chore(deps): update dependency body-parser to v2.2.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
body-parser	2.2.0 → 2.2.1

---

body-parser vulnerable to denial of service when url encoding is enabled

CVE-2024-45590 / GHSA-qwcr-r2fm-qrc7

More information

Details

Impact

body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

this issue is patched in 1.20.3

References

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7
• https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce
• https://nvd.nist.gov/vuln/detail/CVE-2024-45590
• https://github.com/advisories/GHSA-qwcr-r2fm-qrc7

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

body-parser is vulnerable to denial of service when url encoding is used

CVE-2025-13466 / GHSA-wqch-xfxh-vrr4

More information

Details

Impact

body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.

Patches

This issue is addressed in version 2.2.1.

Severity

• CVSS Score: 5.5 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:P

References

• https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4
• https://nvd.nist.gov/vuln/detail/CVE-2025-13466
• https://github.com/expressjs/body-parser/commit/b204886a6744b0b6d297cd0e849d75de836f3b63
• https://github.com/expressjs/body-parser/releases/tag/v2.2.1
• https://github.com/advisories/GHSA-wqch-xfxh-vrr4

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

expressjs/body-parser (body-parser)

v2.2.1

Compare Source

=========================

• Security fix for GHSA-wqch-xfxh-vrr4
• deps:
  • type-is@^2.0.1
  • iconv-lite@^0.7.0
    • Handle split surrogate pairs when encoding UTF-8
    • Avoid false positives in encodingExists by using prototype-less objects
  • raw-body@^3.0.1
  • debug@^4.4.3

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: daf66ef

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.19%. Comparing base (c9a6abf) to head (daf66ef).
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #839   +/-   ##
=======================================
  Coverage   92.19%   92.19%           
=======================================
  Files          17       17           
  Lines         397      397           
  Branches      128      137    +9     
=======================================
  Hits          366      366           
  Misses         31       31           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.