/res.sendFile.js b/test/res.sendFile.js
index ba5c33516b..eb71adeb6a 100644
--- a/test/res.sendFile.js
+++ b/test/res.sendFile.js
@@ -747,7 +747,7 @@ describe('res', function(){
       })
 
       describe('when cacheControl: false', function () {
-        it('shold not send cache-control', function (done) {
+        it('should not send cache-control', function (done) {
           var app = express()
 
           app.use(function (req, res) {

From 99175c3ef63166d199bab8f402103522dec5f0ee Mon Sep 17 00:00:00 2001
From: Ghouse Mohamed <ghousemohamed7126@gmail.com>
Date: Sun, 27 Mar 2022 05:15:01 +0530
Subject: [PATCH 041/130] docs: fix typo in casing of HTTP

closes #4872
---
 Charter.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Charter.md b/Charter.md
index f9647cb734..a906e52909 100644
--- a/Charter.md
+++ b/Charter.md
@@ -9,7 +9,7 @@ also easily visible to outsiders.
 
 ## Section 1: Scope
 
-Express is a http web server framework with a simple and expressive API
+Express is a HTTP web server framework with a simple and expressive API
 which is highly aligned with Node.js core. We aim to be the best in
 class for writing performant, spec compliant, and powerful web servers
 in Node.js. As one of the oldest and most popular web frameworks in
@@ -24,7 +24,7 @@ Express is made of many modules spread between three GitHub Orgs:
   libraries
 - [pillarjs](http://github.com/pillarjs/): Components which make up
   Express but can also be used for other web frameworks
-- [jshttp](http://github.com/jshttp/): Low level http libraries
+- [jshttp](http://github.com/jshttp/): Low level HTTP libraries
 
 ### 1.2: Out-of-Scope
 

From ecaf67c9305f3bf75a9798e8a2e10b36955df42c Mon Sep 17 00:00:00 2001
From: Eslam Salem <eslam@shieldfy.com>
Date: Mon, 11 Apr 2022 10:56:45 +0200
Subject: [PATCH 042/130] docs: remove Node Security Project from security
 policy

closes #4890
---
 Security.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Security.md b/Security.md
index 858dfffc5b..cdcd7a6e0a 100644
--- a/Security.md
+++ b/Security.md
@@ -27,8 +27,7 @@ endeavor to keep you informed of the progress towards a fix and full
 announcement, and may ask for additional information or guidance.
 
 Report security bugs in third-party modules to the person or team maintaining
-the module. You can also report a vulnerability through the
-[Node Security Project](https://nodesecurity.io/report).
+the module.
 
 ## Disclosure Policy
 

From b91c7ffb289af1753b9d1d84e16fbfcd34954124 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 11 Apr 2022 19:28:50 -0400
Subject: [PATCH 043/130] examples: use http-errors to create errors

---
 examples/params/index.js | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/examples/params/index.js b/examples/params/index.js
index b153b93b98..b6fc483c8b 100644
--- a/examples/params/index.js
+++ b/examples/params/index.js
@@ -4,6 +4,7 @@
  * Module dependencies.
  */
 
+var createError = require('http-errors')
 var express = require('../../');
 var app = module.exports = express();
 
@@ -17,14 +18,6 @@ var users = [
   , { name: 'bandit' }
 ];
 
-// Create HTTP error
-
-function createError(status, message) {
-  var err = new Error(message);
-  err.status = status;
-  return err;
-}
-
 // Convert :to and :from to integers
 
 app.param(['to', 'from'], function(req, res, next, num, name){

From 8880ddad1c0f00612b53f5f686f55e7566b16562 Mon Sep 17 00:00:00 2001
From: Hashen <37979557+Hashen110@users.noreply.github.com>
Date: Thu, 7 Apr 2022 21:34:47 +0530
Subject: [PATCH 044/130] examples: add missing html label associations

closes #4884
---
 examples/auth/views/login.ejs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/examples/auth/views/login.ejs b/examples/auth/views/login.ejs
index 8a20411a2c..181c36caf7 100644
--- a/examples/auth/views/login.ejs
+++ b/examples/auth/views/login.ejs
@@ -6,12 +6,12 @@
 Try accessing <a href="/restricted">/restricted</a>, then authenticate with "tj" and "foobar".
 <form method="post" action="/login">
   <p>
-    <label>Username:</label>
-    <input type="text" name="username">
+    <label for="username">Username:</label>
+    <input type="text" name="username" id="username">
   </p>
   <p>
-    <label>Password:</label>
-    <input type="text" name="password">
+    <label for="password">Password:</label>
+    <input type="text" name="password" id="password">
   </p>
   <p>
     <input type="submit" value="Login">

From 92c5ce59f51cce4b3598fd040117772fac42dce8 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 11 Apr 2022 22:51:13 -0400
Subject: [PATCH 045/130] deps: cookie@0.5.0

---
 History.md         |  3 ++
 package.json       |  2 +-
 test/res.cookie.js | 72 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+), 1 deletion(-)

diff --git a/History.md b/History.md
index 84efe9b4d8..4f43ad9255 100644
--- a/History.md
+++ b/History.md
@@ -19,6 +19,9 @@ unreleased
     - deps: on-finished@2.4.1
     - deps: qs@6.10.3
     - deps: raw-body@2.5.1
+  * deps: cookie@0.5.0
+    - Add `priority` option
+    - Fix `expires` option to reject invalid dates
   * deps: depd@2.0.0
     - Replace internal `eval` usage with `Function` constructor
     - Use instance methods on `process` to check for listeners
diff --git a/package.json b/package.json
index dfce12352c..ede86798cf 100644
--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
     "body-parser": "1.20.0",
     "content-disposition": "0.5.4",
     "content-type": "~1.0.4",
-    "cookie": "0.4.2",
+    "cookie": "0.5.0",
     "cookie-signature": "1.0.6",
     "debug": "2.6.9",
     "depd": "2.0.0",
diff --git a/test/res.cookie.js b/test/res.cookie.js
index e3a921301f..93deb76988 100644
--- a/test/res.cookie.js
+++ b/test/res.cookie.js
@@ -67,6 +67,21 @@ describe('res', function(){
       .expect(200, done)
     })
 
+    describe('expires', function () {
+      it('should throw on invalid date', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.cookie('name', 'tobi', { expires: new Date(NaN) })
+          res.end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(500, /option expires is invalid/, done)
+      })
+    })
+
     describe('maxAge', function(){
       it('should set relative expires', function(done){
         var app = express();
@@ -155,6 +170,63 @@ describe('res', function(){
       })
     })
 
+    describe('priority', function () {
+      it('should set low priority', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.cookie('name', 'tobi', { priority: 'low' })
+          res.end()
+        })
+
+        request(app)
+          .get('/')
+          .expect('Set-Cookie', /Priority=Low/)
+          .expect(200, done)
+      })
+
+      it('should set medium priority', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.cookie('name', 'tobi', { priority: 'medium' })
+          res.end()
+        })
+
+        request(app)
+          .get('/')
+          .expect('Set-Cookie', /Priority=Medium/)
+          .expect(200, done)
+      })
+
+      it('should set high priority', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.cookie('name', 'tobi', { priority: 'high' })
+          res.end()
+        })
+
+        request(app)
+          .get('/')
+          .expect('Set-Cookie', /Priority=High/)
+          .expect(200, done)
+      })
+
+      it('should throw with invalid priority', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.cookie('name', 'tobi', { priority: 'foobar' })
+          res.end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(500, /option priority is invalid/, done)
+      })
+    })
+
     describe('signed', function(){
       it('should generate a signed JSON cookie', function(done){
         var app = express();

From 708ac4cdf5cd0a658d62490a9f4d78d3e1ec6612 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Wed, 13 Apr 2022 23:29:25 -0400
Subject: [PATCH 046/130] Fix handling very large stacks of sync middleware

closes #4891
---
 History.md          |  1 +
 lib/router/index.js |  8 ++++++++
 lib/router/route.js |  9 +++++++++
 test/Route.js       | 22 ++++++++++++++++++++++
 test/Router.js      | 16 ++++++++++++++++
 5 files changed, 56 insertions(+)

diff --git a/History.md b/History.md
index 4f43ad9255..3f7851ba57 100644
--- a/History.md
+++ b/History.md
@@ -5,6 +5,7 @@ unreleased
   * Allow `options` without `filename` in `res.download`
   * Deprecate string and non-integer arguments to `res.status`
   * Fix behavior of `null`/`undefined` as `maxAge` in `res.cookie`
+  * Fix handling very large stacks of sync middleware
   * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
   * Invoke `default` with same arguments as types in `res.format`
   * Support proper 205 responses using `res.send`
diff --git a/lib/router/index.js b/lib/router/index.js
index 791a600f86..f4c8c0a79e 100644
--- a/lib/router/index.js
+++ b/lib/router/index.js
@@ -142,6 +142,7 @@ proto.handle = function handle(req, res, out) {
   var protohost = getProtohost(req.url) || ''
   var removed = '';
   var slashAdded = false;
+  var sync = 0
   var paramcalled = {};
 
   // store options for OPTIONS request
@@ -203,6 +204,11 @@ proto.handle = function handle(req, res, out) {
       return;
     }
 
+    // max sync stack
+    if (++sync > 100) {
+      return setImmediate(next, err)
+    }
+
     // get pathname of request
     var path = getPathname(req);
 
@@ -321,6 +327,8 @@ proto.handle = function handle(req, res, out) {
     } else {
       layer.handle_request(req, res, next);
     }
+
+    sync = 0
   }
 };
 
diff --git a/lib/router/route.js b/lib/router/route.js
index 178df0d516..5adaa125e2 100644
--- a/lib/router/route.js
+++ b/lib/router/route.js
@@ -98,6 +98,8 @@ Route.prototype._options = function _options() {
 Route.prototype.dispatch = function dispatch(req, res, done) {
   var idx = 0;
   var stack = this.stack;
+  var sync = 0
+
   if (stack.length === 0) {
     return done();
   }
@@ -127,6 +129,11 @@ Route.prototype.dispatch = function dispatch(req, res, done) {
       return done(err);
     }
 
+    // max sync stack
+    if (++sync > 100) {
+      return setImmediate(next, err)
+    }
+
     if (layer.method && layer.method !== method) {
       return next(err);
     }
@@ -136,6 +143,8 @@ Route.prototype.dispatch = function dispatch(req, res, done) {
     } else {
       layer.handle_request(req, res, next);
     }
+
+    sync = 0
   }
 };
 
diff --git a/test/Route.js b/test/Route.js
index 8e7ddbdbcc..3bdc8d7df2 100644
--- a/test/Route.js
+++ b/test/Route.js
@@ -13,6 +13,28 @@ describe('Route', function(){
     route.dispatch(req, {}, done)
   })
 
+  it('should not stack overflow with a large sync stack', function (done) {
+    this.timeout(5000) // long-running test
+
+    var req = { method: 'GET', url: '/' }
+    var route = new Route('/foo')
+
+    for (var i = 0; i < 6000; i++) {
+      route.all(function (req, res, next) { next() })
+    }
+
+    route.get(function (req, res, next) {
+      req.called = true
+      next()
+    })
+
+    route.dispatch(req, {}, function (err) {
+      if (err) return done(err)
+      assert.ok(req.called)
+      done()
+    })
+  })
+
   describe('.all', function(){
     it('should add handler', function(done){
       var req = { method: 'GET', url: '/' };
diff --git a/test/Router.js b/test/Router.js
index 907b972636..8a0654bca3 100644
--- a/test/Router.js
+++ b/test/Router.js
@@ -76,6 +76,22 @@ describe('Router', function(){
     router.handle({ url: '/', method: 'GET' }, { end: done });
   });
 
+  it('should not stack overflow with a large sync stack', function (done) {
+    this.timeout(5000) // long-running test
+
+    var router = new Router()
+
+    for (var i = 0; i < 6000; i++) {
+      router.use(function (req, res, next) { next() })
+    }
+
+    router.use(function (req, res) {
+      res.end()
+    })
+
+    router.handle({ url: '/', method: 'GET' }, { end: done })
+  })
+
   describe('.handle', function(){
     it('should dispatch', function(done){
       var router = new Router();

From fd8e45c344325a4a91c1b916f3617a3574018976 Mon Sep 17 00:00:00 2001
From: phoenix <felix.niederwanger@suse.com>
Date: Fri, 8 Apr 2022 10:31:27 +0200
Subject: [PATCH 047/130] tests: mark stack overflow as long running

closes #4887
---
 test/Router.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/test/Router.js b/test/Router.js
index 8a0654bca3..bf5a31ffdd 100644
--- a/test/Router.js
+++ b/test/Router.js
@@ -62,6 +62,8 @@ describe('Router', function(){
   })
 
   it('should not stack overflow with many registered routes', function(done){
+    this.timeout(5000) // long-running test
+
     var handler = function(req, res){ res.end(new Error('wrong handler')) };
     var router = new Router();
 

From 11a209e4b7e229bf5041e1ab76ba0ac4e0cad324 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Wed, 20 Apr 2022 22:02:37 -0400
Subject: [PATCH 048/130] build: support Node.js 17.x

---
 .github/workflows/ci.yml | 4 ++++
 appveyor.yml             | 1 +
 2 files changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 83a8edee87..f4a5902ac9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -29,6 +29,7 @@ jobs:
         - Node.js 14.x
         - Node.js 15.x
         - Node.js 16.x
+        - Node.js 17.x
 
         include:
         - name: Node.js 0.10
@@ -98,6 +99,9 @@ jobs:
         - name: Node.js 16.x
           node-version: "16.14"
 
+        - name: Node.js 17.x
+          node-version: "17.9"
+
     steps:
     - uses: actions/checkout@v2
 
diff --git a/appveyor.yml b/appveyor.yml
index 93ea2c8161..f97addec1c 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -18,6 +18,7 @@ environment:
     - nodejs_version: "14.19"
     - nodejs_version: "15.14"
     - nodejs_version: "16.14"
+    - nodejs_version: "17.9"
 cache:
   - node_modules
 install:

From 29ea1b2f74c5e76e79e329ef425e5fbbcd6a71c3 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 21 Apr 2022 01:38:59 -0400
Subject: [PATCH 049/130] build: use 64-bit Node.js in AppVeyor

