Skip to content

fix(deps): update dependency body-parser to ~1.20.3 [security]#28

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-body-parser-vulnerability
Open

fix(deps): update dependency body-parser to ~1.20.3 [security]#28
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-body-parser-vulnerability

Conversation

@renovate
Copy link

@renovate renovate bot commented Sep 22, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
body-parser ~1.13.2~1.20.3 age confidence

GitHub Vulnerability Alerts

CVE-2024-45590

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

Release Notes

expressjs/body-parser (body-parser)

v1.20.3

Compare Source

===================

  • deps: qs@​6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

v1.20.2

Compare Source

===================

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@​2.5.2

v1.20.1

Compare Source

===================

  • deps: qs@​6.11.0
  • perf: remove unnecessary object clone

v1.20.0

Compare Source

===================

  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@​2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@​2.0.0
    • deps: depd@​2.0.0
    • deps: statuses@​2.0.1
  • deps: on-finished@​2.4.1
  • deps: qs@​6.10.3
  • deps: raw-body@​2.5.1
    • deps: http-errors@​2.0.0

v1.19.2

Compare Source

===================

  • deps: bytes@​3.1.2
  • deps: qs@​6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@​2.4.3
    • deps: bytes@​3.1.2

v1.19.1

Compare Source

===================

  • deps: bytes@​3.1.1
  • deps: http-errors@​1.8.1
    • deps: inherits@​2.0.4
    • deps: toidentifier@​1.0.1
    • deps: setprototypeof@​1.2.0
  • deps: qs@​6.9.6
  • deps: raw-body@​2.4.2
    • deps: bytes@​3.1.1
    • deps: http-errors@​1.8.1
  • deps: safe-buffer@​5.2.1
  • deps: type-is@~1.6.18

v1.19.0

Compare Source

===================

  • deps: bytes@​3.1.0
    • Add petabyte (pb) support
  • deps: http-errors@​1.7.2
    • Set constructor name when possible
    • deps: setprototypeof@​1.1.1
    • deps: statuses@'>= 1.5.0 < 2'
  • deps: iconv-lite@​0.4.24
    • Added encoding MIK
  • deps: qs@​6.7.0
    • Fix parsing array brackets after index
  • deps: raw-body@​2.4.0
    • deps: bytes@​3.1.0
    • deps: http-errors@​1.7.2
    • deps: iconv-lite@​0.4.24
  • deps: type-is@~1.6.17
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type

v1.18.3

Compare Source

===================

  • Fix stack trace for strict json parse error
  • deps: depd@~1.1.2
    • perf: remove argument reassignment
  • deps: http-errors@~1.6.3
    • deps: depd@~1.1.2
    • deps: setprototypeof@​1.1.0
    • deps: statuses@'>= 1.3.1 < 2'
  • deps: iconv-lite@​0.4.23
    • Fix loading encoding with year appended
    • Fix deprecation warnings on Node.js 10+
  • deps: qs@​6.5.2
  • deps: raw-body@​2.3.3
    • deps: http-errors@​1.6.3
    • deps: iconv-lite@​0.4.23
  • deps: type-is@~1.6.16
    • deps: mime-types@~2.1.18

v1.18.2

Compare Source

===================

  • deps: debug@​2.6.9
  • perf: remove argument reassignment

v1.18.1

Compare Source

===================

  • deps: content-type@~1.0.4
    • perf: remove argument reassignment
    • perf: skip parameter parsing when no parameters
  • deps: iconv-lite@​0.4.19
    • Fix ISO-8859-1 regression
    • Update Windows-1255
  • deps: qs@​6.5.1
    • Fix parsing & compacting very deep objects
  • deps: raw-body@​2.3.2
    • deps: iconv-lite@​0.4.19

