Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency body-parser to v1.20.3 [security] #133

Merged
merged 1 commit into from
Sep 14, 2024
Merged

fix(deps): update dependency body-parser to v1.20.3 [security] #133

merged 1 commit into from
Sep 14, 2024

Conversation

svc-secops
Copy link
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
body-parser 1.20.2 -> 1.20.3 age adoption passing confidence

body-parser vulnerable to denial of service when url encoding is enabled

CVE-2024-45590 / GHSA-qwcr-r2fm-qrc7

More information

Details

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

expressjs/body-parser (body-parser)

v1.20.3

Compare Source

===================

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - "after 8am and before 4pm on tuesday" in timezone America/Los_Angeles.

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Sep 13, 2024
edited
Loading

⚠️ No Changeset found

Latest commit: 1e69bf0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@netlify Netlify
Copy link

netlify bot commented Sep 13, 2024
edited
Loading

Deploy Preview for graphql-testing-library canceled.

Name Link
🔨 Latest commit 1e69bf0
🔍 Latest deploy log https://app.netlify.com/sites/graphql-testing-library/deploys/66e58f6bb343e70008207284

@svc-secops svc-secops enabled auto-merge (squash) September 14, 2024 13:28
@svc-secops svc-secops force-pushed the renovate/npm-body-parser-vulnerability branch from 48a0652 to 1e69bf0 Compare September 14, 2024 13:28
@svc-secops svc-secops merged commit 3ce8efc into main Sep 14, 2024
2 checks passed
@svc-secops svc-secops deleted the renovate/npm-body-parser-vulnerability branch September 14, 2024 13:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
🎄 dependencies vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@svc-secops