search

noopkat / electric-io

⚡️🌋🌔 The cutest IoT dashboard of your dreams ☁️
MIT License
284 stars 37 forks source link

fix(deps): update dependency body-parser to v1.20.3 [security] #289

Open renovate[bot] opened 1 month ago

renovate[bot] commented 1 month ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
body-parser 1.19.0 -> 1.20.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-45590

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

Release Notes

expressjs/body-parser (body-parser) ### [`v1.20.3`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1203--2024-09-10) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.20.2...1.20.3) \=================== - deps: qs@6.13.0 - add `depth` option to customize the depth level in the parser - IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`) ### [`v1.20.2`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1202--2023-02-21) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.20.1...1.20.2) \=================== - Fix strict json error message on Node.js 19+ - deps: content-type@~1.0.5 - perf: skip value escaping when unnecessary - deps: raw-body@2.5.2 ### [`v1.20.1`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1201--2022-10-06) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.20.0...1.20.1) \=================== - deps: qs@6.11.0 - perf: remove unnecessary object clone ### [`v1.20.0`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1200--2022-04-02) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.19.2...1.20.0) \=================== - Fix error message for json parse whitespace in `strict` - Fix internal error when inflated body exceeds limit - Prevent loss of async hooks context - Prevent hanging when request already read - deps: depd@2.0.0 - Replace internal `eval` usage with `Function` constructor - Use instance methods on `process` to check for listeners - deps: http-errors@2.0.0 - deps: depd@2.0.0 - deps: statuses@2.0.1 - deps: on-finished@2.4.1 - deps: qs@6.10.3 - deps: raw-body@2.5.1 - deps: http-errors@2.0.0 ### [`v1.19.2`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1192--2022-02-15) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.19.1...1.19.2) \=================== - deps: bytes@3.1.2 - deps: qs@6.9.7 - Fix handling of `__proto__` keys - deps: raw-body@2.4.3 - deps: bytes@3.1.2 ### [`v1.19.1`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1191--2021-12-10) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.19.0...1.19.1) \=================== - deps: bytes@3.1.1 - deps: http-errors@1.8.1 - deps: inherits@2.0.4 - deps: toidentifier@1.0.1 - deps: setprototypeof@1.2.0 - deps: qs@6.9.6 - deps: raw-body@2.4.2 - deps: bytes@3.1.1 - deps: http-errors@1.8.1 - deps: safe-buffer@5.2.1 - deps: type-is@~1.6.18

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.