v1.18.0

Compare Source

===================

  • Fix JSON strict violation error to match native parse error
  • Include the body property on verify errors
  • Include the type property on all generated errors
  • Use http-errors to set status code on errors
  • deps: bytes@​3.0.0
  • deps: debug@​2.6.8
  • deps: depd@~1.1.1
    • Remove unnecessary Buffer loading
  • deps: http-errors@~1.6.2
    • deps: depd@​1.1.1
  • deps: iconv-lite@​0.4.18
    • Add support for React Native
    • Add a warning if not loaded as utf-8
    • Fix CESU-8 decoding in Node.js 8
    • Improve speed of ISO-8859-1 encoding
  • deps: qs@​6.5.0
  • deps: raw-body@​2.3.1
    • Use http-errors for standard emitted errors
    • deps: bytes@​3.0.0
    • deps: iconv-lite@​0.4.18
    • perf: skip buffer decoding on overage chunk
  • perf: prevent internal throw when missing charset

v1.17.2

Compare Source

===================

  • deps: debug@​2.6.7
    • Fix DEBUG_MAX_ARRAY_LENGTH
    • deps: ms@​2.0.0
  • deps: type-is@~1.6.15
    • deps: mime-types@~2.1.15

v1.17.1

Compare Source

===================

  • deps: qs@​6.4.0
    • Fix regression parsing keys starting with [

v1.17.0

Compare Source

===================

  • deps: http-errors@~1.6.1
    • Make message property enumerable for HttpErrors
    • deps: setprototypeof@​1.0.3
  • deps: qs@​6.3.1
    • Fix compacting nested arrays

v1.16.1

Compare Source

===================

  • deps: debug@​2.6.1
    • Fix deprecation messages in WebStorm and other editors
    • Undeprecate DEBUG_FD set to 1 or 2

v1.16.0

Compare Source

===================

  • deps: debug@​2.6.0
    • Allow colors in workers
    • Deprecated DEBUG_FD environment variable
    • Fix error when running under React Native
    • Use same color for same namespace
    • deps: ms@​0.7.2
  • deps: http-errors@~1.5.1
    • deps: inherits@​2.0.3
    • deps: setprototypeof@​1.0.2
    • deps: statuses@'>= 1.3.1 < 2'
  • deps: iconv-lite@​0.4.15
    • Added encoding MS-31J
    • Added encoding MS-932
    • Added encoding MS-936
    • Added encoding MS-949
    • Added encoding MS-950
    • Fix GBK/GB18030 handling of Euro character
  • deps: qs@​6.2.1
    • Fix array parsing from skipping empty values
  • deps: raw-body@~2.2.0
    • deps: iconv-lite@​0.4.15
  • deps: type-is@~1.6.14
    • deps: mime-types@~2.1.13

v1.15.2

Compare Source

===================

  • deps: bytes@​2.4.0
  • deps: content-type@~1.0.2
    • perf: enable strict mode
  • deps: http-errors@~1.5.0
    • Use setprototypeof module to replace __proto__ setting
    • deps: statuses@'>= 1.3.0 < 2'
    • perf: enable strict mode
  • deps: qs@​6.2.0
  • deps: raw-body@~2.1.7
    • deps: bytes@​2.4.0
    • perf: remove double-cleanup on happy path
  • deps: type-is@~1.6.13
    • deps: mime-types@~2.1.11

v1.15.1

Compare Source

===================

  • deps: bytes@​2.3.0
    • Drop partial bytes on all parsed units
    • Fix parsing byte string that looks like hex
  • deps: raw-body@~2.1.6
    • deps: bytes@​2.3.0
  • deps: type-is@~1.6.12
    • deps: mime-types@~2.1.10

v1.15.0

Compare Source

===================

  • deps: http-errors@~1.4.0
    • Add HttpError export, for err instanceof createError.HttpError
    • deps: inherits@​2.0.1
    • deps: statuses@'>= 1.2.1 < 2'
  • deps: qs@​6.1.0
  • deps: type-is@~1.6.11
    • deps: mime-types@~2.1.9

v1.14.2

Compare Source

===================

  • deps: bytes@​2.2.0
  • deps: iconv-lite@​0.4.13
  • deps: qs@​5.2.0
  • deps: raw-body@~2.1.5
    • deps: bytes@​2.2.0
    • deps: iconv-lite@​0.4.13
  • deps: type-is@~1.6.10
    • deps: mime-types@~2.1.8