---
 appveyor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/appveyor.yml b/appveyor.yml
index f97addec1c..faf31abf12 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -25,7 +25,7 @@ install:
   # Install Node.js
   - ps: >-
       try { Install-Product node $env:nodejs_version -ErrorAction Stop }
-      catch { Update-NodeJsInstallation (Get-NodeJsLatestBuild $env:nodejs_version) }
+      catch { Update-NodeJsInstallation (Get-NodeJsLatestBuild $env:nodejs_version) x64 }
   # Configure npm
   - ps: |
       npm config set loglevel error

From 158a17031a2668269aedb31ea07b58d6b700272b Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 21 Apr 2022 02:09:08 -0400
Subject: [PATCH 050/130] build: support Node.js 18.x

---
 .github/workflows/ci.yml | 4 ++++
 appveyor.yml             | 1 +
 2 files changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f4a5902ac9..9d3663762c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,6 +30,7 @@ jobs:
         - Node.js 15.x
         - Node.js 16.x
         - Node.js 17.x
+        - Node.js 18.x
 
         include:
         - name: Node.js 0.10
@@ -102,6 +103,9 @@ jobs:
         - name: Node.js 17.x
           node-version: "17.9"
 
+        - name: Node.js 18.x
+          node-version: "18.0"
+
     steps:
     - uses: actions/checkout@v2
 
diff --git a/appveyor.yml b/appveyor.yml
index faf31abf12..8804cfd398 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -19,6 +19,7 @@ environment:
     - nodejs_version: "15.14"
     - nodejs_version: "16.14"
     - nodejs_version: "17.9"
+    - nodejs_version: "18.0"
 cache:
   - node_modules
 install:

From 0b330ef57c0801313251c95a461d93f8d3afa7f7 Mon Sep 17 00:00:00 2001
From: Deniz <denizy@protonmail.com>
Date: Mon, 4 Apr 2022 01:31:32 +0200
Subject: [PATCH 051/130] bench: print latency and vary connections

closes #4880
---
 benchmarks/Makefile | 20 ++++++++++++--------
 benchmarks/run      |  8 +++++---
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/benchmarks/Makefile b/benchmarks/Makefile
index baf0d6fce9..ed1ddfc4f3 100644
--- a/benchmarks/Makefile
+++ b/benchmarks/Makefile
@@ -1,13 +1,17 @@
 
 all:
-	@./run 1 middleware
-	@./run 5 middleware
-	@./run 10 middleware
-	@./run 15 middleware
-	@./run 20 middleware
-	@./run 30 middleware
-	@./run 50 middleware
-	@./run 100 middleware
+	@./run 1 middleware 50
+	@./run 5 middleware 50
+	@./run 10 middleware 50
+	@./run 15 middleware 50
+	@./run 20 middleware 50
+	@./run 30 middleware 50
+	@./run 50 middleware 50
+	@./run 100 middleware 50
+	@./run 10 middleware 100
+	@./run 10 middleware 250
+	@./run 10 middleware 500
+	@./run 10 middleware 1000
 	@echo
 
 .PHONY: all
diff --git a/benchmarks/run b/benchmarks/run
index 93b5bc52ff..ec8f55d564 100755
--- a/benchmarks/run
+++ b/benchmarks/run
@@ -4,13 +4,15 @@ echo
 MW=$1 node $2 &
 pid=$!
 
+echo "  $3 connections"
+
 sleep 2
 
 wrk 'http://localhost:3333/?foo[bar]=baz' \
   -d 3 \
-  -c 50 \
+  -c $3 \
   -t 8 \
-  | grep 'Requests/sec' \
-  | awk '{ print "  " $2 }'
+  | grep 'Requests/sec\|Latency' \
+  | awk '{ print " " $2 }'
 
 kill $pid

From 547fdd41dca9ae9c49956748cc0bd1f011310fb6 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 25 Apr 2022 14:53:28 -0400
Subject: [PATCH 052/130] 4.18.0

---
 History.md   | 4 ++--
 package.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/History.md b/History.md
index 3f7851ba57..32e75b391e 100644
--- a/History.md
+++ b/History.md
@@ -1,5 +1,5 @@
-unreleased
-==========
+4.18.0 / 2022-04-25
+===================
 
   * Add "root" option to `res.download`
   * Allow `options` without `filename` in `res.download`
diff --git a/package.json b/package.json
index ede86798cf..d07cdf82b9 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Fast, unopinionated, minimalist web framework",
-  "version": "4.17.3",
+  "version": "4.18.0",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",

From a38fae126a9d5681d075c1a5c44fd7357eae843b Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 28 Apr 2022 13:04:11 -0400
Subject: [PATCH 053/130] build: mocha@9.2.2

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index d07cdf82b9..da94b92fd4 100644
--- a/package.json
+++ b/package.json
@@ -71,7 +71,7 @@
     "hbs": "4.2.0",
     "marked": "0.7.0",
     "method-override": "3.0.0",
-    "mocha": "9.2.1",
+    "mocha": "9.2.2",
     "morgan": "1.10.0",
     "multiparty": "4.2.3",
     "nyc": "15.1.0",

From 2df96e349f49bbcf51126c1f3b93b3b7fe8c16d2 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 28 Apr 2022 13:04:38 -0400
Subject: [PATCH 054/130] build: supertest@6.2.3

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index da94b92fd4..0499571ed4 100644
--- a/package.json
+++ b/package.json
@@ -76,7 +76,7 @@
     "multiparty": "4.2.3",
     "nyc": "15.1.0",
     "pbkdf2-password": "1.2.1",
-    "supertest": "6.2.2",
+    "supertest": "6.2.3",
     "vhost": "~3.0.2"
   },
   "engines": {

From e2482b7e36e39fd9875508a297c2db4a80a33635 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 28 Apr 2022 21:59:32 -0400
Subject: [PATCH 055/130] build: ejs@3.1.7

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 0499571ed4..f0781ddfd4 100644
--- a/package.json
+++ b/package.json
@@ -65,7 +65,7 @@
     "connect-redis": "3.4.2",
     "cookie-parser": "1.4.6",
     "cookie-session": "2.0.0",
-    "ejs": "3.1.6",
+    "ejs": "3.1.7",
     "eslint": "7.32.0",
     "express-session": "1.17.2",
     "hbs": "4.2.0",

From 75e0c7a2c91665f44d053d83be15f8ecd0177f41 Mon Sep 17 00:00:00 2001
From: Hashen <37979557+Hashen110@users.noreply.github.com>
Date: Tue, 26 Apr 2022 23:23:14 +0530
Subject: [PATCH 056/130] bench: remove unused parameter

closes #4898
---
 benchmarks/middleware.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/benchmarks/middleware.js b/benchmarks/middleware.js
index df4df2c5ac..fed97ba8ce 100644
--- a/benchmarks/middleware.js
+++ b/benchmarks/middleware.js
@@ -13,7 +13,7 @@ while (n--) {
   });
 }
 
-app.use(function(req, res, next){
+app.use(function(req, res){
   res.send('Hello World')
 });
 

From 631ada0c645dc84c6df8788f5a7eb2b8100acea5 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 29 Apr 2022 13:34:47 -0400
Subject: [PATCH 057/130] Fix hanging on large stack of sync routes

fixes #4899
---
 History.md          |  5 +++++
 lib/router/index.js | 14 ++++++--------
 test/Router.js      | 18 +++++++++++++++++-
 3 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/History.md b/History.md
index 32e75b391e..b052c577f7 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Fix hanging on large stack of sync routes
+
 4.18.0 / 2022-04-25
 ===================
 
diff --git a/lib/router/index.js b/lib/router/index.js
index f4c8c0a79e..5174c34f45 100644
--- a/lib/router/index.js
+++ b/lib/router/index.js
@@ -279,14 +279,14 @@ proto.handle = function handle(req, res, out) {
     // this should be done for the layer
     self.process_params(layer, paramcalled, req, res, function (err) {
       if (err) {
-        return next(layerError || err);
+        next(layerError || err)
+      } else if (route) {
+        layer.handle_request(req, res, next)
+      } else {
+        trim_prefix(layer, layerError, layerPath, path)
       }
 
-      if (route) {
-        return layer.handle_request(req, res, next);
-      }
-
-      trim_prefix(layer, layerError, layerPath, path);
+      sync = 0
     });
   }
 
@@ -327,8 +327,6 @@ proto.handle = function handle(req, res, out) {
     } else {
       layer.handle_request(req, res, next);
     }
-
-    sync = 0
   }
 };
 
diff --git a/test/Router.js b/test/Router.js
index bf5a31ffdd..fcfee80625 100644
--- a/test/Router.js
+++ b/test/Router.js
@@ -78,7 +78,23 @@ describe('Router', function(){
     router.handle({ url: '/', method: 'GET' }, { end: done });
   });
 
-  it('should not stack overflow with a large sync stack', function (done) {
+  it('should not stack overflow with a large sync route stack', function (done) {
+    this.timeout(5000) // long-running test
+
+    var router = new Router()
+
+    for (var i = 0; i < 6000; i++) {
+      router.get('/foo', function (req, res, next) { next() })
+    }
+
+    router.get('/foo', function (req, res) {
+      res.end()
+    })
+
+    router.handle({ url: '/foo', method: 'GET' }, { end: done })
+  })
+
+  it('should not stack overflow with a large sync middleware stack', function (done) {
     this.timeout(5000) // long-running test
 
     var router = new Router()

From b02a95c6937e3b7e0b85a51c7e1a7366e1699dce Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 29 Apr 2022 14:52:20 -0400
Subject: [PATCH 058/130] build: Node.js@16.15

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9d3663762c..a4b40dc982 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -98,7 +98,7 @@ jobs:
           node-version: "15.14"
 
         - name: Node.js 16.x
-          node-version: "16.14"
+          node-version: "16.15"
 
         - name: Node.js 17.x
           node-version: "17.9"
diff --git a/appveyor.yml b/appveyor.yml
index 8804cfd398..80802e180e 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -17,7 +17,7 @@ environment:
     - nodejs_version: "13.14"
     - nodejs_version: "14.19"
     - nodejs_version: "15.14"
-    - nodejs_version: "16.14"
+    - nodejs_version: "16.15"
     - nodejs_version: "17.9"
     - nodejs_version: "18.0"
 cache:

From d854c43ea177d1faeea56189249fff8c24a764bd Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 29 Apr 2022 15:32:26 -0400
Subject: [PATCH 059/130] 4.18.1

---
 History.md   | 4 ++--
 package.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/History.md b/History.md
index b052c577f7..4c12ec9735 100644
--- a/History.md
+++ b/History.md
@@ -1,5 +1,5 @@
-unreleased
-==========
+4.18.1 / 2022-04-29
+===================
 
   * Fix hanging on large stack of sync routes
 
diff --git a/package.json b/package.json
index f0781ddfd4..f5872a5333 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Fast, unopinionated, minimalist web framework",
-  "version": "4.18.0",
+  "version": "4.18.1",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",

From a2dfc56a4982e0a33c67d6d0c22e087e95bff79e Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 20 May 2022 09:33:19 -0400
Subject: [PATCH 060/130] build: mocha@10.0.0

---
 .github/workflows/ci.yml | 2 ++
 appveyor.yml             | 3 +++
 package.json             | 2 +-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a4b40dc982..6df74b37f8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -87,9 +87,11 @@ jobs:
 
         - name: Node.js 12.x
           node-version: "12.22"
+          npm-i: mocha@9.2.2
 
         - name: Node.js 13.x
           node-version: "13.14"
+          npm-i: mocha@9.2.2
 
         - name: Node.js 14.x
           node-version: "14.19"
diff --git a/appveyor.yml b/appveyor.yml
index 80802e180e..e9b28e7d0f 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -47,6 +47,7 @@ install:
       # - use 6.x for Node.js < 8
       # - use 7.x for Node.js < 10
       # - use 8.x for Node.js < 12
+      # - use 9.x for Node.js < 14
       if ([int]$env:nodejs_version.split(".")[0] -lt 4) {
         npm install --silent --save-dev mocha@3.5.3
       } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) {
@@ -57,6 +58,8 @@ install:
         npm install --silent --save-dev mocha@7.2.0
       } elseif ([int]$env:nodejs_version.split(".")[0] -lt 12) {
         npm install --silent --save-dev mocha@8.4.0
+      } elseif ([int]$env:nodejs_version.split(".")[0] -lt 14) {
+        npm install --silent --save-dev mocha@9.2.2
       }
   - ps: |
       # nyc for test coverage
diff --git a/package.json b/package.json
index f5872a5333..6880db2524 100644
--- a/package.json
+++ b/package.json
@@ -71,7 +71,7 @@
     "hbs": "4.2.0",
     "marked": "0.7.0",
     "method-override": "3.0.0",
-    "mocha": "9.2.2",
+    "mocha": "10.0.0",
     "morgan": "1.10.0",
     "multiparty": "4.2.3",
     "nyc": "15.1.0",

From 745a63f8256828a061e1b2f0a5f8e52eb9538da1 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 20 May 2022 09:34:47 -0400
Subject: [PATCH 061/130] build: ejs@3.1.8

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 6880db2524..3430f77097 100644
--- a/package.json
+++ b/package.json
@@ -65,7 +65,7 @@
     "connect-redis": "3.4.2",
     "cookie-parser": "1.4.6",
     "cookie-session": "2.0.0",
-    "ejs": "3.1.7",
+    "ejs": "3.1.8",
     "eslint": "7.32.0",
     "express-session": "1.17.2",
     "hbs": "4.2.0",

From ab2c70b954ac2ceb3aaf466b0f59089999952dd0 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 20 May 2022 09:35:20 -0400
Subject: [PATCH 062/130] build: Node.js@18.1

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6df74b37f8..b7ad457829 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -106,7 +106,7 @@ jobs:
           node-version: "17.9"
 
         - name: Node.js 18.x
-          node-version: "18.0"
+          node-version: "18.1"
 
     steps:
     - uses: actions/checkout@v2
diff --git a/appveyor.yml b/appveyor.yml
index e9b28e7d0f..b78a0b1550 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -19,7 +19,7 @@ environment:
     - nodejs_version: "15.14"
     - nodejs_version: "16.15"
     - nodejs_version: "17.9"
-    - nodejs_version: "18.0"
+    - nodejs_version: "18.1"
 cache:
   - node_modules
 install:

From 7ec5dd2b3c5e7379f68086dae72859f5573c8b9b Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 20 May 2022 09:37:20 -0400
Subject: [PATCH 063/130] Fix regression routing a large stack in a single
 route

fixes #4913
---
 History.md          |  5 +++++
 lib/router/route.js | 16 ++++++++--------
 test/Route.js       | 11 ++++++++++-
 3 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/History.md b/History.md
index 4c12ec9735..cbf4b5249f 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Fix regression routing a large stack in a single route
+
 4.18.1 / 2022-04-29
 ===================
 
diff --git a/lib/router/route.js b/lib/router/route.js
index 5adaa125e2..cc643ac8bd 100644
--- a/lib/router/route.js
+++ b/lib/router/route.js
@@ -124,21 +124,21 @@ Route.prototype.dispatch = function dispatch(req, res, done) {
       return done(err)
     }
 
