es-tooling / ecosystem-cleanup

A place to keep track of ongoing efforts to clean up the JS ecosystem

migrate express to use URLSearchParams #2

Open 43081j opened 7 months ago

43081j commented 7 months ago

express uses the qs package in at least:

This can be replaced by URLSearchParams (native functionality) instead of depending on a package.

However, express specifies that it supports node >=0.8, so it may be that we can't contribute this yet unless the express team want to bump their node constraint.

No action yet other than to discuss with the express maintainers.

kibertoad commented 7 months ago

Does express even accept any PRs these days?

43081j commented 7 months ago

It doesn't seem so active anymore. This one seems low priority, you're right.

It does still result in ~27m downloads a month, though.

jordanfinners commented 6 months ago

Express looks to parse extended query parameters

But this has allowPrototypes set to true, which looks like an attack vector, as it means you can set protected properties on the object, as per the docs

This is used when configuring how the query string middleware works if you want extended options


The body parser from Express also looks to use it for the same reason

Express was last updated 5 days ago so probably worth a look

talentlessguy commented 2 months ago

I think instead of bumping express, which is a pretty conservative framework, it would be more convincing to switch to an Express-compatible framework such as Polka or tinyhttp (sorry for the plug)

kibertoad commented 2 months ago

Express is actually dropping non-LTS node versions for next semver major

43081j commented 2 months ago

Although express has been slow to release lately, it will continue to be used by quite a lot of projects.

So it is probably still valuable to contribute upstream to them. Though I agree we should probably move to polka/tinyhttp where possible.