How to resolve breaking changes
This PR may introduce breaking changes that require manual intervention. In such cases, you will need to check out this branch, fix the cause of the breakage, and commit the fix to ensure a green CI build. To check out and update this PR, follow the steps below:
```sh
# Check out the PR branch
git checkout -b renovate/npm-body-parser-vulnerability main
git pull https://github.com/ampproject/amphtml.git renovate/npm-body-parser-vulnerability
# Directly make fixes and commit them
amp lint --fix # For lint errors in JS files
amp prettify --fix # For prettier errors in non-JS files
# Edit source code in case of new compiler warnings / errors
# Push the changes to the branch
git push git@github.com:ampproject/amphtml.git renovate/npm-body-parser-vulnerability:renovate/npm-body-parser-vulnerability
```
body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
Patches
this issue is patched in 1.20.3
References
Release Notes
expressjs/body-parser (body-parser)
### [`v1.20.3`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1203--2024-09-10)
[Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.20.2...1.20.3)
\===================
- deps: qs@6.13.0
- add `depth` option to customize the depth level in the parser
- IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`)
Configuration
📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
â™» Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
1.20.2
->1.20.3
See all other Renovate PRs on the Dependency Dashboard
How to resolve breaking changes
This PR may introduce breaking changes that require manual intervention. In such cases, you will need to check out this branch, fix the cause of the breakage, and commit the fix to ensure a green CI build. To check out and update this PR, follow the steps below: ```sh # Check out the PR branch git checkout -b renovate/npm-body-parser-vulnerability main git pull https://github.com/ampproject/amphtml.git renovate/npm-body-parser-vulnerability # Directly make fixes and commit them amp lint --fix # For lint errors in JS files amp prettify --fix # For prettier errors in non-JS files # Edit source code in case of new compiler warnings / errors # Push the changes to the branch git push git@github.com:ampproject/amphtml.git renovate/npm-body-parser-vulnerability:renovate/npm-body-parser-vulnerability ```GitHub Vulnerability Alerts
CVE-2024-45590
Impact
body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
Patches
this issue is patched in 1.20.3
References
Release Notes
expressjs/body-parser (body-parser)
### [`v1.20.3`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1203--2024-09-10) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.20.2...1.20.3) \=================== - deps: qs@6.13.0 - add `depth` option to customize the depth level in the parser - IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`)Configuration
📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
â™» Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.