Skip to content
This repository was archived by the owner on Jul 8, 2025. It is now read-only.

[renovate] Update dependency body-parser to v1.20.3 [SECURITY] #134

Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[renovate] Update dependency body-parser to v1.20.3 [SECURITY] #134

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Sep 11, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
body-parser 1.19.0 -> 1.20.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-45590

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

Release Notes

expressjs/body-parser (body-parser)

v1.20.3

Compare Source

===================

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

v1.20.2

Compare Source

===================

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2

v1.20.1

Compare Source

===================

  • deps: qs@6.11.0
  • perf: remove unnecessary object clone

v1.20.0

Compare Source

===================

  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
    • deps: http-errors@2.0.0

v1.19.2

Compare Source

===================

  • deps: bytes@3.1.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@2.4.3
    • deps: bytes@3.1.2

v1.19.1

Compare Source

===================

  • deps: bytes@3.1.1
  • deps: http-errors@1.8.1
    • deps: inherits@2.0.4
    • deps: toidentifier@1.0.1
    • deps: setprototypeof@1.2.0
  • deps: qs@6.9.6
  • deps: raw-body@2.4.2
    • deps: bytes@3.1.1
    • deps: http-errors@1.8.1
  • deps: safe-buffer@5.2.1
  • deps: type-is@~1.6.18

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
@renovate renovate bot added the renovate label Sep 11, 2024
@renovate renovate bot force-pushed the fix/renovate/npm-body-parser-vulnerability branch from 0236d74 to db66d41 Compare December 2, 2024 08:48
@renovate renovate bot force-pushed the fix/renovate/npm-body-parser-vulnerability branch from db66d41 to f706804 Compare January 23, 2025 17:16
@renovate renovate bot force-pushed the fix/renovate/npm-body-parser-vulnerability branch from f706804 to 5dc043f Compare February 9, 2025 12:46
@renovate renovate bot force-pushed the fix/renovate/npm-body-parser-vulnerability branch from 5dc043f to 4bcd664 Compare March 3, 2025 18:14
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

renovate

1 participant