
@renovate renovate bot commented Sep 22, 2024

This PR contains the following updates:

Package: body-parser
Change: ~1.13.2 → ~1.20.3

GitHub Vulnerability Alerts

CVE-2024-45590

Impact

body-parser <1.20.3 is vulnerable to denial of service when URL encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

This issue is patched in 1.20.3.

References


Release Notes

expressjs/body-parser (body-parser)

v1.20.3

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
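The 1.20.3 fix bounds how deeply bracketed keys may nest before the parser builds an object. The guard below is an added example, not body-parser's or qs's own code: it measures that nesting on the raw body with Node built-ins only and rejects bodies past a configurable limit (32, matching the new default). The bracket-group counting approximates how qs splits keys, the 400 status is an assumption, and the function names are invented here.

```javascript
'use strict';

// Added example, not body-parser's own code: a guard that measures the
// bracket nesting of an application/x-www-form-urlencoded body and rejects
// bodies deeper than a limit, the bound the `depth` option (default 32 since
// body-parser 1.20.3) places on the extended urlencoded parser.

// One bracket group such as "[b]" or "[]"; text with nested brackets inside
// does not count as a group (an approximation of how qs splits keys).
const BRACKET_GROUP = /\[[^[\]]*\]/g;

// Nesting depth of one key: "a" -> 0, "a[b]" -> 1, "a[b][c]" -> 2.
// The key is percent-decoded first so "a%5Bb%5D" counts like "a[b]".
function keyDepth(rawKey) {
  let key;
  try {
    key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
  } catch (_) {
    key = rawKey; // malformed escape sequence: count the brackets as sent
  }
  const firstOpen = key.indexOf('[');
  if (firstOpen < 0) return 0;
  const groups = key.slice(firstOpen).match(BRACKET_GROUP);
  return groups ? groups.length : 0;
}

// Scan the raw body without building any object, so the decision is made
// before a parser allocates a tree that is thousands of levels deep.
function maxBodyDepth(body, limit) {
  let max = 0;
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const d = keyDepth(eq === -1 ? pair : pair.slice(0, eq));
    if (d > max) max = d;
    if (max > limit) break; // already over the limit, no need to scan further
  }
  return max;
}

// Returns { ok: true, depth } or { ok: false, status: 400, depth, reason };
// the 400 status for a depth violation is an assumption of this example.
function checkUrlencodedBody(body, opts) {
  const limit = opts && typeof opts.depth === 'number' ? opts.depth : 32;
  const depth = maxBodyDepth(body, limit);
  if (depth > limit) {
    return { ok: false, status: 400, depth, reason: 'input exceeded depth ' + limit };
  }
  return { ok: true, depth };
}

// Constructed inputs: an ordinary form post and a key nested 40 levels deep.
const NORMAL = 'user[name]=alice&user[roles][]=admin&csrf=abc';
const DEEP = 'a' + '[x]'.repeat(40) + '=1';
```

Run the check on the raw body before handing it to the urlencoded parser; with `depth` raised to 40 the constructed deep body passes, with the default of 32 it is rejected.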

v1.20.2

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2

v1.20.1

  • deps: qs@6.11.0
  • perf: remove unnecessary object clone

v1.20.0

  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
    • deps: http-errors@2.0.0

v1.19.2

  • deps: bytes@3.1.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@2.4.3
    • deps: bytes@3.1.2

v1.19.1

  • deps: bytes@3.1.1
  • deps: http-errors@1.8.1
    • deps: inherits@2.0.4
    • deps: toidentifier@1.0.1
    • deps: setprototypeof@1.2.0
  • deps: qs@6.9.6
  • deps: raw-body@2.4.2
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
  • deps: safe-buffer@5.2.1
  • deps: type-is@~1.6.18

v1.19.0

  • deps: bytes@3.1.0
    • Add petabyte (pb) support
  • deps: http-errors@1.7.2
    • Set constructor name when possible
    • deps: setprototypeof@1.1.1
    • deps: statuses@'>= 1.5.0 < 2'
  • deps: iconv-lite@0.4.24
    • Added encoding MIK
  • deps: qs@6.7.0
    • Fix parsing array brackets after index
  • deps: raw-body@2.4.0
    • deps: bytes@3.1.0
    • deps: http-errors@1.7.2
    • deps: iconv-lite@0.4.24
  • deps: type-is@~1.6.17
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type

v1.18.3

  • Fix stack trace for strict json parse error
  • deps: depd@~1.1.2
    • perf: remove argument reassignment
  • deps: http-errors@~1.6.3
    • deps: depd@~1.1.2
    • deps: setprototypeof@1.1.0
    • deps: statuses@'>= 1.3.1 < 2'
  • deps: iconv-lite@0.4.23
    • Fix loading encoding with year appended
    • Fix deprecation warnings on Node.js 10+
  • deps: qs@6.5.2
  • deps: raw-body@2.3.3
    • deps: http-errors@1.6.3
    • deps: iconv-lite@0.4.23
  • deps: type-is@~1.6.16
    • deps: mime-types@~2.1.18

v1.18.2

  • deps: debug@2.6.9
  • perf: remove argument reassignment

v1.18.1

  • deps: content-type@~1.0.4
    • perf: remove argument reassignment
    • perf: skip parameter parsing when no parameters
  • deps: iconv-lite@0.4.19
    • Fix ISO-8859-1 regression
    • Update Windows-1255
  • deps: qs@6.5.1
    • Fix parsing & compacting very deep objects
  • deps: raw-body@2.3.2
    • deps: iconv-lite@0.4.19

v1.18.0

  • Fix JSON strict violation error to match native parse error
  • Include the body property on verify errors
  • Include the type property on all generated errors
  • Use http-errors to set status code on errors
  • deps: bytes@3.0.0
  • deps: debug@2.6.8
  • deps: depd@~1.1.1
    • Remove unnecessary Buffer loading
  • deps: http-errors@~1.6.2
    • deps: depd@1.1.1
  • deps: iconv-lite@0.4.18
    • Add support for React Native
    • Add a warning if not loaded as utf-8
    • Fix CESU-8 decoding in Node.js 8
    • Improve speed of ISO-8859-1 encoding
  • deps: qs@6.5.0
  • deps: raw-body@2.3.1
    • Use http-errors for standard emitted errors
    • deps: bytes@3.0.0
    • deps: iconv-lite@0.4.18
    • perf: skip buffer decoding on overage chunk
  • perf: prevent internal throw when missing charset

v1.17.2

  • deps: debug@2.6.7
    • Fix DEBUG_MAX_ARRAY_LENGTH
    • deps: ms@2.0.0
  • deps: type-is@~1.6.15
    • deps: mime-types@~2.1.15

v1.17.1

  • deps: qs@6.4.0
    • Fix regression parsing keys starting with [

v1.17.0

  • deps: http-errors@~1.6.1
    • Make message property enumerable for HttpErrors
    • deps: setprototypeof@1.0.3
  • deps: qs@6.3.1
    • Fix compacting nested arrays

v1.16.1

  • deps: debug@2.6.1
    • Fix deprecation messages in WebStorm and other editors
    • Undeprecate DEBUG_FD set to 1 or 2

v1.16.0

  • deps: debug@2.6.0
    • Allow colors in workers
    • Deprecated DEBUG_FD environment variable
    • Fix error when running under React Native
    • Use same color for same namespace
    • deps: ms@0.7.2
  • deps: http-errors@~1.5.1
    • deps: inherits@2.0.3
    • deps: setprototypeof@1.0.2
    • deps: statuses@'>= 1.3.1 < 2'
  • deps: iconv-lite@0.4.15
    • Added encoding MS-31J
    • Added encoding MS-932
    • Added encoding MS-936
    • Added encoding MS-949
    • Added encoding MS-950
    • Fix GBK/GB18030 handling of Euro character
  • deps: qs@6.2.1
    • Fix array parsing from skipping empty values
  • deps: raw-body@~2.2.0
    • deps: iconv-lite@0.4.15
  • deps: type-is@~1.6.14
    • deps: mime-types@~2.1.13

v1.15.2

  • deps: bytes@2.4.0
  • deps: content-type@~1.0.2
    • perf: enable strict mode
  • deps: http-errors@~1.5.0
    • Use setprototypeof module to replace __proto__ setting
    • deps: statuses@'>= 1.3.0 < 2'
    • perf: enable strict mode
  • deps: qs@6.2.0
  • deps: raw-body@~2.1.7
    • deps: bytes@2.4.0
    • perf: remove double-cleanup on happy path
  • deps: type-is@~1.6.13
    • deps: mime-types@~2.1.11

v1.15.1

  • deps: bytes@2.3.0
    • Drop partial bytes on all parsed units
    • Fix parsing byte string that looks like hex
  • deps: raw-body@~2.1.6
    • deps: bytes@2.3.0
  • deps: type-is@~1.6.12
    • deps: mime-types@~2.1.10

v1.15.0

  • deps: http-errors@~1.4.0
    • Add HttpError export, for err instanceof createError.HttpError
    • deps: inherits@2.0.1
    • deps: statuses@'>= 1.2.1 < 2'
  • deps: qs@6.1.0
  • deps: type-is@~1.6.11
    • deps: mime-types@~2.1.9

v1.14.2

  • deps: bytes@2.2.0
  • deps: iconv-lite@0.4.13
  • deps: qs@5.2.0
  • deps: raw-body@~2.1.5
    • deps: bytes@2.2.0
    • deps: iconv-lite@0.4.13
  • deps: type-is@~1.6.10
    • deps: mime-types@~2.1.8

v1.14.1

  • Fix issue where invalid charset results in 400 when verify used
  • deps: iconv-lite@0.4.12
    • Fix CESU-8 decoding in Node.js 4.x
  • deps: raw-body@~2.1.4
    • Fix masking critical errors from iconv-lite
    • deps: iconv-lite@0.4.12
  • deps: type-is@~1.6.9
    • deps: mime-types@~2.1.7

v1.14.0

  • Fix JSON strict parse error to match syntax errors
  • Provide static require analysis in urlencoded parser
  • deps: depd@~1.1.0
    • Support web browser loading
  • deps: qs@5.1.0
  • deps: raw-body@~2.1.3
    • Fix sync callback when attaching data listener causes sync read
  • deps: type-is@~1.6.8
    • Fix type error when given invalid type to match against
    • deps: mime-types@~2.1.6

v1.13.3

  • deps: type-is@~1.6.6
    • deps: mime-types@~2.1.4

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.


@sourcery-ai sourcery-ai bot left a comment

We have skipped reviewing this pull request. Here's why:

  • It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!
  • We don't review packaging changes - Let us know if you'd like us to change this.

@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 086787f to f9b7c50 Compare October 10, 2024 05:27
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Oct 10, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from f9b7c50 to 7d17b9a Compare October 13, 2024 10:52
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Oct 13, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 7d17b9a to d48e5da Compare October 30, 2024 08:44
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Oct 30, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from d48e5da to e23778c Compare October 31, 2024 20:52
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Oct 31, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from e23778c to 7c6f8a7 Compare December 4, 2024 05:20
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Dec 4, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 7c6f8a7 to e75f0f8 Compare December 6, 2024 08:46
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Dec 6, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from e75f0f8 to 698efa6 Compare December 21, 2024 15:00
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Dec 21, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 698efa6 to 0fcdca4 Compare December 22, 2024 02:26
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Dec 22, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 0fcdca4 to 417721c Compare December 24, 2024 14:55
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Dec 24, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 417721c to 3a67e84 Compare December 25, 2024 14:27
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Dec 25, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 3a67e84 to d7ce466 Compare January 16, 2025 03:30
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Jan 16, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from d7ce466 to 2a505b0 Compare January 17, 2025 16:07
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Jan 17, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 2a505b0 to e0af1f8 Compare January 25, 2025 03:57
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Jan 25, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from e0af1f8 to 2f46d5d Compare January 26, 2025 06:12
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Jan 26, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 2f46d5d to aa5e2cd Compare January 31, 2025 15:35
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Aug 24, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from f0bd059 to 58b81f5 Compare September 1, 2025 10:22
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Sep 1, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 58b81f5 to c7d9c41 Compare September 2, 2025 15:52
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Sep 2, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from c7d9c41 to 3d172d0 Compare September 27, 2025 03:00
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Sep 27, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 3d172d0 to 332f7ee Compare September 28, 2025 06:49
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Sep 28, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 332f7ee to 8f5814c Compare October 23, 2025 19:56
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Oct 23, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 8f5814c to fd44111 Compare October 26, 2025 04:03
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Oct 26, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from fd44111 to b3728f4 Compare November 16, 2025 16:11
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Nov 16, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from b3728f4 to bbef5d1 Compare November 20, 2025 11:30
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Nov 20, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from bbef5d1 to e355d5c Compare December 4, 2025 11:46
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Dec 4, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from e355d5c to 2736f8a Compare December 6, 2025 00:05
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Dec 6, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 2736f8a to ce6b1d9 Compare December 30, 2025 10:56
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Dec 30, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from ce6b1d9 to bfe7c20 Compare January 2, 2026 07:37
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Jan 2, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from bfe7c20 to 604e8d5 Compare January 9, 2026 03:41
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.3 [security] fix(deps): update dependency body-parser to ~1.20.0 [security] Jan 9, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 604e8d5 to 6d80bfd Compare January 10, 2026 03:56
@renovate renovate bot changed the title fix(deps): update dependency body-parser to ~1.20.0 [security] fix(deps): update dependency body-parser to ~1.20.3 [security] Jan 10, 2026