Update dependency body-parser to v1.20.3 [SECURITY] #314

renovate · 2024-09-23T05:45:26Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
body-parser	`1.9.0` -> `1.20.3`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-45590

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

Release Notes

expressjs/body-parser (body-parser)

`v1.20.3`

Compare Source

===================

deps: qs@6.13.0
add depth option to customize the depth level in the parser
IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

`v1.20.2`

Compare Source

===================

Fix strict json error message on Node.js 19+
deps: content-type@~1.0.5
- perf: skip value escaping when unnecessary
deps: raw-body@2.5.2

`v1.20.1`

Compare Source

===================

deps: qs@6.11.0
perf: remove unnecessary object clone

`v1.20.0`

Compare Source

===================

Fix error message for json parse whitespace in strict
Fix internal error when inflated body exceeds limit
Prevent loss of async hooks context
Prevent hanging when request already read
deps: depd@2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: http-errors@2.0.0
- deps: depd@2.0.0
- deps: statuses@2.0.1
deps: on-finished@2.4.1
deps: qs@6.10.3
deps: raw-body@2.5.1
- deps: http-errors@2.0.0

`v1.19.2`

Compare Source

===================

deps: bytes@3.1.2
deps: qs@6.9.7
- Fix handling of __proto__ keys
deps: raw-body@2.4.3
- deps: bytes@3.1.2

`v1.19.1`

Compare Source

===================

deps: bytes@3.1.1
deps: http-errors@1.8.1
- deps: inherits@2.0.4
- deps: toidentifier@1.0.1
- deps: setprototypeof@1.2.0
deps: qs@6.9.6
deps: raw-body@2.4.2
- deps: bytes@3.1.1
- deps: http-errors@1.8.1
deps: safe-buffer@5.2.1
deps: type-is@~1.6.18

`v1.19.0`

Compare Source

===================

deps: bytes@3.1.0
- Add petabyte (pb) support
deps: http-errors@1.7.2
- Set constructor name when possible
- deps: setprototypeof@1.1.1
- deps: statuses@'>= 1.5.0 < 2'
deps: iconv-lite@0.4.24
- Added encoding MIK
deps: qs@6.7.0
- Fix parsing array brackets after index
deps: raw-body@2.4.0
- deps: bytes@3.1.0
- deps: http-errors@1.7.2
- deps: iconv-lite@0.4.24
deps: type-is@~1.6.17
- deps: mime-types@~2.1.24
- perf: prevent internal throw on invalid type

`v1.18.3`

Compare Source

===================

Fix stack trace for strict json parse error
deps: depd@~1.1.2
- perf: remove argument reassignment
deps: http-errors@~1.6.3
- deps: depd@~1.1.2
- deps: setprototypeof@1.1.0
- deps: statuses@'>= 1.3.1 < 2'
deps: iconv-lite@0.4.23
- Fix loading encoding with year appended
- Fix deprecation warnings on Node.js 10+
deps: qs@6.5.2
deps: raw-body@2.3.3
- deps: http-errors@1.6.3
- deps: iconv-lite@0.4.23
deps: type-is@~1.6.16
- deps: mime-types@~2.1.18

`v1.18.2`

Compare Source

===================

deps: debug@2.6.9
perf: remove argument reassignment

`v1.18.1`

Compare Source

===================

deps: content-type@~1.0.4
- perf: remove argument reassignment
- perf: skip parameter parsing when no parameters
deps: iconv-lite@0.4.19
- Fix ISO-8859-1 regression
- Update Windows-1255
deps: qs@6.5.1
- Fix parsing & compacting very deep objects
deps: raw-body@2.3.2
- deps: iconv-lite@0.4.19

