.editorconfig

@@ -1,4 +1,4 @@
-# https://editorconfig.org
+# http://editorconfig.org
 root = true
 
 [*]

.eslintrc

@@ -0,0 +1,8 @@
+{
+  "rules": {
+    "eol-last": "error",
+    "indent": ["error", 2, { "SwitchCase": 1 }],
+    "no-trailing-spaces": "error",
+    "no-unused-vars": ["error", { "vars": "all", "args": "none", "ignoreRestSiblings": true }]
+  }
+}

.eslintrc.yml

@@ -1,14 +0,0 @@
-root: true
-env:
-  es2022: true
-  node: true
-rules:
-  eol-last: error
-  eqeqeq: [error, allow-null]
-  indent: [error, 2, { MemberExpression: "off", SwitchCase: 1 }]
-  no-trailing-spaces: error
-  no-unused-vars: [error, { vars: all, args: none, ignoreRestSiblings: true }]
-  no-restricted-globals:
-    - error
-    - name: Buffer
-      message: Use `import { Buffer } from "node:buffer"` instead of the global Buffer.

.github/dependabot.yml

@@ -1,17 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: monthly
-
-  - package-ecosystem: npm
-    directory: /
-    schedule:
-      interval: monthly
-      time: "23:00"
-      timezone: Europe/London
-    open-pull-requests-limit: 10
-    ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-major"]

.github/workflows/ci.yml

@@ -1,117 +0,0 @@
-name: ci
-
-on:
-  push:
-    branches:
-      - master
-      - develop
-      - '4.x'
-      - '5.x'
-      - '5.0'
-    paths-ignore:
-      - '*.md'
-  pull_request:
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-# Cancel in progress workflows
-# in the scenario where we already had a run going for that PR/branch/tag but then triggered a new run
-concurrency:
-  group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
-  cancel-in-progress: true
-
-jobs:
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-      - name: Setup Node.js
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
-        with:
-          node-version: 'lts/*'
-
-      - name: Install dependencies
-        run: npm install --ignore-scripts --include=dev
-
-      - name: Run lint
-        run: npm run lint
-
-  test:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, windows-latest]
-        node-version: [18, 19, 20, 21, 22, 23, 24, 25]
-        # Node.js release schedule: https://nodejs.org/en/about/releases/
-
-    name: Node.js ${{ matrix.node-version }} - ${{matrix.os}}
-
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
-        with:
-          node-version: ${{ matrix.node-version }}
-
-      - name: Configure npm loglevel
-        run: |
-          npm config set loglevel error
-        shell: bash
-
-      - name: Install dependencies
-        run: npm install
-
-      - name: Output Node and NPM versions
-        run: |
-          echo "Node.js version: $(node -v)"
-          echo "NPM version: $(npm -v)"
-
-      - name: Run tests
-        shell: bash
-        run: npm run test-ci
-
-      - name: Upload code coverage
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-        with:
-          name: coverage-node-${{ matrix.node-version }}-${{ matrix.os }}
-          path: ./coverage/lcov.info
-          retention-days: 1
-
-  coverage:
-    needs: test
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      checks: write
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-
-      - name: Install lcov
-        shell: bash
-        run: sudo apt-get -y install lcov
-
-      - name: Collect coverage reports
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
-        with:
-          path: ./coverage
-          pattern: coverage-node-*
-
-      - name: Merge coverage reports
-        shell: bash
-        run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./lcov.info
-
-      - name: Upload coverage report
-        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
-        with:
-          file: ./lcov.info

.github/workflows/codeql.yml

@@ -1,74 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
-  push:
-    branches: ["master"]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: ["master"]
-  schedule:
-    - cron: "0 0 * * 1"
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [javascript, actions]
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5
-        with:
-          languages: ${{ matrix.language }}
-          config: |
-            paths-ignore:
-              - test
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      # - name: Autobuild
-      #   uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
-
-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-      #   If the Autobuild fails above, remove it and uncomment the following three lines.
-      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-      # - run: |
-      #   echo "Run, Build Application using script"
-      #   ./location_of_script_within_repo/buildscript.sh
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5

.github/workflows/legacy.yml

@@ -1,101 +0,0 @@
-name: legacy
-
-on:
-  push:
-    branches:
-      - master
-      - develop
-      - '4.x'
-      - '5.x'
-      - '5.0'
-    paths-ignore:
-      - '*.md'
-  pull_request:
-    paths-ignore:
-      - '*.md'
-  workflow_dispatch:
-  
-permissions:
-  contents: read
-
-# Cancel in progress workflows
-# in the scenario where we already had a run going for that PR/branch/tag but then triggered a new run
-concurrency:
-  group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
-  cancel-in-progress: true
-
-jobs:
-  test:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, windows-latest]
-        node-version: [16, 17]
-        # Node.js release schedule: https://nodejs.org/en/about/releases/
-
-    name: Node.js ${{ matrix.node-version }} - ${{matrix.os}}
-
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
-        with:
-          node-version: ${{ matrix.node-version }}
-
-      - name: Configure npm loglevel
-        run: |
-          npm config set loglevel error
-        shell: bash
-
-      - name: Install dependencies
-        run: npm install
-
-      - name: Output Node and NPM versions
-        run: |
-          echo "Node.js version: $(node -v)"
-          echo "NPM version: $(npm -v)"
-
-      - name: Run tests
-        shell: bash
-        run: npm run test-ci
-
-      - name: Upload code coverage
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-        with:
-          name: coverage-node-${{ matrix.node-version }}-${{ matrix.os }}
-          path: ./coverage/lcov.info
-          retention-days: 1
-
-  coverage:
-    needs: test
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      checks: write
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-
-      - name: Install lcov
-        shell: bash
-        run: sudo apt-get -y install lcov
-
-      - name: Collect coverage reports
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
-        with:
-          path: ./coverage
-          pattern: coverage-node-*
-
-      - name: Merge coverage reports
-        shell: bash
-        run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./lcov.info
-
-      - name: Upload coverage report
-        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
-        with:
-          file: ./lcov.info

.github/workflows/scorecard.yml

@@ -1,72 +0,0 @@
-# This workflow uses actions that are not certified by GitHub. They are provided
-# by a third-party and are governed by separate terms of service, privacy
-# policy, and support documentation.
-
-name: Scorecard supply-chain security
-on:
-  # For Branch-Protection check. Only the default branch is supported. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-  branch_protection_rule:
-  # To guarantee Maintained check is occasionally updated. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
-  schedule:
-    - cron: '16 21 * * 1'
-  push:
-    branches: [ "master" ]
-
-# Declare default permissions as read only.
-permissions: read-all
-
-jobs:
-  analysis:
-    name: Scorecard analysis
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload the results to code-scanning dashboard.
-      security-events: write
-      # Needed to publish results and get a badge (see publish_results below).
-      id-token: write
-      # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
-
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # - you are installing Scorecard on a *private* repository
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
-
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
-          publish_results: true
-
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5
-        with:
-          sarif_file: results.sarif

.gitignore

@@ -1,20 +1,27 @@
+# OS X
+.DS_Store*
+Icon?
+._*
+
+# Windows
+Thumbs.db
+ehthumbs.db
+Desktop.ini
+
+# Linux
+.directory
+*~
+
+
 # npm
 node_modules
 package-lock.json
-npm-shrinkwrap.json
 *.log
 *.gz
 
-# Yarn
-yarn-error.log
-yarn.lock
 
 # Coveralls
-.nyc_output
 coverage
 
 # Benchmarking
 benchmarks/graphs
-
-# ignore additional files using core.excludesFile
-# https://git-scm.com/docs/gitignore

.npmrc

@@ -1 +0,0 @@
-package-lock=false

.travis.yml

@@ -0,0 +1,39 @@
+language: node_js
+node_js:
+  - "0.10"
+  - "0.12"
+  - "1.8"
+  - "2.5"
+  - "3.3"
+  - "4.8"
+  - "5.12"
+  - "6.11"
+  - "7.10"
+  - "8.4"
+matrix:
+  include:
+    - node_js: "8"
+      env: "NVM_NODEJS_ORG_MIRROR=https://nodejs.org/download/nightly"
+    - node_js: "9"
+      env: "NVM_NODEJS_ORG_MIRROR=https://nodejs.org/download/nightly"
+  allow_failures:
+    # Allow the nightly installs to fail
+    - env: "NVM_NODEJS_ORG_MIRROR=https://nodejs.org/download/nightly"
+sudo: false
+cache:
+  directories:
+    - node_modules
+before_install:
+  # Skip updating shrinkwrap / lock
+  - "npm config set shrinkwrap false"
+
+  # Remove all non-test dependencies
+  - "npm rm --save-dev connect-redis"
+
+  # Update Node.js modules
+  - "test ! -d node_modules || npm prune"
+  - "test ! -d node_modules || npm rebuild"
+script:
+  - "npm run test-ci"
+  - "npm run lint"
+after_script: "npm install coveralls@2.10.0 && cat ./coverage/lcov.info | coveralls"

Collaborator-Guide.md

@@ -0,0 +1,50 @@
+
+## Website Issues
+
+Open issues for the expressjs.com website in https://github.com/expressjs/expressjs.com.
+
+## PRs and Code contributions
+
+* Tests must pass.
+* Follow the [JavaScript Standard Style](http://standardjs.com/) and `npm run lint`.
+* If you fix a bug, add a test.
+
+## Branches
+
+Use the `master` branch for bug fixes or minor work that is intended for the
+current release stream.
+
+Use the correspondingly named branch, e.g. `5.0`, for anything intended for
+a future release of Express.
+
+## Steps for contributing
+
+1. [Create an issue](https://github.com/expressjs/express/issues/new) for the
+   bug you want to fix or the feature that you want to add.
+2. Create your own [fork](https://github.com/expressjs/express) on github, then
+   checkout your fork.
+3. Write your code in your local copy. It's good practice to create a branch for
+   each new issue you work on, although not compulsory.
+4. To run the test suite, first install the dependencies by running `npm install`,
+   then run `npm test`.
+5. Ensure your code is linted by running `npm run lint` -- fix any issue you
+   see listed.
+6. If the tests pass, you can commit your changes to your fork and then create
+   a pull request from there. Make sure to reference your issue from the pull
+   request comments by including the issue number e.g. `#123`.
+
+## Issues which are questions
+
+We will typically close any vague issues or questions that are specific to some
+app you are writing. Please double check the docs and other references before
+being trigger happy with posting a question issue.
+
+Things that will help get your question issue looked at:
+
+* Full and runnable JS code.
+* Clear description of the problem or unexpected behavior.
+* Clear description of the expected result.
+* Steps you have taken to debug it yourself.
+
+If you post a question and do not outline the above items or make it easy for
+us to understand and reproduce your issue, it will be closed.

Contributing.md

@@ -0,0 +1,85 @@
+# Express.js Community Contributing Guide 1.0
+
+The goal of this document is to create a contribution process that:
+
+* Encourages new contributions.
+* Encourages contributors to remain involved.
+* Avoids unnecessary processes and bureaucracy whenever possible.
+* Creates a transparent decision making process that makes it clear how
+contributors can be involved in decision making.
+
+## Vocabulary
+
+* A **Contributor** is any individual creating or commenting on an issue or pull request.
+* A **Committer** is a subset of contributors who have been given write access to the repository.
+* A **TC (Technical Committee)** is a group of committers representing the required technical
+expertise to resolve rare disputes.
+
+# Logging Issues
+
+Log an issue for any question or problem you might have. When in doubt, log an issue, and
+any additional policies about what to include will be provided in the responses. The only
+exception is security dislosures which should be sent privately.
+
+Committers may direct you to another repository, ask for additional clarifications, and
+add appropriate metadata before the issue is addressed.
+
+Please be courteous and respectful. Every participant is expected to follow the
+project's Code of Conduct.
+
+# Contributions
+
+Any change to resources in this repository must be through pull requests. This applies to all changes
+to documentation, code, binary files, etc. Even long term committers and TC members must use
+pull requests.
+
+No pull request can be merged without being reviewed.
+
+For non-trivial contributions, pull requests should sit for at least 36 hours to ensure that
+contributors in other timezones have time to review. Consideration should also be given to
+weekends and other holiday periods to ensure active committers all have reasonable time to
+become involved in the discussion and review process if they wish.
+
+The default for each contribution is that it is accepted once no committer has an objection.
+During review committers may also request that a specific contributor who is most versed in a
+particular area gives a "LGTM" before the PR can be merged. There is no additional "sign off"
+process for contributions to land. Once all issues brought by committers are addressed it can
+be landed by any committer.
+
+In the case of an objection being raised in a pull request by another committer, all involved
+committers should seek to arrive at a consensus by way of addressing concerns being expressed
+by discussion, compromise on the proposed change, or withdrawal of the proposed change.
+
+If a contribution is controversial and committers cannot agree about how to get it to land
+or if it should land then it should be escalated to the TC. TC members should regularly
+discuss pending contributions in order to find a resolution. It is expected that only a
+small minority of issues be brought to the TC for resolution and that discussion and
+compromise among committers be the default resolution mechanism.
+
+# Becoming a Committer
+
+All contributors who land a non-trivial contribution should be on-boarded in a timely manner,
+and added as a committer, and be given write access to the repository.
+
+Committers are expected to follow this policy and continue to send pull requests, go through
+proper review, and have other committers merge their pull requests.
+
+# TC Process
+
+The TC uses a "consensus seeking" process for issues that are escalated to the TC.
+The group tries to find a resolution that has no open objections among TC members.
+If a consensus cannot be reached that has no objections then a majority wins vote
+is called. It is also expected that the majority of decisions made by the TC are via
+a consensus seeking process and that voting is only used as a last-resort.
+
+Resolution may involve returning the issue to committers with suggestions on how to
+move forward towards a consensus. It is not expected that a meeting of the TC
+will resolve all issues on its agenda during that meeting and may prefer to continue
+the discussion happening among the committers.
+
+Members can be added to the TC at any time. Any committer can nominate another committer
+to the TC and the TC uses its standard consensus seeking process to evaluate whether or
+not to add this new member. Members who do not participate consistently at the level of
+a majority of the other members are expected to resign.
+
+

