Upgrade Express 4→5, fix wildcard routes, regenerate lock file

[Copilot]

Dependabot was flagging 30+ vulnerable transitive dependencies locked in the Express 4.x dependency tree. Upgrading to Express 5 and regenerating the lock file eliminates all known vulnerabilities (0 found after update).

Changes

• t/backend/package.json — bumps express from ^4.22.1 to ^5.0.0
• t/backend/index.js — fixes wildcard routes broken by Express 5's adoption of path-to-regexp v8, which requires named wildcards:

  // Before (throws "Missing parameter name" in Express 5)
  app.get('/*', handler)
  
  // After
  app.get('/{*path}', handler)

• t/backend/package-lock.json — fully regenerated via npm install; reflects Express 5.x transitive tree with no known vulnerabilities

Original prompt

Goal

Update all npm packages in t/backend/package.json to their latest stable versions and regenerate t/backend/package-lock.json to resolve all Dependabot alerts caused by outdated transitive dependencies.

Background

• t/backend/package.json currently only declares express: ^4.22.1 as a direct dependency.
• t/backend/package-lock.json contains the full resolved dependency tree (~30+ transitive packages from Express 4.x), many of which have known vulnerabilities flagged by Dependabot.
• There is an existing open PR ([WIP] Update express dependency to version ^5.2.1 #9) on branch copilot/update-express-dependency that only updates express to ^5.2.1 but does not yet update package-lock.json.

Required changes

Please work on the existing branch copilot/update-express-dependency and:

1. Update t/backend/package.json: Update express to the latest stable version (^5.2.1 or newer if available). Check if there are any other direct dependencies to add/update.

2. Regenerate t/backend/package-lock.json: Run npm install inside t/backend/ to produce a fresh lock file reflecting the updated dependencies and all their resolved transitive packages.

3. Check t/backend/index.js for any Express 4→5 breaking changes that need to be addressed:

   • Express 5 changed path-to-regexp behavior (no wildcard * in route paths without explicit param name)
   • res.json() / res.jsonp() no longer support non-object status codes
   • req.query parsing changes
   • Error handling in async routes
   • Update any affected code accordingly.

4. Ensure Node.js version requirement (≥18) is reflected if there is an .nvmrc, Dockerfile, or CI config in the t/ directory.

Notes

• Express 5.x requires Node.js 18 or higher.
• The goal is to eliminate as many Dependabot alerts as possible by having an up-to-date lock file with patched transitive dependencies.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: I want to update all node packages. not just express

Assistant: Looking at t/backend/package.json, express is actually the only dependency — there are no other packages to update:

{
  "dependencies": {
    "express": "^4.22.1"
  }
}

So the existing PR #9 already covers updating the only package in the file.

Would you like me to:

1. Check index.js to see if any additional packages are imported but not listed in package.json (and add them)?
2. Add devDependencies (e.g. a test runner like jest or mocha) while updating?
3. Something else entirely?

User: so why is dependabot listing so many?

Assistant: That's the answer! There's a package-lock.json in t/backend/ — and that's what Dependabot is scanning.

package.json only lists express as a direct dependency, but package-lock.json contains the full resolved dependency tree — all the transitive/indirect dependencies that express itself pulls in (things like body-parser, accepts, mime-types, qs, path-to-regexp, etc.). Express 4.x alone brings in ~30+ transitive packages.

Dependabot flags vulnerabilities in all packages in the lock file, not just the ones in package.json. So you're seeing alerts for those nested dependencies.

The fix: Updating express to v5.x (as PR #9 is doing) + regenerating package-lock.json will resolve most of them, since Express 5 has updated/dropped many of the vulnerable sub-dependencies. Would you like me to update the existing PR to also update the package-lock.json?

User: yes

Assistant: We're waiting for your response to the confirmation dialog to proceed with updating the PR to include all package updates and a regenerated package-lock.json.

This pull request was created from Copilot chat.