Skip to content

Comments

Update dependency body-parser to ~1.20.3 [SECURITY]#23

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-body-parser-vulnerability
Open

Update dependency body-parser to ~1.20.3 [SECURITY]#23
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-body-parser-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Sep 22, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
body-parser ~1.13.2~1.20.3 age confidence

GitHub Vulnerability Alerts

CVE-2024-45590

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

Release Notes

expressjs/body-parser (body-parser)

v1.20.3

Compare Source

===================

  • deps: qs@​6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

v1.20.2

Compare Source

===================

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@​2.5.2

v1.20.1

Compare Source

===================

  • deps: qs@​6.11.0
  • perf: remove unnecessary object clone

v1.20.0

Compare Source

===================

  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@​2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@​2.0.0
    • deps: depd@​2.0.0
    • deps: statuses@​2.0.1
  • deps: on-finished@​2.4.1
  • deps: qs@​6.10.3
  • deps: raw-body@​2.5.1
    • deps: http-errors@​2.0.0

v1.19.2

Compare Source

===================

  • deps: bytes@​3.1.2
  • deps: qs@​6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@​2.4.3
    • deps: bytes@​3.1.2

v1.19.1

Compare Source

===================

  • deps: bytes@​3.1.1
  • deps: http-errors@​1.8.1
    • deps: inherits@​2.0.4
    • deps: toidentifier@​1.0.1
    • deps: setprototypeof@​1.2.0
  • deps: qs@​6.9.6
  • deps: raw-body@​2.4.2
    • deps: bytes@​3.1.1
    • deps: http-errors@​1.8.1
  • deps: safe-buffer@​5.2.1
  • deps: type-is@~1.6.18

v1.19.0

Compare Source

===================

  • deps: bytes@​3.1.0
    • Add petabyte (pb) support
  • deps: http-errors@​1.7.2
    • Set constructor name when possible
    • deps: setprototypeof@​1.1.1
    • deps: statuses@'>= 1.5.0 < 2'
  • deps: iconv-lite@​0.4.24
    • Added encoding MIK
  • deps: qs@​6.7.0
    • Fix parsing array brackets after index
  • deps: raw-body@​2.4.0
    • deps: bytes@​3.1.0
    • deps: http-errors@​1.7.2
    • deps: iconv-lite@​0.4.24
  • deps: type-is@~1.6.17
    • deps: mime-types@~2.1.24
    • perf: prevent internal throw on invalid type

v1.18.3

Compare Source

===================

  • Fix stack trace for strict json parse error
  • deps: depd@~1.1.2
    • perf: remove argument reassignment
  • deps: http-errors@~1.6.3
    • deps: depd@~1.1.2
    • deps: setprototypeof@​1.1.0
    • deps: statuses@'>= 1.3.1 < 2'
  • deps: iconv-lite@​0.4.23
    • Fix loading encoding with year appended
    • Fix deprecation warnings on Node.js 10+
  • deps: qs@​6.5.2
  • deps: raw-body@​2.3.3
    • deps: http-errors@​1.6.3
    • deps: iconv-lite@​0.4.23
  • deps: type-is@~1.6.16
    • deps: mime-types@~2.1.18

v1.18.2

Compare Source

===================

  • deps: debug@​2.6.9
  • perf: remove argument reassignment

v1.18.1

Compare Source

===================

  • deps: content-type@~1.0.4
    • perf: remove argument reassignment
    • perf: skip parameter parsing when no parameters
  • deps: iconv-lite@​0.4.19
    • Fix ISO-8859-1 regression
    • Update Windows-1255
  • deps: qs@​6.5.1
    • Fix parsing & compacting very deep objects
  • deps: raw-body@​2.3.2
    • deps: iconv-lite@​0.4.19

