Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump body-parser and express #45

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Bump body-parser and express #45

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 10, 2024

Bumps body-parser to 1.20.3 and updates ancestor dependency express. These dependencies need to be updated together.

Updates body-parser from 1.18.2 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

New Contributors

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

1.20.2

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2

1.20.1

  • deps: qs@6.11.0
  • perf: remove unnecessary object clone

1.20.0

  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2

1.20.1 / 2022-10-06

  • deps: qs@6.11.0
  • perf: remove unnecessary object clone

1.20.0 / 2022-04-02

  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
    • deps: http-errors@2.0.0

1.19.2 / 2022-02-15

  • deps: bytes@3.1.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@2.4.3
    • deps: bytes@3.1.2

1.19.1 / 2021-12-10

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.


Updates express from 4.16.2 to 4.20.0

Release notes

Sourced from express's releases.

4.20.0

What's Changed

Important

  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect

Other Changes

New Contributors

Full Changelog: expressjs/express@4.19.1...4.20.0

... (truncated)

Changelog

Sourced from express's changelog.

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

  • Prevent open redirect allow list bypass due to encodeurl
  • deps: cookie@0.6.0

4.18.3 / 2024-02-29

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2
  • deps: cookie@0.6.0
    • Add partitioned option

4.18.2 / 2022-10-08

  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump body-parser and express
e759808 
Bumps [body-parser](https://github.com/expressjs/body-parser) to 1.20.3 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together.


Updates `body-parser` from 1.18.2 to 1.20.3
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@1.18.2...1.20.3)

Updates `express` from 4.16.2 to 4.20.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.16.2...4.20.0)

---
updated-dependencies:
- dependency-name: body-parser
  dependency-type: indirect
- dependency-name: express
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 10, 2024
@korbit-ai Korbit AI
Copy link

korbit-ai bot commented Sep 10, 2024

By default, I don't review pull requests opened by bots. If you would like me to review this pull request anyway, you can request a review via the /korbit-review command in a comment.

@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Sep 10, 2024
edited
Loading

DryRun Security Summary

This pull request updates the project's dependencies, primarily the package-lock.json file, including the addition of a new dependency called body-parser and updates to several existing dependencies, which should be reviewed for potential security implications and breaking changes.

Expand for full summary

Summary:

This pull request appears to be a routine update to the project's dependencies, primarily focused on updating the package-lock.json file. The key changes include the addition of a new dependency called body-parser (version 1.20.3) and updates to several existing dependencies, such as express, http-errors, and qs.

From an application security perspective, the addition of the body-parser dependency is worth reviewing. This package is responsible for parsing incoming request bodies, which can potentially introduce security risks if not properly configured or validated. It's important to ensure that your application is properly validating and sanitizing any user-provided input to prevent vulnerabilities such as injection attacks (e.g., SQL injection, command injection). Additionally, the updates to the other dependencies should be reviewed to understand the changes and ensure that they do not introduce any new security vulnerabilities or breaking changes to your application.

Files Changed:

  • package-lock.json: This file has been updated to include a new dependency, body-parser (version 1.20.3), and updates to several existing dependencies, such as express, http-errors, on-finished, qs, raw-body, setprototypeof, statuses, and type-is. These updates are likely to address security vulnerabilities or provide bug fixes and improvements.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@socket-security Socket Security
Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/body-parser@1.20.3 network Transitive: filesystem, unsafe +9 416 kB ulisesgascon
npm/call-bind@1.0.7 None 0 22.1 kB ljharb
npm/content-disposition@0.5.4 None +1 51.2 kB dougwilson
npm/define-data-property@1.1.4 None 0 30.9 kB ljharb
npm/depd@2.0.0 environment, eval 0 27.1 kB dougwilson
npm/es-define-property@1.0.0 None 0 11.8 kB ljharb
npm/es-errors@1.3.0 None 0 12.3 kB ljharb
npm/express@4.20.0 Transitive: environment, filesystem, network +12 736 kB blakeembrey, dougwilson, linusu, ...4 more
npm/forwarded@0.2.0 None 0 5.88 kB dougwilson
npm/function-bind@1.1.2 None 0 31.4 kB ljharb
npm/get-intrinsic@1.2.4 eval 0 41.6 kB ljharb
npm/gopd@1.0.1 None 0 7.7 kB ljharb
npm/has-property-descriptors@1.0.2 None 0 10.9 kB ljharb
npm/has-proto@1.0.3 None 0 12 kB ljharb
npm/has-symbols@1.0.3 None 0 20.6 kB ljharb
npm/hasown@2.0.2 None 0 8.77 kB ljharb
npm/ipaddr.js@1.9.1 None 0 42.1 kB whitequark
npm/merge-descriptors@1.0.3 None 0 5.08 kB sindresorhus
npm/object-inspect@1.13.2 None 0 99.1 kB ljharb
npm/path-to-regexp@0.1.10 None 0 6.38 kB blakeembrey
npm/proxy-addr@2.0.7 None 0 15.4 kB dougwilson
npm/set-function-length@1.2.2 None 0 14.7 kB ljharb
npm/side-channel@1.0.6 None 0 23.2 kB ljharb
npm/toidentifier@1.0.1 None 0 4.68 kB dougwilson

🚮 Removed packages: npm/content-disposition@0.5.2, npm/express@4.16.2, npm/ipaddr.js@1.5.2, npm/proxy-addr@2.0.2

View full report↗︎

@socket-security Socket Security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSourceCI
Debug access npm/on-finished@2.4.1 🚫
Uses eval npm/depd@2.0.0 🚫
Debug access npm/raw-body@2.5.2 🚫
Uses eval npm/get-intrinsic@1.2.4 🚫
New author npm/encodeurl@2.0.0 🚫
New author npm/body-parser@1.20.3 🚫
Unstable ownership npm/body-parser@1.20.3 🚫
New author npm/serve-static@1.16.0 🚫
Unstable ownership npm/serve-static@1.16.0 🚫
New author npm/send@0.19.0 🚫
Unstable ownership npm/send@0.19.0 🚫

View full report↗︎

Next steps

What is debug access?

Uses debug, reflection and dynamic code execution features.

Removing the use of debug will reduce the risk of any reflection and dynamic code execution.

What is eval?

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use eval, since this could potentially execute any code.

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is unstable ownership?

A new collaborator has begun publishing package versions. Package stability and security risk may be elevated.

Try to reduce the amount of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/on-finished@2.4.1
  • @SocketSecurity ignore npm/depd@2.0.0
  • @SocketSecurity ignore npm/raw-body@2.5.2
  • @SocketSecurity ignore npm/get-intrinsic@1.2.4
  • @SocketSecurity ignore npm/encodeurl@2.0.0
  • @SocketSecurity ignore npm/body-parser@1.20.3
  • @SocketSecurity ignore npm/serve-static@1.16.0
  • @SocketSecurity ignore npm/send@0.19.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants