diff --git a/History.md b/History.md
index 887a38f182d..178e718fc36 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,12 @@
+4.21.0 / 2024-09-11
+==========
+
+ * Deprecate `res.location("back")` and `res.redirect("back")` magic string
+ * deps: serve-static@1.16.2
+ * includes send@0.19.0
+ * deps: finalhandler@1.3.1
+ * deps: qs@6.13.0
+
 4.20.0 / 2024-09-10
 ==========
 * deps: serve-static@0.16.0
diff --git a/lib/response.js b/lib/response.js
index 76b6b54a3b8..2b654f4c662 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -916,6 +916,7 @@ res.location = function location(url) {
 // "back" is an alias for the referrer
 if (url === 'back') {
+ deprecate('res.location("back"): use res.location(req.get("Referrer") || "/") and refer to https://dub.sh/security-redirect for best practices');
 loc = this.req.get('Referrer') || '/';
 } else {
 loc = String(url);
diff --git a/package.json b/package.json
index bffa70a6f1c..f9b43a69e5a 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "express",
 "description": "Fast, unopinionated, minimalist web framework",
- "version": "4.20.0",
+ "version": "4.21.0",
 "author": "TJ Holowaychuk ",
 "contributors": [
 "Aaron Heckmann ",
@@ -40,7 +40,7 @@
 "encodeurl": "~2.0.0",
 "escape-html": "~1.0.3",
 "etag": "~1.8.1",
- "finalhandler": "1.2.0",
+ "finalhandler": "1.3.1",
 "fresh": "0.5.2",
 "http-errors": "2.0.0",
 "merge-descriptors": "1.0.3",
@@ -49,11 +49,11 @@
 "parseurl": "~1.3.3",
 "path-to-regexp": "0.1.10",
 "proxy-addr": "~2.0.7",
- "qs": "6.11.0",
+ "qs": "6.13.0",
 "range-parser": "~1.2.1",
 "safe-buffer": "5.2.1",
 "send": "0.19.0",
- "serve-static": "1.16.0",
+ "serve-static": "1.16.2",
 "setprototypeof": "1.2.0",
 "statuses": "2.0.1",
 "type-is": "~1.6.18",
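Review bot: In the lib/response.js hunk, the replacement recommended by the new deprecation string, `res.location(req.get("Referrer") || "/")`, is the same unvalidated use of a client-supplied header that the `'back'` branch performs on the following line, so an application that follows the message literally keeps whatever open-redirect exposure it already had. The message would serve migrating callers better if it said the Referrer value must be checked (same origin, or an allowlist of hosts) before it is passed in, for example `deprecate('res.location("back"): read req.get("Referrer") yourself, validate it before redirecting, and fall back to "/"');`. The guidance link goes through a URL shortener (`https://dub.sh/security-redirect`), whose target can be repointed independently of this repository; the canonical documentation URL would be more durable in a string that ships in a release. History.md also lists `res.redirect("back")` as deprecated, but no change to `res.redirect` is visible here, so presumably it reaches this branch through `res.location` and the warning will name `res.location` instead; that is worth confirming. The body of `res.location` starts and ends outside this hunk.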