@renovate renovate bot commented Sep 11, 2024

This PR contains the following updates:

| Package | Change |
| --- | --- |
| body-parser | 1.19.0 -> 1.20.3 |

GitHub Vulnerability Alerts

CVE-2024-45590

Impact

body-parser <1.20.3 is vulnerable to denial of service when URL encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

This issue is patched in 1.20.3.

Release Notes

expressjs/body-parser (body-parser)

v1.20.3

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

v1.20.2

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2

v1.20.1

  • deps: qs@6.11.0
  • perf: remove unnecessary object clone

v1.20.0

  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
    • deps: http-errors@2.0.0

v1.19.2

  • deps: bytes@3.1.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@2.4.3
    • deps: bytes@3.1.2

v1.19.1

  • deps: bytes@3.1.1
  • deps: http-errors@1.8.1
    • deps: inherits@2.0.4
    • deps: toidentifier@1.0.1
    • deps: setprototypeof@1.2.0
  • deps: qs@6.9.6
  • deps: raw-body@2.4.2
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
  • deps: safe-buffer@5.2.1
  • deps: type-is@~1.6.18

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
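
When reviewing an update like this one, it is worth confirming that no copy of body-parser older than 1.20.3 remains in the lockfile, including copies nested under other packages. The script below is an added example, not part of the original PR or of Renovate; it assumes an npm `package-lock.json` with lockfileVersion 2 or 3, and the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: list every installed copy of body-parser older than the patched release.
const PATCHED = "1.20.3"; // first fixed version, taken from the advisory text in this PR

// Parse "major.minor.patch"; any pre-release or build suffix is ignored,
// so "1.20.3-beta.1" is treated as 1.20.3 (a simplification of full semver).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a sorts strictly before version b (numeric, not string, compare).
function isOlder(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// Keys are install paths, so copies nested under other packages are found too.
function findVulnerableBodyParser(lock, patched = PATCHED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/body-parser$/.test(path)) continue;
    if (!meta.version) continue; // e.g. workspace links carry no version
    if (isOlder(meta.version, patched)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample: the top-level copy is patched, a nested copy is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/body-parser": { version: "1.20.3" },
    "node_modules/express": { version: "4.17.1" },
    "node_modules/express/node_modules/body-parser": { version: "1.19.0" },
    "node_modules/some-body-parser-wrapper": { version: "1.0.0" },
  },
};

console.log(findVulnerableBodyParser(sampleLock));
```

To run it against a real project, replace `sampleLock` with the parsed contents of the project's own `package-lock.json`.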

renovate-approve bot previously approved these changes Sep 11, 2024
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 5964fbe to 2a6309c on January 23, 2025 21:25
renovate-approve bot previously approved these changes Jan 23, 2025
renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 2a6309c to 32eaecc on February 9, 2025 12:43
renovate-approve bot previously approved these changes Feb 9, 2025
renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 32eaecc to eba63c5 on February 19, 2025 15:29
renovate-approve bot previously approved these changes Feb 19, 2025
renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from eba63c5 to 1dc3e3f on March 3, 2025 16:58
renovate-approve bot previously approved these changes Mar 3, 2025
renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 1dc3e3f to 2b7fca2 on March 11, 2025 12:59
renovate-approve bot previously approved these changes Mar 11, 2025
renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 2b7fca2 to 72d9e76 on August 10, 2025 14:30