-    var layer = stack[idx++];
-    if (!layer) {
-      return done(err);
-    }
-
     // max sync stack
     if (++sync > 100) {
       return setImmediate(next, err)
     }
 
-    if (layer.method && layer.method !== method) {
-      return next(err);
+    var layer = stack[idx++]
+
+    // end of layers
+    if (!layer) {
+      return done(err)
     }
 
-    if (err) {
+    if (layer.method && layer.method !== method) {
+      next(err)
+    } else if (err) {
       layer.handle_error(err, req, res, next);
     } else {
       layer.handle_request(req, res, next);
diff --git a/test/Route.js b/test/Route.js
index 3bdc8d7df2..64dbad60ce 100644
--- a/test/Route.js
+++ b/test/Route.js
@@ -19,8 +19,16 @@ describe('Route', function(){
     var req = { method: 'GET', url: '/' }
     var route = new Route('/foo')
 
+    route.get(function (req, res, next) {
+      req.counter = 0
+      next()
+    })
+
     for (var i = 0; i < 6000; i++) {
-      route.all(function (req, res, next) { next() })
+      route.all(function (req, res, next) {
+        req.counter++
+        next()
+      })
     }
 
     route.get(function (req, res, next) {
@@ -31,6 +39,7 @@ describe('Route', function(){
     route.dispatch(req, {}, function (err) {
       if (err) return done(err)
       assert.ok(req.called)
+      assert.strictEqual(req.counter, 6000)
       done()
     })
   })

From 97f0a518d8d697e310abf293a71383cf9d04d749 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 20 May 2022 11:54:35 -0400
Subject: [PATCH 064/130] tests: verify all handlers called in stack tests

---
 test/Router.js | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/test/Router.js b/test/Router.js
index fcfee80625..0d0502ab40 100644
--- a/test/Router.js
+++ b/test/Router.js
@@ -83,11 +83,20 @@ describe('Router', function(){
 
     var router = new Router()
 
+    router.get('/foo', function (req, res, next) {
+      req.counter = 0
+      next()
+    })
+
     for (var i = 0; i < 6000; i++) {
-      router.get('/foo', function (req, res, next) { next() })
+      router.get('/foo', function (req, res, next) {
+        req.counter++
+        next()
+      })
     }
 
     router.get('/foo', function (req, res) {
+      assert.strictEqual(req.counter, 6000)
       res.end()
     })
 
@@ -99,11 +108,20 @@ describe('Router', function(){
 
     var router = new Router()
 
+    router.use(function (req, res, next) {
+      req.counter = 0
+      next()
+    })
+
     for (var i = 0; i < 6000; i++) {
-      router.use(function (req, res, next) { next() })
+      router.use(function (req, res, next) {
+        req.counter++
+        next()
+      })
     }
 
     router.use(function (req, res) {
+      assert.strictEqual(req.counter, 6000)
       res.end()
     })
 

From 2c47827053233e707536019a15499ccf5496dc9d Mon Sep 17 00:00:00 2001
From: Alexandru Dragomir <alexandru.dragomir2@gmail.com>
Date: Fri, 20 May 2022 18:49:44 +0300
Subject: [PATCH 065/130] examples: remove unused function arguments in params

closes #4914
---
 examples/params/index.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/params/index.js b/examples/params/index.js
index b6fc483c8b..f3cd8457eb 100644
--- a/examples/params/index.js
+++ b/examples/params/index.js
@@ -51,7 +51,7 @@ app.get('/', function(req, res){
  * GET :user.
  */
 
-app.get('/user/:user', function(req, res, next){
+app.get('/user/:user', function (req, res) {
   res.send('user ' + req.user.name);
 });
 
@@ -59,7 +59,7 @@ app.get('/user/:user', function(req, res, next){
  * GET users :from - :to.
  */
 
-app.get('/users/:from-:to', function(req, res, next){
+app.get('/users/:from-:to', function (req, res) {
   var from = req.params.from;
   var to = req.params.to;
   var names = users.map(function(user){ return user.name; });

From 8d98e86d7fe4e4dd50e42e73301b0bb7b7132758 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 18 Aug 2022 23:00:36 -0400
Subject: [PATCH 066/130] build: Node.js@16.17

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b7ad457829..5be813b2fe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -100,7 +100,7 @@ jobs:
           node-version: "15.14"
 
         - name: Node.js 16.x
-          node-version: "16.15"
+          node-version: "16.17"
 
         - name: Node.js 17.x
           node-version: "17.9"
diff --git a/appveyor.yml b/appveyor.yml
index b78a0b1550..ef183ed7d7 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -17,7 +17,7 @@ environment:
     - nodejs_version: "13.14"
     - nodejs_version: "14.19"
     - nodejs_version: "15.14"
-    - nodejs_version: "16.15"
+    - nodejs_version: "16.17"
     - nodejs_version: "17.9"
     - nodejs_version: "18.1"
 cache:

From 97131bcda8bd3cdbe53ef14fbd08dcc23a53e758 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 18 Aug 2022 23:01:25 -0400
Subject: [PATCH 067/130] build: Node.js@18.7

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5be813b2fe..1ad8d11766 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -106,7 +106,7 @@ jobs:
           node-version: "17.9"
 
         - name: Node.js 18.x
-          node-version: "18.1"
+          node-version: "18.7"
 
     steps:
     - uses: actions/checkout@v2
diff --git a/appveyor.yml b/appveyor.yml
index ef183ed7d7..071f0de092 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -19,7 +19,7 @@ environment:
     - nodejs_version: "15.14"
     - nodejs_version: "16.17"
     - nodejs_version: "17.9"
-    - nodejs_version: "18.1"
+    - nodejs_version: "18.7"
 cache:
   - node_modules
 install:

From ecd7572f1e920b7a512452b8d9806ae617a99c54 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 18 Aug 2022 23:41:10 -0400
Subject: [PATCH 068/130] build: Node.js@14.20

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1ad8d11766..5d2cef5a4d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -94,7 +94,7 @@ jobs:
           npm-i: mocha@9.2.2
 
         - name: Node.js 14.x
-          node-version: "14.19"
+          node-version: "14.20"
 
         - name: Node.js 15.x
           node-version: "15.14"
diff --git a/appveyor.yml b/appveyor.yml
index 071f0de092..7bf0141b38 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -15,7 +15,7 @@ environment:
     - nodejs_version: "11.15"
     - nodejs_version: "12.22"
     - nodejs_version: "13.14"
-    - nodejs_version: "14.19"
+    - nodejs_version: "14.20"
     - nodejs_version: "15.14"
     - nodejs_version: "16.17"
     - nodejs_version: "17.9"

From 644f6464b9f61cbafa8f880636b1aa5237d95bad Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 18 Aug 2022 23:42:39 -0400
Subject: [PATCH 069/130] build: supertest@6.2.4

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 3430f77097..cbfa910ff0 100644
--- a/package.json
+++ b/package.json
@@ -76,7 +76,7 @@
     "multiparty": "4.2.3",
     "nyc": "15.1.0",
     "pbkdf2-password": "1.2.1",
-    "supertest": "6.2.3",
+    "supertest": "6.2.4",
     "vhost": "~3.0.2"
   },
   "engines": {

From 33e8dc303af9277f8a7e4f46abfdcb5e72f6797b Mon Sep 17 00:00:00 2001
From: REALSTEVEIG <101066723+REALSTEVEIG@users.noreply.github.com>
Date: Sat, 11 Jun 2022 21:26:10 +0100
Subject: [PATCH 070/130] docs: use Node.js name style

closes #4926
---
 Readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Readme.md b/Readme.md
index 720bf38922..9b8bc34a0c 100644
--- a/Readme.md
+++ b/Readme.md
@@ -1,6 +1,6 @@
 [![Express Logo](https://i.cloudup.com/zfY6lL7eFa-3000x3000.png)](http://expressjs.com/)
 
-  Fast, unopinionated, minimalist web framework for [node](http://nodejs.org).
+  Fast, unopinionated, minimalist web framework for [Node.js](http://nodejs.org).
 
   [![NPM Version][npm-version-image]][npm-url]
   [![NPM Install Size][npm-install-size-image]][npm-install-size-url]

From 340be0f79afb9b3176afb76235aa7f92acbd5050 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Wed, 5 Oct 2022 22:40:51 -0400
Subject: [PATCH 071/130] build: eslint@8.24.0

---
 .github/workflows/ci.yml | 4 ++--
 package.json             | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5d2cef5a4d..6125da491a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -133,8 +133,8 @@ jobs:
       shell: bash
       run: |
         # eslint for linting
-        # - remove on Node.js < 10
-        if [[ "$(cut -d. -f1 <<< "${{ matrix.node-version }}")" -lt 10 ]]; then
+        # - remove on Node.js < 12
+        if [[ "$(cut -d. -f1 <<< "${{ matrix.node-version }}")" -lt 12 ]]; then
           node -pe 'Object.keys(require("./package").devDependencies).join("\n")' | \
             grep -E '^eslint(-|$)' | \
             sort -r | \
diff --git a/package.json b/package.json
index cbfa910ff0..defab0eec0 100644
--- a/package.json
+++ b/package.json
@@ -66,7 +66,7 @@
     "cookie-parser": "1.4.6",
     "cookie-session": "2.0.0",
     "ejs": "3.1.8",
-    "eslint": "7.32.0",
+    "eslint": "8.24.0",
     "express-session": "1.17.2",
     "hbs": "4.2.0",
     "marked": "0.7.0",

From 689d175b8b39d8860b81d723233fb83d15201827 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 6 Oct 2022 10:26:18 -0400
Subject: [PATCH 072/130] deps: body-parser@1.20.1

---
 History.md   | 3 +++
 package.json | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/History.md b/History.md
index cbf4b5249f..389c837b08 100644
--- a/History.md
+++ b/History.md
@@ -2,6 +2,9 @@ unreleased
 ==========
 
   * Fix regression routing a large stack in a single route
+  * deps: body-parser@1.20.1
+    - deps: qs@6.11.0
+    - perf: remove unnecessary object clone
 
 4.18.1 / 2022-04-29
 ===================
diff --git a/package.json b/package.json
index defab0eec0..2c2d40a73f 100644
--- a/package.json
+++ b/package.json
@@ -30,7 +30,7 @@
   "dependencies": {
     "accepts": "~1.3.8",
     "array-flatten": "1.1.1",
-    "body-parser": "1.20.0",
+    "body-parser": "1.20.1",
     "content-disposition": "0.5.4",
     "content-type": "~1.0.4",
     "cookie": "0.5.0",

From 24b3dc551670ac4fb0cd5a2bd5ef643c9525e60f Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 6 Oct 2022 10:27:01 -0400
Subject: [PATCH 073/130] deps: qs@6.11.0

---
 History.md   | 1 +
 package.json | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/History.md b/History.md
index 389c837b08..a05baee617 100644
--- a/History.md
+++ b/History.md
@@ -5,6 +5,7 @@ unreleased
   * deps: body-parser@1.20.1
     - deps: qs@6.11.0
     - perf: remove unnecessary object clone
+  * deps: qs@6.11.0
 
 4.18.1 / 2022-04-29
 ===================
diff --git a/package.json b/package.json
index 2c2d40a73f..a7815d9fbe 100644
--- a/package.json
+++ b/package.json
@@ -49,7 +49,7 @@
     "parseurl": "~1.3.3",
     "path-to-regexp": "0.1.7",
     "proxy-addr": "~2.0.7",
-    "qs": "6.10.3",
+    "qs": "6.11.0",
     "range-parser": "~1.2.1",
     "safe-buffer": "5.2.1",
     "send": "0.18.0",

From f56ce73186e885a938bfdb3d3d1005a58e6ae12b Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 6 Oct 2022 10:28:13 -0400
Subject: [PATCH 074/130] build: supertest@6.3.0

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index a7815d9fbe..6a11013c72 100644
--- a/package.json
+++ b/package.json
@@ -76,7 +76,7 @@
     "multiparty": "4.2.3",
     "nyc": "15.1.0",
     "pbkdf2-password": "1.2.1",
-    "supertest": "6.2.4",
+    "supertest": "6.3.0",
     "vhost": "~3.0.2"
   },
   "engines": {

From bb7907b932afe3a19236a642f6054b6c8f7349a0 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Fri, 7 Oct 2022 17:48:59 -0400
Subject: [PATCH 075/130] build: Node.js@18.10

closes #5014
---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 test/res.sendFile.js     | 7 ++++---
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6125da491a..cd93ab223d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -106,7 +106,7 @@ jobs:
           node-version: "17.9"
 
         - name: Node.js 18.x
-          node-version: "18.7"
+          node-version: "18.10"
 
     steps:
     - uses: actions/checkout@v2
diff --git a/appveyor.yml b/appveyor.yml
index 7bf0141b38..1fca21801e 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -19,7 +19,7 @@ environment:
     - nodejs_version: "15.14"
     - nodejs_version: "16.17"
     - nodejs_version: "17.9"
-    - nodejs_version: "18.7"
+    - nodejs_version: "18.10"
 cache:
   - node_modules
 install:
diff --git a/test/res.sendFile.js b/test/res.sendFile.js
index eb71adeb6a..4db0a3b6a4 100644
--- a/test/res.sendFile.js
+++ b/test/res.sendFile.js
@@ -1050,12 +1050,13 @@ describe('res', function(){
 
       app.use(function(req, res){
         res.sendfile('test/fixtures/user.html', function(err){
-          assert(!res.headersSent);
-          assert.strictEqual(req.socket.listeners('error').length, 1) // node's original handler
+          assert.ok(err)
+          assert.ok(!res.headersSent)
+          assert.strictEqual(err.message, 'broken!')
           done();
         });
 
-        req.socket.emit('error', new Error('broken!'));
+        req.socket.destroy(new Error('broken!'))
       });
 
       request(app)

From 61f40491222dbede653b9938e6a4676f187aab44 Mon Sep 17 00:00:00 2001
From: Abhinav Das <theabhinavdas@gmail.com>
Date: Sat, 8 Oct 2022 00:32:42 +0530
Subject: [PATCH 076/130] docs: replace Freenode with Libera Chat

closes #5013
---
 Readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Readme.md b/Readme.md
index 9b8bc34a0c..0936816bed 100644
--- a/Readme.md
+++ b/Readme.md
@@ -51,7 +51,7 @@ for more information.
 ## Docs & Community
 