v1.14.1

Compare Source

===================

  • Fix issue where invalid charset results in 400 when verify used
  • deps: iconv-lite@​0.4.12
    • Fix CESU-8 decoding in Node.js 4.x
  • deps: raw-body@~2.1.4
    • Fix masking critical errors from iconv-lite
    • deps: iconv-lite@​0.4.12
  • deps: type-is@~1.6.9
    • deps: mime-types@~2.1.7

v1.14.0

Compare Source

===================

  • Fix JSON strict parse error to match syntax errors
  • Provide static require analysis in urlencoded parser
  • deps: depd@~1.1.0
    • Support web browser loading
  • deps: qs@​5.1.0
  • deps: raw-body@~2.1.3
    • Fix sync callback when attaching data listener causes sync read
  • deps: type-is@~1.6.8
    • Fix type error when given invalid type to match against
    • deps: mime-types@~2.1.6

v1.13.3

Compare Source

===================

  • deps: type-is@~1.6.6
    • deps: mime-types@~2.1.4

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

sourcery-ai[bot]
sourcery-ai bot reviewed Sep 22, 2024
View reviewed changes
Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have skipped reviewing this pull request. Here's why:

  • It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!
  • We don't review packaging changes - Let us know if you'd like us to change this.

@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 086787f to f9b7c50 Compare October 10, 2024 05:27
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Oct 10, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from f9b7c50 to 7d17b9a Compare October 13, 2024 10:52
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Oct 13, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 7d17b9a to d48e5da Compare October 30, 2024 08:44
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Oct 30, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from d48e5da to e23778c Compare October 31, 2024 20:52
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Oct 31, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from e23778c to 7c6f8a7 Compare December 4, 2024 05:20
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Dec 4, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 7c6f8a7 to e75f0f8 Compare December 6, 2024 08:46
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Dec 6, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from e75f0f8 to 698efa6 Compare December 21, 2024 15:00
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Dec 21, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 698efa6 to 0fcdca4 Compare December 22, 2024 02:26
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Dec 22, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 0fcdca4 to 417721c Compare December 24, 2024 14:55
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Dec 24, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 417721c to 3a67e84 Compare December 25, 2024 14:27
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Dec 25, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 3a67e84 to d7ce466 Compare January 16, 2025 03:30
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Jan 16, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from d7ce466 to 2a505b0 Compare January 17, 2025 16:07
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Jan 17, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 2a505b0 to e0af1f8 Compare January 25, 2025 03:57
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Jan 25, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from e0af1f8 to 2f46d5d Compare January 26, 2025 06:12
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Jan 26, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 2f46d5d to aa5e2cd Compare January 31, 2025 15:35
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Nov 20, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from bbef5d1 to e355d5c Compare December 4, 2025 11:46
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Dec 4, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from e355d5c to 2736f8a Compare December 6, 2025 00:05
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Dec 6, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 2736f8a to ce6b1d9 Compare December 30, 2025 10:56
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Dec 30, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from ce6b1d9 to bfe7c20 Compare January 2, 2026 07:37
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Jan 2, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from bfe7c20 to 604e8d5 Compare January 9, 2026 03:41
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Jan 9, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 604e8d5 to 6d80bfd Compare January 10, 2026 03:56
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Jan 10, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 6d80bfd to 204f46f Compare January 20, 2026 06:49
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Jan 20, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 204f46f to 008793f Compare January 21, 2026 15:57
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Jan 21, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 008793f to d8e4a78 Compare February 3, 2026 03:50
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Feb 3, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from d8e4a78 to 32d4905 Compare February 4, 2026 07:56
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Feb 4, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 32d4905 to f0d8d3a Compare February 13, 2026 08:06
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Feb 13, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from f0d8d3a to 720a9e9 Compare February 14, 2026 11:32
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Feb 14, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 720a9e9 to 7bb739b Compare February 18, 2026 03:54
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Feb 18, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 7bb739b to 77229bc Compare February 19, 2026 19:54
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Feb 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants