Update dependency body-parser to v1.20.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
body-parser	1.17.2 → 1.20.3

---

body-parser vulnerable to denial of service when url encoding is enabled

CVE-2024-45590 / GHSA-qwcr-r2fm-qrc7

More information

Details

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7
• https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce
• https://nvd.nist.gov/vuln/detail/CVE-2024-45590
• https://github.com/advisories/GHSA-qwcr-r2fm-qrc7

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

expressjs/body-parser (body-parser)

v1.20.3

Compare Source

===================

• deps: qs@​6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

v1.20.2

Compare Source

===================

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@​2.5.2

v1.20.1

Compare Source

===================

• deps: qs@​6.11.0
• perf: remove unnecessary object clone

v1.20.0

Compare Source

===================

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: depd@​2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: http-errors@​2.0.0
  • deps: depd@​2.0.0
  • deps: statuses@​2.0.1
• deps: on-finished@​2.4.1
• deps: qs@​6.10.3
• deps: raw-body@​2.5.1
  • deps: http-errors@​2.0.0

v1.19.2

Compare Source

===================

• deps: bytes@​3.1.2
• deps: qs@​6.9.7
  • Fix handling of __proto__ keys
• deps: raw-body@​2.4.3
  • deps: bytes@​3.1.2

v1.19.1

Compare Source

===================

• deps: bytes@​3.1.1
• deps: http-errors@​1.8.1
  • deps: inherits@​2.0.4
  • deps: toidentifier@​1.0.1
  • deps: setprototypeof@​1.2.0
• deps: qs@​6.9.6
• deps: raw-body@​2.4.2
  • deps: bytes@​3.1.1
  • deps: http-errors@​1.8.1
• deps: safe-buffer@​5.2.1
• deps: type-is@~1.6.18

v1.19.0

Compare Source

===================

• deps: bytes@​3.1.0
  • Add petabyte (pb) support
• deps: http-errors@​1.7.2
  • Set constructor name when possible
  • deps: setprototypeof@​1.1.1
  • deps: statuses@'>= 1.5.0 < 2'
• deps: iconv-lite@​0.4.24
  • Added encoding MIK
• deps: qs@​6.7.0
  • Fix parsing array brackets after index
• deps: raw-body@​2.4.0
  • deps: bytes@​3.1.0
  • deps: http-errors@​1.7.2
  • deps: iconv-lite@​0.4.24
• deps: type-is@~1.6.17
  • deps: mime-types@~2.1.24
  • perf: prevent internal throw on invalid type

v1.18.3

Compare Source

===================

• Fix stack trace for strict json parse error
• deps: depd@~1.1.2
  • perf: remove argument reassignment
• deps: http-errors@~1.6.3
  • deps: depd@~1.1.2
  • deps: setprototypeof@​1.1.0
  • deps: statuses@'>= 1.3.1 < 2'
• deps: iconv-lite@​0.4.23
  • Fix loading encoding with year appended
  • Fix deprecation warnings on Node.js 10+
• deps: qs@​6.5.2
• deps: raw-body@​2.3.3
  • deps: http-errors@​1.6.3
  • deps: iconv-lite@​0.4.23
• deps: type-is@~1.6.16
  • deps: mime-types@~2.1.18

v1.18.2

Compare Source

===================

• deps: debug@​2.6.9
• perf: remove argument reassignment

v1.18.1

Compare Source

===================

• deps: content-type@~1.0.4
  • perf: remove argument reassignment
  • perf: skip parameter parsing when no parameters
• deps: iconv-lite@​0.4.19
  • Fix ISO-8859-1 regression
  • Update Windows-1255
• deps: qs@​6.5.1
  • Fix parsing & compacting very deep objects
• deps: raw-body@​2.3.2
  • deps: iconv-lite@​0.4.19

v1.18.0

Compare Source

===================

• Fix JSON strict violation error to match native parse error
• Include the body property on verify errors
• Include the type property on all generated errors
• Use http-errors to set status code on errors
• deps: bytes@​3.0.0
• deps: debug@​2.6.8
• deps: depd@~1.1.1
  • Remove unnecessary Buffer loading
• deps: http-errors@~1.6.2
  • deps: depd@​1.1.1
• deps: iconv-lite@​0.4.18
  • Add support for React Native
  • Add a warning if not loaded as utf-8
  • Fix CESU-8 decoding in Node.js 8
  • Improve speed of ISO-8859-1 encoding
• deps: qs@​6.5.0
• deps: raw-body@​2.3.1
  • Use http-errors for standard emitted errors
  • deps: bytes@​3.0.0
  • deps: iconv-lite@​0.4.18
  • perf: skip buffer decoding on overage chunk
• perf: prevent internal throw when missing charset

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.