History.md

@@ -1,487 +1,3 @@
-5.1.0 / 2025-03-31
-========================
-
-* Add support for `Uint8Array` in `res.send()`
-* Add support for ETag option in `res.sendFile()`
-* Add support for multiple links with the same rel in `res.links()`
-* Add funding field to package.json
-* perf: use loop for acceptParams
-* refactor: prefix built-in node module imports
-* deps: remove `setprototypeof`
-* deps: remove `safe-buffer`
-* deps: remove `utils-merge`
-* deps: remove `methods`
-* deps: remove `depd`
-* deps: `debug@^4.4.0`
-* deps: `body-parser@^2.2.0`
-* deps: `router@^2.2.0`
-* deps: `content-type@^1.0.5`
-* deps: `finalhandler@^2.1.0`
-* deps: `qs@^6.14.0`
-* deps: `server-static@2.2.0`
-* deps: `type-is@2.0.1`
-
-5.0.1 / 2024-10-08
-==========
-
-* Update `cookie` semver lock to address [CVE-2024-47764](https://nvd.nist.gov/vuln/detail/CVE-2024-47764)
-
-5.0.0 / 2024-09-10
-=========================
-* remove:
-  - `path-is-absolute` dependency - use `path.isAbsolute` instead
-* breaking:
-  * `res.status()` accepts only integers, and input must be greater than 99 and less than 1000
-    * will throw a `RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000.` for inputs outside this range
-    * will throw a `TypeError: Invalid status code: ${code}. Status code must be an integer.` for non integer inputs
-  * deps: send@1.0.0
-  * `res.redirect('back')` and `res.location('back')` is no longer a supported magic string, explicitly use `req.get('Referrer') || '/'`.
-* change:
-  - `res.clearCookie` will ignore user provided `maxAge` and `expires` options
-* deps: cookie-signature@^1.2.1
-* deps: debug@4.3.6
-* deps: merge-descriptors@^2.0.0
-* deps: serve-static@^2.1.0
-* deps: qs@6.13.0
-* deps: accepts@^2.0.0
-* deps: mime-types@^3.0.0
-  - `application/javascript` => `text/javascript`
-* deps: type-is@^2.0.0
-* deps: content-disposition@^1.0.0
-* deps: finalhandler@^2.0.0
-* deps: fresh@^2.0.0
-* deps: body-parser@^2.0.1
-* deps: send@^1.1.0
-
-5.0.0-beta.3 / 2024-03-25
-=========================
-
-This incorporates all changes after 4.19.1 up to 4.19.2.
-
-5.0.0-beta.2 / 2024-03-20
-=========================
-
-This incorporates all changes after 4.17.2 up to 4.19.1.
-
-5.0.0-beta.1 / 2022-02-14
-=========================
-
-This is the first Express 5.0 beta release, based off 4.17.2 and includes
-changes from 5.0.0-alpha.8.
-
-  * change:
-    - Default "query parser" setting to `'simple'`
-    - Requires Node.js 4+
-    - Use `mime-types` for file to content type mapping
-  * deps: array-flatten@3.0.0
-  * deps: body-parser@2.0.0-beta.1
-    - `req.body` is no longer always initialized to `{}`
-    - `urlencoded` parser now defaults `extended` to `false`
-    - Use `on-finished` to determine when body read
-  * deps: router@2.0.0-beta.1
-    - Add new `?`, `*`, and `+` parameter modifiers
-    - Internalize private `router.process_params` method
-    - Matching group expressions are only RegExp syntax
-    - Named matching groups no longer available by position in `req.params`
-    - Regular expressions can only be used in a matching group
-    - Remove `debug` dependency
-    - Special `*` path segment behavior removed
-    - deps: array-flatten@3.0.0
-    - deps: parseurl@~1.3.3
-    - deps: path-to-regexp@3.2.0
-    - deps: setprototypeof@1.2.0
-  * deps: send@1.0.0-beta.1
-    - Change `dotfiles` option default to `'ignore'`
-    - Remove `hidden` option; use `dotfiles` option instead
-    - Use `mime-types` for file to content type mapping
-    - deps: debug@3.1.0
-  * deps: serve-static@2.0.0-beta.1
-    - Change `dotfiles` option default to `'ignore'`
-    - Remove `hidden` option; use `dotfiles` option instead
-    - Use `mime-types` for file to content type mapping
-    - Remove `express.static.mime` export; use `mime-types` package instead
-    - deps: send@1.0.0-beta.1
-
-5.0.0-alpha.8 / 2020-03-25
-==========================
-
-This is the eighth Express 5.0 alpha release, based off 4.17.1 and includes
-changes from 5.0.0-alpha.7.
-
-5.0.0-alpha.7 / 2018-10-26
-==========================
-
-This is the seventh Express 5.0 alpha release, based off 4.16.4 and includes
-changes from 5.0.0-alpha.6.
-
-The major change with this alpha is the basic support for returned, rejected
-Promises in the router.
-
-  * remove:
-    - `path-to-regexp` dependency
-  * deps: debug@3.1.0
-    - Add `DEBUG_HIDE_DATE` environment variable
-    - Change timer to per-namespace instead of global
-    - Change non-TTY date format
-    - Remove `DEBUG_FD` environment variable support
-    - Support 256 namespace colors
-  * deps: router@2.0.0-alpha.1
-    - Add basic support for returned, rejected Promises
-    - Fix JSDoc for `Router` constructor
-    - deps: debug@3.1.0
-    - deps: parseurl@~1.3.2
-    - deps: setprototypeof@1.1.0
-    - deps: utils-merge@1.0.1
-
-5.0.0-alpha.6 / 2017-09-24
-==========================
-
-This is the sixth Express 5.0 alpha release, based off 4.15.5 and includes
-changes from 5.0.0-alpha.5.
-
-  * remove:
-    - `res.redirect(url, status)` signature - use `res.redirect(status, url)`
-    - `res.send(status, body)` signature - use `res.status(status).send(body)`
-  * deps: router@~1.3.1
-    - deps: debug@2.6.8
-
-5.0.0-alpha.5 / 2017-03-06
-==========================
-
-This is the fifth Express 5.0 alpha release, based off 4.15.2 and includes
-changes from 5.0.0-alpha.4.
-
-5.0.0-alpha.4 / 2017-03-01
-==========================
-
-This is the fourth Express 5.0 alpha release, based off 4.15.0 and includes
-changes from 5.0.0-alpha.3.
-
-  * remove:
-    - Remove Express 3.x middleware error stubs
-  * deps: router@~1.3.0
-    - Add `next("router")` to exit from router
-    - Fix case where `router.use` skipped requests routes did not
-    - Skip routing when `req.url` is not set
-    - Use `%o` in path debug to tell types apart
-    - deps: debug@2.6.1
-    - deps: setprototypeof@1.0.3
-    - perf: add fast match path for `*` route
-
-5.0.0-alpha.3 / 2017-01-28
-==========================
-
-This is the third Express 5.0 alpha release, based off 4.14.1 and includes
-changes from 5.0.0-alpha.2.
-
-  * remove:
-    - `res.json(status, obj)` signature - use `res.status(status).json(obj)`
-    - `res.jsonp(status, obj)` signature - use `res.status(status).jsonp(obj)`
-    - `res.vary()` (no arguments) -- provide a field name as an argument
-  * deps: array-flatten@2.1.1
-  * deps: path-is-absolute@1.0.1
-  * deps: router@~1.1.5
-    - deps: array-flatten@2.0.1
-    - deps: methods@~1.1.2
-    - deps: parseurl@~1.3.1
-    - deps: setprototypeof@1.0.2
-
-5.0.0-alpha.2 / 2015-07-06
-==========================
-
-This is the second Express 5.0 alpha release, based off 4.13.1 and includes
-changes from 5.0.0-alpha.1.
-
-  * remove:
-    - `app.param(fn)`
-    - `req.param()` -- use `req.params`, `req.body`, or `req.query` instead
-  * change:
-    - `res.render` callback is always async, even for sync view engines
-    - The leading `:` character in `name` for `app.param(name, fn)` is no longer removed
-    - Use `router` module for routing
-    - Use `path-is-absolute` module for absolute path detection
-
-5.0.0-alpha.1 / 2014-11-06
-==========================
-
-This is the first Express 5.0 alpha release, based off 4.10.1.
-
-  * remove:
-    - `app.del` - use `app.delete`
-    - `req.acceptsCharset` - use `req.acceptsCharsets`
-    - `req.acceptsEncoding` - use `req.acceptsEncodings`
-    - `req.acceptsLanguage` - use `req.acceptsLanguages`
-    - `res.json(obj, status)` signature - use `res.json(status, obj)`
-    - `res.jsonp(obj, status)` signature - use `res.jsonp(status, obj)`
-    - `res.send(body, status)` signature - use `res.send(status, body)`
-    - `res.send(status)` signature - use `res.sendStatus(status)`
-    - `res.sendfile` - use `res.sendFile` instead
-    - `express.query` middleware
-  * change:
-    - `req.host` now returns host (`hostname:port`) - use `req.hostname` for only hostname
-    - `req.query` is now a getter instead of a plain property
-  * add:
-    - `app.router` is a reference to the base router
-
-4.20.0 / 2024-09-10
-==========
-  * deps: serve-static@0.16.0
-    * Remove link renderization in html while redirecting
-  * deps: send@0.19.0
-    * Remove link renderization in html while redirecting
-  * deps: body-parser@0.6.0
-    * add `depth` option to customize the depth level in the parser
-    * IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`)
-  * Remove link renderization in html while using `res.redirect`
-  * deps: path-to-regexp@0.1.10
-    - Adds support for named matching groups in the routes using a regex
-    - Adds backtracking protection to parameters without regexes defined
-  * deps: encodeurl@~2.0.0
-    - Removes encoding of `\`, `|`, and `^` to align better with URL spec
-  * Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie`
-    - Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie
-
-4.19.2 / 2024-03-25
-==========
-
-  * Improved fix for open redirect allow list bypass
-
-4.19.1 / 2024-03-20
-==========
-
-  * Allow passing non-strings to res.location with new encoding handling checks
-
-4.19.0 / 2024-03-20
-==========
-
-  * Prevent open redirect allow list bypass due to encodeurl
-  * deps: cookie@0.6.0
-
-4.18.3 / 2024-02-29
-==========
-
-  * Fix routing requests without method
-  * deps: body-parser@1.20.2
-    - Fix strict json error message on Node.js 19+
-    - deps: content-type@~1.0.5
-    - deps: raw-body@2.5.2
-  * deps: cookie@0.6.0
-    - Add `partitioned` option
-
-4.18.2 / 2022-10-08
-===================
-
-  * Fix regression routing a large stack in a single route
-  * deps: body-parser@1.20.1
-    - deps: qs@6.11.0
-    - perf: remove unnecessary object clone
-  * deps: qs@6.11.0
-
-4.18.1 / 2022-04-29
-===================
-
-  * Fix hanging on large stack of sync routes
-
-4.18.0 / 2022-04-25
-===================
-
-  * Add "root" option to `res.download`
-  * Allow `options` without `filename` in `res.download`
-  * Deprecate string and non-integer arguments to `res.status`
-  * Fix behavior of `null`/`undefined` as `maxAge` in `res.cookie`
-  * Fix handling very large stacks of sync middleware
-  * Ignore `Object.prototype` values in settings through `app.set`/`app.get`
-  * Invoke `default` with same arguments as types in `res.format`
-  * Support proper 205 responses using `res.send`
-  * Use `http-errors` for `res.format` error
-  * deps: body-parser@1.20.0
-    - Fix error message for json parse whitespace in `strict`
-    - Fix internal error when inflated body exceeds limit
-    - Prevent loss of async hooks context
-    - Prevent hanging when request already read
-    - deps: depd@2.0.0
-    - deps: http-errors@2.0.0
-    - deps: on-finished@2.4.1
-    - deps: qs@6.10.3
-    - deps: raw-body@2.5.1
-  * deps: cookie@0.5.0
-    - Add `priority` option
-    - Fix `expires` option to reject invalid dates
-  * deps: depd@2.0.0
-    - Replace internal `eval` usage with `Function` constructor
-    - Use instance methods on `process` to check for listeners
-  * deps: finalhandler@1.2.0
-    - Remove set content headers that break response
-    - deps: on-finished@2.4.1
-    - deps: statuses@2.0.1
-  * deps: on-finished@2.4.1
-    - Prevent loss of async hooks context
-  * deps: qs@6.10.3
-  * deps: send@0.18.0
-    - Fix emitted 416 error missing headers property
-    - Limit the headers removed for 304 response
-    - deps: depd@2.0.0
-    - deps: destroy@1.2.0
-    - deps: http-errors@2.0.0
-    - deps: on-finished@2.4.1
-    - deps: statuses@2.0.1
-  * deps: serve-static@1.15.0
-    - deps: send@0.18.0
-  * deps: statuses@2.0.1
-    - Remove code 306
-    - Rename `425 Unordered Collection` to standard `425 Too Early`
-
-4.17.3 / 2022-02-16
-===================
-
-  * deps: accepts@~1.3.8
-    - deps: mime-types@~2.1.34
-    - deps: negotiator@0.6.3
-  * deps: body-parser@1.19.2
-    - deps: bytes@3.1.2
-    - deps: qs@6.9.7
-    - deps: raw-body@2.4.3
-  * deps: cookie@0.4.2
-  * deps: qs@6.9.7
-    * Fix handling of `__proto__` keys
-  * pref: remove unnecessary regexp for trust proxy
-
-4.17.2 / 2021-12-16
-===================
-
-  * Fix handling of `undefined` in `res.jsonp`
-  * Fix handling of `undefined` when `"json escape"` is enabled
-  * Fix incorrect middleware execution with unanchored `RegExp`s
-  * Fix `res.jsonp(obj, status)` deprecation message
-  * Fix typo in `res.is` JSDoc
-  * deps: body-parser@1.19.1
-    - deps: bytes@3.1.1
-    - deps: http-errors@1.8.1
-    - deps: qs@6.9.6
-    - deps: raw-body@2.4.2
-    - deps: safe-buffer@5.2.1
-    - deps: type-is@~1.6.18
-  * deps: content-disposition@0.5.4
-    - deps: safe-buffer@5.2.1
-  * deps: cookie@0.4.1
-    - Fix `maxAge` option to reject invalid values
-  * deps: proxy-addr@~2.0.7
-    - Use `req.socket` over deprecated `req.connection`
-    - deps: forwarded@0.2.0
-    - deps: ipaddr.js@1.9.1
-  * deps: qs@6.9.6
-  * deps: safe-buffer@5.2.1
-  * deps: send@0.17.2
-    - deps: http-errors@1.8.1
-    - deps: ms@2.1.3
-    - pref: ignore empty http tokens
-  * deps: serve-static@1.14.2
-    - deps: send@0.17.2
-  * deps: setprototypeof@1.2.0
-
-4.17.1 / 2019-05-25
-===================
-
-  * Revert "Improve error message for `null`/`undefined` to `res.status`"
-
-4.17.0 / 2019-05-16
-===================
-
-  * Add `express.raw` to parse bodies into `Buffer`
-  * Add `express.text` to parse bodies into string
-  * Improve error message for non-strings to `res.sendFile`
-  * Improve error message for `null`/`undefined` to `res.status`
-  * Support multiple hosts in `X-Forwarded-Host`
-  * deps: accepts@~1.3.7
-  * deps: body-parser@1.19.0
-    - Add encoding MIK
-    - Add petabyte (`pb`) support
-    - Fix parsing array brackets after index
-    - deps: bytes@3.1.0
-    - deps: http-errors@1.7.2
-    - deps: iconv-lite@0.4.24
-    - deps: qs@6.7.0
-    - deps: raw-body@2.4.0
-    - deps: type-is@~1.6.17
-  * deps: content-disposition@0.5.3
-  * deps: cookie@0.4.0
-    - Add `SameSite=None` support
-  * deps: finalhandler@~1.1.2
-    - Set stricter `Content-Security-Policy` header
-    - deps: parseurl@~1.3.3
-    - deps: statuses@~1.5.0
-  * deps: parseurl@~1.3.3
-  * deps: proxy-addr@~2.0.5
-    - deps: ipaddr.js@1.9.0
-  * deps: qs@6.7.0
-    - Fix parsing array brackets after index
-  * deps: range-parser@~1.2.1
-  * deps: send@0.17.1
-    - Set stricter CSP header in redirect & error responses
-    - deps: http-errors@~1.7.2
-    - deps: mime@1.6.0
-    - deps: ms@2.1.1
-    - deps: range-parser@~1.2.1
-    - deps: statuses@~1.5.0
-    - perf: remove redundant `path.normalize` call
-  * deps: serve-static@1.14.1
-    - Set stricter CSP header in redirect response
-    - deps: parseurl@~1.3.3
-    - deps: send@0.17.1
-  * deps: setprototypeof@1.1.1
-  * deps: statuses@~1.5.0
-    - Add `103 Early Hints`
-  * deps: type-is@~1.6.18
-    - deps: mime-types@~2.1.24
-    - perf: prevent internal `throw` on invalid type
-
-4.16.4 / 2018-10-10
-===================
-
-  * Fix issue where `"Request aborted"` may be logged in `res.sendfile`
-  * Fix JSDoc for `Router` constructor
-  * deps: body-parser@1.18.3
-    - Fix deprecation warnings on Node.js 10+
-    - Fix stack trace for strict json parse error
-    - deps: depd@~1.1.2
-    - deps: http-errors@~1.6.3
-    - deps: iconv-lite@0.4.23
-    - deps: qs@6.5.2
-    - deps: raw-body@2.3.3
-    - deps: type-is@~1.6.16
-  * deps: proxy-addr@~2.0.4
-    - deps: ipaddr.js@1.8.0
-  * deps: qs@6.5.2
-  * deps: safe-buffer@5.1.2
-
-4.16.3 / 2018-03-12
-===================
-
-  * deps: accepts@~1.3.5
-    - deps: mime-types@~2.1.18
-  * deps: depd@~1.1.2
-    - perf: remove argument reassignment
-  * deps: encodeurl@~1.0.2
-    - Fix encoding `%` as last character
-  * deps: finalhandler@1.1.1
-    - Fix 404 output for bad / missing pathnames
-    - deps: encodeurl@~1.0.2
-    - deps: statuses@~1.4.0
-  * deps: proxy-addr@~2.0.3
-    - deps: ipaddr.js@1.6.0
-  * deps: send@0.16.2
-    - Fix incorrect end tag in default error & redirects
-    - deps: depd@~1.1.2
-    - deps: encodeurl@~1.0.2
-    - deps: statuses@~1.4.0
-  * deps: serve-static@1.13.2
-    - Fix incorrect end tag in redirects
-    - deps: encodeurl@~1.0.2
-    - deps: send@0.16.2
-  * deps: statuses@~1.4.0
-  * deps: type-is@~1.6.16
-    - deps: mime-types@~2.1.18
-
 4.16.2 / 2017-10-09
 ===================
 
@@ -731,7 +247,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
     - Fix including type extensions in parameters in `Accept` parsing
     - Fix parsing `Accept` parameters with quoted equals
     - Fix parsing `Accept` parameters with quoted semicolons
-    - Many performance improvements
+    - Many performance improvments
     - deps: mime-types@~2.1.11
     - deps: negotiator@0.6.1
   * deps: content-type@~1.0.2
@@ -746,7 +262,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
     - perf: enable strict mode
     - perf: hoist regular expression
     - perf: use for loop in parse
-    - perf: use string concatenation for serialization
+    - perf: use string concatination for serialization
   * deps: finalhandler@0.5.0
     - Change invalid or non-numeric status code to 500
     - Overwrite status message to match set status code
@@ -756,7 +272,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
   * deps: proxy-addr@~1.1.2
     - Fix accepting various invalid netmasks
     - Fix IPv6-mapped IPv4 validation edge cases
-    - IPv4 netmasks must be contiguous
+    - IPv4 netmasks must be contingous
     - IPv6 addresses cannot be used as a netmask
     - deps: ipaddr.js@1.1.1
   * deps: qs@6.2.0
@@ -1534,13 +1050,13 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
    - deps: negotiator@0.4.6
  * deps: debug@1.0.2
  * deps: send@0.4.3
-   - Do not throw uncatchable error on file open race condition
+   - Do not throw un-catchable error on file open race condition
    - Use `escape-html` for HTML escaping
    - deps: debug@1.0.2
    - deps: finished@1.2.2
    - deps: fresh@0.2.2
  * deps: serve-static@1.2.3
-   - Do not throw uncatchable error on file open race condition
+   - Do not throw un-catchable error on file open race condition
    - deps: send@0.4.3
 
 4.4.2 / 2014-06-09
@@ -2381,7 +1897,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
  * deps: connect@2.21.0
    - deprecate `connect(middleware)` -- use `app.use(middleware)` instead
    - deprecate `connect.createServer()` -- use `connect()` instead
-   - fix `res.setHeader()` patch to work with get -> append -> set pattern
+   - fix `res.setHeader()` patch to work with with get -> append -> set pattern
    - deps: compression@~1.0.8
    - deps: errorhandler@~1.1.1
    - deps: express-session@~1.5.0
@@ -2420,7 +1936,7 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
    - deps: serve-static@1.2.3
  * deps: debug@1.0.2
  * deps: send@0.4.3
-   - Do not throw uncatchable error on file open race condition
+   - Do not throw un-catchable error on file open race condition
    - Use `escape-html` for HTML escaping
    - deps: debug@1.0.2
    - deps: finished@1.2.2
@@ -3592,8 +3108,8 @@ Shaw]
   * Added node v0.1.97 compatibility
   * Added support for deleting cookies via Request#cookie('key', null)
   * Updated haml submodule
-  * Fixed not-found page, now using charset utf-8
-  * Fixed show-exceptions page, now using charset utf-8
+  * Fixed not-found page, now using using charset utf-8
+  * Fixed show-exceptions page, now using using charset utf-8
   * Fixed view support due to fs.readFile Buffers
   * Changed; mime.type() no longer accepts ".type" due to node extname() changes
 
@@ -3605,7 +3121,7 @@ Shaw]
   * Updated haml submodule
   * Changed ETag; removed inode, modified time only
   * Fixed LF to CRLF for setting multiple cookies
-  * Fixed cookie compilation; values are now urlencoded
+  * Fixed cookie complation; values are now urlencoded
   * Fixed cookies parsing; accepts quoted values and url escaped cookies
 
 0.11.0 / 2010-05-06
@@ -3628,7 +3144,7 @@ Shaw]
 ==================
 
   * Added charset support via Request#charset (automatically assigned to 'UTF-8' when respond()'s
-    encoding is set to 'utf8' or 'utf-8').
+    encoding is set to 'utf8' or 'utf-8'.
   * Added "encoding" option to Request#render(). Closes #299
   * Added "dump exceptions" setting, which is enabled by default.
   * Added simple ejs template engine support
@@ -3667,7 +3183,7 @@ Shaw]
   * Added [haml.js](http://github.com/visionmedia/haml.js) submodule; removed haml-js
   * Added callback function support to Request#halt() as 3rd/4th arg
   * Added preprocessing of route param wildcards using param(). Closes #251
-  * Added view partial support (with collections etc.)
+  * Added view partial support (with collections etc)
   * Fixed bug preventing falsey params (such as ?page=0). Closes #286
   * Fixed setting of multiple cookies. Closes #199
   * Changed; view naming convention is now NAME.TYPE.ENGINE (for example page.html.haml)
@@ -3800,7 +3316,7 @@ Shaw]
 
   * Added "plot" format option for Profiler (for gnuplot processing)
   * Added request number to Profiler plugin
-  * Fixed binary encoding for multipart file uploads, was previously defaulting to UTF8
+  * Fixed binary encoding for multi-part file uploads, was previously defaulting to UTF8
   * Fixed issue with routes not firing when not files are present. Closes #184
   * Fixed process.Promise -> events.Promise
 
@@ -3846,7 +3362,7 @@ Shaw]
   * Updated sample chat app to show messages on load
   * Updated libxmljs parseString -> parseHtmlString
   * Fixed `make init` to work with older versions of git
-  * Fixed specs can now run independent specs for those who can't build deps. Closes #127
+  * Fixed specs can now run independent specs for those who cant build deps. Closes #127
   * Fixed issues introduced by the node url module changes. Closes 126.
   * Fixed two assertions failing due to Collection#keys() returning strings
   * Fixed faulty Collection#toArray() spec due to keys() returning strings

Readme-Guide.md

@@ -0,0 +1,125 @@
+# README guidelines
+
+Every module in the expressjs, pillarjs, and jshttp organizations should have
+a README file named `README.md`. The purpose of the README is to:
+
+- Explain the purpose of the module and how to use it.
+- Act as a landing page (both on GitHub and npmjs.com) for the module to help
+  people find it via search. Middleware module READMEs are also incorporated
+  into https://expressjs.com/en/resources/middleware.html.
+- Encourage community contributions and participation.
+
+Use the [README template](https://github.com/expressjs/express/wiki/README-template)
+to quickly create a new README file.
+
+## Top-level items
+
+**Badges** (optional): At the very top (with no subheading), include any
+applicable badges, such as npm version/downloads, build status, test coverage,
+and so on. Badges should resolve properly (not display a broken image).
+
+Possible badges include:
+- npm version: `[![NPM Version][npm-image]][npm-url]`
+- npm downloads: `[![NPM Downloads][downloads-image]][downloads-url]`
+- Build status: `[![Build Status][travis-image]][travis-url]`
+- Test coverage: `[![Test Coverage][coveralls-image]][coveralls-url]`
+- Tips: `[![Gratipay][gratipay-image]][gratipay-url]`
+
+**Summary**: Following badges, provide a one- or two-sentence description of
+what the module does. This should be the same as the npmjs.org blurb (which
+comes from the description property of `package.json`). Since npm doesn't
+handle markdown for the blurb, avoid using markdown in the summary sentence.
+
+**TOC** (Optional): For longer READMEs, provide a table of contents that has
+a relative link to each section. A tool such as
+[doctoc](https://www.npmjs.com/package/doctoc) makes it very easy to generate
+a TOC.
+
+## Overview
+
+Optionally, include a section of one or two paragraphs with more high-level
+information on what the module does, what problems it solves, why one would
+use it and how.  Don't just repeat what's in the summary.
+
+## Installation
+
+Required. This section is typically just:
+
+```sh
+$ npm install module-name
+```
+
+But include any other steps or requirements.
+
+NOTE: Use the `sh` code block to make the shell command display properly on
+the website.
+
+## Basic use
+
+- Provide a general description of how to use the module with code sample.
+  Include any important caveats or restrictions.
+- Explain the most common use cases.
+- Optional: a simple "hello world" type example (where applicable). This
+  example is in addition to the more comprehensive [example section](#examples)
+  later.
+
+## API
+
+Provide complete API documentation.
+
+Formatting conventions: Each function is listed in a 3rd-level heading (`###`),
+like this:
+
+```
+### Function_name(arg, options [, optional_arg]  ... )
+```
+
+**Options objects**
+
+For arguments that are objects (for example, options object), describe the
+properties in a table, as follows. This matches the formatting used in the
+[Express API docs](https://expressjs.com/en/4x/api.html).
+
+|Property | Description | Type | Default|
+|----------|-----------|------------|-------------|
+|Name of the property in `monospace`. | Brief description | String, Number, Boolean, etc. | If applicable.|
+
+If all the properties are required (i.e. there are no defaults), then you
+can omit the default column.
+
+Instead of very lengthy descriptions, link out to subsequent paragraphs for
+more detailed explanation of specific cases (e.g. "When this property is set
+to 'foobar', xyz happens; see <link to following section >.)
+
+If there are options properties that are themselves options, use additional
+tables. See [`trust proxy` and `etag` properties](https://expressjs.com/en/4x/api.html#app.settings.table).
+
+## Examples
+
+Every README should have at least one example; ideally more.  For code samples,
+be sure to use the `js` code block, for proper display in the website, e.g.:
+
+```js
+var csurf = require('csurf')
+...
+```
+
+## Tests
+
+What tests are included.
+
+How to run them.
+
+The convention for running tests is `npm test`. All our projects should follow
+this convention.
+
+## Contributors
+
+Names of module "owners" (lead developers) and other developers who have
+contributed.
+
+## License
+
+Link to the license, with a short description of what it is, e.g. "MIT" or
+whatever. Ideally, avoid putting the license text directly in the README; link
+to it instead.

Readme.md

@@ -1,48 +1,22 @@
-[![Express Logo](https://i.cloudup.com/zfY6lL7eFa-3000x3000.png)](https://expressjs.com/)
+[![Express Logo](https://i.cloudup.com/zfY6lL7eFa-3000x3000.png)](http://expressjs.com/)
 
-**Fast, unopinionated, minimalist web framework for [Node.js](https://nodejs.org).**
-
-**This project has a [Code of Conduct].**
-
-## Table of contents
-
-- [Table of contents](#table-of-contents)
-- [Installation](#installation)
-- [Features](#features)
-- [Docs \& Community](#docs--community)
-- [Quick Start](#quick-start)
-- [Philosophy](#philosophy)
-- [Examples](#examples)
-- [Contributing](#contributing)
-  - [Security Issues](#security-issues)
-  - [Running Tests](#running-tests)
-- [Current project team members](#current-project-team-members)
-  - [TC (Technical Committee)](#tc-technical-committee)
-    - [TC emeriti members](#tc-emeriti-members)
-  - [Triagers](#triagers)
-    - [Emeritus Triagers](#emeritus-triagers)
-- [License](#license)
-
-
-[![NPM Version][npm-version-image]][npm-url]
-[![NPM Downloads][npm-downloads-image]][npm-downloads-url]
-[![Linux Build][github-actions-ci-image]][github-actions-ci-url]
-[![Test Coverage][coveralls-image]][coveralls-url]
-[![OpenSSF Scorecard Badge][ossf-scorecard-badge]][ossf-scorecard-visualizer]
+  Fast, unopinionated, minimalist web framework for [node](http://nodejs.org).
 
+  [![NPM Version][npm-image]][npm-url]
+  [![NPM Downloads][downloads-image]][downloads-url]
+  [![Linux Build][travis-image]][travis-url]
+  [![Windows Build][appveyor-image]][appveyor-url]
+  [![Test Coverage][coveralls-image]][coveralls-url]
 
 ```js
-import express from 'express'
+var express = require('express')
+var app = express()
 
-const app = express()
-
-app.get('/', (req, res) => {
+app.get('/', function (req, res) {
   res.send('Hello World')
 })
 
-app.listen(3000, () => {
-  console.log('Server is running on http://localhost:3000')
-})
+app.listen(3000)
 ```
 
 ## Installation
@@ -51,19 +25,16 @@ This is a [Node.js](https://nodejs.org/en/) module available through the
 [npm registry](https://www.npmjs.com/).
 
 Before installing, [download and install Node.js](https://nodejs.org/en/download/).
-Node.js 18 or higher is required.
-
-If this is a brand new project, make sure to create a `package.json` first with
-the [`npm init` command](https://docs.npmjs.com/creating-a-package-json-file).
+Node.js 0.10 or higher is required.
 
 Installation is done using the
 [`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):
 
 ```bash
-npm install express
+$ npm install express
 ```
 
-Follow [our installing guide](https://expressjs.com/en/starter/installing.html)
+Follow [our installing guide](http://expressjs.com/en/starter/installing.html)
 for more information.
 
 ## Features
@@ -78,11 +49,18 @@ for more information.
 
 ## Docs & Community
 
-  * [Website and Documentation](https://expressjs.com/) - [[website repo](https://github.com/expressjs/expressjs.com)]
+  * [Website and Documentation](http://expressjs.com/) - [[website repo](https://github.com/expressjs/expressjs.com)]
+  * [#express](https://webchat.freenode.net/?channels=express) on freenode IRC
   * [GitHub Organization](https://github.com/expressjs) for Official Middleware & Modules
-  * [Github Discussions](https://github.com/expressjs/discussions) for discussion on the development and usage of Express
+  * Visit the [Wiki](https://github.com/expressjs/express/wiki)
+  * [Google Group](https://groups.google.com/group/express-js) for discussion
+  * [Gitter](https://gitter.im/expressjs/express) for support and discussion
 
-**PROTIP** Be sure to read the [migration guide to v5](https://expressjs.com/en/guide/migrating-5)
+**PROTIP** Be sure to read [Migrating from 3.x to 4.x](https://github.com/expressjs/express/wiki/Migrating-from-3.x-to-4.x) as well as [New features in 4.x](https://github.com/expressjs/express/wiki/New-features-in-4.x).
+
+### Security Issues
+
+If you discover a security vulnerability in Express, please see [Security Policies and Procedures](Security.md).
 
 ## Quick Start
 
@@ -91,185 +69,85 @@ for more information.
   Install the executable. The executable's major version will match Express's:
 
 ```bash
-npm install -g express-generator@4
+$ npm install -g express-generator@4
 ```
 
   Create the app:
 
 ```bash
-express /tmp/foo && cd /tmp/foo
+$ express /tmp/foo && cd /tmp/foo
 ```
 
   Install dependencies:
 
 ```bash
-npm install
+$ npm install
 ```
 
   Start the server:
 
 ```bash
-npm start
+$ npm start
 ```
 
-  View the website at: http://localhost:3000
-
 ## Philosophy
 
   The Express philosophy is to provide small, robust tooling for HTTP servers, making
-  it a great solution for single page applications, websites, hybrids, or public
+  it a great solution for single page applications, web sites, hybrids, or public
   HTTP APIs.
 
   Express does not force you to use any specific ORM or template engine. With support for over
-  14 template engines via [@ladjs/consolidate](https://github.com/ladjs/consolidate),
+  14 template engines via [Consolidate.js](https://github.com/tj/consolidate.js),
   you can quickly craft your perfect framework.
 
 ## Examples
 
-  To view the examples, clone the Express repository:
+  To view the examples, clone the Express repo and install the dependencies:
 
 ```bash
-git clone https://github.com/expressjs/express.git --depth 1 && cd express
-```
-
-  Then install the dependencies:
-
-```bash
-npm install
+$ git clone git://github.com/expressjs/express.git --depth 1
+$ cd express
+$ npm install
 ```
 
   Then run whichever example you want:
 
 ```bash
-node examples/content-negotiation
+$ node examples/content-negotiation
 ```
 
-## Contributing
+## Tests
 
-The Express.js project welcomes all constructive contributions. Contributions take many forms,
-from code for bug fixes and enhancements, to additions and fixes to documentation, additional
-tests, triaging incoming pull requests and issues, and more!
-
-See the [Contributing Guide] for more technical details on contributing.
-
-### Security Issues
-
-If you discover a security vulnerability in Express, please see [Security Policies and Procedures](SECURITY.md).
-
-### Running Tests
-
-To run the test suite, first install the dependencies:
+  To run the test suite, first install the dependencies, then run `npm test`:
 
 ```bash
-npm install
+$ npm install
+$ npm test
 ```
 
-Then run `npm test`:
+## People
 
-```bash
-npm test
-```
+The original author of Express is [TJ Holowaychuk](https://github.com/tj) [![TJ's Gratipay][gratipay-image-visionmedia]][gratipay-url-visionmedia]
 
-## Current project team members
-
-For information about the governance of the express.js project, see [GOVERNANCE.md](https://github.com/expressjs/discussions/blob/HEAD/docs/GOVERNANCE.md).
-
-The original author of Express is [TJ Holowaychuk](https://github.com/tj)
+The current lead maintainer is [Douglas Christopher Wilson](https://github.com/dougwilson) [![Doug's Gratipay][gratipay-image-dougwilson]][gratipay-url-dougwilson]
 
 [List of all contributors](https://github.com/expressjs/express/graphs/contributors)
 
-### TC (Technical Committee)
-
-* [UlisesGascon](https://github.com/UlisesGascon) - **Ulises Gascón** (he/him)
-* [jonchurch](https://github.com/jonchurch) - **Jon Church**
-* [wesleytodd](https://github.com/wesleytodd) - **Wes Todd**
-* [LinusU](https://github.com/LinusU) - **Linus Unnebäck**
-* [blakeembrey](https://github.com/blakeembrey) - **Blake Embrey**
-* [sheplu](https://github.com/sheplu) - **Jean Burellier**
-* [crandmck](https://github.com/crandmck) - **Rand McKinney**
-* [ctcpip](https://github.com/ctcpip) - **Chris de Almeida**
-
-<details>
-<summary>TC emeriti members</summary>
-
-#### TC emeriti members
-
-  * [dougwilson](https://github.com/dougwilson) - **Douglas Wilson**
-  * [hacksparrow](https://github.com/hacksparrow) - **Hage Yaapa**
-  * [jonathanong](https://github.com/jonathanong) - **jongleberry**
-  * [niftylettuce](https://github.com/niftylettuce) - **niftylettuce**
-  * [troygoode](https://github.com/troygoode) - **Troy Goode**
-</details>
-
-
-### Triagers
-
-* [aravindvnair99](https://github.com/aravindvnair99) - **Aravind Nair**
-* [bjohansebas](https://github.com/bjohansebas) - **Sebastian Beltran**
-* [carpasse](https://github.com/carpasse) - **Carlos Serrano**
-* [CBID2](https://github.com/CBID2) - **Christine Belzie**
-* [dpopp07](https://github.com/dpopp07) - **Dustin Popp**
-* [UlisesGascon](https://github.com/UlisesGascon) - **Ulises Gascón** (he/him)
-* [3imed-jaberi](https://github.com/3imed-jaberi) - **Imed Jaberi**
-* [IamLizu](https://github.com/IamLizu) - **S M Mahmudul Hasan** (he/him)
-* [Phillip9587](https://github.com/Phillip9587) - **Phillip Barta**
-* [Sushmeet](https://github.com/Sushmeet) - **Sushmeet Sunger**
-* [rxmarbles](https://github.com/rxmarbles) **Rick Markins** (He/him)
-
-<details>
-<summary>Triagers emeriti members</summary>
-
-#### Emeritus Triagers
-
-  * [AuggieH](https://github.com/AuggieH) - **Auggie Hudak**
-  * [G-Rath](https://github.com/G-Rath) - **Gareth Jones**
-  * [MohammadXroid](https://github.com/MohammadXroid) - **Mohammad Ayashi**
-  * [NawafSwe](https://github.com/NawafSwe) - **Nawaf Alsharqi**
-  * [NotMoni](https://github.com/NotMoni) - **Moni**
-  * [VigneshMurugan](https://github.com/VigneshMurugan) - **Vignesh Murugan**
-  * [davidmashe](https://github.com/davidmashe) - **David Ashe**
-  * [digitaIfabric](https://github.com/digitaIfabric) - **David**
-  * [e-l-i-s-e](https://github.com/e-l-i-s-e) - **Elise Bonner**
-  * [fed135](https://github.com/fed135) - **Frederic Charette**
-  * [firmanJS](https://github.com/firmanJS) - **Firman Abdul Hakim**
-  * [getspooky](https://github.com/getspooky) - **Yasser Ameur**
-  * [ghinks](https://github.com/ghinks) - **Glenn**
-  * [ghousemohamed](https://github.com/ghousemohamed) - **Ghouse Mohamed**
-  * [gireeshpunathil](https://github.com/gireeshpunathil) - **Gireesh Punathil**
-  * [jake32321](https://github.com/jake32321) - **Jake Reed**
-  * [jonchurch](https://github.com/jonchurch) - **Jon Church**
-  * [lekanikotun](https://github.com/lekanikotun) - **Troy Goode**
-  * [marsonya](https://github.com/marsonya) - **Lekan Ikotun**
-  * [mastermatt](https://github.com/mastermatt) - **Matt R. Wilson**
-  * [maxakuru](https://github.com/maxakuru) - **Max Edell**
-  * [mlrawlings](https://github.com/mlrawlings) - **Michael Rawlings**
-  * [rodion-arr](https://github.com/rodion-arr) - **Rodion Abdurakhimov**
-  * [sheplu](https://github.com/sheplu) - **Jean Burellier**
-  * [tarunyadav1](https://github.com/tarunyadav1) - **Tarun yadav**
-  * [tunniclm](https://github.com/tunniclm) - **Mike Tunnicliffe**
-  * [enyoghasim](https://github.com/enyoghasim) - **David Enyoghasim**
-  * [0ss](https://github.com/0ss) - **Salah**
-  * [import-brain](https://github.com/import-brain) - **Eric Cheng** (he/him)
-  * [dakshkhetan](https://github.com/dakshkhetan) - **Daksh Khetan** (he/him)
-  * [lucasraziel](https://github.com/lucasraziel) - **Lucas Soares Do Rego**
-  * [mertcanaltin](https://github.com/mertcanaltin) - **Mert Can Altin**
-
-</details>
-
-
 ## License
 
