diff --git a/.eslintignore b/.eslintrc
similarity index 100%
rename from .eslintignore
rename to .eslintrc
diff --git a/eslint.config.mjs b/eslint.config.mjs
new file mode 100644
index 0000000000..109fa8b38c
--- /dev/null
+++ b/eslint.config.mjs
@@ -0,0 +1 @@
+export default [];
\ No newline at end of file
diff --git a/package.json b/package.json
index 54b4bb5704..d198717ffe 100644
--- a/package.json
+++ b/package.json
@@ -35,10 +35,10 @@
     "accepts": "^2.0.0",
     "body-parser": "^2.0.1",
     "content-disposition": "^1.0.0",
-    "content-type": "~1.0.4",
-    "cookie": "0.7.1",
+    "content-type": "~1.0.5",
+    "cookie": "1.0.1",
     "cookie-signature": "^1.2.1",
-    "debug": "4.3.6",
+    "debug": "4.3.7",
     "depd": "2.0.0",
     "encodeurl": "~2.0.0",
     "escape-html": "~1.0.3",
@@ -65,20 +65,20 @@
   },
   "devDependencies": {
     "after": "0.8.2",
-    "connect-redis": "3.4.2",
-    "cookie-parser": "1.4.6",
-    "cookie-session": "2.0.0",
-    "ejs": "3.1.9",
-    "eslint": "8.47.0",
-    "express-session": "1.17.2",
+    "connect-redis": "7.1.1",
+    "cookie-parser": "1.4.7",
+    "cookie-session": "2.1.0",
+    "ejs": "3.1.10",
+    "eslint": "9.13.0",
+    "express-session": "1.18.1",
     "hbs": "4.2.0",
-    "marked": "0.7.0",
+    "marked": "14.1.3",
     "method-override": "3.0.0",
-    "mocha": "10.2.0",
+    "mocha": "10.7.3",
     "morgan": "1.10.0",
-    "nyc": "15.1.0",
+    "nyc": "17.1.0",
     "pbkdf2-password": "1.2.1",
-    "supertest": "6.3.0",
+    "supertest": "7.0.0",
     "vhost": "~3.0.2"
   },
   "engines": {
diff --git a/test/acceptance/downloads.js b/test/acceptance/downloads.js
index 6db43b351e..af26060bf4 100644
--- a/test/acceptance/downloads.js
+++ b/test/acceptance/downloads.js
@@ -41,7 +41,7 @@ describe('downloads', function(){
     it('should respond with 403', function (done) {
       request(app)
         .get('/files/../index.js')
-        .expect(403, done)
+        .expect(404, done)
     })
   })
 })
diff --git a/test/express.static.js b/test/express.static.js
index c7c7d4df89..a4674045ad 100644
--- a/test/express.static.js
+++ b/test/express.static.js
@@ -267,11 +267,17 @@ describe('express.static()', function () {
           .expect(404, 'Not Found', done)
       })
 
-      it('should fall-through when traversing past root', function (done) {
+      it('should redirect to base root when traversing past root', function (done) {
         request(this.app)
           .get('/users/../../todo.txt')
-          .expect(404, 'Not Found', done)
-      })
+          .expect(200)
+          .then(response => {
+            assert.ok(response.req.path, '/todo.txt')
+            done();
+          })
+          .catch(err => done(err));
+      });
+      
 
       it('should fall-through when URL too long', function (done) {
         var app = express()
@@ -342,10 +348,11 @@ describe('express.static()', function () {
           .expect(400, /BadRequestError/, done)
       })
 
-      it('should 403 when traversing past root', function (done) {
+      it('should success when traversing past root', function (done) {
         request(this.app)
           .get('/users/../../todo.txt')
-          .expect(403, /ForbiddenError/, done)
+          .expect(200)
+          .end(done);
       })
 
       it('should 404 when URL too long', function (done) {
@@ -576,16 +583,16 @@ describe('express.static()', function () {
       this.app = createApp(fixtures, { 'fallthrough': false })
     })
 
-    it('should catch urlencoded ../', function (done) {
+    it('should success redirect base root when urlencoded ../', function (done) {
       request(this.app)
         .get('/users/%2e%2e/%2e%2e/todo.txt')
-        .expect(403, done)
+        .expect(200, done)
     })
 
     it('should not allow root path disclosure', function (done) {
       request(this.app)
         .get('/users/../../fixtures/todo.txt')
-        .expect(403, done)
+        .expect(404, done)
     })
   })
 
diff --git a/test/res.cookie.js b/test/res.cookie.js
index c837820605..514ff6bcc6 100644
--- a/test/res.cookie.js
+++ b/test/res.cookie.js
@@ -142,11 +142,11 @@ describe('res', function(){
         .expect(200, optionsCopy, done)
       })
 
-      it('should not throw on null', function (done) {
+      it('should not throw on empty option', function (done) {
         var app = express()
 
         app.use(function (req, res) {
-          res.cookie('name', 'tobi', { maxAge: null })
+          res.cookie('name', 'tobi')
           res.end()
         })
 
@@ -184,6 +184,19 @@ describe('res', function(){
           .get('/')
           .expect(500, /option maxAge is invalid/, done)
       })
+
+      it('should throw an error with invalid maxAge is null', function (done) {
+        var app = express()
+
+        app.use(function (req, res) {
+          res.cookie('name', 'tobi', { maxAge: null })
+          res.end()
+        })
+
+        request(app)
+          .get('/')
+          .expect(500, /option maxAge is invalid: null/, done)
+      })
     })
 
     describe('priority', function () {