body-parser is a widely used Node.js middleware that parses incoming request bodies and exposes the result to your application. Comparing versions 1.10.1 and 1.10.2, the changes are primarily dependency bumps: the core functionality and API are the same in both, and the difference lies in the raw-body and iconv-lite dependencies. Version 1.10.2 upgrades raw-body from 1.3.1 to 1.3.2 and iconv-lite from 0.4.5 to 0.4.6.
For developers, these seemingly minor dependency updates could include bug fixes, performance improvements, or security patches within those specific modules. While the high-level functionality of body-parser remains consistent between these versions, staying up to date ensures you benefit from the latest improvements in its building blocks. If you are already using body-parser, upgrading to 1.10.2 is a low-risk way to pick up those fixes. If you rely on character set conversion, check how the new iconv-lite version behaves with the encodings you accept. If you previously ran into issues with raw request data or character encoding, this update may address them, but confirm that against the changelogs of raw-body and iconv-lite rather than assuming it; they are the only source of detail on what actually changed.
All known vulnerabilities affecting version 1.10.2 of the package, including those in its qs dependency
body-parser vulnerable to denial of service when url encoding is enabled
body-parser before 1.20.3 is vulnerable to denial of service when URL encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
This issue is patched in 1.20.3.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.