   [MIT](LICENSE)
 
-[coveralls-image]: https://badgen.net/coveralls/c/github/expressjs/express/master
-[coveralls-url]: https://coveralls.io/r/expressjs/express?branch=master
-[github-actions-ci-image]: https://badgen.net/github/checks/expressjs/express/master?label=CI
-[github-actions-ci-url]: https://github.com/expressjs/express/actions/workflows/ci.yml
-[npm-downloads-image]: https://badgen.net/npm/dm/express
-[npm-downloads-url]: https://npmcharts.com/compare/express?minimal=true
+[npm-image]: https://img.shields.io/npm/v/express.svg
 [npm-url]: https://npmjs.org/package/express
-[npm-version-image]: https://badgen.net/npm/v/express
-[ossf-scorecard-badge]: https://api.scorecard.dev/projects/github.com/expressjs/express/badge
-[ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/expressjs/express
-[Code of Conduct]: https://github.com/expressjs/.github/blob/HEAD/CODE_OF_CONDUCT.md
-[Contributing Guide]: https://github.com/expressjs/.github/blob/HEAD/CONTRIBUTING.md
+[downloads-image]: https://img.shields.io/npm/dm/express.svg
+[downloads-url]: https://npmjs.org/package/express
+[travis-image]: https://img.shields.io/travis/expressjs/express/master.svg?label=linux
+[travis-url]: https://travis-ci.org/expressjs/express
+[appveyor-image]: https://img.shields.io/appveyor/ci/dougwilson/express/master.svg?label=windows
+[appveyor-url]: https://ci.appveyor.com/project/dougwilson/express
+[coveralls-image]: https://img.shields.io/coveralls/expressjs/express/master.svg
+[coveralls-url]: https://coveralls.io/r/expressjs/express?branch=master
+[gratipay-image-visionmedia]: https://img.shields.io/gratipay/visionmedia.svg
+[gratipay-url-visionmedia]: https://gratipay.com/visionmedia/
+[gratipay-image-dougwilson]: https://img.shields.io/gratipay/dougwilson.svg
+[gratipay-url-dougwilson]: https://gratipay.com/dougwilson/

Release-Process.md

@@ -0,0 +1,186 @@
+# Express Release Process
+
+This document contains the technical aspects of the Express release process. The
+intended audience is those who have been authorized by the Express Technical
+Committee (TC) to create, promote and sign official release builds for Express,
+as npm packages hosted on https://npmjs.com/package/express.
+
+## Who can make releases?
+
+Release authorization is given by the Express TC. Once authorized, an individual
+must have the following access permissions:
+
+### 1. Github release access
+
+The individual making the release will need to be a member of the
+expressjs/express team with Write permission level so they are able to tag the
+release commit and push changes to the expressjs/express repository
+(see Steps 4 and 5).
+
+### 2. npmjs.com release access
+
+The individual making the release will need to be made an owner on the
+`express` package on npmjs.com so they are able to publish the release
+(see Step 6).
+
+## How to publish a release
+
+Before publishing, the following preconditions should be met:
+
+- A release proposal issue or tracking pull request (see "Proposal branch"
+  below) will exist documenting:
+  - the proposed changes
+  - the type of release: patch, minor or major
+  - the version number (according to semantic versioning - http://semver.org)
+- The proposed changes should be complete.
+
+There are two main release flows: patch and non-patch.
+
+The patch flow is for making **patch releases**. As per semantic versioning,
+patch releases are for simple changes, eg: typo fixes, patch dependency updates,
+and simple/low-risk bug fixes. Every other type of change is made via the
+non-patch flow.
+
+### Branch terminology
+
+"Master branch"
+
+- There is a branch in git used for the current major version of Express, named
+  `master`.
+- This branch contains the completed commits for the next patch release of the
+  current major version.
+- Releases for the current major version are published from this branch.
+
+"Version branch"
+
+- For any given major version of Express (current, previous or next) there is
+  a branch in git for that release named `<major-version>.x` (eg: `4.x`).
+- This branch points to the commit of the latest tag for the given major version.
+
+"Release branch"
+
+- For any given major version of Express, there is a branch used for publishing
+  releases.
+- For the current major version of Express, the release branch is the
+  "Master branch" named `master`.
+- For all other major versions of Express, the release branch is the
+  "Version branch" named `<major-version>.x`.
+
+"Proposal branch"
+
+- A branch in git representing a proposed new release of Express. This can be a
+  minor or major release, named `<major-version>.0` for a major release,
+  `<major-version>.<minor-version>` for a minor release.
+- A tracking pull request should exist to document the proposed release,
+  targeted at the appropriate release branch. Prior to opening the tracking
+  pull request the content of the release may have be discussed in an issue.
+- This branch contains the commits accepted so far that implement the proposal
+  in the tracking pull request.
+
+### Patch flow
+
+In the patch flow, simple changes are committed to the release branch which
+acts as an ever-present branch for the next patch release of the associated
+major version of Express.
+
+The release branch is usually kept in a state where it is ready to release.
+Releases are made when sufficient time or change has been made to warrant it.
+This is usually proposed and decided using a github issue.
+
+### Non-patch flow
+
+In the non-patch flow, changes are committed to a temporary proposal branch
+created specifically for that release proposal. The branch is based on the
+most recent release of the major version of Express that the release targets.
+
+Releases are made when all the changes on a proposal branch are complete and
+approved. This is done by merging the proposal branch into the release branch
+(using a fast-forward merge), tagging it with the new version number and
+publishing the release package to npmjs.com.
+
+### Flow
+
+Below is a detailed description of the steps to publish a release.
+
+#### Step 1. Check the release is ready to publish
+
+Check any relevant information to ensure the release is ready, eg: any
+milestone, label, issue or tracking pull request for the release. The release
+is ready when all proposed code, tests and documentation updates are complete
+(either merged, closed or re-targeted to another release).
+
+#### Step 2. (Non-patch flow only) Merge the proposal branch into the release branch
+
+In the patch flow: skip this step.
+
+In the non-patch flow:
+```sh
+$ git checkout <release-branch>
+$ git merge --ff-only <proposal-branch>
+```
+
+<release-branch> - see "Release branch" of "Branches" above.
+<proposal-branch> - see "Proposal branch" of "Non-patch flow" above.
+
+**NOTE:** You may need to rebase the proposal branch to allow a fast-forward
+          merge. Using a fast-forward merge keeps the history clean as it does
+          not introduce merge commits.
+
+### Step 3. Update the History.md and package.json to the new version number
+
+The changes so far for the release should already be documented under the
+"unreleased" section at the top of the History.md file, as per the usual
+development practice. Change "unreleased" to the new release version / date.
+Example diff fragment:
+
+```diff
+-unreleased
+-==========
++4.13.3 / 2015-08-02
++===================
+```
+
+The version property in the package.json should already contain the version of
+the previous release. Change it to the new release version.
+
+Commit these changes together under a single commit with the message set to
+the new release version (eg: `4.13.3`):
+
+```sh
+$ git checkout <release-branch>
+<..edit files..>
+$ git add History.md package.json
+$ git commit -m '<version-number>'
+```
+
+### Step 4. Identify and tag the release commit with the new release version
+
+Create a lightweight tag (rather than an annotated tag) named after the new
+release version (eg: `4.13.3`).
+
+```sh
+$ git tag <version-number>
+```
+
+### Step 5. Push the release branch changes and tag to github
+
+The branch and tag should be pushed directly to the main repository
+(https://github.com/expressjs/express).
+
+```sh
+$ git push origin <release-branch>
+$ git push origin <version-number>
+```
+
+### Step 6. Publish to npmjs.com
+
+Ensure your local working copy is completely clean (no extra or changed files).
+You can use `git status` for this purpose.
+
+```sh
+$ npm login <npm-username>
+$ npm publish
+```
+
+**NOTE:** The version number to publish will be picked up automatically from
+          package.json.

Security.md

@@ -14,11 +14,7 @@ Thank you for improving the security of Express. We appreciate your efforts and
 responsible disclosure and will make every effort to acknowledge your
 contributions.
 
-Report security bugs by emailing `express-security@lists.openjsf.org`.
-
-To ensure the timely response to your report, please ensure that the entirety
-of the report is contained within the email body and not solely behind a web
-link or an attachment.
+Report security bugs by emailing the lead maintainer in the Readme.md file.
 
 The lead maintainer will acknowledge your email within 48 hours, and will send a
 more detailed response within 48 hours indicating the next steps in handling
@@ -27,13 +23,8 @@ endeavor to keep you informed of the progress towards a fix and full
 announcement, and may ask for additional information or guidance.
 
 Report security bugs in third-party modules to the person or team maintaining
-the module.
-
-## Pre-release Versions
-
-Alpha and Beta releases are unstable and **not suitable for production use**.
-Vulnerabilities found in pre-releases should be reported according to the [Reporting a Bug](#reporting-a-bug) section.
-Due to the unstable nature of the branch it is not guaranteed that any fixes will be released in the next pre-release.
+the module. You can also report a vulnerability through the
+[Node Security Project](https://nodesecurity.io/report).
 
 ## Disclosure Policy
 
@@ -46,10 +37,6 @@ involving the following steps:
   * Prepare fixes for all releases still under maintenance. These fixes will be
     released as fast as possible to npm.
 
-## The Express Threat Model
-
-We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md)
-
 ## Comments on this Policy
 
 If you have suggestions on how this process could be improved please submit a

appveyor.yml

@@ -0,0 +1,28 @@
+environment:
+  matrix:
+    - nodejs_version: "0.10"
+    - nodejs_version: "0.12"
+    - nodejs_version: "1.8"
+    - nodejs_version: "2.5"
+    - nodejs_version: "3.3"
+    - nodejs_version: "4.8"
+    - nodejs_version: "5.12"
+    - nodejs_version: "6.11"
+    - nodejs_version: "7.10"
+    - nodejs_version: "8.4"
+cache:
+  - node_modules
+install:
+  - ps: Install-Product node $env:nodejs_version
+  - npm config set shrinkwrap false
+  - npm rm --save-dev connect-redis
+  - if exist node_modules npm prune
+  - if exist node_modules npm rebuild
+  - npm install
+build: off
+test_script:
+  - node --version
+  - npm --version
+  - npm run test-ci
+  - npm run lint
+version: "{build}"

benchmarks/Makefile

@@ -1,17 +1,13 @@
 
 all:
-	@./run 1 middleware 50
-	@./run 5 middleware 50
-	@./run 10 middleware 50
-	@./run 15 middleware 50
-	@./run 20 middleware 50
-	@./run 30 middleware 50
-	@./run 50 middleware 50
-	@./run 100 middleware 50
-	@./run 10 middleware 100
-	@./run 10 middleware 250
-	@./run 10 middleware 500
-	@./run 10 middleware 1000
+	@./run 1 middleware
+	@./run 5 middleware
+	@./run 10 middleware
+	@./run 15 middleware
+	@./run 20 middleware
+	@./run 30 middleware
+	@./run 50 middleware
+	@./run 100 middleware
 	@echo
 
 .PHONY: all

benchmarks/README.md

@@ -1,34 +0,0 @@
-# Express Benchmarks
-
-## Installation
-
-You will need to install [wrk](https://github.com/wg/wrk/blob/master/INSTALL) in order to run the benchmarks.
-
-## Running
-
-To run the benchmarks, first install the dependencies `npm i`, then run `make`
-
-The output will look something like this:
-
-```
-  50 connections
-  1 middleware
- 7.15ms
- 6784.01
-
- [...redacted...]
-
-  1000 connections
-  10 middleware
- 139.21ms
- 6155.19
-
-```
-
-### Tip: Include Node.js version in output
-
-You can use `make && node -v` to include the node.js version in the output.
-
-### Tip: Save the results to a file
-
-You can use `make > results.log` to save the results to a file `results.log`.

benchmarks/middleware.js

@@ -13,7 +13,7 @@ while (n--) {
   });
 }
 
-app.use(function(req, res){
+app.use(function(req, res, next){
   res.send('Hello World')
 });
 

benchmarks/run

@@ -4,15 +4,13 @@ echo
 MW=$1 node $2 &
 pid=$!
 
-echo "  $3 connections"
-
 sleep 2
 
 wrk 'http://localhost:3333/?foo[bar]=baz' \
   -d 3 \
-  -c $3 \
+  -c 50 \
   -t 8 \
-  | grep 'Requests/sec\|Latency' \
-  | awk '{ print " " $2 }'
+  | grep 'Requests/sec' \
+  | awk '{ print "  " $2 }'
 
 kill $pid

examples/README.md

@@ -1,29 +0,0 @@
-# Express examples
-
-This page contains list of examples using Express.
-
-- [auth](./auth) - Authentication with login and password
-- [content-negotiation](./content-negotiation) - HTTP content negotiation
-- [cookie-sessions](./cookie-sessions) - Working with cookie-based sessions
-- [cookies](./cookies) - Working with cookies
-- [downloads](./downloads) - Transferring files to client
-- [ejs](./ejs) - Working with Embedded JavaScript templating (ejs)
-- [error-pages](./error-pages) - Creating error pages
-- [error](./error) - Working with error middleware
-- [hello-world](./hello-world) - Simple request handler
-- [markdown](./markdown) - Markdown as template engine
-- [multi-router](./multi-router) - Working with multiple Express routers
-- [mvc](./mvc) - MVC-style controllers
-- [online](./online) - Tracking online user activity with `online` and `redis` packages
-- [params](./params) - Working with route parameters
-- [resource](./resource) - Multiple HTTP operations on the same resource
-- [route-map](./route-map) - Organizing routes using a map
-- [route-middleware](./route-middleware) - Working with route middleware
-- [route-separation](./route-separation) - Organizing routes per each resource
-- [search](./search) - Search API
-- [session](./session) - User sessions
-- [static-files](./static-files) - Serving static files
-- [vhost](./vhost) - Working with virtual hosts
-- [view-constructor](./view-constructor) - Rendering views dynamically
-- [view-locals](./view-locals) - Saving data in request object between middleware calls
-- [web-service](./web-service) - Simple API service

examples/auth/index.js

@@ -1,12 +1,10 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
 var express = require('../..');
 var hash = require('pbkdf2-password')()
-var path = require('node:path');
+var path = require('path');
 var session = require('express-session');
 
 var app = module.exports = express();
@@ -18,7 +16,7 @@ app.set('views', path.join(__dirname, 'views'));
 
 // middleware
 
-app.use(express.urlencoded())
+app.use(express.urlencoded({ extended: false }))
 app.use(session({
   resave: false, // don't save session if unmodified
   saveUninitialized: false, // don't create session until something stored
@@ -61,14 +59,14 @@ function authenticate(name, pass, fn) {
   if (!module.parent) console.log('authenticating %s:%s', name, pass);
   var user = users[name];
   // query the db for the given username
-  if (!user) return fn(null, null)
+  if (!user) return fn(new Error('cannot find user'));
   // apply the same algorithm to the POSTed password, applying
   // the hash against the pass / salt, if there is a match we
   // found the user
   hash({ password: pass, salt: user.salt }, function (err, pass, salt, hash) {
     if (err) return fn(err);
-    if (hash === user.hash) return fn(null, user)
-    fn(null, null)
+    if (hash == user.hash) return fn(null, user);
+    fn(new Error('invalid password'));
   });
 }
 
@@ -101,10 +99,8 @@ app.get('/login', function(req, res){
   res.render('login');
 });
 
-app.post('/login', function (req, res, next) {
-  if (!req.body) return res.sendStatus(400)
+app.post('/login', function(req, res){
   authenticate(req.body.username, req.body.password, function(err, user){
-    if (err) return next(err)
     if (user) {
       // Regenerate session when signing in
       // to prevent fixation
@@ -116,7 +112,7 @@ app.post('/login', function (req, res, next) {
         req.session.success = 'Authenticated as ' + user.name
           + ' click to <a href="/logout">logout</a>. '
           + ' You may now access <a href="/restricted">/restricted</a>.';
-        res.redirect(req.get('Referrer') || '/');
+        res.redirect('back');
       });
     } else {
       req.session.error = 'Authentication failed, please check your '

examples/auth/views/head.ejs

@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <html>
   <head>
-    <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width,initial-scale=1">
     <title><%= title %></title>
     <style>
       body {
@@ -10,7 +8,7 @@
         font: 13px Helvetica, Arial, sans-serif;
       }
       .error {
-          color: red;
+          color: red
       }
       .success {
           color: green;

examples/auth/views/login.ejs

@@ -1,21 +1,22 @@
 
-<%- include('head', { title: 'Authentication Example' }) -%>
+<% var title = 'Authentication Example' %>
+<% include head %>
 
 <h1>Login</h1>
 <%- message %>
 Try accessing <a href="/restricted">/restricted</a>, then authenticate with "tj" and "foobar".
 <form method="post" action="/login">
   <p>
-    <label for="username">Username:</label>
-    <input type="text" name="username" id="username">
+    <label>Username:</label>
+    <input type="text" name="username">
   </p>
   <p>
-    <label for="password">Password:</label>
-    <input type="text" name="password" id="password">
+    <label>Password:</label>
+    <input type="text" name="password">
   </p>
   <p>
     <input type="submit" value="Login">
   </p>
 </form>
 
-<%- include('foot') -%>
+<% include foot %>

examples/content-negotiation/db.js

@@ -1,5 +1,3 @@
-'use strict'
-
 var users = [];
 
 users.push({ name: 'Tobi' });

examples/content-negotiation/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 var express = require('../../');
 var app = module.exports = express();
 var users = require('./db');

examples/content-negotiation/users.js

@@ -1,4 +1,3 @@
-'use strict'
 
 var users = require('./db');
 

examples/cookie-sessions/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
@@ -13,10 +11,13 @@ var app = module.exports = express();
 app.use(cookieSession({ secret: 'manny is cool' }));
 
 // do something with the session
-app.get('/', function (req, res) {
+app.use(count);
+
+// custom middleware
+function count(req, res) {
   req.session.count = (req.session.count || 0) + 1
   res.send('viewed ' + req.session.count + ' times\n')
-})
+}
 
 /* istanbul ignore next */
 if (!module.parent) {

examples/cookies/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
@@ -10,7 +8,7 @@ var logger = require('morgan');
 var cookieParser = require('cookie-parser');
 
 // custom log format
-if (process.env.NODE_ENV !== 'test') app.use(logger(':method :url'))
+if ('test' != process.env.NODE_ENV) app.use(logger(':method :url'));
 
 // parses request cookies, populating
 // req.cookies and req.signedCookies
@@ -19,7 +17,7 @@ if (process.env.NODE_ENV !== 'test') app.use(logger(':method :url'))
 app.use(cookieParser('my secret here'));
 
 // parses x-www-form-urlencoded
-app.use(express.urlencoded())
+app.use(express.urlencoded({ extended: false }))
 
 app.get('/', function(req, res){
   if (req.cookies.remember) {
@@ -33,17 +31,13 @@ app.get('/', function(req, res){
 
 app.get('/forget', function(req, res){
   res.clearCookie('remember');
-  res.redirect(req.get('Referrer') || '/');
+  res.redirect('back');
 });
 
 app.post('/', function(req, res){
   var minute = 60000;
-
-  if (req.body && req.body.remember) {
-    res.cookie('remember', 1, { maxAge: minute })
-  }
-
-  res.redirect(req.get('Referrer') || '/');
+  if (req.body.remember) res.cookie('remember', 1, { maxAge: minute });
+  res.redirect('back');
 });
 
 /* istanbul ignore next */

examples/downloads/files/notes/groceries.txt

@@ -1,3 +0,0 @@
-* milk
-* eggs
-* bread

examples/downloads/index.js

@@ -1,32 +1,27 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
 var express = require('../../');
-var path = require('node:path');
-
+var path = require('path');
 var app = module.exports = express();
 
-// path to where the files are stored on disk
-var FILES_DIR = path.join(__dirname, 'files')
-
 app.get('/', function(req, res){
-  res.send('<ul>' +
-    '<li>Download <a href="/files/notes/groceries.txt">notes/groceries.txt</a>.</li>' +
-    '<li>Download <a href="/files/amazing.txt">amazing.txt</a>.</li>' +
-    '<li>Download <a href="/files/missing.txt">missing.txt</a>.</li>' +
-    '<li>Download <a href="/files/CCTV大赛上海分赛区.txt">CCTV大赛上海分赛区.txt</a>.</li>' +
-    '</ul>')
+  res.send('<ul>'
+    + '<li>Download <a href="/files/amazing.txt">amazing.txt</a>.</li>'
+    + '<li>Download <a href="/files/missing.txt">missing.txt</a>.</li>'
+    + '<li>Download <a href="/files/CCTV大赛上海分赛区.txt">CCTV大赛上海分赛区.txt</a>.</li>'
+    + '</ul>');
 });
 
 // /files/* is accessed via req.params[0]
 // but here we name it :file
-app.get('/files/*file', function (req, res, next) {
-  res.download(req.params.file.join('/'), { root: FILES_DIR }, function (err) {
+app.get('/files/:file(*)', function(req, res, next){
+  var filePath = path.join(__dirname, 'files', req.params.file);
+
+  res.download(filePath, function (err) {
     if (!err) return; // file sent
-    if (err.status !== 404) return next(err); // non-404 error
+    if (err && err.status !== 404) return next(err); // non-404 error
     // file for download not found
     res.statusCode = 404;
     res.send('Cant find that file, sorry!');

examples/ejs/index.js

@@ -1,11 +1,9 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
 var express = require('../../');
-var path = require('node:path');
+var path = require('path');
 
 var app = module.exports = express();
 

examples/ejs/public/stylesheets/style.css

@@ -1,4 +1,4 @@
 body {
   padding: 50px 80px;
-  font: 14px "Helvetica Neue", "Lucida Grande", Arial, sans-serif;
+  font: 14px "Helvetica Nueue", "Lucida Grande", Arial, sans-serif;
 }

examples/ejs/views/header.html

@@ -2,7 +2,6 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width,initial-scale=1">
   <title><%= title %></title>
   <link rel="stylesheet" href="/stylesheets/style.css">
 </head>

examples/ejs/views/users.html

@@ -1,4 +1,4 @@
-<%- include('header.html') -%>
+<% include header.html %>
 
 <h1>Users</h1>
 <ul id="users">
@@ -7,4 +7,4 @@
   <% }) %>
 </ul>
 
-<%- include('footer.html') -%>
+<% include footer.html %>

examples/error-pages/index.js

@@ -1,14 +1,12 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
 var express = require('../../');
-var path = require('node:path');
+var path = require('path');
 var app = module.exports = express();
 var logger = require('morgan');
-var silent = process.env.NODE_ENV === 'test'
+var silent = 'test' == process.env.NODE_ENV;
 
 // general config
 app.set('views', path.join(__dirname, 'views'));
@@ -21,7 +19,7 @@ app.enable('verbose errors');
 
 // disable them in production
 // use $ NODE_ENV=production node examples/error-pages
-if (app.settings.env === 'production') app.disable('verbose errors')
+if ('production' == app.settings.env) app.disable('verbose errors');
 
 silent || app.use(logger('dev'));
 

examples/error-pages/views/404.ejs

@@ -1,3 +1,3 @@
-<%- include('error_header') -%>
+<% include error_header %>
 <h2>Cannot find <%= url %></h2>
-<%- include('footer') -%>
+<% include footer %>

examples/error-pages/views/500.ejs

@@ -1,8 +1,8 @@
-<%- include('error_header') -%>
+<% include error_header %>
 <h2>Error: <%= error.message %></h2>
 <% if (settings['verbose errors']) { %>
   <pre><%= error.stack %></pre>
 <% } else { %>
   <p>An error occurred!</p>
 <% } %>
-<%- include('footer') -%>
+<% include footer %>

examples/error-pages/views/error_header.ejs

@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width,initial-scale=1">
 <title>Error</title>
 </head>
 

examples/error-pages/views/index.ejs

@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width,initial-scale=1">
 <title>Custom Pages Example</title>
 </head>
 

examples/error/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
@@ -7,7 +5,7 @@
 var express = require('../../');
 var logger = require('morgan');
 var app = module.exports = express();
-var test = app.get('env') === 'test'
+var test = app.get('env') == 'test';
 
 if (!test) app.use(logger('dev'));
 
@@ -26,7 +24,7 @@ function error(err, req, res, next) {
   res.send('Internal Server Error');
 }
 
-app.get('/', function () {
+app.get('/', function(req, res){
   // Caught and passed down to the errorHandler middleware
   throw new Error('something broke!');
 });

examples/hello-world/index.js

@@ -1,8 +1,6 @@
-'use strict'
-
 var express = require('../../');
 
-var app = module.exports = express()
+var app = express();
 
 app.get('/', function(req, res){
   res.send('Hello World');

examples/markdown/index.js

@@ -1,14 +1,12 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
 var escapeHtml = require('escape-html');
 var express = require('../..');
-var fs = require('node:fs');
+var fs = require('fs');
 var marked = require('marked');
-var path = require('node:path');
+var path = require('path');
 
 var app = module.exports = express();
 
@@ -26,7 +24,7 @@ app.engine('md', function(path, options, fn){
 
 app.set('views', path.join(__dirname, 'views'));
 
-// make it the default, so we don't need .md
+// make it the default so we dont need .md
 app.set('view engine', 'md');
 
 app.get('/', function(req, res){

examples/multi-router/controllers/api_v1.js

@@ -1,5 +1,3 @@
-'use strict'
-
 var express = require('../../..');
 
 var apiv1 = express.Router();

examples/multi-router/controllers/api_v2.js

@@ -1,5 +1,3 @@
-'use strict'
-
 var express = require('../../..');
 
 var apiv2 = express.Router();

examples/multi-router/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 var express = require('../..');
 
 var app = module.exports = express();
@@ -8,7 +6,7 @@ app.use('/api/v1', require('./controllers/api_v1'));
 app.use('/api/v2', require('./controllers/api_v2'));
 
 app.get('/', function(req, res) {
-  res.send('Hello from root route.')
+  res.send('Hello form root route.');
 });
 
 /* istanbul ignore next */

examples/multipart/index.js

@@ -0,0 +1,60 @@
+/**
+ * Module dependencies.
+ */
+
+var express = require('../..');
+var multiparty = require('multiparty');
+var format = require('util').format;
+
+var app = module.exports = express();
+
+app.get('/', function(req, res){
+  res.send('<form method="post" enctype="multipart/form-data">'
+    + '<p>Title: <input type="text" name="title" /></p>'
+    + '<p>Image: <input type="file" name="image" /></p>'
+    + '<p><input type="submit" value="Upload" /></p>'
+    + '</form>');
+});
+
+app.post('/', function(req, res, next){
+  // create a form to begin parsing
+  var form = new multiparty.Form();
+  var image;
+  var title;
+
+  form.on('error', next);
+  form.on('close', function(){
+    res.send(format('\nuploaded %s (%d Kb) as %s'
+      , image.filename
+      , image.size / 1024 | 0
+      , title));
+  });
+
+  // listen on field event for title
+  form.on('field', function(name, val){
+    if (name !== 'title') return;
+    title = val;
+  });
+
+  // listen on part event for image file
+  form.on('part', function(part){
+    if (!part.filename) return;
+    if (part.name !== 'image') return part.resume();
+    image = {};
+    image.filename = part.filename;
+    image.size = 0;
+    part.on('data', function(buf){
+      image.size += buf.length;
+    });
+  });
+
+
+  // parse the form
+  form.parse(req);
+});
+
+/* istanbul ignore next */
+if (!module.parent) {
+  app.listen(4000);
+  console.log('Express started on port 4000');
+}

examples/mvc/controllers/main/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 exports.index = function(req, res){
   res.redirect('/users');
 };

examples/mvc/controllers/pet/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 /**
  * Module dependencies.
  */

examples/mvc/controllers/pet/views/edit.ejs

@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width,initial-scale=1">
 <link rel="stylesheet" href="/style.css">
 <title>Edit <%= pet.name %></title>
 </head>

examples/mvc/controllers/pet/views/show.ejs

@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width,initial-scale=1">
 <link rel="stylesheet" href="/style.css">
 <title><%= pet.name %></title>
 </head>

examples/mvc/controllers/user-pet/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 /**
  * Module dependencies.
  */

examples/mvc/controllers/user/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 /**
  * Module dependencies.
  */

examples/mvc/controllers/user/views/edit.hbs

@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <html>
 <head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width,initial-scale=1">
   <link rel="stylesheet" href="/style.css">
   <title>Edit {{user.name}}</title>
 </head>

examples/mvc/controllers/user/views/list.hbs

@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <html>
 <head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width,initial-scale=1">
   <link rel="stylesheet" href="/style.css">
   <title>Users</title>
 </head>

examples/mvc/controllers/user/views/show.hbs

@@ -1,8 +1,6 @@
 <!DOCTYPE html>
 <html>
 <head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width,initial-scale=1">
   <link rel="stylesheet" href="/style.css">
   <title>{{user.name}}</title>
 </head>

examples/mvc/db.js

@@ -1,5 +1,3 @@
-'use strict'
-
 // faux database
 
 var pets = exports.pets = [];

examples/mvc/index.js

@@ -1,12 +1,10 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
 var express = require('../..');
 var logger = require('morgan');
-var path = require('node:path');
+var path = require('path');
 var session = require('express-session');
 var methodOverride = require('method-override');
 

examples/mvc/lib/boot.js

@@ -1,12 +1,10 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
 var express = require('../../..');
-var fs = require('node:fs');
-var path = require('node:path');
+var fs = require('fs');
+var path = require('path');
 
 module.exports = function(parent, options){
   var dir = path.join(__dirname, '..', 'controllers');

examples/mvc/public/style.css

@@ -1,6 +1,6 @@
 body {
   padding: 50px;
-  font: 16px "Helvetica Neue", Helvetica, Arial, sans-serif;
+  font: 16px "Helvetica Neue", Helvetica, Arial;
 }
 a {
   color: #107aff;

examples/mvc/views/404.ejs

@@ -2,7 +2,6 @@
 <html>
   <head>
     <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width,initial-scale=1">
     <title>Not Found</title>
     <link rel="stylesheet" href="/style.css">
   </head>

examples/mvc/views/5xx.ejs

@@ -2,7 +2,6 @@
 <html>
   <head>
     <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width,initial-scale=1">
     <title>Internal Server Error</title>
     <link rel="stylesheet" href="/style.css">
   </head>

examples/online/index.js

@@ -1,4 +1,3 @@
-'use strict'
 
 // install redis first:
 // https://redis.io/

examples/params/index.js

@@ -1,23 +1,28 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
-var createError = require('http-errors')
 var express = require('../../');
 var app = module.exports = express();
 
 // Faux database
 
 var users = [
-  { name: 'tj' }
+    { name: 'tj' }
   , { name: 'tobi' }
   , { name: 'loki' }
   , { name: 'jane' }
   , { name: 'bandit' }
 ];
 
+// Create HTTP error
+
+function createError(status, message) {
+  var err = new Error(message);
+  err.status = status;
+  return err;
+}
+
 // Convert :to and :from to integers
 
 app.param(['to', 'from'], function(req, res, next, num, name){
@@ -32,8 +37,7 @@ app.param(['to', 'from'], function(req, res, next, num, name){
 // Load user by id
 
 app.param('user', function(req, res, next, id){
-  req.user = users[id]
-  if (req.user) {
+  if (req.user = users[id]) {
     next();
   } else {
     next(createError(404, 'failed to find user'));
@@ -52,7 +56,7 @@ app.get('/', function(req, res){
  * GET :user.
  */
 
-app.get('/user/:user', function (req, res) {
+app.get('/user/:user', function(req, res, next){
   res.send('user ' + req.user.name);
 });
 
@@ -60,7 +64,7 @@ app.get('/user/:user', function (req, res) {
  * GET users :from - :to.
  */
 
-app.get('/users/:from-:to', function (req, res) {
+app.get('/users/:from-:to', function(req, res, next){
   var from = req.params.from;
   var to = req.params.to;
   var names = users.map(function(user){ return user.name; });

examples/resource/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
@@ -12,7 +10,7 @@ var app = module.exports = express();
 
 app.resource = function(path, obj) {
   this.get(path, obj.index);
-  this.get(path + '/:a..:b{.:format}', function(req, res){
+  this.get(path + '/:a..:b.:format?', function(req, res){
     var a = parseInt(req.params.a, 10);
     var b = parseInt(req.params.b, 10);
     var format = req.params.format;
@@ -28,7 +26,7 @@ app.resource = function(path, obj) {
 // Fake records
 
 var users = [
-  { name: 'tj' }
+    { name: 'tj' }
   , { name: 'ciaran' }
   , { name: 'aaron' }
   , { name: 'guillermo' }

examples/route-map/index.js

@@ -1,13 +1,10 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
-var escapeHtml = require('escape-html')
 var express = require('../../lib/express');
 
