Update dependency express to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
express (source)	4.22.1 → 5.2.1

---

Release Notes

expressjs/express (express)

v5.2.1

Compare Source

=======================

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

v5.2.0

Compare Source

========================

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: body-parser@^2.2.1
• A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

v5.1.0

Compare Source

========================

• Add support for Uint8Array in res.send()
• Add support for ETag option in res.sendFile()
• Add support for multiple links with the same rel in res.links()
• Add funding field to package.json
• perf: use loop for acceptParams
• refactor: prefix built-in node module imports
• deps: remove setprototypeof
• deps: remove safe-buffer
• deps: remove utils-merge
• deps: remove methods
• deps: remove depd
• deps: debug@^4.4.0
• deps: body-parser@^2.2.0
• deps: router@^2.2.0
• deps: content-type@^1.0.5
• deps: finalhandler@^2.1.0
• deps: qs@^6.14.0
• deps: server-static@2.2.0
• deps: type-is@2.0.1

v5.0.1

Compare Source

==========

• Update cookie semver lock to address CVE-2024-47764

v5.0.0

Compare Source

=========================

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@​1.0.0
  • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
• change:
  • res.clearCookie will ignore user provided maxAge and expires options
• deps: cookie-signature@^1.2.1
• deps: debug@​4.3.6
• deps: merge-descriptors@^2.0.0
• deps: serve-static@^2.1.0
• deps: qs@​6.13.0
• deps: accepts@^2.0.0
• deps: mime-types@^3.0.0
  • application/javascript => text/javascript
• deps: type-is@^2.0.0
• deps: content-disposition@^1.0.0
• deps: finalhandler@^2.0.0
• deps: fresh@^2.0.0
• deps: body-parser@^2.0.1
• deps: send@^1.1.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge with Testing

Overview

This PR upgrades Express from v4.22.1 to v5.2.1, a major version upgrade. The codebase appears compatible with Express 5's breaking changes based on code analysis.

Express 5 Compatibility Verified

✅ No usage of deprecated methods:

• No app.del() (use app.delete() instead)
• No req.param() (use req.params, req.body, or req.query)
• No res.redirect('back') or res.location('back') magic strings

✅ Status codes are valid:

• All HTTP status codes used are valid integers

✅ Route handlers:

• Socket.IO event handlers use proper async/await patterns
• Error handling present in async operations

Testing Recommendations

Before merging to production:

1. Run the existing test suite (npm test)
2. Test Socket.IO integration (Express 5 has updated middleware handling)
3. Verify file upload/download functionality
4. Test all HTTP routes and error handling
5. Verify static file serving works correctly

Key areas to test:

• Dashboard info retrieval (Socket.IO event: getdash)
• Menu upgrades (Socket.IO events: upgrademenus, upgrademenusdev)
• File editing and saving (Socket.IO events: editgetfile, saveconfig)
• Remote file downloads (Socket.IO event: dlremote)

Files Reviewed (1 file)

• package.json - Express version upgrade from 4.22.1 to 5.2.1

---

Note: This is a major version upgrade. While the code review shows no blocking issues, thorough testing is recommended before deploying to production.

Fix any issues in Kilo Cloud