   * [Website and Documentation](http://expressjs.com/) - [[website repo](https://github.com/expressjs/expressjs.com)]
-  * [#express](https://webchat.freenode.net/?channels=express) on freenode IRC
+  * [#express](https://web.libera.chat/#express) on [Libera Chat](https://libera.chat) IRC
   * [GitHub Organization](https://github.com/expressjs) for Official Middleware & Modules
   * Visit the [Wiki](https://github.com/expressjs/express/wiki)
   * [Google Group](https://groups.google.com/group/express-js) for discussion

From 8368dc178af16b91b576c4c1d135f701a0007e5d Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Sat, 8 Oct 2022 16:11:42 -0400
Subject: [PATCH 077/130] 4.18.2

---
 History.md   | 4 ++--
 package.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/History.md b/History.md
index a05baee617..e49870fed0 100644
--- a/History.md
+++ b/History.md
@@ -1,5 +1,5 @@
-unreleased
-==========
+4.18.2 / 2022-10-08
+===================
 
   * Fix regression routing a large stack in a single route
   * deps: body-parser@1.20.1
diff --git a/package.json b/package.json
index 6a11013c72..0996637dea 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Fast, unopinionated, minimalist web framework",
-  "version": "4.18.1",
+  "version": "4.18.2",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",

From 06b2b1416d07698b8a6eed467f90d0b3ceb380c8 Mon Sep 17 00:00:00 2001
From: Kevin Jones <kevin@vcsjones.com>
Date: Mon, 31 Oct 2022 16:39:42 -0400
Subject: [PATCH 078/130] docs: update git clone to https protocol

closes #5032
---
 Readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Readme.md b/Readme.md
index 0936816bed..d0f3cf56e6 100644
--- a/Readme.md
+++ b/Readme.md
@@ -104,7 +104,7 @@ $ npm start
   To view the examples, clone the Express repo and install the dependencies:
 
 ```console
-$ git clone git://github.com/expressjs/express.git --depth 1
+$ git clone https://github.com/expressjs/express.git --depth 1
 $ cd express
 $ npm install
 ```

From 29e117e676901a804031896f95f0eba317b05099 Mon Sep 17 00:00:00 2001
From: Arnaud Benhamdine <arnaud.benhamdine@gmail.com>
Date: Tue, 1 Nov 2022 22:34:11 +0100
Subject: [PATCH 079/130] build: Node.js@16.18

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cd93ab223d..33da666df3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -100,7 +100,7 @@ jobs:
           node-version: "15.14"
 
         - name: Node.js 16.x
-          node-version: "16.17"
+          node-version: "16.18"
 
         - name: Node.js 17.x
           node-version: "17.9"
diff --git a/appveyor.yml b/appveyor.yml
index 1fca21801e..5c55ace4a0 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -17,7 +17,7 @@ environment:
     - nodejs_version: "13.14"
     - nodejs_version: "14.20"
     - nodejs_version: "15.14"
-    - nodejs_version: "16.17"
+    - nodejs_version: "16.18"
     - nodejs_version: "17.9"
     - nodejs_version: "18.10"
 cache:

From 723b67766fb864424a59ebe46b6516bb484f6a23 Mon Sep 17 00:00:00 2001
From: Arnaud Benhamdine <arnaud.benhamdine@gmail.com>
Date: Tue, 1 Nov 2022 22:34:11 +0100
Subject: [PATCH 080/130] build: Node.js@18.12

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 33da666df3..868525a4b1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -106,7 +106,7 @@ jobs:
           node-version: "17.9"
 
         - name: Node.js 18.x
-          node-version: "18.10"
+          node-version: "18.12"
 
     steps:
     - uses: actions/checkout@v2
diff --git a/appveyor.yml b/appveyor.yml
index 5c55ace4a0..02a5c1169d 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -19,7 +19,7 @@ environment:
     - nodejs_version: "15.14"
     - nodejs_version: "16.18"
     - nodejs_version: "17.9"
-    - nodejs_version: "18.10"
+    - nodejs_version: "18.12"
 cache:
   - node_modules
 install:

From 442fd467992992558806da8da07e945838712587 Mon Sep 17 00:00:00 2001
From: Abdul Rauf <abdulraufmujahid@gmail.com>
Date: Wed, 19 Oct 2022 18:05:06 +0500
Subject: [PATCH 081/130] build: actions/checkout@v3

closes #5027
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 868525a4b1..b6a2879603 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -109,7 +109,7 @@ jobs:
           node-version: "18.12"
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     - name: Install Node.js ${{ matrix.node-version }}
       shell: bash -eo pipefail -l {0}

From c6ee8d6e7f11c3ac6bdda8e1bd4c1e38445f2d22 Mon Sep 17 00:00:00 2001
From: Rakesh Bisht <raks.bisht@gmail.com>
Date: Fri, 10 Feb 2023 11:50:16 +0530
Subject: [PATCH 082/130] lint: remove unused function arguments in tests

closes #5124
---
 test/Router.js     |  2 +-
 test/app.param.js  |  6 +++---
 test/app.router.js | 22 +++++++++++-----------
 test/res.format.js |  4 ++--
 4 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/test/Router.js b/test/Router.js
index 0d0502ab40..620c60278a 100644
--- a/test/Router.js
+++ b/test/Router.js
@@ -201,7 +201,7 @@ describe('Router', function(){
     it('should handle throwing inside routes with params', function(done) {
       var router = new Router();
 
-      router.get('/foo/:id', function(req, res, next){
+      router.get('/foo/:id', function () {
         throw new Error('foo');
       });
 
diff --git a/test/app.param.js b/test/app.param.js
index 8893851f9d..b4ccc8a2d1 100644
--- a/test/app.param.js
+++ b/test/app.param.js
@@ -166,7 +166,7 @@ describe('app', function(){
       app.get('/:user', function(req, res, next) {
         next('route');
       });
-      app.get('/:user', function(req, res, next) {
+      app.get('/:user', function (req, res) {
         res.send(req.params.user);
       });
 
@@ -187,11 +187,11 @@ describe('app', function(){
         next(new Error('invalid invocation'))
       });
 
-      app.post('/:user', function(req, res, next) {
+      app.post('/:user', function (req, res) {
         res.send(req.params.user);
       });
 
-      app.get('/:thing', function(req, res, next) {
+      app.get('/:thing', function (req, res) {
         res.send(req.thing);
       });
 
diff --git a/test/app.router.js b/test/app.router.js
index 3069a22c77..4fde03105c 100644
--- a/test/app.router.js
+++ b/test/app.router.js
@@ -90,7 +90,7 @@ describe('app.router', function(){
     it('should decode correct params', function(done){
       var app = express();
 
-      app.get('/:name', function(req, res, next){
+      app.get('/:name', function (req, res) {
         res.send(req.params.name);
       });
 
@@ -102,7 +102,7 @@ describe('app.router', function(){
     it('should not accept params in malformed paths', function(done) {
       var app = express();
 
-      app.get('/:name', function(req, res, next){
+      app.get('/:name', function (req, res) {
         res.send(req.params.name);
       });
 
@@ -114,7 +114,7 @@ describe('app.router', function(){
     it('should not decode spaces', function(done) {
       var app = express();
 
-      app.get('/:name', function(req, res, next){
+      app.get('/:name', function (req, res) {
         res.send(req.params.name);
       });
 
@@ -126,7 +126,7 @@ describe('app.router', function(){
     it('should work with unicode', function(done) {
       var app = express();
 
-      app.get('/:name', function(req, res, next){
+      app.get('/:name', function (req, res) {
         res.send(req.params.name);
       });
 
@@ -910,7 +910,7 @@ describe('app.router', function(){
         next();
       });
 
-      app.get('/bar', function(req, res){
+      app.get('/bar', function () {
         assert(0);
       });
 
@@ -919,7 +919,7 @@ describe('app.router', function(){
         next();
       });
 
-      app.get('/foo', function(req, res, next){
+      app.get('/foo', function (req, res) {
         calls.push('/foo 2');
         res.json(calls)
       });
@@ -939,7 +939,7 @@ describe('app.router', function(){
         next('route')
       }
 
-      app.get('/foo', fn, function(req, res, next){
+      app.get('/foo', fn, function (req, res) {
         res.end('failure')
       });
 
@@ -964,11 +964,11 @@ describe('app.router', function(){
         next('router')
       }
 
-      router.get('/foo', fn, function (req, res, next) {
+      router.get('/foo', fn, function (req, res) {
         res.end('failure')
       })
 
-      router.get('/foo', function (req, res, next) {
+      router.get('/foo', function (req, res) {
         res.end('failure')
       })
 
@@ -995,7 +995,7 @@ describe('app.router', function(){
         next();
       });
 
-      app.get('/bar', function(req, res){
+      app.get('/bar', function () {
         assert(0);
       });
 
@@ -1004,7 +1004,7 @@ describe('app.router', function(){
         next(new Error('fail'));
       });
 
-      app.get('/foo', function(req, res, next){
+      app.get('/foo', function () {
         assert(0);
       });
 
diff --git a/test/res.format.js b/test/res.format.js
index 45243d17a1..cba6fe136b 100644
--- a/test/res.format.js
+++ b/test/res.format.js
@@ -61,7 +61,7 @@ app3.use(function(req, res, next){
 
 var app4 = express();
 
-app4.get('/', function(req, res, next){
+app4.get('/', function (req, res) {
   res.format({
     text: function(){ res.send('hey') },
     html: function(){ res.send('<p>hey</p>') },
@@ -155,7 +155,7 @@ describe('res', function(){
       var app = express();
       var router = express.Router();
 
-      router.get('/', function(req, res, next){
+      router.get('/', function (req, res) {
         res.format({
           text: function(){ res.send('hey') },
           html: function(){ res.send('<p>hey</p>') },

From a1efd9d6cf968a9e863f3fdd3fef63d06ff039c4 Mon Sep 17 00:00:00 2001
From: Rakesh Bisht <raks.bisht@gmail.com>
Date: Wed, 8 Feb 2023 16:13:20 +0530
Subject: [PATCH 083/130] lint: remove unused parameter from internal function

coses #5119
---
 lib/utils.js | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/lib/utils.js b/lib/utils.js
index 799a6a2b4e..ab22f61e96 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -117,17 +117,15 @@ exports.contentDisposition = deprecate.function(contentDisposition,
 /**
  * Parse accept params `str` returning an
  * object with `.value`, `.quality` and `.params`.
- * also includes `.originalIndex` for stable sorting
  *
  * @param {String} str
- * @param {Number} index
  * @return {Object}
  * @api private
  */
 
-function acceptParams(str, index) {
+function acceptParams (str) {
   var parts = str.split(/ *; */);
-  var ret = { value: parts[0], quality: 1, params: {}, originalIndex: index };
+  var ret = { value: parts[0], quality: 1, params: {} }
 
   for (var i = 1; i < parts.length; ++i) {
     var pms = parts[i].split(/ *= */);

From 6b4c4f5426fb5de23fb7174fd6e3bf53048e06ca Mon Sep 17 00:00:00 2001
From: Rakesh Bisht <raks.bisht@gmail.com>
Date: Wed, 8 Feb 2023 15:56:13 +0530
Subject: [PATCH 084/130] docs: fix typos in JSDoc comments

closes #5117
---
 examples/markdown/index.js | 2 +-
 lib/router/index.js        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/markdown/index.js b/examples/markdown/index.js
index 74ac05e77f..23d645e66b 100644
--- a/examples/markdown/index.js
+++ b/examples/markdown/index.js
@@ -26,7 +26,7 @@ app.engine('md', function(path, options, fn){
 
 app.set('views', path.join(__dirname, 'views'));
 
-// make it the default so we dont need .md
+// make it the default, so we don't need .md
 app.set('view engine', 'md');
 
 app.get('/', function(req, res){
diff --git a/lib/router/index.js b/lib/router/index.js
index 5174c34f45..abb3a6f589 100644
--- a/lib/router/index.js
+++ b/lib/router/index.js
@@ -36,7 +36,7 @@ var toString = Object.prototype.toString;
  * Initialize a new `Router` with the given `options`.
  *
  * @param {Object} [options]
- * @return {Router} which is an callable function
+ * @return {Router} which is a callable function
  * @public
  */
 

From 3c1d605da76a6c25dbe423a42d58871803c3e328 Mon Sep 17 00:00:00 2001
From: Rakesh Bisht <raks.bisht@gmail.com>
Date: Fri, 3 Feb 2023 20:34:39 +0530
Subject: [PATCH 085/130] lint: remove unused parameters in examples

closes #5113
---
 examples/error/index.js       | 2 +-
 examples/view-locals/index.js | 4 ++--
 examples/web-service/index.js | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/examples/error/index.js b/examples/error/index.js
index d922de06cc..d733a81172 100644
--- a/examples/error/index.js
+++ b/examples/error/index.js
@@ -26,7 +26,7 @@ function error(err, req, res, next) {
   res.send('Internal Server Error');
 }
 
-app.get('/', function(req, res){
+app.get('/', function () {
   // Caught and passed down to the errorHandler middleware
   throw new Error('something broke!');
 });
diff --git a/examples/view-locals/index.js b/examples/view-locals/index.js
index bf52d2a85a..a2af24f355 100644
--- a/examples/view-locals/index.js
+++ b/examples/view-locals/index.js
@@ -61,7 +61,7 @@ function users(req, res, next) {
   })
 }
 
-app.get('/middleware', count, users, function(req, res, next){
+app.get('/middleware', count, users, function (req, res) {
   res.render('index', {
     title: 'Users',
     count: req.count,
@@ -99,7 +99,7 @@ function users2(req, res, next) {
   })
 }
 
-app.get('/middleware-locals', count2, users2, function(req, res, next){
+app.get('/middleware-locals', count2, users2, function (req, res) {
   // you can see now how we have much less
   // to pass to res.render(). If we have
   // several routes related to users this
diff --git a/examples/web-service/index.js b/examples/web-service/index.js
index a2cd2cb7f9..d1a9036215 100644
--- a/examples/web-service/index.js
+++ b/examples/web-service/index.js
@@ -72,12 +72,12 @@ var userRepos = {
 // and simply expose the data
 
 // example: http://localhost:3000/api/users/?api-key=foo
-app.get('/api/users', function(req, res, next){
+app.get('/api/users', function (req, res) {
   res.send(users);
 });
 