-var verbose = process.env.NODE_ENV !== 'test'
+var verbose = process.env.NODE_ENV != 'test';
 
 var app = module.exports = express();
 
@@ -34,7 +31,7 @@ var users = {
   },
 
   get: function(req, res){
-    res.send('user ' +  escapeHtml(req.params.uid))
+    res.send('user ' + req.params.uid);
   },
 
   delete: function(req, res){
@@ -44,11 +41,11 @@ var users = {
 
 var pets = {
   list: function(req, res){
-    res.send('user ' + escapeHtml(req.params.uid) + '\'s pets')
+    res.send('user ' + req.params.uid + '\'s pets');
   },
 
   delete: function(req, res){
-    res.send('delete ' + escapeHtml(req.params.uid) + '\'s pet ' + escapeHtml(req.params.pid))
+    res.send('delete ' + req.params.uid + '\'s pet ' + req.params.pid);
   }
 };
 

examples/route-middleware/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
@@ -17,7 +15,7 @@ var app = express();
 
 // Dummy users
 var users = [
-  { id: 0, name: 'tj', email: 'tj@vision-media.ca', role: 'member' }
+    { id: 0, name: 'tj', email: 'tj@vision-media.ca', role: 'member' }
   , { id: 1, name: 'ciaran', email: 'ciaranj@gmail.com', role: 'member' }
   , { id: 2, name: 'aaron', email: 'aaron.heckmann+github@gmail.com', role: 'admin' }
 ];
@@ -36,7 +34,7 @@ function loadUser(req, res, next) {
 function andRestrictToSelf(req, res, next) {
   // If our authenticated user is the user we are viewing
   // then everything is fine :)
-  if (req.authenticatedUser.id === req.user.id) {
+  if (req.authenticatedUser.id == req.user.id) {
     next();
   } else {
     // You may want to implement specific exceptions
@@ -49,7 +47,7 @@ function andRestrictToSelf(req, res, next) {
 
 function andRestrictTo(role) {
   return function(req, res, next) {
-    if (req.authenticatedUser.role === role) {
+    if (req.authenticatedUser.role == role) {
       next();
     } else {
       next(new Error('Unauthorized'));

examples/route-separation/index.js

@@ -1,11 +1,9 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
 var express = require('../..');
-var path = require('node:path');
+var path = require('path');
 var app = express();
 var logger = require('morgan');
 var cookieParser = require('cookie-parser');
@@ -38,7 +36,7 @@ app.get('/', site.index);
 // User
 
 app.get('/users', user.list);
-app.all('/user/:id{/:op}', user.load);
+app.all('/user/:id/:op?', user.load);
 app.get('/user/:id', user.view);
 app.get('/user/:id/view', user.view);
 app.get('/user/:id/edit', user.edit);

examples/route-separation/post.js

@@ -1,5 +1,3 @@
-'use strict'
-
 // Fake posts database
 
 var posts = [

examples/route-separation/site.js

@@ -1,5 +1,3 @@
-'use strict'
-
 exports.index = function(req, res){
   res.render('index', { title: 'Route Separation Example' });
 };

examples/route-separation/user.js

@@ -1,5 +1,3 @@
-'use strict'
-
 // Fake user database
 
 var users = [
@@ -43,5 +41,5 @@ exports.update = function(req, res){
   var user = req.body.user;
   req.user.name = user.name;
   req.user.email = user.email;
-  res.redirect(req.get('Referrer') || '/');
+  res.redirect('back');
 };

examples/route-separation/views/header.ejs

@@ -2,7 +2,6 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width,initial-scale=1">
   <title><%= title %></title>
   <link rel="stylesheet" href="/style.css">
 </head>

examples/route-separation/views/index.ejs

@@ -1,4 +1,4 @@
-<%- include('header') -%>
+<% include header %>
 
 <h1><%= title %></h1>
 
@@ -7,4 +7,4 @@
   <li>Visit the <a href="/posts">posts</a> page.</li>
 </ul>
 
-<%- include('footer') -%>
+<% include footer %>

examples/route-separation/views/posts/index.ejs

@@ -1,4 +1,4 @@
-<%- include('../header') -%>
+<% include ../header %>
 
 <h1>Posts</h1>
 
@@ -9,4 +9,4 @@
   <% }) %>
 </dl>
 
-<%- include('../footer') -%>
+<% include ../footer %>

examples/route-separation/views/users/edit.ejs

@@ -1,9 +1,9 @@
-<%- include('../header') -%>
+<% include ../header %>
 
 <h1>Editing <%= user.name %></h1>
 
 <div id="user">
-  <form action="?_method=put" method="post">
+  <form action="?_method=put", method="post">
     <p>
       Name:
       <input type="text" value="<%= user.name %>" name="user[name]" />
@@ -20,4 +20,4 @@
   </form>
 </div>
 
-<%- include('../footer') -%>
+<% include ../footer %>

examples/route-separation/views/users/index.ejs

@@ -1,4 +1,4 @@
-<%- include('../header') -%>
+<% include ../header %>
 
 <h1><%= title %></h1>
 
@@ -11,4 +11,4 @@
   <% }) %>
 </div>
 
-<%- include('../footer') -%>
+<% include ../footer %>

examples/route-separation/views/users/view.ejs

@@ -1,4 +1,4 @@
-<%- include('../header') -%>
+<% include ../header %>
 
 <h1><%= user.name %></h1>
 
@@ -6,4 +6,4 @@
   <p>Email: <%= user.email %></p>
 </div>
 
-<%- include('../footer') -%>
+<% include ../footer %>

examples/search/index.js

@@ -1,4 +1,3 @@
-'use strict'
 
 // install redis first:
 // https://redis.io/
@@ -12,7 +11,7 @@
  */
 
 var express = require('../..');
-var path = require('node:path');
+var path = require('path');
 var redis = require('redis');
 
 var db = redis.createClient();
@@ -35,10 +34,10 @@ db.sadd('cat', 'luna');
  * GET search for :query.
  */
 
-app.get('/search/:query?', function(req, res, next){
+app.get('/search/:query?', function(req, res){
   var query = req.params.query;
   db.smembers(query, function(err, vals){
-    if (err) return next(err);
+    if (err) return res.send(500);
     res.send(vals);
   });
 });

examples/search/public/client.js

@@ -1,5 +1,3 @@
-'use strict'
-
 var search = document.querySelector('[type=search]');
 var code = document.querySelector('pre');
 
@@ -7,7 +5,7 @@ search.addEventListener('keyup', function(){
   var xhr = new XMLHttpRequest;
   xhr.open('GET', '/search/' + search.value, true);
   xhr.onreadystatechange = function(){
-    if (xhr.readyState === 4) {
+    if (4 == xhr.readyState) {
       code.textContent = xhr.responseText;
     }
   };

examples/search/public/index.html

@@ -2,9 +2,8 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width,initial-scale=1">
   <title>Search example</title>
-  <style>
+  <style type="text/css">
     body {
       font: 14px "Helvetica Neue", Helvetica;
       padding: 50px;
@@ -15,7 +14,7 @@
   <h2>Search</h2>
   <p>Try searching for "ferret" or "cat".</p>
   <input type="search" name="search" value="" />
-  <pre></pre>
+  <pre />
   <script src="/client.js" charset="utf-8"></script>
 </body>
 </html>

examples/session/index.js

@@ -1,4 +1,3 @@
-'use strict'
 
 // install redis first:
 // https://redis.io/

examples/session/redis.js

@@ -1,5 +1,3 @@
-'use strict'
-
 /**
  * Module dependencies.
  */

examples/static-files/index.js

@@ -1,12 +1,10 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
 var express = require('../..');
 var logger = require('morgan');
-var path = require('node:path');
+var path = require('path');
 var app = express();
 
 // log requests

examples/static-files/public/js/app.js

@@ -1 +1 @@
-// foo
+foo

examples/vhost/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 /**
  * Module dependencies.
  */

examples/view-constructor/github-view.js

@@ -1,11 +1,9 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
-var https = require('node:https');
-var path = require('node:path');
+var https = require('https');
+var path = require('path');
 var extname = path.extname;
 
 /**

examples/view-constructor/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 /**
  * Module dependencies.
  */

examples/view-locals/index.js

@@ -1,11 +1,9 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
 
 var express = require('../..');
-var path = require('node:path');
+var path = require('path');
 var User = require('./user');
 var app = express();
 
@@ -15,7 +13,7 @@ app.set('view engine', 'ejs');
 // filter ferrets only
 
 function ferrets(user) {
-  return user.species === 'ferret'
+  return user.species == 'ferret';
 }
 
 // naive nesting approach,
@@ -61,7 +59,7 @@ function users(req, res, next) {
   })
 }
 
-app.get('/middleware', count, users, function (req, res) {
+app.get('/middleware', count, users, function(req, res, next){
   res.render('index', {
     title: 'Users',
     count: req.count,
@@ -99,7 +97,7 @@ function users2(req, res, next) {
   })
 }
 
-app.get('/middleware-locals', count2, users2, function (req, res) {
+app.get('/middleware-locals', count2, users2, function(req, res, next){
   // you can see now how we have much less
   // to pass to res.render(). If we have
   // several routes related to users this

examples/view-locals/user.js

@@ -1,5 +1,3 @@
-'use strict'
-
 module.exports = User;
 
 // faux model

examples/view-locals/views/index.ejs

@@ -2,7 +2,6 @@
 <html>
   <head>
     <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width,initial-scale=1">
     <title><%= title %></title>
     <style media="screen">
       body {

examples/web-service/index.js

@@ -1,5 +1,3 @@
-'use strict'
-
 /**
  * Module dependencies.
  */
@@ -10,7 +8,7 @@ var app = module.exports = express();
 
 // create an error with .status. we
 // can then use the property in our
-// custom error handler (Connect respects this prop as well)
+// custom error handler (Connect repects this prop as well)
 
 function error(status, msg) {
   var err = new Error(msg);
@@ -34,7 +32,7 @@ app.use('/api', function(req, res, next){
   if (!key) return next(error(400, 'api key required'));
 
   // key is invalid
-  if (apiKeys.indexOf(key) === -1) return next(error(401, 'invalid api key'))
+  if (!~apiKeys.indexOf(key)) return next(error(401, 'invalid api key'));
 
   // all good, store req.key for route access
   req.key = key;
@@ -51,13 +49,13 @@ var apiKeys = ['foo', 'bar', 'baz'];
 // these two objects will serve as our faux database
 
 var repos = [
-  { name: 'express', url: 'https://github.com/expressjs/express' },
-  { name: 'stylus', url: 'https://github.com/learnboost/stylus' },
-  { name: 'cluster', url: 'https://github.com/learnboost/cluster' }
+    { name: 'express', url: 'http://github.com/expressjs/express' }
+  , { name: 'stylus', url: 'http://github.com/learnboost/stylus' }
+  , { name: 'cluster', url: 'http://github.com/learnboost/cluster' }
 ];
 
 var users = [
-  { name: 'tobi' }
+    { name: 'tobi' }
   , { name: 'loki' }
   , { name: 'jane' }
 ];
@@ -71,17 +69,14 @@ var userRepos = {
 // we now can assume the api key is valid,
 // and simply expose the data
 
-// example: http://localhost:3000/api/users/?api-key=foo
-app.get('/api/users', function (req, res) {
+app.get('/api/users', function(req, res, next){
   res.send(users);
 });
 
-// example: http://localhost:3000/api/repos/?api-key=foo
-app.get('/api/repos', function (req, res) {
+app.get('/api/repos', function(req, res, next){
   res.send(repos);
 });
 
-// example: http://localhost:3000/api/user/tobi/repos/?api-key=foo
 app.get('/api/user/:name/repos', function(req, res, next){
   var name = req.params.name;
   var user = userRepos[name];
@@ -107,7 +102,7 @@ app.use(function(err, req, res, next){
 // invoke next() and do not respond.
 app.use(function(req, res){
   res.status(404);
-  res.send({ error: "Sorry, can't find that" })
+  res.send({ error: "Lame, can't find that" });
 });
 
 /* istanbul ignore next */

lib/application.js

@@ -14,24 +14,22 @@
  */
 
 var finalhandler = require('finalhandler');
+var Router = require('./router');
+var methods = require('methods');
+var middleware = require('./middleware/init');
+var query = require('./middleware/query');
 var debug = require('debug')('express:application');
 var View = require('./view');
-var http = require('node:http');
-var methods = require('./utils').methods;
+var http = require('http');
 var compileETag = require('./utils').compileETag;
 var compileQueryParser = require('./utils').compileQueryParser;
 var compileTrust = require('./utils').compileTrust;
-var resolve = require('node:path').resolve;
-var once = require('once')
-var Router = require('router');
-
-/**
- * Module variables.
- * @private
- */
-
+var deprecate = require('depd')('express');
+var flatten = require('array-flatten');
+var merge = require('utils-merge');
+var resolve = require('path').resolve;
+var setPrototypeOf = require('setprototypeof')
 var slice = Array.prototype.slice;
-var flatten = Array.prototype.flat;
 
 /**
  * Application prototype.
@@ -57,29 +55,11 @@ var trustProxyDefaultSymbol = '@@symbol:trust_proxy_default';
  */
 
 app.init = function init() {
-  var router = null;
-
-  this.cache = Object.create(null);
-  this.engines = Object.create(null);
-  this.settings = Object.create(null);
+  this.cache = {};
+  this.engines = {};
+  this.settings = {};
 
   this.defaultConfiguration();
-
-  // Setup getting to lazily add base router
-  Object.defineProperty(this, 'router', {
-    configurable: true,
-    enumerable: true,
-    get: function getrouter() {
-      if (router === null) {
-        router = new Router({
-          caseSensitive: this.enabled('case sensitive routing'),
-          strict: this.enabled('strict routing')
-        });
-      }
-
-      return router;
-    }
-  });
 };
 
 /**
@@ -94,7 +74,7 @@ app.defaultConfiguration = function defaultConfiguration() {
   this.enable('x-powered-by');
   this.set('etag', 'weak');
   this.set('env', env);
-  this.set('query parser', 'simple')
+  this.set('query parser', 'extended');
   this.set('subdomain offset', 2);
   this.set('trust proxy', false);
 
@@ -115,10 +95,10 @@ app.defaultConfiguration = function defaultConfiguration() {
     }
 
     // inherit protos
-    Object.setPrototypeOf(this.request, parent.request)
-    Object.setPrototypeOf(this.response, parent.response)
-    Object.setPrototypeOf(this.engines, parent.engines)
-    Object.setPrototypeOf(this.settings, parent.settings)
+    setPrototypeOf(this.request, parent.request)
+    setPrototypeOf(this.response, parent.response)
+    setPrototypeOf(this.engines, parent.engines)
+    setPrototypeOf(this.settings, parent.settings)
   });
 
   // setup locals
@@ -138,6 +118,32 @@ app.defaultConfiguration = function defaultConfiguration() {
   if (env === 'production') {
     this.enable('view cache');
   }
+
+  Object.defineProperty(this, 'router', {
+    get: function() {
+      throw new Error('\'app.router\' is deprecated!\nPlease see the 3.x to 4.x migration guide for details on how to update your app.');
+    }
+  });
+};
+
+/**
+ * lazily adds the base router if it has not yet been added.
+ *
+ * We cannot add the base router in the defaultConfiguration because
+ * it reads app settings which might be set after that has run.
+ *
+ * @private
+ */
+app.lazyrouter = function lazyrouter() {
+  if (!this._router) {
+    this._router = new Router({
+      caseSensitive: this.enabled('case sensitive routing'),
+      strict: this.enabled('strict routing')
+    });
+
+    this._router.use(query(this.get('query parser fn')));
+    this._router.use(middleware.init(this));
+  }
 };
 
 /**
@@ -150,31 +156,22 @@ app.defaultConfiguration = function defaultConfiguration() {
  */
 
 app.handle = function handle(req, res, callback) {
+  var router = this._router;
+
   // final handler
   var done = callback || finalhandler(req, res, {
     env: this.get('env'),
     onerror: logerror.bind(this)
   });
 
-  // set powered by header
-  if (this.enabled('x-powered-by')) {
-    res.setHeader('X-Powered-By', 'Express');
+  // no routes
+  if (!router) {
+    debug('no routes defined on app');
+    done();
+    return;
   }
 
-  // set circular references
-  req.res = res;
-  res.req = req;
-
-  // alter the prototypes
-  Object.setPrototypeOf(req, this.request)
-  Object.setPrototypeOf(res, this.response)
-
-  // setup locals
-  if (!res.locals) {
-    res.locals = Object.create(null);
-  }
-
-  this.router.handle(req, res, done);
+  router.handle(req, res, done);
 };
 
 /**
@@ -207,14 +204,15 @@ app.use = function use(fn) {
     }
   }
 
-  var fns = flatten.call(slice.call(arguments, offset), Infinity);
+  var fns = flatten(slice.call(arguments, offset));
 
   if (fns.length === 0) {
     throw new TypeError('app.use() requires a middleware function')
   }
 
-  // get router
-  var router = this.router;
+  // setup router
+  this.lazyrouter();
+  var router = this._router;
 
   fns.forEach(function (fn) {
     // non-express app
@@ -230,8 +228,8 @@ app.use = function use(fn) {
     router.use(path, function mounted_app(req, res, next) {
       var orig = req.app;
       fn.handle(req, res, function (err) {
-        Object.setPrototypeOf(req, orig.request)
-        Object.setPrototypeOf(res, orig.response)
+        setPrototypeOf(req, orig.request)
+        setPrototypeOf(res, orig.response)
         next(err);
       });
     });
@@ -254,7 +252,8 @@ app.use = function use(fn) {
  */
 
 app.route = function route(path) {
-  return this.router.route(path);
+  this.lazyrouter();
+  return this._router.route(path);
 };
 