`v1.18.0`

Compare Source

===================

Fix JSON strict violation error to match native parse error
Include the body property on verify errors
Include the type property on all generated errors
Use http-errors to set status code on errors
deps: bytes@3.0.0
deps: debug@2.6.8
deps: depd@~1.1.1
- Remove unnecessary Buffer loading
deps: http-errors@~1.6.2
- deps: depd@1.1.1
deps: iconv-lite@0.4.18
- Add support for React Native
- Add a warning if not loaded as utf-8
- Fix CESU-8 decoding in Node.js 8
- Improve speed of ISO-8859-1 encoding
deps: qs@6.5.0
deps: raw-body@2.3.1
- Use http-errors for standard emitted errors
- deps: bytes@3.0.0
- deps: iconv-lite@0.4.18
- perf: skip buffer decoding on overage chunk
perf: prevent internal throw when missing charset

`v1.17.2`

Compare Source

===================

deps: debug@2.6.7
- Fix DEBUG_MAX_ARRAY_LENGTH
- deps: ms@2.0.0
deps: type-is@~1.6.15
- deps: mime-types@~2.1.15

`v1.17.1`

Compare Source

===================

deps: qs@6.4.0
- Fix regression parsing keys starting with [

`v1.17.0`

Compare Source

===================

deps: http-errors@~1.6.1
- Make message property enumerable for HttpErrors
- deps: setprototypeof@1.0.3
deps: qs@6.3.1
- Fix compacting nested arrays

`v1.16.1`

Compare Source

===================

deps: debug@2.6.1
- Fix deprecation messages in WebStorm and other editors
- Undeprecate DEBUG_FD set to 1 or 2

`v1.16.0`

Compare Source

===================

deps: debug@2.6.0
- Allow colors in workers
- Deprecated DEBUG_FD environment variable
- Fix error when running under React Native
- Use same color for same namespace
- deps: ms@0.7.2
deps: http-errors@~1.5.1
- deps: inherits@2.0.3
- deps: setprototypeof@1.0.2
- deps: statuses@'>= 1.3.1 < 2'
deps: iconv-lite@0.4.15
- Added encoding MS-31J
- Added encoding MS-932
- Added encoding MS-936
- Added encoding MS-949
- Added encoding MS-950
- Fix GBK/GB18030 handling of Euro character
deps: qs@6.2.1
- Fix array parsing from skipping empty values
deps: raw-body@~2.2.0
- deps: iconv-lite@0.4.15
deps: type-is@~1.6.14
- deps: mime-types@~2.1.13

`v1.15.2`

Compare Source

===================

deps: bytes@2.4.0
deps: content-type@~1.0.2
- perf: enable strict mode
deps: http-errors@~1.5.0
- Use setprototypeof module to replace __proto__ setting
- deps: statuses@'>= 1.3.0 < 2'
- perf: enable strict mode
deps: qs@6.2.0
deps: raw-body@~2.1.7
- deps: bytes@2.4.0
- perf: remove double-cleanup on happy path
deps: type-is@~1.6.13
- deps: mime-types@~2.1.11

`v1.15.1`

Compare Source

===================

deps: bytes@2.3.0
- Drop partial bytes on all parsed units
- Fix parsing byte string that looks like hex
deps: raw-body@~2.1.6
- deps: bytes@2.3.0
deps: type-is@~1.6.12
- deps: mime-types@~2.1.10

`v1.15.0`

Compare Source

===================

deps: http-errors@~1.4.0
- Add HttpError export, for err instanceof createError.HttpError
- deps: inherits@2.0.1
- deps: statuses@'>= 1.2.1 < 2'
deps: qs@6.1.0
deps: type-is@~1.6.11
- deps: mime-types@~2.1.9

`v1.14.2`

Compare Source

===================

deps: bytes@2.2.0
deps: iconv-lite@0.4.13
deps: qs@5.2.0
deps: raw-body@~2.1.5
- deps: bytes@2.2.0
- deps: iconv-lite@0.4.13
deps: type-is@~1.6.10
- deps: mime-types@~2.1.8

`v1.14.1`

Compare Source

===================

Fix issue where invalid charset results in 400 when verify used
deps: iconv-lite@0.4.12
- Fix CESU-8 decoding in Node.js 4.x
deps: raw-body@~2.1.4
- Fix masking critical errors from iconv-lite
- deps: iconv-lite@0.4.12
deps: type-is@~1.6.9
- deps: mime-types@~2.1.7

`v1.14.0`

Compare Source

===================

Fix JSON strict parse error to match syntax errors
Provide static require analysis in urlencoded parser
deps: depd@~1.1.0
- Support web browser loading
deps: qs@5.1.0
deps: raw-body@~2.1.3
- Fix sync callback when attaching data listener causes sync read
deps: type-is@~1.6.8
- Fix type error when given invalid type to match against
- deps: mime-types@~2.1.6

`v1.13.3`

Compare Source

===================

deps: type-is@~1.6.6
- deps: mime-types@~2.1.4

`v1.13.2`

Compare Source

===================

deps: iconv-lite@0.4.11
deps: qs@4.0.0
- Fix dropping parameters like hasOwnProperty
- Fix user-visible incompatibilities from 3.1.0
- Fix various parsing edge cases
deps: raw-body@~2.1.2
- Fix error stack traces to skip makeError
- deps: iconv-lite@0.4.11
deps: type-is@~1.6.4
- deps: mime-types@~2.1.2
- perf: enable strict mode
- perf: remove argument reassignment

`v1.13.1`

Compare Source

===================

deps: qs@2.4.2
- Downgraded from 3.1.0 because of user-visible incompatibilities

`v1.13.0`

Compare Source

===================

Add statusCode property on Errors, in addition to status
Change type default to application/json for JSON parser
Change type default to application/x-www-form-urlencoded for urlencoded parser
Provide static require analysis
Use the http-errors module to generate errors
deps: bytes@2.1.0
- Slight optimizations
deps: iconv-lite@0.4.10
- The encoding UTF-16 without BOM now defaults to UTF-16LE when detection fails
- Leading BOM is now removed when decoding
deps: on-finished@~2.3.0
- Add defined behavior for HTTP CONNECT requests
- Add defined behavior for HTTP Upgrade requests
- deps: ee-first@1.1.1
deps: qs@3.1.0
- Fix dropping parameters like hasOwnProperty
- Fix various parsing edge cases
- Parsed object now has null prototype
deps: raw-body@~2.1.1
- Use unpipe module for unpiping requests
- deps: iconv-lite@0.4.10
deps: type-is@~1.6.3
- deps: mime-types@~2.1.1
- perf: reduce try block size
- perf: remove bitwise operations
perf: enable strict mode
perf: remove argument reassignment
perf: remove delete call

`v1.12.4`

Compare Source

===================

deps: debug@~2.2.0
deps: qs@2.4.2
- Fix allowing parameters like constructor
deps: on-finished@~2.2.1
deps: raw-body@~2.0.1
- Fix a false-positive when unpiping in Node.js 0.8
- deps: bytes@2.0.1
deps: type-is@~1.6.2
- deps: mime-types@~2.0.11

`v1.12.3`

Compare Source

===================

Slight efficiency improvement when not debugging
deps: depd@~1.0.1
deps: iconv-lite@0.4.8
- Add encoding alias UNICODE-1-1-UTF-7
deps: raw-body@1.3.4
- Fix hanging callback if request aborts during read
- deps: iconv-lite@0.4.8

`v1.12.2`

Compare Source

===================

deps: qs@2.4.1
- Fix error when parameter hasOwnProperty is present

`v1.12.1`

Compare Source

===================

deps: debug@~2.1.3
- Fix high intensity foreground color for bold
- deps: ms@0.7.0
deps: type-is@~1.6.1
- deps: mime-types@~2.0.10

`v1.12.0`

Compare Source

===================

add debug messages
accept a function for the type option
use content-type to parse Content-Type headers
deps: iconv-lite@0.4.7
- Gracefully support enumerables on Object.prototype
deps: raw-body@1.3.3
- deps: iconv-lite@0.4.7
deps: type-is@~1.6.0
- fix argument reassignment
- fix false-positives in hasBody Transfer-Encoding check
- support wildcard for both type and subtype (*/*)
- deps: mime-types@~2.0.9