 // example: http://localhost:3000/api/repos/?api-key=foo
-app.get('/api/repos', function(req, res, next){
+app.get('/api/repos', function (req, res) {
   res.send(repos);
 });
 

From f05b5d0e9c43625e5677b427c33b2f950eb5bea8 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Wed, 22 Feb 2023 11:59:40 -0500
Subject: [PATCH 086/130] build: Node.js@16.19

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b6a2879603..332ce4394c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -100,7 +100,7 @@ jobs:
           node-version: "15.14"
 
         - name: Node.js 16.x
-          node-version: "16.18"
+          node-version: "16.19"
 
         - name: Node.js 17.x
           node-version: "17.9"
diff --git a/appveyor.yml b/appveyor.yml
index 02a5c1169d..4c8722ed9f 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -17,7 +17,7 @@ environment:
     - nodejs_version: "13.14"
     - nodejs_version: "14.20"
     - nodejs_version: "15.14"
-    - nodejs_version: "16.18"
+    - nodejs_version: "16.19"
     - nodejs_version: "17.9"
     - nodejs_version: "18.12"
 cache:

From 546969d1989d00fda460ccb23fabb943650dac51 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Wed, 22 Feb 2023 12:07:48 -0500
Subject: [PATCH 087/130] build: Node.js@18.14

---
 .github/workflows/ci.yml | 8 ++++++--
 appveyor.yml             | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 332ce4394c..64538c290c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -106,7 +106,7 @@ jobs:
           node-version: "17.9"
 
         - name: Node.js 18.x
-          node-version: "18.12"
+          node-version: "18.14"
 
     steps:
     - uses: actions/checkout@v3
@@ -120,7 +120,11 @@ jobs:
     - name: Configure npm
       run: |
         npm config set loglevel error
-        npm config set shrinkwrap false
+        if [[ "$(npm config get package-lock)" == "true" ]]; then
+          npm config set package-lock false
+        else
+          npm config set shrinkwrap false
+        fi
 
     - name: Install npm module(s) ${{ matrix.npm-i }}
       run: npm install --save-dev ${{ matrix.npm-i }}
diff --git a/appveyor.yml b/appveyor.yml
index 4c8722ed9f..47941052bf 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -19,7 +19,7 @@ environment:
     - nodejs_version: "15.14"
     - nodejs_version: "16.19"
     - nodejs_version: "17.9"
-    - nodejs_version: "18.12"
+    - nodejs_version: "18.14"
 cache:
   - node_modules
 install:
@@ -30,7 +30,11 @@ install:
   # Configure npm
   - ps: |
       npm config set loglevel error
-      npm config set shrinkwrap false
+      if ((npm config get package-lock) -eq "true") {
+        npm config set package-lock false
+      } else {
+        npm config set shrinkwrap false
+      }
   # Remove all non-test dependencies
   - ps: |
       # Remove example dependencies

From b9f7a97fe164d2a64279105abe375c69eaab9ebb Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Wed, 22 Feb 2023 18:10:59 -0500
Subject: [PATCH 088/130] build: use $GITHUB_OUTPUT for environment list

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 64538c290c..a4bf538948 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -155,7 +155,7 @@ jobs:
         echo "node@$(node -v)"
         echo "npm@$(npm -v)"
         npm -s ls ||:
-        (npm -s ls --depth=0 ||:) | awk -F'[ @]' 'NR>1 && $2 { print "::set-output name=" $2 "::" $3 }'
+        (npm -s ls --depth=0 ||:) | awk -F'[ @]' 'NR>1 && $2 { print $2 "=" $3 }' >> "$GITHUB_OUTPUT"
 
     - name: Run tests
       shell: bash

From 506fbd63befe810783dba49d11159c7ad46c239a Mon Sep 17 00:00:00 2001
From: Rakesh Bisht <raks.bisht@gmail.com>
Date: Wed, 22 Feb 2023 18:30:50 +0530
Subject: [PATCH 089/130] docs: add missing JSDoc param for
 parseExtendedQueryString

closes #5130
---
 lib/utils.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/utils.js b/lib/utils.js
index ab22f61e96..56e12b9b54 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -280,6 +280,7 @@ function createETagGenerator (options) {
 /**
  * Parse an extended query string with qs.
  *
+ * @param {String} str
  * @return {Object}
  * @private
  */

From 1e42a98db6708e5a3609d0f7c09bcc176b481ea7 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 23 Feb 2023 00:24:20 -0500
Subject: [PATCH 090/130] deps: body-parser@1.20.2

---
 History.md           | 8 ++++++++
 package.json         | 2 +-
 test/express.json.js | 8 ++++----
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/History.md b/History.md
index e49870fed0..7b0cc4abf7 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,11 @@
+unreleased
+==========
+
+  * deps: body-parser@1.20.2
+    - Fix strict json error message on Node.js 19+
+    - deps: content-type@~1.0.5
+    - deps: raw-body@2.5.2
+
 4.18.2 / 2022-10-08
 ===================
 
diff --git a/package.json b/package.json
index 0996637dea..adf479dfce 100644
--- a/package.json
+++ b/package.json
@@ -30,7 +30,7 @@
   "dependencies": {
     "accepts": "~1.3.8",
     "array-flatten": "1.1.1",
-    "body-parser": "1.20.1",
+    "body-parser": "1.20.2",
     "content-disposition": "0.5.4",
     "content-type": "~1.0.4",
     "cookie": "0.5.0",
diff --git a/test/express.json.js b/test/express.json.js
index a8cfebc41e..f6f536b15e 100644
--- a/test/express.json.js
+++ b/test/express.json.js
@@ -262,7 +262,7 @@ describe('express.json()', function () {
           .post('/')
           .set('Content-Type', 'application/json')
           .send('true')
-          .expect(400, '[entity.parse.failed] ' + parseError('#rue').replace('#', 't'), done)
+          .expect(400, '[entity.parse.failed] ' + parseError('#rue').replace(/#/g, 't'), done)
       })
     })
 
@@ -290,7 +290,7 @@ describe('express.json()', function () {
           .post('/')
           .set('Content-Type', 'application/json')
           .send('true')
-          .expect(400, '[entity.parse.failed] ' + parseError('#rue').replace('#', 't'), done)
+          .expect(400, '[entity.parse.failed] ' + parseError('#rue').replace(/#/g, 't'), done)
       })
 
       it('should not parse primitives with leading whitespaces', function (done) {
@@ -298,7 +298,7 @@ describe('express.json()', function () {
           .post('/')
           .set('Content-Type', 'application/json')
           .send('    true')
-          .expect(400, '[entity.parse.failed] ' + parseError('    #rue').replace('#', 't'), done)
+          .expect(400, '[entity.parse.failed] ' + parseError('    #rue').replace(/#/g, 't'), done)
       })
 
       it('should allow leading whitespaces in JSON', function (done) {
@@ -316,7 +316,7 @@ describe('express.json()', function () {
           .set('X-Error-Property', 'stack')
           .send('true')
           .expect(400)
-          .expect(shouldContainInBody(parseError('#rue').replace('#', 't')))
+          .expect(shouldContainInBody(parseError('#rue').replace(/#/g, 't')))
           .end(done)
       })
     })

From 60b7c672c19ba6b96cc7e5383eee00f8bf99a45a Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 23 Feb 2023 00:27:06 -0500
Subject: [PATCH 091/130] build: mocha@10.2.0

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index adf479dfce..c3641a02c8 100644
--- a/package.json
+++ b/package.json
@@ -71,7 +71,7 @@
     "hbs": "4.2.0",
     "marked": "0.7.0",
     "method-override": "3.0.0",
-    "mocha": "10.0.0",
+    "mocha": "10.2.0",
     "morgan": "1.10.0",
     "multiparty": "4.2.3",
     "nyc": "15.1.0",

From 8a76f39d9844f36797cd794fb74b47c635798ae5 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 23 Feb 2023 00:28:41 -0500
Subject: [PATCH 092/130] build: eslint@8.34.0

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index c3641a02c8..e4ed037cfa 100644
--- a/package.json
+++ b/package.json
@@ -66,7 +66,7 @@
     "cookie-parser": "1.4.6",
     "cookie-session": "2.0.0",
     "ejs": "3.1.8",
-    "eslint": "8.24.0",
+    "eslint": "8.34.0",
     "express-session": "1.17.2",
     "hbs": "4.2.0",
     "marked": "0.7.0",

From 5ad95419bac1cb5bcc1f09fd1872f2b2af4aed1a Mon Sep 17 00:00:00 2001
From: Rakesh Bisht <raks.bisht@gmail.com>
Date: Thu, 23 Feb 2023 11:36:40 +0530
Subject: [PATCH 093/130] docs: fix typos in history

closes #5131
---
 History.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/History.md b/History.md
index 7b0cc4abf7..17b03705df 100644
--- a/History.md
+++ b/History.md
@@ -2119,7 +2119,7 @@ unreleased
  * deps: connect@2.21.0
    - deprecate `connect(middleware)` -- use `app.use(middleware)` instead
    - deprecate `connect.createServer()` -- use `connect()` instead
-   - fix `res.setHeader()` patch to work with with get -> append -> set pattern
+   - fix `res.setHeader()` patch to work with get -> append -> set pattern
    - deps: compression@~1.0.8
    - deps: errorhandler@~1.1.1
    - deps: express-session@~1.5.0
@@ -3330,8 +3330,8 @@ Shaw]
   * Added node v0.1.97 compatibility
   * Added support for deleting cookies via Request#cookie('key', null)
   * Updated haml submodule
-  * Fixed not-found page, now using using charset utf-8
-  * Fixed show-exceptions page, now using using charset utf-8
+  * Fixed not-found page, now using charset utf-8
+  * Fixed show-exceptions page, now using charset utf-8
   * Fixed view support due to fs.readFile Buffers
   * Changed; mime.type() no longer accepts ".type" due to node extname() changes
 
@@ -3366,7 +3366,7 @@ Shaw]
 ==================
 
   * Added charset support via Request#charset (automatically assigned to 'UTF-8' when respond()'s
-    encoding is set to 'utf8' or 'utf-8'.
+    encoding is set to 'utf8' or 'utf-8').
   * Added "encoding" option to Request#render(). Closes #299
   * Added "dump exceptions" setting, which is enabled by default.
   * Added simple ejs template engine support
@@ -3405,7 +3405,7 @@ Shaw]
   * Added [haml.js](http://github.com/visionmedia/haml.js) submodule; removed haml-js
   * Added callback function support to Request#halt() as 3rd/4th arg
   * Added preprocessing of route param wildcards using param(). Closes #251
-  * Added view partial support (with collections etc)
+  * Added view partial support (with collections etc.)
   * Fixed bug preventing falsey params (such as ?page=0). Closes #286
   * Fixed setting of multiple cookies. Closes #199
   * Changed; view naming convention is now NAME.TYPE.ENGINE (for example page.html.haml)

From 9bc1742937253825d2dc1e9a48c8e8424f0a315b Mon Sep 17 00:00:00 2001
From: Arnaud Benhamdine <arnaud.benhamdine@gmail.com>
Date: Thu, 23 Feb 2023 14:18:57 +0100
Subject: [PATCH 094/130] build: support Node.js 19.x

---
 .github/workflows/ci.yml | 4 ++++
 appveyor.yml             | 1 +
 2 files changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a4bf538948..c6fb81de93 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,6 +31,7 @@ jobs:
         - Node.js 16.x
         - Node.js 17.x
         - Node.js 18.x
+        - Node.js 19.x
 
         include:
         - name: Node.js 0.10
@@ -108,6 +109,9 @@ jobs:
         - name: Node.js 18.x
           node-version: "18.14"
 
+        - name: Node.js 19.x
+          node-version: "19.7"
+
     steps:
     - uses: actions/checkout@v3
 
diff --git a/appveyor.yml b/appveyor.yml
index 47941052bf..ac671ef47b 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -20,6 +20,7 @@ environment:
     - nodejs_version: "16.19"
     - nodejs_version: "17.9"
     - nodejs_version: "18.14"
+    - nodejs_version: "19.7"
 cache:
   - node_modules
 install:

From 74beeac0718c928b4ba249aba3652c52fbe32ca8 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 23 Feb 2023 17:23:22 -0500
Subject: [PATCH 095/130] Fix routing requests without method

---
 History.md          |  1 +
 lib/router/route.js |  9 +++++++--
 test/Router.js      | 27 +++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/History.md b/History.md
index 17b03705df..9e85df3ceb 100644
--- a/History.md
+++ b/History.md
@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Fix routing requests without method
   * deps: body-parser@1.20.2
     - Fix strict json error message on Node.js 19+
     - deps: content-type@~1.0.5
diff --git a/lib/router/route.js b/lib/router/route.js
index cc643ac8bd..a65756d6de 100644
--- a/lib/router/route.js
+++ b/lib/router/route.js
@@ -60,7 +60,10 @@ Route.prototype._handles_method = function _handles_method(method) {
     return true;
   }
 
-  var name = method.toLowerCase();
+  // normalize name
+  var name = typeof method === 'string'
+    ? method.toLowerCase()
+    : method
 
   if (name === 'head' && !this.methods['head']) {
     name = 'get';
@@ -103,8 +106,10 @@ Route.prototype.dispatch = function dispatch(req, res, done) {
   if (stack.length === 0) {
     return done();
   }
+  var method = typeof req.method === 'string'
+    ? req.method.toLowerCase()
+    : req.method
 
-  var method = req.method.toLowerCase();
   if (method === 'head' && !this.methods['head']) {
     method = 'get';
   }
diff --git a/test/Router.js b/test/Router.js
index 620c60278a..cf5b5c1f0d 100644
--- a/test/Router.js
+++ b/test/Router.js
@@ -61,6 +61,33 @@ describe('Router', function(){
     router.handle({ method: 'GET' }, {}, done)
   })
 
+  it('handle missing method', function (done) {
+    var all = false
+    var router = new Router()
+    var route = router.route('/foo')
+    var use = false
+
+    route.post(function (req, res, next) { next(new Error('should not run')) })
+    route.all(function (req, res, next) {
+      all = true
+      next()
+    })
+    route.get(function (req, res, next) { next(new Error('should not run')) })
+
+    router.get('/foo', function (req, res, next) { next(new Error('should not run')) })
+    router.use(function (req, res, next) {
+      use = true
+      next()
+    })
+
+    router.handle({ url: '/foo' }, {}, function (err) {
+      if (err) return done(err)
+      assert.ok(all)
+      assert.ok(use)
+      done()
+    })
+  })
+
   it('should not stack overflow with many registered routes', function(done){
     this.timeout(5000) // long-running test
 