 /**
@@ -277,7 +276,7 @@ app.route = function route(path) {
  * In this case EJS provides a `.renderFile()` method with
  * the same signature that Express expects: `(path, options, callback)`,
  * though note that it aliases this method as `ejs.__express` internally
- * so if you're using ".ejs" extensions you don't need to do anything.
+ * so if you're using ".ejs" extensions you dont need to do anything.
  *
  * Some template engines do not follow this convention, the
  * [Consolidate.js](https://github.com/tj/consolidate.js)
@@ -320,6 +319,8 @@ app.engine = function engine(ext, fn) {
  */
 
 app.param = function param(name, fn) {
+  this.lazyrouter();
+
   if (Array.isArray(name)) {
     for (var i = 0; i < name.length; i++) {
       this.param(name[i], fn);
@@ -328,7 +329,7 @@ app.param = function param(name, fn) {
     return this;
   }
 
-  this.router.param(name, fn);
+  this._router.param(name, fn);
 
   return this;
 };
@@ -468,14 +469,16 @@ app.disable = function disable(setting) {
  * Delegate `.VERB(...)` calls to `router.VERB(...)`.
  */
 
-methods.forEach(function (method) {
-  app[method] = function (path) {
+methods.forEach(function(method){
+  app[method] = function(path){
     if (method === 'get' && arguments.length === 1) {
       // app.get(setting)
       return this.set(path);
     }
 
-    var route = this.route(path);
+    this.lazyrouter();
+
+    var route = this._router.route(path);
     route[method].apply(route, slice.call(arguments, 1));
     return this;
   };
@@ -492,7 +495,9 @@ methods.forEach(function (method) {
  */
 
 app.all = function all(path) {
-  var route = this.route(path);
+  this.lazyrouter();
+
+  var route = this._router.route(path);
   var args = slice.call(arguments, 1);
 
   for (var i = 0; i < methods.length; i++) {
@@ -502,6 +507,10 @@ app.all = function all(path) {
   return this;
 };
 
+// del -> delete alias
+
+app.del = deprecate.function(app.delete, 'app.del: Use app.delete instead');
+
 /**
  * Render the given view `name` name with `options`
  * and a callback accepting an error and the
@@ -524,6 +533,7 @@ app.render = function render(name, options, callback) {
   var done = callback;
   var engines = this.engines;
   var opts = options;
+  var renderOptions = {};
   var view;
 
   // support callback function as second arg
@@ -532,8 +542,16 @@ app.render = function render(name, options, callback) {
     opts = {};
   }
 
+  // merge app.locals
+  merge(renderOptions, this.locals);
+
+  // merge options._locals
+  if (opts._locals) {
+    merge(renderOptions, opts._locals);
+  }
+
   // merge options
-  var renderOptions = { ...this.locals, ...opts._locals, ...opts };
+  merge(renderOptions, opts);
 
   // set .cache unless explicitly provided
   if (renderOptions.cache == null) {
@@ -583,8 +601,8 @@ app.render = function render(name, options, callback) {
  * and HTTPS server you may do so with the "http"
  * and "https" modules as shown here:
  *
- *    var http = require('node:http')
- *      , https = require('node:https')
+ *    var http = require('http')
+ *      , https = require('https')
  *      , express = require('express')
  *      , app = express();
  *
@@ -596,14 +614,9 @@ app.render = function render(name, options, callback) {
  */
 
 app.listen = function listen() {
-  var server = http.createServer(this)
-  var args = Array.prototype.slice.call(arguments)
-  if (typeof args[args.length - 1] === 'function') {
-    var done = args[args.length - 1] = once(args[args.length - 1])
-    server.once('error', done)
-  }
-  return server.listen.apply(server, args)
-}
+  var server = http.createServer(this);
+  return server.listen.apply(server, arguments);
+};
 
 /**
  * Log error using console.error.

lib/express.js

@@ -13,10 +13,11 @@
  */
 
 var bodyParser = require('body-parser')
-var EventEmitter = require('node:events').EventEmitter;
+var EventEmitter = require('events').EventEmitter;
 var mixin = require('merge-descriptors');
 var proto = require('./application');
-var Router = require('router');
+var Route = require('./router/route');
+var Router = require('./router');
 var req = require('./request');
 var res = require('./response');
 
@@ -67,7 +68,7 @@ exports.response = res;
  * Expose constructors.
  */
 
-exports.Route = Router.Route;
+exports.Route = Route;
 exports.Router = Router;
 
 /**
@@ -75,7 +76,37 @@ exports.Router = Router;
  */
 
 exports.json = bodyParser.json
-exports.raw = bodyParser.raw
+exports.query = require('./middleware/query');
 exports.static = require('serve-static');
-exports.text = bodyParser.text
 exports.urlencoded = bodyParser.urlencoded
+
+/**
+ * Replace removed middleware with an appropriate error message.
+ */
+
+;[
+  'bodyParser',
+  'compress',
+  'cookieSession',
+  'session',
+  'logger',
+  'cookieParser',
+  'favicon',
+  'responseTime',
+  'errorHandler',
+  'timeout',
+  'methodOverride',
+  'vhost',
+  'csrf',
+  'directory',
+  'limit',
+  'multipart',
+  'staticCache',
+].forEach(function (name) {
+  Object.defineProperty(exports, name, {
+    get: function () {
+      throw new Error('Most middleware (like ' + name + ') is no longer bundled with Express and must be installed separately. Please see https://github.com/senchalabs/connect#middleware.');
+    },
+    configurable: true
+  });
+});

lib/middleware/init.js

@@ -0,0 +1,43 @@
+/*!
+ * express
+ * Copyright(c) 2009-2013 TJ Holowaychuk
+ * Copyright(c) 2013 Roman Shtylman
+ * Copyright(c) 2014-2015 Douglas Christopher Wilson
+ * MIT Licensed
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ * @private
+ */
+
+var setPrototypeOf = require('setprototypeof')
+
+/**
+ * Initialization middleware, exposing the
+ * request and response to each other, as well
+ * as defaulting the X-Powered-By header field.
+ *
+ * @param {Function} app
+ * @return {Function}
+ * @api private
+ */
+
+exports.init = function(app){
+  return function expressInit(req, res, next){
+    if (app.enabled('x-powered-by')) res.setHeader('X-Powered-By', 'Express');
+    req.res = res;
+    res.req = req;
+    req.next = next;
+
+    setPrototypeOf(req, app.request)
+    setPrototypeOf(res, app.response)
+
+    res.locals = res.locals || Object.create(null);
+
+    next();
+  };
+};
+

lib/middleware/query.js

@@ -0,0 +1,47 @@
+/*!
+ * express
+ * Copyright(c) 2009-2013 TJ Holowaychuk
+ * Copyright(c) 2013 Roman Shtylman
+ * Copyright(c) 2014-2015 Douglas Christopher Wilson
+ * MIT Licensed
+ */
+
+'use strict';
+
+/**
+ * Module dependencies.
+ */
+
+var merge = require('utils-merge')
+var parseUrl = require('parseurl');
+var qs = require('qs');
+
+/**
+ * @param {Object} options
+ * @return {Function}
+ * @api public
+ */
+
+module.exports = function query(options) {
+  var opts = merge({}, options)
+  var queryparse = qs.parse;
+
+  if (typeof options === 'function') {
+    queryparse = options;
+    opts = undefined;
+  }
+
+  if (opts !== undefined && opts.allowPrototypes === undefined) {
+    // back-compat for qs module
+    opts.allowPrototypes = true;
+  }
+
+  return function query(req, res, next){
+    if (!req.query) {
+      var val = parseUrl(req).query;
+      req.query = queryparse(val, opts);
+    }
+
+    next();
+  };
+};

lib/request.js

@@ -14,9 +14,10 @@
  */
 
 var accepts = require('accepts');
-var isIP = require('node:net').isIP;
+var deprecate = require('depd')('express');
+var isIP = require('net').isIP;
 var typeis = require('type-is');
-var http = require('node:http');
+var http = require('http');
 var fresh = require('fresh');
 var parseRange = require('range-parser');
 var parse = require('parseurl');
@@ -146,6 +147,9 @@ req.acceptsEncodings = function(){
   return accept.encodings.apply(accept, arguments);
 };
 
+req.acceptsEncoding = deprecate.function(req.acceptsEncodings,
+  'req.acceptsEncoding: Use acceptsEncodings instead');
+
 /**
  * Check if the given `charset`s are acceptable,
  * otherwise you should respond with 406 "Not Acceptable".
@@ -160,6 +164,9 @@ req.acceptsCharsets = function(){
   return accept.charsets.apply(accept, arguments);
 };
 
+req.acceptsCharset = deprecate.function(req.acceptsCharsets,
+  'req.acceptsCharset: Use acceptsCharsets instead');
+
 /**
  * Check if the given `lang`s are acceptable,
  * otherwise you should respond with 406 "Not Acceptable".
@@ -169,10 +176,14 @@ req.acceptsCharsets = function(){
  * @public
  */
 
-req.acceptsLanguages = function(...languages) {
-  return accepts(this).languages(...languages);
+req.acceptsLanguages = function(){
+  var accept = accepts(this);
+  return accept.languages.apply(accept, arguments);
 };
 
+req.acceptsLanguage = deprecate.function(req.acceptsLanguages,
+  'req.acceptsLanguage: Use acceptsLanguages instead');
+
 /**
  * Parse Range header field, capping to the given `size`.
  *
@@ -205,31 +216,42 @@ req.range = function range(size, options) {
 };
 
 /**
- * Parse the query string of `req.url`.
+ * Return the value of param `name` when present or `defaultValue`.
  *
- * This uses the "query parser" setting to parse the raw
- * string into an object.
+ *  - Checks route placeholders, ex: _/user/:id_
+ *  - Checks body params, ex: id=12, {"id":12}
+ *  - Checks query string params, ex: ?id=12
  *
+ * To utilize request bodies, `req.body`
+ * should be an object. This can be done by using
+ * the `bodyParser()` middleware.
+ *
+ * @param {String} name
+ * @param {Mixed} [defaultValue]
  * @return {String}
- * @api public
+ * @public
  */
 
-defineGetter(req, 'query', function query(){
-  var queryparse = this.app.get('query parser fn');
+req.param = function param(name, defaultValue) {
+  var params = this.params || {};
+  var body = this.body || {};
+  var query = this.query || {};
 
-  if (!queryparse) {
-    // parsing is disabled
-    return Object.create(null);
-  }
+  var args = arguments.length === 1
+    ? 'name'
+    : 'name, default';
+  deprecate('req.param(' + args + '): Use req.params, req.body, or req.query instead');
 
-  var querystring = parse(this).query;
+  if (null != params[name] && params.hasOwnProperty(name)) return params[name];
+  if (null != body[name]) return body[name];
+  if (null != query[name]) return query[name];
 
-  return queryparse(querystring);
-});
+  return defaultValue;
+};
 
 /**
  * Check if the incoming request contains the "Content-Type"
- * header field, and it contains the given mime `type`.
+ * header field, and it contains the give mime `type`.
  *
  * Examples:
  *
@@ -282,12 +304,12 @@ req.is = function is(types) {
  */
 
 defineGetter(req, 'protocol', function protocol(){
-  var proto = this.socket.encrypted
+  var proto = this.connection.encrypted
     ? 'https'
     : 'http';
   var trust = this.app.get('trust proxy fn');
 
-  if (!trust(this.socket.remoteAddress, 0)) {
+  if (!trust(this.connection.remoteAddress, 0)) {
     return proto;
   }
 
@@ -392,7 +414,7 @@ defineGetter(req, 'path', function path() {
 });
 
 /**
- * Parse the "Host" header field to a host.
+ * Parse the "Host" header field to a hostname.
  *
  * When the "trust proxy" setting trusts the socket
  * address, the "X-Forwarded-Host" header field will
@@ -402,34 +424,13 @@ defineGetter(req, 'path', function path() {
  * @public
  */
 
-defineGetter(req, 'host', function host(){
-  var trust = this.app.get('trust proxy fn');
-  var val = this.get('X-Forwarded-Host');
-
-  if (!val || !trust(this.socket.remoteAddress, 0)) {
-    val = this.get('Host');
-  } else if (val.indexOf(',') !== -1) {
-    // Note: X-Forwarded-Host is normally only ever a
-    //       single value, but this is to be safe.
-    val = val.substring(0, val.indexOf(',')).trimRight()
-  }
-
-  return val || undefined;
-});
-
-/**
- * Parse the "Host" header field to a hostname.
- *
- * When the "trust proxy" setting trusts the socket
- * address, the "X-Forwarded-Host" header field will
- * be trusted.
- *
- * @return {String}
- * @api public
- */
-
 defineGetter(req, 'hostname', function hostname(){
-  var host = this.host;
+  var trust = this.app.get('trust proxy fn');
+  var host = this.get('X-Forwarded-Host');
+
+  if (!host || !trust(this.connection.remoteAddress, 0)) {
+    host = this.get('Host');
+  }
 
   if (!host) return;
 
@@ -444,9 +445,15 @@ defineGetter(req, 'hostname', function hostname(){
     : host;
 });
 
+// TODO: change req.host to return host in next major
+
+defineGetter(req, 'host', deprecate.function(function host(){
+  return this.hostname;
+}, 'req.host: Use req.hostname instead'));
+
 /**
  * Check if the request is fresh, aka
- * Last-Modified or the ETag
+ * Last-Modified and/or the ETag
  * still match.
  *
  * @return {Boolean}

lib/response.js

@@ -12,17 +12,17 @@
  * @private
  */
 
+var Buffer = require('safe-buffer').Buffer
 var contentDisposition = require('content-disposition');
-var createError = require('http-errors')
 var deprecate = require('depd')('express');
 var encodeUrl = require('encodeurl');
 var escapeHtml = require('escape-html');
-var http = require('node:http');
+var http = require('http');
+var isAbsolute = require('./utils').isAbsolute;
 var onFinished = require('on-finished');
-var mime = require('mime-types')
-var path = require('node:path');
-var pathIsAbsolute = require('node:path').isAbsolute;
+var path = require('path');
 var statuses = require('statuses')
+var merge = require('utils-merge');
 var sign = require('cookie-signature').sign;
 var normalizeType = require('./utils').normalizeType;
 var normalizeTypes = require('./utils').normalizeTypes;
@@ -30,9 +30,9 @@ var setCharset = require('./utils').setCharset;
 var cookie = require('cookie');
 var send = require('send');
 var extname = path.extname;
+var mime = send.mime;
 var resolve = path.resolve;
 var vary = require('vary');
-const { Buffer } = require('node:buffer');
 
 /**
  * Response prototype.
@@ -49,28 +49,21 @@ var res = Object.create(http.ServerResponse.prototype)
 module.exports = res
 
 /**
- * Set the HTTP status code for the response.
+ * Module variables.
+ * @private
+ */
+
+var charsetRegExp = /;\s*charset\s*=/;
+
+/**
+ * Set status `code`.
  *
- * Expects an integer value between 100 and 999 inclusive.
- * Throws an error if the provided status code is not an integer or if it's outside the allowable range.
- *
- * @param {number} code - The HTTP status code to set.
- * @return {ServerResponse} - Returns itself for chaining methods.
- * @throws {TypeError} If `code` is not an integer.
- * @throws {RangeError} If `code` is outside the range 100 to 999.
+ * @param {Number} code
+ * @return {ServerResponse}
  * @public
  */
 
 res.status = function status(code) {
-  // Check if the status code is not an integer
-  if (!Number.isInteger(code)) {
-    throw new TypeError(`Invalid status code: ${JSON.stringify(code)}. Status code must be an integer.`);
-  }
-  // Check if the status code is outside of Node's valid range
-  if (code < 100 || code > 999) {
-    throw new RangeError(`Invalid status code: ${JSON.stringify(code)}. Status code must be greater than 99 and less than 1000.`);
-  }
-
   this.statusCode = code;
   return this;
 };
@@ -82,11 +75,7 @@ res.status = function status(code) {
  *
  *    res.links({
  *      next: 'http://api.example.com/users?page=2',
- *      last: 'http://api.example.com/users?page=5',
- *      pages: [
- *        'http://api.example.com/users?page=1',
- *        'http://api.example.com/users?page=2'
- *      ]
+ *      last: 'http://api.example.com/users?page=5'
  *    });
  *
  * @param {Object} links
@@ -94,18 +83,11 @@ res.status = function status(code) {
  * @public
  */
 
-res.links = function(links) {
+res.links = function(links){
   var link = this.get('Link') || '';
   if (link) link += ', ';
-  return this.set('Link', link + Object.keys(links).map(function(rel) {
-    // Allow multiple links if links[rel] is an array
-    if (Array.isArray(links[rel])) {
-      return links[rel].map(function (singleLink) {
-        return `<${singleLink}>; rel="${rel}"`;
-      }).join(', ');
-    } else {
-      return `<${links[rel]}>; rel="${rel}"`;
-    }
+  return this.set('Link', link + Object.keys(links).map(function(rel){
+    return '<' + links[rel] + '>; rel="' + rel + '"';
   }).join(', '));
 };
 
@@ -131,6 +113,31 @@ res.send = function send(body) {
   // settings
   var app = this.app;
 