v1.18.0

Compare Source

===================

  • Fix JSON strict violation error to match native parse error
  • Include the body property on verify errors
  • Include the type property on all generated errors
  • Use http-errors to set status code on errors
  • deps: bytes@​3.0.0
  • deps: debug@​2.6.8
  • deps: depd@~1.1.1
    • Remove unnecessary Buffer loading
  • deps: http-errors@~1.6.2
    • deps: depd@​1.1.1
  • deps: iconv-lite@​0.4.18
    • Add support for React Native
    • Add a warning if not loaded as utf-8
    • Fix CESU-8 decoding in Node.js 8
    • Improve speed of ISO-8859-1 encoding
  • deps: qs@​6.5.0
  • deps: raw-body@​2.3.1
    • Use http-errors for standard emitted errors
    • deps: bytes@​3.0.0
    • deps: iconv-lite@​0.4.18
    • perf: skip buffer decoding on overage chunk
  • perf: prevent internal throw when missing charset

v1.17.2

Compare Source

===================

  • deps: debug@​2.6.7
    • Fix DEBUG_MAX_ARRAY_LENGTH
    • deps: ms@​2.0.0
  • deps: type-is@~1.6.15
    • deps: mime-types@~2.1.15

v1.17.1

Compare Source

===================

  • deps: qs@​6.4.0
    • Fix regression parsing keys starting with [

v1.17.0

Compare Source

===================

  • deps: http-errors@~1.6.1
    • Make message property enumerable for HttpErrors
    • deps: setprototypeof@​1.0.3
  • deps: qs@​6.3.1
    • Fix compacting nested arrays

v1.16.1

Compare Source

===================

  • deps: debug@​2.6.1
    • Fix deprecation messages in WebStorm and other editors
    • Undeprecate DEBUG_FD set to 1 or 2

v1.16.0

Compare Source

===================

  • deps: debug@​2.6.0
    • Allow colors in workers
    • Deprecated DEBUG_FD environment variable
    • Fix error when running under React Native
    • Use same color for same namespace
    • deps: ms@​0.7.2
  • deps: http-errors@~1.5.1
    • deps: inherits@​2.0.3
    • deps: setprototypeof@​1.0.2
    • deps: statuses@'>= 1.3.1 < 2'
  • deps: iconv-lite@​0.4.15
    • Added encoding MS-31J
    • Added encoding MS-932
    • Added encoding MS-936
    • Added encoding MS-949
    • Added encoding MS-950
    • Fix GBK/GB18030 handling of Euro character
  • deps: qs@​6.2.1
    • Fix array parsing from skipping empty values
  • deps: raw-body@~2.2.0
    • deps: iconv-lite@​0.4.15
  • deps: type-is@~1.6.14
    • deps: mime-types@~2.1.13

v1.15.2

Compare Source

===================

  • deps: bytes@​2.4.0
  • deps: content-type@~1.0.2
    • perf: enable strict mode
  • deps: http-errors@~1.5.0
    • Use setprototypeof module to replace __proto__ setting
    • deps: statuses@'>= 1.3.0 < 2'
    • perf: enable strict mode
  • deps: qs@​6.2.0
  • deps: raw-body@~2.1.7
    • deps: bytes@​2.4.0
    • perf: remove double-cleanup on happy path
  • deps: type-is@~1.6.13
    • deps: mime-types@~2.1.11

v1.15.1

Compare Source

===================

  • deps: bytes@​2.3.0
    • Drop partial bytes on all parsed units
    • Fix parsing byte string that looks like hex
  • deps: raw-body@~2.1.6
    • deps: bytes@​2.3.0
  • deps: type-is@~1.6.12
    • deps: mime-types@~2.1.10

v1.15.0

Compare Source

===================

  • deps: http-errors@~1.4.0
    • Add HttpError export, for err instanceof createError.HttpError
    • deps: inherits@​2.0.1
    • deps: statuses@'>= 1.2.1 < 2'
  • deps: qs@​6.1.0
  • deps: type-is@~1.6.11
    • deps: mime-types@~2.1.9

v1.14.2

Compare Source

===================

  • deps: bytes@​2.2.0
  • deps: iconv-lite@​0.4.13
  • deps: qs@​5.2.0
  • deps: raw-body@~2.1.5
    • deps: bytes@​2.2.0
    • deps: iconv-lite@​0.4.13
  • deps: type-is@~1.6.10
    • deps: mime-types@~2.1.8