From 0debedf4f31bb20203da0534719b9b10d6ac9a29 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Sun, 26 Feb 2023 13:34:32 -0500
Subject: [PATCH 096/130] build: fix code coverage aggregate upload

---
 .github/workflows/ci.yml | 39 +++++++++++++++++++++++++++++++--------
 1 file changed, 31 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c6fb81de93..b30c56c2f1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -163,25 +163,48 @@ jobs:
 
     - name: Run tests
       shell: bash
-      run: npm run test-ci
+      run: |
+        npm run test-ci
+        cp coverage/lcov.info "coverage/${{ matrix.name }}.lcov"
 
     - name: Lint code
       if: steps.list_env.outputs.eslint != ''
       run: npm run lint
 
     - name: Collect code coverage
-      uses: coverallsapp/github-action@master
+      run: |
+        mv ./coverage "./${{ matrix.name }}"
+        mkdir ./coverage
+        mv "./${{ matrix.name }}" "./coverage/${{ matrix.name }}"
+
+    - name: Upload code coverage
+      uses: actions/upload-artifact@v3
       with:
-        github-token: ${{ secrets.GITHUB_TOKEN }}
-        flag-name: run-${{ matrix.test_number }}
-        parallel: true
+        name: coverage
+        path: ./coverage
+        retention-days: 1
 
   coverage:
     needs: test
     runs-on: ubuntu-latest
     steps:
-    - name: Upload code coverage
+    - uses: actions/checkout@v3
+
+    - name: Install lcov
+      shell: bash
+      run: sudo apt-get -y install lcov
+
+    - name: Collect coverage reports
+      uses: actions/download-artifact@v3
+      with:
+        name: coverage
+        path: ./coverage
+
+    - name: Merge coverage reports
+      shell: bash
+      run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./coverage/lcov.info
+
+    - name: Upload coverage report
       uses: coverallsapp/github-action@master
       with:
-        github-token: ${{ secrets.github_token }}
-        parallel-finished: true
+        github-token: ${{ secrets.GITHUB_TOKEN }}

From 8c24fa8f7b6d443869c655166c93869d8b299627 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 13 Mar 2023 22:43:19 -0400
Subject: [PATCH 097/130] tests: wait for server close in app.listen()

---
 test/app.listen.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/test/app.listen.js b/test/app.listen.js
index 08eeaaa63c..0eec582e69 100644
--- a/test/app.listen.js
+++ b/test/app.listen.js
@@ -7,8 +7,7 @@ describe('app.listen()', function(){
     var app = express();
 
     var server = app.listen(9999, function(){
-      server.close();
-      done();
+      server.close(done)
     });
   })
 })

From f4e48bc43eece928f005a4458c87a16ce089e8e5 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 13 Mar 2023 22:49:54 -0400
Subject: [PATCH 098/130] build: ejs@3.1.9

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index e4ed037cfa..8a7548aff5 100644
--- a/package.json
+++ b/package.json
@@ -65,7 +65,7 @@
     "connect-redis": "3.4.2",
     "cookie-parser": "1.4.6",
     "cookie-session": "2.0.0",
-    "ejs": "3.1.8",
+    "ejs": "3.1.9",
     "eslint": "8.34.0",
     "express-session": "1.17.2",
     "hbs": "4.2.0",

From b8b2eff3c3eac6a1df3919a87f7c7316d40ae97a Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 13 Mar 2023 22:52:34 -0400
Subject: [PATCH 099/130] build: eslint@8.36.0

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 8a7548aff5..b77937d439 100644
--- a/package.json
+++ b/package.json
@@ -66,7 +66,7 @@
     "cookie-parser": "1.4.6",
     "cookie-session": "2.0.0",
     "ejs": "3.1.9",
-    "eslint": "8.34.0",
+    "eslint": "8.36.0",
     "express-session": "1.17.2",
     "hbs": "4.2.0",
     "marked": "0.7.0",

From f540c3b0195393974d4875a410f4c00a07a2ab60 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Mon, 13 Mar 2023 22:59:15 -0400
Subject: [PATCH 100/130] build: Node.js@18.15

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b30c56c2f1..20c37976a4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -107,7 +107,7 @@ jobs:
           node-version: "17.9"
 
         - name: Node.js 18.x
-          node-version: "18.14"
+          node-version: "18.15"
 
         - name: Node.js 19.x
           node-version: "19.7"
diff --git a/appveyor.yml b/appveyor.yml
index ac671ef47b..e9a6e6d57e 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -19,7 +19,7 @@ environment:
     - nodejs_version: "15.14"
     - nodejs_version: "16.19"
     - nodejs_version: "17.9"
-    - nodejs_version: "18.14"
+    - nodejs_version: "18.15"
     - nodejs_version: "19.7"
 cache:
   - node_modules

From 3531987844e533742f1159b0c3f1e07fad2e4597 Mon Sep 17 00:00:00 2001
From: Rakesh Bisht <raks.bisht@gmail.com>
Date: Sat, 4 Mar 2023 13:48:00 +0530
Subject: [PATCH 101/130] lint: remove unused function arguments in Route tests

closes #5137
---
 test/Route.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/Route.js b/test/Route.js
index 64dbad60ce..2a37b9a483 100644
--- a/test/Route.js
+++ b/test/Route.js
@@ -124,7 +124,7 @@ describe('Route', function(){
       var req = { method: 'POST', url: '/' };
       var route = new Route('');
 
-      route.get(function(req, res, next) {
+      route.get(function () {
         throw new Error('not me!');
       })
 
@@ -198,7 +198,7 @@ describe('Route', function(){
       var req = { order: '', method: 'GET', url: '/' };
       var route = new Route('');
 
-      route.all(function(req, res, next){
+      route.all(function () {
         throw new Error('foobar');
       });
 
@@ -224,7 +224,7 @@ describe('Route', function(){
       var req = { method: 'GET', url: '/' };
       var route = new Route('');
 
-      route.get(function(req, res, next){
+      route.get(function () {
         throw new Error('boom!');
       });
 

From 91b6fb83b4cf30ec626c0582f0b3a0a98d8afcb4 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 6 Apr 2023 20:40:27 -0400
Subject: [PATCH 102/130] build: use nyc@14.1.1 for Node.js < 10

---
 .github/workflows/ci.yml | 4 ++--
 appveyor.yml             | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 20c37976a4..856c6314e8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -72,11 +72,11 @@ jobs:
 
         - name: Node.js 8.x
           node-version: "8.17"
-          npm-i: mocha@7.2.0
+          npm-i: mocha@7.2.0 nyc@14.1.1
 
         - name: Node.js 9.x
           node-version: "9.11"
-          npm-i: mocha@7.2.0
+          npm-i: mocha@7.2.0 nyc@14.1.1
 
         - name: Node.js 10.x
           node-version: "10.24"
diff --git a/appveyor.yml b/appveyor.yml
index e9a6e6d57e..88e81dfeee 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -70,12 +70,12 @@ install:
       # nyc for test coverage
       # - use 10.3.2 for Node.js < 4
       # - use 11.9.0 for Node.js < 6
-      # - use 14.1.1 for Node.js < 8
+      # - use 14.1.1 for Node.js < 10
       if ([int]$env:nodejs_version.split(".")[0] -lt 4) {
         npm install --silent --save-dev nyc@10.3.2
       } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) {
         npm install --silent --save-dev nyc@11.9.0
-      } elseif ([int]$env:nodejs_version.split(".")[0] -lt 8) {
+      } elseif ([int]$env:nodejs_version.split(".")[0] -lt 10) {
         npm install --silent --save-dev nyc@14.1.1
       }
   - ps: |

From 24e4a2570d15d6cca53023410f754929c5391c6f Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 6 Apr 2023 20:43:53 -0400
Subject: [PATCH 103/130] build: Node.js@16.20

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 856c6314e8..30767d9896 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -101,7 +101,7 @@ jobs:
           node-version: "15.14"
 
         - name: Node.js 16.x
-          node-version: "16.19"
+          node-version: "16.20"
 
         - name: Node.js 17.x
           node-version: "17.9"
diff --git a/appveyor.yml b/appveyor.yml
index 88e81dfeee..1412811ff4 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -17,7 +17,7 @@ environment:
     - nodejs_version: "13.14"
     - nodejs_version: "14.20"
     - nodejs_version: "15.14"
-    - nodejs_version: "16.19"
+    - nodejs_version: "16.20"
     - nodejs_version: "17.9"
     - nodejs_version: "18.15"
     - nodejs_version: "19.7"

From 2a00da2067b7017f769c9100205a2a5f267a884b Mon Sep 17 00:00:00 2001
From: Raz Luvaton <16746759+rluvaton@users.noreply.github.com>
Date: Tue, 11 Apr 2023 15:31:47 +0300
Subject: [PATCH 104/130] tests: use random port in listen test

closes #5162
---
 test/app.listen.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/app.listen.js b/test/app.listen.js
index 0eec582e69..5b150063b9 100644
--- a/test/app.listen.js
+++ b/test/app.listen.js
@@ -6,7 +6,7 @@ describe('app.listen()', function(){
   it('should wrap with an HTTP server', function(done){
     var app = express();
 
-    var server = app.listen(9999, function(){
+    var server = app.listen(0, function () {
       server.close(done)
     });
   })

From 13df1de857688057f3c7e6d315321b19f8e4259e Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Wed, 23 Aug 2023 19:49:36 -0400
Subject: [PATCH 105/130] build: eslint@8.47.0

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index b77937d439..fdf81725b4 100644
--- a/package.json
+++ b/package.json
@@ -66,7 +66,7 @@
     "cookie-parser": "1.4.6",
     "cookie-session": "2.0.0",
     "ejs": "3.1.9",
-    "eslint": "8.36.0",
+    "eslint": "8.47.0",
     "express-session": "1.17.2",
     "hbs": "4.2.0",
     "marked": "0.7.0",

From 8d8bfaac7be5d06c0a8fcc069b1ee5b0ec398cd9 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Wed, 23 Aug 2023 19:58:41 -0400
Subject: [PATCH 106/130] build: Node.js@18.17

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 30767d9896..3d14976a9b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -107,7 +107,7 @@ jobs:
           node-version: "17.9"
 
         - name: Node.js 18.x
-          node-version: "18.15"
+          node-version: "18.17"
 
         - name: Node.js 19.x
           node-version: "19.7"
diff --git a/appveyor.yml b/appveyor.yml
index 1412811ff4..63adc423c8 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -19,7 +19,7 @@ environment:
     - nodejs_version: "15.14"
     - nodejs_version: "16.20"
     - nodejs_version: "17.9"
-    - nodejs_version: "18.15"
+    - nodejs_version: "18.17"
     - nodejs_version: "19.7"
 cache:
   - node_modules

From 02d1c3916ebaec776b4d754be54aa1500e2e9563 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Wed, 23 Aug 2023 20:07:50 -0400
Subject: [PATCH 107/130] build: Node.js@19.9

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3d14976a9b..3501778533 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -110,7 +110,7 @@ jobs:
           node-version: "18.17"
 
         - name: Node.js 19.x
-          node-version: "19.7"
+          node-version: "19.9"
 
     steps:
     - uses: actions/checkout@v3
diff --git a/appveyor.yml b/appveyor.yml
index 63adc423c8..44af842e85 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -20,7 +20,7 @@ environment:
     - nodejs_version: "16.20"
     - nodejs_version: "17.9"
     - nodejs_version: "18.17"
-    - nodejs_version: "19.7"
+    - nodejs_version: "19.9"
 cache:
   - node_modules
 install:

From a22920707bfd30e083e5b8e076841d226266cb06 Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Wed, 1 Nov 2023 22:08:37 -0400
Subject: [PATCH 108/130] build: actions/checkout@v4

---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3501778533..b545e8bd0d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -113,7 +113,7 @@ jobs:
           node-version: "19.9"
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - name: Install Node.js ${{ matrix.node-version }}
       shell: bash -eo pipefail -l {0}
@@ -188,7 +188,7 @@ jobs:
     needs: test
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - name: Install lcov
       shell: bash

From c4fe7de7bcb7ce241dfa7137fad96d48b75e86f3 Mon Sep 17 00:00:00 2001
From: Wes Todd <wes@wesleytodd.com>
Date: Fri, 16 Feb 2024 08:52:09 -0600
Subject: [PATCH 109/130] docs: update TC governance rules

closes #5483
---
 Contributing.md | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/Contributing.md b/Contributing.md
index 485dee597e..89f9280632 100644
--- a/Contributing.md
+++ b/Contributing.md
@@ -107,7 +107,22 @@ move forward towards a consensus. It is not expected that a meeting of the TC
 will resolve all issues on its agenda during that meeting and may prefer to continue
 the discussion happening among the committers.
 
-Members can be added to the TC at any time. Any committer can nominate another committer
+Members can be added to the TC at any time. Any TC member can nominate another committer
 to the TC and the TC uses its standard consensus seeking process to evaluate whether or
-not to add this new member. Members who do not participate consistently at the level of
-a majority of the other members are expected to resign.
+not to add this new member. The TC will consist of a minimum of 3 active members and a
+maximum of 10. If the TC should drop below 5 members the active TC members should nominate
+someone new. If a TC member is stepping down, they are encouraged (but not required) to
+nominate someone to take their place.
+
+TC members will be added as admin's on the Github orgs, npm orgs, and other resources as
+necessary to be effective in the role.
+
+To remain "active" a TC member should have participation within the last 6 months and miss
+no more than three consecutive TC meetings. Members who do not meet this are expected to step down.
+If A TC member does not step down, an issue can be opened in the discussions repo to move them
+to inactive status. TC members who step down or are removed due to inactivity will be moved
+into inactive status.
+
+Inactive status members can become active members by self nomination if the TC is not already
+larger than the maximum of 10. They will also be given preference if, while at max size, an
+active member steps down.

From 59aae7686b995186a71da48abd4af5be72ff4ef5 Mon Sep 17 00:00:00 2001
From: Gireesh Punathil <gpunathi@in.ibm.com>
Date: Mon, 9 Mar 2020 14:12:29 +0530
Subject: [PATCH 110/130] docs: add project captains to contribution

closes #4210
closes #5484
---
 Contributing.md | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/Contributing.md b/Contributing.md
index 89f9280632..dfe5f13833 100644
--- a/Contributing.md
+++ b/Contributing.md
@@ -12,6 +12,7 @@ contributors can be involved in decision making.
 
 * A **Contributor** is any individual creating or commenting on an issue or pull request.
 * A **Committer** is a subset of contributors who have been given write access to the repository.
+* A **Project Captain** is the lead maintainer of a repository.
 * A **TC (Technical Committee)** is a group of committers representing the required technical
 expertise to resolve rare disputes.
 * A **Triager** is a subset of contributors who have been given triage access to the repository.
@@ -102,10 +103,10 @@ If a consensus cannot be reached that has no objections then a majority wins vot
 is called. It is also expected that the majority of decisions made by the TC are via
 a consensus seeking process and that voting is only used as a last-resort.
 
-Resolution may involve returning the issue to committers with suggestions on how to
-move forward towards a consensus. It is not expected that a meeting of the TC
+Resolution may involve returning the issue to project captains with suggestions on
+how to move forward towards a consensus. It is not expected that a meeting of the TC
 will resolve all issues on its agenda during that meeting and may prefer to continue
-the discussion happening among the committers.
+the discussion happening among the project captains.
 
 Members can be added to the TC at any time. Any TC member can nominate another committer
 to the TC and the TC uses its standard consensus seeking process to evaluate whether or
@@ -126,3 +127,34 @@ into inactive status.
 Inactive status members can become active members by self nomination if the TC is not already
 larger than the maximum of 10. They will also be given preference if, while at max size, an
 active member steps down.
+
+## Project Captains
+
+The Express TC can designate captains for individual projects/repos in the
+organizations. These captains are responsible for being the primary
+day-to-day maintainers of the repo on a technical and community front.
+Repo captains are empowered with repo ownership and package publication rights.
+When there are conflicts, especially on topics that effect the Express project
+at large, captains are responsible to raise it up to the TC and drive
+those conflicts to resolution. Captains are also responsible for making sure
+community members follow the community guidelines, maintaining the repo
+and the published package, as well as in providing user support.
+
+Like TC members, Repo captains are a subset of committers.
+
+To become a captain for a project the candidate is expected to participate in that
+project for at least 6 months as a committer prior to the request. They should have
+helped with code contributions as well as triaging issues. They are also required to
+have 2FA enabled on both their GitHub and npm accounts. Any TC member or existing
+captain on the repo can nominate another committer to the captain role, submit a PR to
+this doc, under `Current Project Captains` section (maintaining the sort order) with
+the project, their GitHub handle and npm username (if different). The PR will require
+at least 2 approvals from TC members and 2 weeks hold time to allow for comment and/or
+dissent.  When the PR is merged, a TC member will add them to the proper GitHub/npm groups.
+
+### Current Project Captains
+
+- `expressjs.com`: @crandmck
+- `multer`: @LinusU
+- `path-to-regexp`: @blakeembrey
+- `router`: @dougwilson

From 2a89eb5c749a168820d6ea96723ad8a7e979a58b Mon Sep 17 00:00:00 2001
From: christof louw <louw.christof@gmail.com>
Date: Thu, 27 Jul 2023 11:06:18 +0200
Subject: [PATCH 111/130] tests: fix handling multiple callbacks

closes #5233
---
 test/Router.js     | 6 +++---
 test/app.router.js | 2 +-
 test/app.use.js    | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/test/Router.js b/test/Router.js
index cf5b5c1f0d..b22001a9ff 100644
--- a/test/Router.js
+++ b/test/Router.js
@@ -606,8 +606,8 @@ describe('Router', function(){
       var req2 = { url: '/foo/10/bar', method: 'get' };
       var router = new Router();
       var sub = new Router();
+      var cb = after(2, done)
 
-      done = after(2, done);
 
       sub.get('/bar', function(req, res, next) {
         next();
@@ -626,14 +626,14 @@ describe('Router', function(){
         assert.ifError(err);
         assert.equal(req1.ms, 50);
         assert.equal(req1.originalUrl, '/foo/50/bar');
-        done();
+        cb()
       });
 
       router.handle(req2, {}, function(err) {
         assert.ifError(err);
         assert.equal(req2.ms, 10);
         assert.equal(req2.originalUrl, '/foo/10/bar');
-        done();
+        cb()
       });
     });
   });
diff --git a/test/app.router.js b/test/app.router.js
index 4fde03105c..12b6c1fa51 100644
--- a/test/app.router.js
+++ b/test/app.router.js
@@ -896,7 +896,7 @@ describe('app.router', function(){
 
       request(app)
         .get('/foo.json')
-        .expect(200, 'foo as json', done)
+        .expect(200, 'foo as json', cb)
     })
   })
 
diff --git a/test/app.use.js b/test/app.use.js
index fd9b1751a3..1de3275c8e 100644
--- a/test/app.use.js
+++ b/test/app.use.js
@@ -57,7 +57,7 @@ describe('app', function(){
 
       request(app)
         .get('/forum')
-        .expect(200, 'forum', done)
+        .expect(200, 'forum', cb)
     })
 
     it('should set the child\'s .parent', function(){

From 3abea7f8189c73f7f219d8878343d961eb9a4910 Mon Sep 17 00:00:00 2001
From: riddlew <riddle.w@gmail.com>
Date: Thu, 18 May 2023 09:26:47 -0400
Subject: [PATCH 112/130] examples: remove multipart example

Closes #5193
closes #5195
---
 examples/README.md          |  1 -
 examples/multipart/index.js | 62 -------------------------------------
 package.json                |  1 -
 3 files changed, 64 deletions(-)
 delete mode 100644 examples/multipart/index.js

diff --git a/examples/README.md b/examples/README.md
index c19ed30a25..bd1f1f6310 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -13,7 +13,6 @@ This page contains list of examples using Express.
 - [hello-world](./hello-world) - Simple request handler
 - [markdown](./markdown) - Markdown as template engine
 - [multi-router](./multi-router) - Working with multiple Express routers
-- [multipart](./multipart) - Accepting multipart-encoded forms
 - [mvc](./mvc) - MVC-style controllers
 - [online](./online) - Tracking online user activity with `online` and `redis` packages
 - [params](./params) - Working with route parameters
diff --git a/examples/multipart/index.js b/examples/multipart/index.js
deleted file mode 100644
index ea7b86e0c9..0000000000
--- a/examples/multipart/index.js
+++ /dev/null
@@ -1,62 +0,0 @@
-'use strict'
-
-/**
- * Module dependencies.
- */
-
-var express = require('../..');
-var multiparty = require('multiparty');
-var format = require('util').format;
-
-var app = module.exports = express();
-
-app.get('/', function(req, res){
-  res.send('<form method="post" enctype="multipart/form-data">'
-    + '<p>Title: <input type="text" name="title" /></p>'
-    + '<p>Image: <input type="file" name="image" /></p>'
-    + '<p><input type="submit" value="Upload" /></p>'
-    + '</form>');
-});
-
-app.post('/', function(req, res, next){
-  // create a form to begin parsing
-  var form = new multiparty.Form();
-  var image;
-  var title;
-
-  form.on('error', next);
-  form.on('close', function(){
-    res.send(format('\nuploaded %s (%d Kb) as %s'
-      , image.filename
-      , image.size / 1024 | 0
-      , title));
-  });
-
-  // listen on field event for title
-  form.on('field', function(name, val){
-    if (name !== 'title') return;
-    title = val;
-  });
-
-  // listen on part event for image file
-  form.on('part', function(part){
-    if (!part.filename) return;
-    if (part.name !== 'image') return part.resume();
-    image = {};
-    image.filename = part.filename;
-    image.size = 0;
-    part.on('data', function(buf){
-      image.size += buf.length;
-    });
-  });
-
-
-  // parse the form
-  form.parse(req);
-});
-
-/* istanbul ignore next */
-if (!module.parent) {
-  app.listen(4000);
-  console.log('Express started on port 4000');
-}
diff --git a/package.json b/package.json
index fdf81725b4..cf36773643 100644
--- a/package.json
+++ b/package.json
@@ -73,7 +73,6 @@
     "method-override": "3.0.0",
     "mocha": "10.2.0",
     "morgan": "1.10.0",
-    "multiparty": "4.2.3",
     "nyc": "15.1.0",
     "pbkdf2-password": "1.2.1",
     "supertest": "6.3.0",

From e720c5a21bfed5a9c73b2407797023bacad6980e Mon Sep 17 00:00:00 2001
From: Ulises Gascon <ulisesgascongonzalez@gmail.com>
Date: Sat, 11 Nov 2023 20:02:47 +0100
Subject: [PATCH 113/130] docs: add documentation for benchmarks

closes #5312
---
 benchmarks/README.md | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 benchmarks/README.md

diff --git a/benchmarks/README.md b/benchmarks/README.md
new file mode 100644
index 0000000000..1894c527d6
--- /dev/null
+++ b/benchmarks/README.md
@@ -0,0 +1,34 @@
+# Express Benchmarks
+
+## Installation
+
+You will need to install [wrk](https://github.com/wg/wrk/blob/master/INSTALL) in order to run the benchmarks.
+
+## Running
+
+To run the benchmarks, first install the dependencies `npm i`, then run `make`
+
+The output will look something like this:
+
+```
+  50 connections
+  1 middleware
+ 7.15ms
+ 6784.01
+
+ [...redacted...]
+
+  1000 connections
+  10 middleware
+ 139.21ms
+ 6155.19
+
+```
+
+### Tip: Include Node.js version in output
+
+You can use `make && node -v` to include the node.js version in the output.
+
+### Tip: Save the results to a file
+
+You can use `make > results.log` to save the results to a file `results.log`.

From 59af63ac2e6aea6a9cefb6fe27705ccf024d8373 Mon Sep 17 00:00:00 2001
From: Ulises Gascon <ulisesgascongonzalez@gmail.com>
Date: Sat, 17 Feb 2024 18:26:40 +0100
Subject: [PATCH 114/130] build: Node.js@18.19

closes #5490
---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b545e8bd0d..5bef1f67ed 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -107,7 +107,7 @@ jobs:
           node-version: "17.9"
 
         - name: Node.js 18.x
-          node-version: "18.17"
+          node-version: "18.19"
 
         - name: Node.js 19.x
           node-version: "19.9"
diff --git a/appveyor.yml b/appveyor.yml
index 44af842e85..b865082930 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -19,7 +19,7 @@ environment:
     - nodejs_version: "15.14"
     - nodejs_version: "16.20"
     - nodejs_version: "17.9"
-    - nodejs_version: "18.17"
+    - nodejs_version: "18.19"
     - nodejs_version: "19.9"
 cache:
   - node_modules

From 0e3ab6ec215fc297473323fb1e8d0df03033e774 Mon Sep 17 00:00:00 2001
From: Dmitry Kondar <dmitry.kondar@speedandfunction.com>
Date: Sat, 27 Jan 2024 20:29:09 +0200
Subject: [PATCH 115/130] examples: improve view count in cookie-sessions

closes #5414
---
 examples/cookie-sessions/index.js | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/examples/cookie-sessions/index.js b/examples/cookie-sessions/index.js
index 01c731c1c8..83b6faee82 100644
--- a/examples/cookie-sessions/index.js
+++ b/examples/cookie-sessions/index.js
@@ -13,13 +13,10 @@ var app = module.exports = express();
 app.use(cookieSession({ secret: 'manny is cool' }));
 
 // do something with the session
-app.use(count);
-
-// custom middleware
-function count(req, res) {
+app.get('/', function (req, res) {
   req.session.count = (req.session.count || 0) + 1
   res.send('viewed ' + req.session.count + ' times\n')
-}
+})
 
 /* istanbul ignore next */
 if (!module.parent) {

From 734b28190085c052e3ecd9c7d0b9595d9edb1b85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= <ulisesgascongonzalez@gmail.com>
Date: Fri, 2 Feb 2024 15:35:20 +0100
Subject: [PATCH 116/130] build: support Node.js 20.x

---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5bef1f67ed..df123370d9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,6 +32,7 @@ jobs:
         - Node.js 17.x
         - Node.js 18.x
         - Node.js 19.x
+        - Node.js 20.x
 
         include:
         - name: Node.js 0.10
@@ -112,6 +113,8 @@ jobs:
         - name: Node.js 19.x
           node-version: "19.9"
 
+        - name: Node.js 20.x
+          node-version: "20.11"
     steps:
     - uses: actions/checkout@v4
 

From fdeb1d3176d11506557388ecaa2fe6a250e17efc Mon Sep 17 00:00:00 2001
From: Ulises Gascon <ulisesgascongonzalez@gmail.com>
Date: Fri, 2 Feb 2024 16:31:12 +0100
Subject: [PATCH 117/130] build: support Node.js 20.x in appveyor

closes #5429
---
 appveyor.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/appveyor.yml b/appveyor.yml
index b865082930..cb3e835a89 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -21,6 +21,7 @@ environment:
     - nodejs_version: "17.9"
     - nodejs_version: "18.19"
     - nodejs_version: "19.9"
+    - nodejs_version: "20.11"
 cache:
   - node_modules
 install:

From c259c3407f8c503c83d95fb1f30b132b73bb6388 Mon Sep 17 00:00:00 2001
From: Ulises Gascon <ulisesgascongonzalez@gmail.com>
Date: Fri, 2 Feb 2024 15:38:07 +0100
Subject: [PATCH 118/130] build: support Node.js 21.x

---
 .github/workflows/ci.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index df123370d9..e880f74dab 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,6 +33,7 @@ jobs:
         - Node.js 18.x
         - Node.js 19.x
         - Node.js 20.x
+        - Node.js 21.x
 
         include:
         - name: Node.js 0.10
@@ -115,6 +116,10 @@ jobs:
 
         - name: Node.js 20.x
           node-version: "20.11"
+
+        - name: Node.js 21.x
+          node-version: "21.6.1"
+
     steps:
     - uses: actions/checkout@v4
 

From b9fea1224516e372f6f63480cc1830e5f6ee63e6 Mon Sep 17 00:00:00 2001
From: Ulises Gascon <ulisesgascongonzalez@gmail.com>
Date: Fri, 2 Feb 2024 16:31:54 +0100
Subject: [PATCH 119/130] build: support Node.js 21.x in appveyor

---
 appveyor.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/appveyor.yml b/appveyor.yml
index cb3e835a89..5c01a8d02a 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -22,6 +22,7 @@ environment:
     - nodejs_version: "18.19"
     - nodejs_version: "19.9"
     - nodejs_version: "20.11"
+    - nodejs_version: "21.6.1"
 cache:
   - node_modules
 install:

From 23b44b3ddd45bc68487cc34cd576b117ba9d2609 Mon Sep 17 00:00:00 2001
From: Ulises Gascon <ulisesgascongonzalez@gmail.com>
Date: Sat, 17 Feb 2024 18:23:09 +0100
Subject: [PATCH 120/130] build: support Node.js 21.6.2

---
 .github/workflows/ci.yml | 2 +-
 appveyor.yml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e880f74dab..aa231b74d2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -118,7 +118,7 @@ jobs:
           node-version: "20.11"
 
         - name: Node.js 21.x
-          node-version: "21.6.1"
+          node-version: "21.6.2"
 
     steps:
     - uses: actions/checkout@v4
diff --git a/appveyor.yml b/appveyor.yml
index 5c01a8d02a..8ece802a7f 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -22,7 +22,7 @@ environment:
     - nodejs_version: "18.19"
     - nodejs_version: "19.9"
     - nodejs_version: "20.11"
-    - nodejs_version: "21.6.1"
+    - nodejs_version: "21.6.2"
 cache:
   - node_modules
 install:

From e3eca805847e0057ab1c83e7d61a6cc1c1ca47f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= <ulisesgascongonzalez@gmail.com>
Date: Tue, 20 Feb 2024 08:44:27 +0100
Subject: [PATCH 121/130] build: pin Node 21.x to minor

Co-authored-by: Aravind Nair <22199259+aravindvnair99@users.noreply.github.com>
---
 appveyor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/appveyor.yml b/appveyor.yml
index 8ece802a7f..ce26523b3a 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -22,7 +22,7 @@ environment:
     - nodejs_version: "18.19"
     - nodejs_version: "19.9"
     - nodejs_version: "20.11"
-    - nodejs_version: "21.6.2"
+    - nodejs_version: "21.6"
 cache:
   - node_modules
 install:

From b625132864ef40b1fb119ff7c7b984573a7974c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= <ulisesgascongonzalez@gmail.com>
Date: Tue, 20 Feb 2024 08:44:34 +0100
Subject: [PATCH 122/130] build: pin Node 21.x to minor

Co-authored-by: Aravind Nair <22199259+aravindvnair99@users.noreply.github.com>
closes #5430
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index aa231b74d2..01c82f8196 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -118,7 +118,7 @@ jobs:
           node-version: "20.11"
 
         - name: Node.js 21.x
-          node-version: "21.6.2"
+          node-version: "21.6"
 
     steps:
     - uses: actions/checkout@v4

From 1b51edac7c5f2844e23602164a52643bb625993a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= <ulisesgascongonzalez@gmail.com>
Date: Mon, 26 Feb 2024 20:20:53 +0100
Subject: [PATCH 123/130] 4.18.3

---
 History.md   | 2 +-
 package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/History.md b/History.md
index 9e85df3ceb..0784045557 100644
--- a/History.md
+++ b/History.md
@@ -1,4 +1,4 @@
-unreleased
+4.18.3 / 2024-02-26
 ==========
 
   * Fix routing requests without method
diff --git a/package.json b/package.json
index cf36773643..c3845d2d4b 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Fast, unopinionated, minimalist web framework",
-  "version": "4.18.2",
+  "version": "4.18.3",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",

From 06c6b88808f6d836afc58296812235a96d708b33 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= <ulisesgascongonzalez@gmail.com>
Date: Sun, 10 Mar 2024 20:04:02 +0100
Subject: [PATCH 124/130] docs: update release date

---
 History.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/History.md b/History.md
index 0784045557..b674cab4b0 100644
--- a/History.md
+++ b/History.md
@@ -1,4 +1,4 @@
-4.18.3 / 2024-02-26
+4.18.3 / 2024-02-29
 ==========
 
   * Fix routing requests without method

From 414854b82ea4312f50641ddf7668c9194c3c209c Mon Sep 17 00:00:00 2001
From: Wes Todd <wes@wesleytodd.com>
Date: Thu, 29 Feb 2024 08:49:34 -0600
Subject: [PATCH 125/130] docs: nominating @wesleytodd to be project captian

---
 Contributing.md | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/Contributing.md b/Contributing.md
index dfe5f13833..7311454dd8 100644
--- a/Contributing.md
+++ b/Contributing.md
@@ -154,7 +154,21 @@ dissent.  When the PR is merged, a TC member will add them to the proper GitHub/
 
 ### Current Project Captains
 
-- `expressjs.com`: @crandmck
-- `multer`: @LinusU
-- `path-to-regexp`: @blakeembrey
-- `router`: @dougwilson
+- `expressjs/express`: @wesleytodd
+- `expressjs/discussions`: @wesleytodd
+- `expressjs/expressjs.com`: @crandmck
+- `expressjs/body-parser`: @wesleytodd
+- `expressjs/multer`: @LinusU
+- `expressjs/cookie-parser`: @wesleytodd
+- `expressjs/generator`: @wesleytodd
+- `expressjs/statusboard`: @wesleytodd
+- `pillarjs/path-to-regexp`: @blakeembrey
+- `pillarjs/router`: @dougwilson, @wesleytodd
+- `pillarjs/finalhandler`: @wesleytodd
+- `pillarjs/request`: @wesleytodd
+- `jshttp/http-errors`: @wesleytodd
+- `jshttp/cookie`: @wesleytodd
+- `jshttp/on-finished`: @wesleytodd
+- `jshttp/forwarded`: @wesleytodd
+- `jshttp/proxy-addr`: @wesleytodd
+

From 4ee853e837dcc6c6c9f93c52278abe775c717fa1 Mon Sep 17 00:00:00 2001
From: Wes Todd <wes@wesleytodd.com>
Date: Wed, 28 Feb 2024 14:49:11 -0600
Subject: [PATCH 126/130] docs: loosen TC activity rules

---
 Contributing.md | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/Contributing.md b/Contributing.md
index 7311454dd8..a9ba84690c 100644
--- a/Contributing.md
+++ b/Contributing.md
@@ -118,11 +118,13 @@ nominate someone to take their place.
 TC members will be added as admin's on the Github orgs, npm orgs, and other resources as
 necessary to be effective in the role.
 
-To remain "active" a TC member should have participation within the last 6 months and miss
-no more than three consecutive TC meetings. Members who do not meet this are expected to step down.
-If A TC member does not step down, an issue can be opened in the discussions repo to move them
-to inactive status. TC members who step down or are removed due to inactivity will be moved
-into inactive status.
+To remain "active" a TC member should have participation within the last 12 months and miss
+no more than six consecutive TC meetings. Our goal is to increase participation, not punish
+people for any lack of participation, this guideline should be only be used as such
+(replace an inactive member with a new active one, for example). Members who do not meet this
+are expected to step down. If A TC member does not step down, an issue can be opened in the
+discussions repo to move them to inactive status. TC members who step down or are removed due
+to inactivity will be moved into inactive status.
 
 Inactive status members can become active members by self nomination if the TC is not already
 larger than the maximum of 10. They will also be given preference if, while at max size, an

From 69a4cf2819c4449ec6ea45649691fb43a528d5d1 Mon Sep 17 00:00:00 2001
From: Rich Hodgkins <rich@bookcreator.com>
Date: Thu, 11 Jan 2024 11:36:11 +0000
Subject: [PATCH 127/130] deps: cookie@0.6.0

closes #5404
---
 History.md         |  7 +++++++
 package.json       |  2 +-
 test/res.cookie.js | 16 ++++++++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/History.md b/History.md
index b674cab4b0..0559bb012c 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * deps: cookie@0.6.0
+
 4.18.3 / 2024-02-29
 ==========
 
@@ -6,6 +11,8 @@
     - Fix strict json error message on Node.js 19+
     - deps: content-type@~1.0.5
     - deps: raw-body@2.5.2
+  * deps: cookie@0.6.0
+    - Add `partitioned` option
 
 4.18.2 / 2022-10-08
 ===================
diff --git a/package.json b/package.json
index c3845d2d4b..990e98dc1a 100644
--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
     "body-parser": "1.20.2",
     "content-disposition": "0.5.4",
     "content-type": "~1.0.4",
-    "cookie": "0.5.0",
+    "cookie": "0.6.0",
     "cookie-signature": "1.0.6",
     "debug": "2.6.9",
     "depd": "2.0.0",
diff --git a/test/res.cookie.js b/test/res.cookie.js
index 93deb76988..c837820605 100644
--- a/test/res.cookie.js
+++ b/test/res.cookie.js
@@ -82,6 +82,22 @@ describe('res', function(){
       })
     })
 
+    describe('partitioned', function () {
+      it('should set partitioned', function (done) {
+        var app = express();
+
+        app.use(function (req, res) {
+          res.cookie('name', 'tobi', { partitioned: true });
+          res.end();
+        });
+
+        request(app)
+          .get('/')
+          .expect('Set-Cookie', 'name=tobi; Path=/; Partitioned')
+          .expect(200, done)
+      })
+    })
+
     describe('maxAge', function(){
       it('should set relative expires', function(done){
         var app = express();

From 567c9c665d0de4c344b8e160146050770233783c Mon Sep 17 00:00:00 2001
From: Rand McKinney <crandmck@yahoo.com>
Date: Sat, 16 Mar 2024 11:57:42 -0600
Subject: [PATCH 128/130] Add note on how to update docs for new release
 (#5541)

* Update Release-Process.md

Add note about updating docs.

* Update Release-Process.md

* Update Release-Process.md
---
 Release-Process.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Release-Process.md b/Release-Process.md
index ae740972f7..55e6218925 100644
--- a/Release-Process.md
+++ b/Release-Process.md
@@ -184,3 +184,9 @@ $ npm publish
 
 **NOTE:** The version number to publish will be picked up automatically from
           package.json.
+          
+### Step 7. Update documentation website
+
+The documentation website https://expressjs.com/ documents the current release version in various places.  For a new release:
+1. Change the value of `current_version` in https://github.com/expressjs/expressjs.com/blob/gh-pages/_data/express.yml to match the latest version number.
+2. Add a new section to the change log.  For example, for a 4.x release, https://github.com/expressjs/expressjs.com/blob/gh-pages/en/changelog/4x.md,

From 0867302ddbde0e9463d0564fea5861feb708c2dd Mon Sep 17 00:00:00 2001
From: FDrag0n <34733637+FDrag0n@users.noreply.github.com>
Date: Fri, 15 Mar 2024 15:49:01 +0800
Subject: [PATCH 129/130] Prevent open redirect allow list bypass due to
 encodeurl

Co-authored-by: Jon Church <me@jonchurch.com>
---
 lib/response.js      | 20 ++++++++++++++++++-
 test/res.location.js | 46 +++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 64 insertions(+), 2 deletions(-)

diff --git a/lib/response.js b/lib/response.js
index fede486c06..f7c94d10e7 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -34,6 +34,7 @@ var extname = path.extname;
 var mime = send.mime;
 var resolve = path.resolve;
 var vary = require('vary');
+var urlParse = require('url').parse;
 
 /**
  * Response prototype.
@@ -911,8 +912,25 @@ res.location = function location(url) {
     loc = this.req.get('Referrer') || '/';
   }
 
+  var lowerLoc = loc.toLowerCase();
+  var encodedUrl = encodeUrl(loc);
+  if (lowerLoc.indexOf('https://') === 0 || lowerLoc.indexOf('http://') === 0) {
+    try {
+      var parsedUrl = urlParse(loc);
+      var parsedEncodedUrl = urlParse(encodedUrl);
+      // Because this can encode the host, check that we did not change the host
+      if (parsedUrl.host !== parsedEncodedUrl.host) {
+        // If the host changes after encodeUrl, return the original url
+        return this.set('Location', loc);
+      }
+    } catch (e) {
+      // If parse fails, return the original url
+      return this.set('Location', loc);
+    }
+  }
+
   // set location
-  return this.set('Location', encodeUrl(loc));
+  return this.set('Location', encodedUrl);
 };
 
 /**
diff --git a/test/res.location.js b/test/res.location.js
index 158afac01e..38cab027a8 100644
--- a/test/res.location.js
+++ b/test/res.location.js
@@ -1,13 +1,27 @@
 'use strict'
 
 var express = require('../')
-  , request = require('supertest');
+  , request = require('supertest')
+  , url = require('url');
 
 describe('res', function(){
   describe('.location(url)', function(){
     it('should set the header', function(done){
       var app = express();
 
+      app.use(function(req, res){
+        res.location('http://google.com/').end();
+      });
+
+      request(app)
+      .get('/')
+      .expect('Location', 'http://google.com/')
+      .expect(200, done)
+    })
+
+    it('should preserve trailing slashes when not present', function(done){
+      var app = express();
+
       app.use(function(req, res){
         res.location('http://google.com').end();
       });
@@ -31,6 +45,36 @@ describe('res', function(){
       .expect(200, done)
     })
 
+    it('should not encode bad "url"', function (done) {
+      var app = express()
+
+      app.use(function (req, res) {
+        // This is here to show a basic check one might do which
+        // would pass but then the location header would still be bad
+        if (url.parse(req.query.q).host !== 'google.com') {
+          res.status(400).end('Bad url');
+        }
+        res.location(req.query.q).end();
+      });
+
+      request(app)
+        .get('/?q=http://google.com\\@apple.com')
+        .expect(200)
+        .expect('Location', 'http://google.com\\@apple.com')
+        .end(function (err) {
+          if (err) {
+            throw err;
+          }
+
+          // This ensures that our protocol check is case insensitive
+          request(app)
+            .get('/?q=HTTP://google.com\\@apple.com')
+            .expect(200)
+            .expect('Location', 'HTTP://google.com\\@apple.com')
+            .end(done)
+        });
+    });
+
     it('should not touch already-encoded sequences in "url"', function (done) {
       var app = express()
 

From 084e36506a18774f85206a65d8da04dc1107fc1b Mon Sep 17 00:00:00 2001
From: Wes Todd <wes@wesleytodd.com>
Date: Wed, 20 Mar 2024 10:09:10 -0500
Subject: [PATCH 130/130] 4.19.0

---
 History.md   | 3 ++-
 package.json | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/History.md b/History.md
index 0559bb012c..877f1c56fb 100644
--- a/History.md
+++ b/History.md
@@ -1,6 +1,7 @@
-unreleased
+4.18.3 / 2024-03-20
 ==========
 
+  * Prevent open redirect allow list bypass due to encodeurl
   * deps: cookie@0.6.0
 
 4.18.3 / 2024-02-29
diff --git a/package.json b/package.json
index 990e98dc1a..eca07b57c8 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Fast, unopinionated, minimalist web framework",
-  "version": "4.18.3",
+  "version": "4.19.0",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",