+  // allow status / body
+  if (arguments.length === 2) {
+    // res.send(body, status) backwards compat
+    if (typeof arguments[0] !== 'number' && typeof arguments[1] === 'number') {
+      deprecate('res.send(body, status): Use res.status(status).send(body) instead');
+      this.statusCode = arguments[1];
+    } else {
+      deprecate('res.send(status, body): Use res.status(status).send(body) instead');
+      this.statusCode = arguments[0];
+      chunk = arguments[1];
+    }
+  }
+
+  // disambiguate res.send(status) and res.send(status, num)
+  if (typeof chunk === 'number' && arguments.length === 1) {
+    // res.send(status) will set status message as text string
+    if (!this.get('Content-Type')) {
+      this.type('txt');
+    }
+
+    deprecate('res.send(status): Use res.sendStatus(status) instead');
+    this.statusCode = chunk;
+    chunk = statuses[chunk]
+  }
+
   switch (typeof chunk) {
     // string defaulting to html
     case 'string':
@@ -143,7 +150,7 @@ res.send = function send(body) {
     case 'object':
       if (chunk === null) {
         chunk = '';
-      } else if (ArrayBuffer.isView(chunk)) {
+      } else if (Buffer.isBuffer(chunk)) {
         if (!this.get('Content-Type')) {
           this.type('bin');
         }
@@ -196,7 +203,7 @@ res.send = function send(body) {
   }
 
   // freshness
-  if (req.fresh) this.status(304);
+  if (req.fresh) this.statusCode = 304;
 
   // strip irrelevant headers
   if (204 === this.statusCode || 304 === this.statusCode) {
@@ -206,13 +213,6 @@ res.send = function send(body) {
     chunk = '';
   }
 
-  // alter headers for 205
-  if (this.statusCode === 205) {
-    this.set('Content-Length', '0')
-    this.removeHeader('Transfer-Encoding')
-    chunk = ''
-  }
-
   if (req.method === 'HEAD') {
     // skip body for HEAD
     this.end();
@@ -237,12 +237,27 @@ res.send = function send(body) {
  */
 
 res.json = function json(obj) {
+  var val = obj;
+
+  // allow status / body
+  if (arguments.length === 2) {
+    // res.json(body, status) backwards compat
+    if (typeof arguments[1] === 'number') {
+      deprecate('res.json(obj, status): Use res.status(status).json(obj) instead');
+      this.statusCode = arguments[1];
+    } else {
+      deprecate('res.json(status, obj): Use res.status(status).json(obj) instead');
+      this.statusCode = arguments[0];
+      val = arguments[1];
+    }
+  }
+
   // settings
   var app = this.app;
   var escape = app.get('json escape')
   var replacer = app.get('json replacer');
   var spaces = app.get('json spaces');
-  var body = stringify(obj, replacer, spaces, escape)
+  var body = stringify(val, replacer, spaces, escape)
 
   // content-type
   if (!this.get('Content-Type')) {
@@ -265,12 +280,27 @@ res.json = function json(obj) {
  */
 
 res.jsonp = function jsonp(obj) {
+  var val = obj;
+
+  // allow status / body
+  if (arguments.length === 2) {
+    // res.json(body, status) backwards compat
+    if (typeof arguments[1] === 'number') {
+      deprecate('res.jsonp(obj, status): Use res.status(status).json(obj) instead');
+      this.statusCode = arguments[1];
+    } else {
+      deprecate('res.jsonp(status, obj): Use res.status(status).jsonp(obj) instead');
+      this.statusCode = arguments[0];
+      val = arguments[1];
+    }
+  }
+
   // settings
   var app = this.app;
   var escape = app.get('json escape')
   var replacer = app.get('json replacer');
   var spaces = app.get('json spaces');
-  var body = stringify(obj, replacer, spaces, escape)
+  var body = stringify(val, replacer, spaces, escape)
   var callback = this.req.query[app.get('jsonp callback name')];
 
   // content-type
@@ -292,15 +322,10 @@ res.jsonp = function jsonp(obj) {
     // restrict callback charset
     callback = callback.replace(/[^\[\]\w$.]/g, '');
 
-    if (body === undefined) {
-      // empty argument
-      body = ''
-    } else if (typeof body === 'string') {
-      // replace chars not allowed in JavaScript that are in JSON
-      body = body
-        .replace(/\u2028/g, '\\u2028')
-        .replace(/\u2029/g, '\\u2029')
-    }
+    // replace chars not allowed in JavaScript that are in JSON
+    body = body
+      .replace(/\u2028/g, '\\u2028')
+      .replace(/\u2029/g, '\\u2029');
 
     // the /**/ is a specific security mitigation for "Rosetta Flash JSONP abuse"
     // the typeof check is just to reduce client error noise
@@ -326,9 +351,9 @@ res.jsonp = function jsonp(obj) {
  */
 
 res.sendStatus = function sendStatus(statusCode) {
-  var body = statuses.message[statusCode] || String(statusCode)
+  var body = statuses[statusCode] || String(statusCode)
 
-  this.status(statusCode);
+  this.statusCode = statusCode;
   this.type('txt');
 
   return this.send(body);
@@ -339,7 +364,7 @@ res.sendStatus = function sendStatus(statusCode) {
  *
  * Automatically sets the _Content-Type_ response header field.
  * The callback `callback(err)` is invoked when the transfer is complete
- * or when an error occurs. Be sure to check `res.headersSent`
+ * or when an error occurs. Be sure to check `res.sentHeader`
  * if you wish to attempt responding, as the header and some data
  * may have already been transferred.
  *
@@ -386,25 +411,18 @@ res.sendFile = function sendFile(path, options, callback) {
     throw new TypeError('path argument is required to res.sendFile');
   }
 
-  if (typeof path !== 'string') {
-    throw new TypeError('path must be a string to res.sendFile')
-  }
-
   // support function as second arg
   if (typeof options === 'function') {
     done = options;
     opts = {};
   }
 
-  if (!opts.root && !pathIsAbsolute(path)) {
+  if (!opts.root && !isAbsolute(path)) {
     throw new TypeError('path must be absolute or specify root to res.sendFile');
   }
 
   // create file stream
   var pathname = encodeURI(path);
-
-  // wire application etag option to send
-  opts.etag = this.app.enabled('etag');
   var file = send(req, pathname, opts);
 
   // transfer
@@ -419,13 +437,85 @@ res.sendFile = function sendFile(path, options, callback) {
   });
 };
 
+/**
+ * Transfer the file at the given `path`.
+ *
+ * Automatically sets the _Content-Type_ response header field.
+ * The callback `callback(err)` is invoked when the transfer is complete
+ * or when an error occurs. Be sure to check `res.sentHeader`
+ * if you wish to attempt responding, as the header and some data
+ * may have already been transferred.
+ *
+ * Options:
+ *
+ *   - `maxAge`   defaulting to 0 (can be string converted by `ms`)
+ *   - `root`     root directory for relative filenames
+ *   - `headers`  object of headers to serve with file
+ *   - `dotfiles` serve dotfiles, defaulting to false; can be `"allow"` to send them
+ *
+ * Other options are passed along to `send`.
+ *
+ * Examples:
+ *
+ *  The following example illustrates how `res.sendfile()` may
+ *  be used as an alternative for the `static()` middleware for
+ *  dynamic situations. The code backing `res.sendfile()` is actually
+ *  the same code, so HTTP cache support etc is identical.
+ *
+ *     app.get('/user/:uid/photos/:file', function(req, res){
+ *       var uid = req.params.uid
+ *         , file = req.params.file;
+ *
+ *       req.user.mayViewFilesFrom(uid, function(yes){
+ *         if (yes) {
+ *           res.sendfile('/uploads/' + uid + '/' + file);
+ *         } else {
+ *           res.send(403, 'Sorry! you cant see that.');
+ *         }
+ *       });
+ *     });
+ *
+ * @public
+ */
+
+res.sendfile = function (path, options, callback) {
+  var done = callback;
+  var req = this.req;
+  var res = this;
+  var next = req.next;
+  var opts = options || {};
+
+  // support function as second arg
+  if (typeof options === 'function') {
+    done = options;
+    opts = {};
+  }
+
+  // create file stream
+  var file = send(req, path, opts);
+
+  // transfer
+  sendfile(res, file, opts, function (err) {
+    if (done) return done(err);
+    if (err && err.code === 'EISDIR') return next();
+
+    // next() all but write errors
+    if (err && err.code !== 'ECONNABORT' && err.syscall !== 'write') {
+      next(err);
+    }
+  });
+};
+
+res.sendfile = deprecate.function(res.sendfile,
+  'res.sendfile: Use res.sendFile instead');
+
 /**
  * Transfer the file at the given `path` as an attachment.
  *
  * Optionally providing an alternate attachment `filename`,
  * and optional callback `callback(err)`. The callback is invoked
  * when the data transfer is complete, or when an error has
- * occurred. Be sure to check `res.headersSent` if you plan to respond.
+ * ocurred. Be sure to check `res.headersSent` if you plan to respond.
  *
  * Optionally providing an `options` object to use with `res.sendFile()`.
  * This function will set the `Content-Disposition` header, overriding
@@ -452,13 +542,6 @@ res.download = function download (path, filename, options, callback) {
     opts = null
   }
 
-  // support optional filename, where options may be in it's place
-  if (typeof filename === 'object' &&
-    (typeof options === 'function' || options === undefined)) {
-    name = null
-    opts = filename
-  }
-
   // set Content-Disposition when file is sent
   var headers = {
     'Content-Disposition': contentDisposition(name || path)
@@ -480,19 +563,15 @@ res.download = function download (path, filename, options, callback) {
   opts.headers = headers
 
   // Resolve the full path for sendFile
-  var fullPath = !opts.root
-    ? resolve(path)
-    : path
+  var fullPath = resolve(path);
 
   // send file
   return this.sendFile(fullPath, opts, done)
 };
 
 /**
- * Set _Content-Type_ response header with `type` through `mime.contentType()`
+ * Set _Content-Type_ response header with `type` through `mime.lookup()`
  * when it does not contain "/", or set the Content-Type to `type` otherwise.
- * When no mapping is found though `mime.contentType()`, the type is set to
- * "application/octet-stream".
  *
  * Examples:
  *
@@ -510,7 +589,7 @@ res.download = function download (path, filename, options, callback) {
 res.contentType =
 res.type = function contentType(type) {
   var ct = type.indexOf('/') === -1
-    ? (mime.contentType(type) || 'application/octet-stream')
+    ? mime.lookup(type)
     : type;
 
   return this.set('Content-Type', ct);
@@ -540,7 +619,7 @@ res.type = function contentType(type) {
  *        res.send('<p>hey</p>');
  *      },
  *
- *      'application/json': function () {
+ *      'appliation/json': function(){
  *        res.send({ message: 'hey' });
  *      }
  *    });
@@ -577,8 +656,9 @@ res.format = function(obj){
   var req = this.req;
   var next = req.next;
 
-  var keys = Object.keys(obj)
-    .filter(function (v) { return v !== 'default' })
+  var fn = obj.default;
+  if (fn) delete obj.default;
+  var keys = Object.keys(obj);
 
   var key = keys.length > 0
     ? req.accepts(keys)
@@ -589,12 +669,13 @@ res.format = function(obj){
   if (key) {
     this.set('Content-Type', normalizeType(key).value);
     obj[key](req, this, next);
-  } else if (obj.default) {
-    obj.default(req, this, next)
+  } else if (fn) {
+    fn();
   } else {
-    next(createError(406, {
-      types: normalizeTypes(keys).map(function (o) { return o.value })
-    }))
+    var err = new Error('Not Acceptable');
+    err.status = err.statusCode = 406;
+    err.types = normalizeTypes(keys).map(function(o){ return o.value });
+    next(err);
   }
 
   return this;
@@ -641,7 +722,7 @@ res.append = function append(field, val) {
     // concat the new and prev vals
     value = Array.isArray(prev) ? prev.concat(val)
       : Array.isArray(val) ? [prev].concat(val)
-        : [prev, val]
+      : [prev, val];
   }
 
   return this.set(field, value);
@@ -659,9 +740,6 @@ res.append = function append(field, val) {
  *
  * Aliased as `res.header()`.
  *
- * When the set header is "Content-Type", the type is expanded to include
- * the charset if not present using `mime.contentType()`.
- *
  * @param {String|Object} field
  * @param {String|Array} val
  * @return {ServerResponse} for chaining
@@ -680,7 +758,10 @@ res.header = function header(field, val) {
       if (Array.isArray(value)) {
         throw new TypeError('Content-Type cannot be set to an Array');
       }
-      value = mime.contentType(value)
+      if (!charsetRegExp.test(value)) {
+        var charset = mime.charsets.lookup(value.split(';')[0]);
+        if (charset) value += '; charset=' + charset.toLowerCase();
+      }
     }
 
     this.setHeader(field, value);
@@ -714,10 +795,7 @@ res.get = function(field){
  */
 
 res.clearCookie = function clearCookie(name, options) {
-  // Force cookie expiration by setting expires to the past
-  const opts = { path: '/', ...options, expires: new Date(1)};
-  // ensure maxAge is not passed
-  delete opts.maxAge
+  var opts = merge({ expires: new Date(1), path: '/' }, options);
 
   return this.cookie(name, '', opts);
 };
@@ -736,7 +814,7 @@ res.clearCookie = function clearCookie(name, options) {
  *    // "Remember Me" for 15 minutes
  *    res.cookie('rememberme', '1', { expires: new Date(Date.now() + 900000), httpOnly: true });
  *
- *    // same as above
+ *    // save as above
  *    res.cookie('rememberme', '1', { maxAge: 900000, httpOnly: true })
  *
  * @param {String} name
@@ -747,7 +825,7 @@ res.clearCookie = function clearCookie(name, options) {
  */
 
 res.cookie = function (name, value, options) {
-  var opts = { ...options };
+  var opts = merge({}, options);
   var secret = this.req.secret;
   var signed = opts.signed;
 
@@ -763,13 +841,9 @@ res.cookie = function (name, value, options) {
     val = 's:' + sign(val, secret);
   }
 
-  if (opts.maxAge != null) {
-    var maxAge = opts.maxAge - 0
-
-    if (!isNaN(maxAge)) {
-      opts.expires = new Date(Date.now() + maxAge)
-      opts.maxAge = Math.floor(maxAge / 1000)
-    }
+  if ('maxAge' in opts) {
+    opts.expires = new Date(Date.now() + opts.maxAge);
+    opts.maxAge /= 1000;
   }
 
   if (opts.path == null) {
@@ -799,13 +873,25 @@ res.cookie = function (name, value, options) {
  */
 
 res.location = function location(url) {
-  return this.set('Location', encodeUrl(url));
+  var loc = url;
+
+  // "back" is an alias for the referrer
+  if (url === 'back') {
+    loc = this.req.get('Referrer') || '/';
+  }
+
+  // set location
+  return this.set('Location', encodeUrl(loc));
 };
 
 /**
  * Redirect to the given `url` with optional response `status`
  * defaulting to 302.
  *
+ * The resulting `url` is determined by `res.location()`, so
+ * it will play nicely with mounted apps, relative paths,
+ * `"back"` etc.
+ *
  * Examples:
  *
  *    res.redirect('/foo/bar');
@@ -823,20 +909,13 @@ res.redirect = function redirect(url) {
 
   // allow status / url
   if (arguments.length === 2) {
-    status = arguments[0]
-    address = arguments[1]
-  }
-
-  if (!address) {
-    deprecate('Provide a url argument');
-  }
-
-  if (typeof address !== 'string') {
-    deprecate('Url must be a string');
-  }
-
-  if (typeof status !== 'number') {
-    deprecate('Status must be a number');
+    if (typeof arguments[0] === 'number') {
+      status = arguments[0];
+      address = arguments[1];
+    } else {
+      deprecate('res.redirect(url, status): Use res.redirect(status, url) instead');
+      status = arguments[1];
+    }
   }
 
   // Set location header
@@ -845,12 +924,12 @@ res.redirect = function redirect(url) {
   // Support text/{plain,html} by default
   this.format({
     text: function(){
-      body = statuses.message[status] + '. Redirecting to ' + address
+      body = statuses[status] + '. Redirecting to ' + address
     },
 
     html: function(){
       var u = escapeHtml(address);
-      body = '<p>' + statuses.message[status] + '. Redirecting to ' + u + '</p>'
+      body = '<p>' + statuses[status] + '. Redirecting to <a href="' + u + '">' + u + '</a></p>'
     },
 
     default: function(){
@@ -859,7 +938,7 @@ res.redirect = function redirect(url) {
   });
 
   // Respond
-  this.status(status);
+  this.statusCode = status;
   this.set('Content-Length', Buffer.byteLength(body));
 
   if (this.req.method === 'HEAD') {
@@ -879,6 +958,12 @@ res.redirect = function redirect(url) {
  */
 
 res.vary = function(field){
+  // checks for back-compat
+  if (!field || (Array.isArray(field) && !field.length)) {
+    deprecate('res.vary(): Provide a field name');
+    return this;
+  }
+
   vary(this, field);
 
   return this;
@@ -1019,7 +1104,7 @@ function sendfile(res, file, options, callback) {
  * ability to escape characters that can trigger HTML sniffing.
  *
  * @param {*} value
- * @param {function} replacer
+ * @param {function} replaces
  * @param {number} spaces
  * @param {boolean} escape
  * @returns {string}
@@ -1033,7 +1118,7 @@ function stringify (value, replacer, spaces, escape) {
     ? JSON.stringify(value, replacer, spaces)
     : JSON.stringify(value);
 
-  if (escape && typeof json === 'string') {
+  if (escape) {
     json = json.replace(/[<>&]/g, function (c) {
       switch (c.charCodeAt(0)) {
         case 0x3c:
@@ -1042,7 +1127,6 @@ function stringify (value, replacer, spaces, escape) {
           return '\\u003e'
         case 0x26:
           return '\\u0026'
-        /* istanbul ignore next: unreachable default */
         default:
           return c
       }