v1.14.1

Compare Source

===================

  • Fix issue where invalid charset results in 400 when verify used
  • deps: iconv-lite@​0.4.12
    • Fix CESU-8 decoding in Node.js 4.x
  • deps: raw-body@~2.1.4
    • Fix masking critical errors from iconv-lite
    • deps: iconv-lite@​0.4.12
  • deps: type-is@~1.6.9
    • deps: mime-types@~2.1.7

v1.14.0

Compare Source

===================

  • Fix JSON strict parse error to match syntax errors
  • Provide static require analysis in urlencoded parser
  • deps: depd@~1.1.0
    • Support web browser loading
  • deps: qs@​5.1.0
  • deps: raw-body@~2.1.3
    • Fix sync callback when attaching data listener causes sync read
  • deps: type-is@~1.6.8
    • Fix type error when given invalid type to match against
    • deps: mime-types@~2.1.6

v1.13.3

Compare Source

===================

  • deps: type-is@~1.6.6
    • deps: mime-types@~2.1.4

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@coderabbitai
Copy link

coderabbitai bot commented Sep 22, 2024
edited
Loading

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review

Comment @coderabbitai help to get the list of available commands and usage tips.

@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from c478e45 to 6ceb66b Compare October 9, 2024 08:04
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Oct 9, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 6ceb66b to e8947cb Compare October 9, 2024 10:31
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Oct 9, 2024
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Oct 28, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from e8947cb to d61c1d8 Compare October 28, 2024 17:46
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Oct 28, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from d61c1d8 to 91cd91e Compare October 28, 2024 19:10
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 91cd91e to 77ba671 Compare November 14, 2024 22:08
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Nov 14, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 77ba671 to 517df0f Compare November 15, 2024 00:20
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Nov 15, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 517df0f to d32b12f Compare November 17, 2024 16:42
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Nov 17, 2024
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Nov 17, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from d32b12f to 232d6ae Compare November 17, 2024 18:45
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 232d6ae to b5f437b Compare December 2, 2024 09:17
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Dec 2, 2024
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Dec 2, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from b5f437b to 1b23b25 Compare December 2, 2024 15:06
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
@renovate renovate bot deleted the renovate/npm-body-parser-vulnerability branch December 8, 2024 18:45
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] - autoclosed Update dependency body-parser to ~1.20.3 [SECURITY] Dec 8, 2024
@renovate renovate bot reopened this Dec 8, 2024
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 1c02475 to 1b23b25 Compare December 8, 2024 21:57
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 1b23b25 to 441d9f4 Compare December 17, 2024 20:29
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Dec 17, 2024
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Dec 17, 2024
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Dec 30, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from f96e9a1 to 2b01629 Compare December 31, 2025 13:47
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Dec 31, 2025
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 2b01629 to 1014aa6 Compare December 31, 2025 20:44
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Dec 31, 2025
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Jan 8, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch 2 times, most recently from 877d29f to 33009b3 Compare January 8, 2026 22:26
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Jan 8, 2026
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Jan 19, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 33009b3 to 53bb71b Compare January 19, 2026 19:46
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Jan 19, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 53bb71b to 673db0e Compare January 19, 2026 20:49
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Feb 2, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch 2 times, most recently from 388d7b4 to 2e41527 Compare February 3, 2026 00:56
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Feb 3, 2026
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Feb 12, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch 2 times, most recently from 09b063e to 3f4e7a6 Compare February 12, 2026 20:08
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Feb 12, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from 3f4e7a6 to e429bf8 Compare February 16, 2026 14:07
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Feb 16, 2026
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Feb 16, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch 2 times, most recently from 50bb1e9 to ff947c9 Compare February 17, 2026 15:05
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.3 [SECURITY] Update dependency body-parser to ~1.20.0 [SECURITY] Feb 17, 2026
@renovate renovate bot force-pushed the renovate/npm-body-parser-vulnerability branch from ff947c9 to 28057c1 Compare February 17, 2026 19:35
@renovate renovate bot changed the title Update dependency body-parser to ~1.20.0 [SECURITY] Update dependency body-parser to ~1.20.3 [SECURITY] Feb 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants