Open 43081j opened 7 months ago
Does express even accept any PRs these days?
It doesn't seem so active anymore. This one seems low priority, you're right.
It does still result in ~27m downloads a month, though.
Express looks to parse extended query parameters.
But this has the `allowPrototypes` set to true, which looks like an attack vector, as this means you can set protected properties on the object as per the docs.
This is used when configuring how the query string middleware works if you want extended options.
The body parser from Express also looks to use it for the same reason.
Express was last updated 5 days ago so probably worth a look.
Express is actually dropping non-LTS node versions for next semver major.
although express has been slow to release lately, it will continue to be used by quite a lot of projects
so it is probably still valuable to contribute upstream to them. though i agree we should probably move to polka/tinyhttp where possible
express uses the `qs` package in at least:

This can be replaced by `URLSearchParams` (native functionality) instead of depending on a package.

However, express specifies that it supports node `>=0.8`, so it may be that we can't contribute this yet unless the express team want to bump their node constraint.

No action yet other than to discuss with the express maintainers.
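To make the trade-off discussed in this thread concrete, here is an added example (not code from the issue, express, or `qs`) of flat query parsing built only on the native `URLSearchParams`. The helper name `parseQuery` and the sample query string are assumptions made for illustration; the sketch shows that bracket keys stay literal strings and that a `__proto__` key lands as an ordinary own property on a null-prototype object.

```javascript
// Added example: parseQuery is a hypothetical helper, not an express or qs API.
// It parses a query string with the built-in URLSearchParams only.
function parseQuery(search) {
  // Null-prototype result: keys such as "__proto__" or "constructor"
  // become plain own properties and cannot reach Object.prototype.
  const out = Object.create(null);
  for (const [key, value] of new URLSearchParams(search)) {
    if (!(key in out)) {
      out[key] = value;             // first occurrence: keep a string
    } else if (Array.isArray(out[key])) {
      out[key].push(value);         // third and later occurrences
    } else {
      out[key] = [out[key], value]; // second occurrence: promote to array
    }
  }
  return out;
}

// Constructed sample input covering the cases that matter for a migration:
// a repeated key, a bracket key, a prototype-named key, an encoded value.
const SAMPLE_QUERY = "?a=1&a=2&user[role]=admin&__proto__=polluted&name=J%20Doe";

const parsedSample = parseQuery(SAMPLE_QUERY);
console.log(Object.keys(parsedSample)); // bracket key is kept as "user[role]"
console.log(parsedSample.a);            // repeated key collected into an array
```

Code that relies on nested objects from bracket syntax would need its own handling after such a switch, since `URLSearchParams` does not expand `user[role]` into `{ user: { role } }`.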