express
Fast, unopinionated, minimalist web framework
12
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
wesleytoddjonchurchctcpipulisesgasconsheplu
Keywords
expressframeworksinatrawebhttprestrestfulrouterappapi
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer additions (jonchurch, ctcpip) are consistent with legitimate governance transition for established framework. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of prior maintainers combined with new additions indicates normal handoff, not takeover; repo URL unchanged. | ai | |
| phantom-deps | phantom-dep:depd | AI (phantom-deps): depd is declared in package.json and used transitively in Express error handling; phantom-dep finding is a false positive for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): once, router, mime-types are established packages; dep changes are expected for the Express 4→5 major version transition. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change (ulisesgascon → wesleytodd) on 2025-03-31 aligns with documented maintainer transition; wesleytodd has established npm history. | ai | |
| provenance | no-provenance | AI (provenance): Express is a canonical, heavily-audited package; absence of Sigstore provenance is not a meaningful risk signal here. | ai | |
| dependencies | unvetted-dep:methods | AI (dependencies): methods is a standard HTTP methods utility; core to Express routing. | ai | |
| dependencies | unvetted-dep:utils-merge | AI (dependencies): utils-merge is a simple utility for merging objects; stable dependency for Express. | ai | |
| dependencies | unvetted-dep:serve-static | AI (dependencies): serve-static is Express's canonical static file middleware; core to the framework. | ai | |
| dependencies | unvetted-dep:qs | AI (dependencies): qs is a well-established query string parser; standard dependency for Express. | ai | |
| dependencies | unvetted-dep:send | AI (dependencies): send is the canonical static file serving module used by Express, maintained by the expressjs org. | ai | |
| dependencies | unvetted-dep:router | AI (dependencies): router is the Express routing module, maintained by the expressjs org. | ai | |
| dependencies | unvetted-dep:http-errors | AI (dependencies): http-errors is the canonical HTTP error utility; standard for Express error handling. | ai | |
| dependencies | unvetted-dep:finalhandler | AI (dependencies): finalhandler is Express's canonical final response handler; core to the framework. | ai | |
| dependencies | unvetted-dep:depd | AI (dependencies): depd is a standard deprecation utility; appropriate for Express's deprecation warnings. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in view.js loads template engines by name—legitimate Express pattern, not arbitrary code execution. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 5.2.1 | 28 / 16 | |
| 5.2.0 | 28 / 16 | |
| 5.1.0 | 27 / 16 | |
| 5.0.1 | 32 / 16 | |
| 5.0.0 | 32 / 16 | |
| 4.22.2 | 31 / 16 | |
| 4.22.1 | 31 / 16 | |
| 4.22.0 | 31 / 16 | |
| 4.21.2 | 31 / 16 | |
| 4.21.1 | 31 / 16 | |
| 4.21.0 | 31 / 16 | |
| 4.20.0 | 31 / 16 |
v4.22.2
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.