Update dependency body-parser to v1.20.3 [SECURITY] by renovate[bot] · Pull Request #42 · hatamiarash7/WebhookHandler

renovate · 2024-09-11T20:25:01Z

This PR contains the following updates:

Package	Change	Age	Confidence
body-parser	`1.19.0` → `1.20.3`

body-parser vulnerable to denial of service when url encoding is enabled

CVE-2024-45590 / GHSA-qwcr-r2fm-qrc7

More information

Details

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

Severity

CVSS Score: 8.7 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

expressjs/body-parser (body-parser)

`v1.20.3`

Compare Source

===================

deps: qs@6.13.0
add depth option to customize the depth level in the parser
IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

`v1.20.2`

Compare Source

===================

Fix strict json error message on Node.js 19+
deps: content-type@~1.0.5
- perf: skip value escaping when unnecessary
deps: raw-body@2.5.2

`v1.20.1`

Compare Source

===================

deps: qs@6.11.0
perf: remove unnecessary object clone

`v1.20.0`

Compare Source

===================

Fix error message for json parse whitespace in strict
Fix internal error when inflated body exceeds limit
Prevent loss of async hooks context
Prevent hanging when request already read
deps: depd@2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: http-errors@2.0.0
- deps: depd@2.0.0
- deps: statuses@2.0.1
deps: on-finished@2.4.1
deps: qs@6.10.3
deps: raw-body@2.5.1
- deps: http-errors@2.0.0

`v1.19.2`

Compare Source

===================

deps: bytes@3.1.2
deps: qs@6.9.7
- Fix handling of __proto__ keys
deps: raw-body@2.4.3
- deps: bytes@3.1.2

`v1.19.1`

Compare Source

===================

deps: bytes@3.1.1
deps: http-errors@1.8.1
- deps: inherits@2.0.4
- deps: toidentifier@1.0.1
- deps: setprototypeof@1.2.0
deps: qs@6.9.6
deps: raw-body@2.4.2
- deps: bytes@3.1.1
- deps: http-errors@1.8.1
deps: safe-buffer@5.2.1
deps: type-is@~1.6.18

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

sonarqubecloud · 2024-09-11T20:25:24Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

sonarqubecloud · 2024-12-02T10:18:05Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud · 2025-03-11T14:29:59Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud · 2026-04-27T22:46:11Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud · 2026-06-01T20:42:16Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

renovate Bot force-pushed the renovate/npm-body-parser-vulnerability branch from 8e5a118 to 0d8f8d0 Compare December 2, 2024 10:17

renovate Bot force-pushed the renovate/npm-body-parser-vulnerability branch from 0d8f8d0 to 4bd069a Compare January 23, 2025 19:56

renovate Bot force-pushed the renovate/npm-body-parser-vulnerability branch from 4bd069a to 3796c5c Compare February 9, 2025 15:12

renovate Bot force-pushed the renovate/npm-body-parser-vulnerability branch from 3796c5c to 1ed4839 Compare March 3, 2025 13:23

renovate Bot force-pushed the renovate/npm-body-parser-vulnerability branch from 1ed4839 to 5b5d690 Compare March 11, 2025 14:29

renovate Bot changed the title ~~Update dependency body-parser to v1.20.3 [SECURITY]~~ Update dependency body-parser to v1.20.3 [SECURITY] - autoclosed Mar 27, 2026

renovate Bot closed this Mar 27, 2026

renovate Bot deleted the renovate/npm-body-parser-vulnerability branch March 27, 2026 01:08

renovate Bot changed the title ~~Update dependency body-parser to v1.20.3 [SECURITY] - autoclosed~~ Update dependency body-parser to v1.20.3 [SECURITY] Mar 30, 2026

renovate Bot reopened this Mar 30, 2026

renovate Bot force-pushed the renovate/npm-body-parser-vulnerability branch 2 times, most recently from 5b5d690 to ae21d18 Compare March 30, 2026 17:36

renovate Bot force-pushed the renovate/npm-body-parser-vulnerability branch from ae21d18 to af725b4 Compare April 8, 2026 20:03

renovate Bot changed the title ~~Update dependency body-parser to v1.20.3 [SECURITY]~~ Update dependency body-parser to v1.20.3 [SECURITY] - autoclosed Apr 27, 2026

renovate Bot closed this Apr 27, 2026

renovate Bot changed the title ~~Update dependency body-parser to v1.20.3 [SECURITY] - autoclosed~~ Update dependency body-parser to v1.20.3 [SECURITY] Apr 27, 2026

renovate Bot reopened this Apr 27, 2026

renovate Bot force-pushed the renovate/npm-body-parser-vulnerability branch 2 times, most recently from af725b4 to ef97eda Compare April 27, 2026 22:45

renovate Bot force-pushed the renovate/npm-body-parser-vulnerability branch from ef97eda to 7b1329d Compare May 28, 2026 13:49

Update dependency body-parser to v1.20.3 [SECURITY]

0548c88

renovate Bot force-pushed the renovate/npm-body-parser-vulnerability branch from 7b1329d to 0548c88 Compare June 1, 2026 20:41

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency body-parser to v1.20.3 [SECURITY]#42

Update dependency body-parser to v1.20.3 [SECURITY]#42
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-body-parser-vulnerability

renovate Bot commented Sep 11, 2024 •

edited

Loading

Uh oh!

sonarqubecloud Bot commented Sep 11, 2024

Uh oh!

sonarqubecloud Bot commented Dec 2, 2024

Uh oh!

sonarqubecloud Bot commented Mar 11, 2025

Uh oh!

sonarqubecloud Bot commented Apr 27, 2026

Uh oh!

sonarqubecloud Bot commented Jun 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Sep 11, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

body-parser vulnerable to denial of service when url encoding is enabled

Details

Impact

Patches

References

Severity

References

Release Notes

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.2

v1.19.1

Configuration

Uh oh!

sonarqubecloud Bot commented Sep 11, 2024

Quality Gate passed

Uh oh!

sonarqubecloud Bot commented Dec 2, 2024

Quality Gate passed

Uh oh!

sonarqubecloud Bot commented Mar 11, 2025

Quality Gate passed

Uh oh!

sonarqubecloud Bot commented Apr 27, 2026

Quality Gate passed

Uh oh!

sonarqubecloud Bot commented Jun 1, 2026

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Sep 11, 2024 •

edited

Loading

`v1.20.3`

`v1.20.2`

`v1.20.1`

`v1.20.0`

`v1.19.2`

`v1.19.1`