Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

📦 Update dependency body-parser to v1.20.3 [SECURITY] #40144

Merged
merged 1 commit into from
Sep 10, 2024
Merged

📦 Update dependency body-parser to v1.20.3 [SECURITY] #40144

merged 1 commit into from
Sep 10, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 10, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
body-parser 1.20.2 -> 1.20.3 age adoption passing confidence

See all other Renovate PRs on the Dependency Dashboard

How to resolve breaking changes

This PR may introduce breaking changes that require manual intervention. In such cases, you will need to check out this branch, fix the cause of the breakage, and commit the fix to ensure a green CI build. To check out and update this PR, follow the steps below:

# Check out the PR branch
git checkout -b renovate/npm-body-parser-vulnerability main
git pull https://github.com/ampproject/amphtml.git renovate/npm-body-parser-vulnerability

# Directly make fixes and commit them
amp lint --fix # For lint errors in JS files
amp prettify --fix # For prettier errors in non-JS files
# Edit source code in case of new compiler warnings / errors

# Push the changes to the branch
git push git@github.com:ampproject/amphtml.git renovate/npm-body-parser-vulnerability:renovate/npm-body-parser-vulnerability

GitHub Vulnerability Alerts

CVE-2024-45590

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

Release Notes

expressjs/body-parser (body-parser)

v1.20.3

Compare Source

===================

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the WG: infra label Sep 10, 2024
@renovate renovate bot enabled auto-merge (squash) September 10, 2024 19:39
@renovate renovate bot merged commit 1a72c5d into main Sep 10, 2024
51 of 52 checks passed
@renovate renovate bot deleted the renovate/npm-body-parser-vulnerability branch September 10, 2024 19:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@renovate-approve renovate-approve renovate-approve approved these changes

Assignees
No one assigned
Labels
WG: infra
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants