body-parser 1.3.0 and 1.2.2 are two releases of the Node.js middleware that parses incoming request bodies before your route handlers run. They share the same foundation: both depend on qs for query-string parsing, bytes for parsing byte-size strings, type-is for content-type detection, and raw-body for reading the raw request stream, so the basic approach to body parsing is unchanged. The development dependencies for testing (mocha, should, supertest) and coverage (istanbul) are identical, as are the author, the MIT license and the repository URL, so neither the test setup nor the maintainership changed between the two releases. From a security standpoint the dependency that matters most is qs: it is the component that turns attacker-controlled input into nested objects, and it accounts for most of the advisories listed below.
The only difference the package metadata records is the release date: 1.3.0 was published on May 31, 2014, four days after 1.2.2 (May 27, 2014). The metadata does not describe the changes themselves, so the short gap only suggests a small release of bug fixes or refinements; with the dependency set unchanged, a breaking change is unlikely, but anyone upgrading from 1.2.2 to 1.3.0 should confirm the specifics in the project changelog rather than assume them. Upgrading is advisable in any case to pick up the fixes. Note, however, that neither 1.2.2 nor 1.3.0 addresses any of the advisories below: those are fixed only in much later releases (body-parser 1.20.3, and the qs and mime versions named in each entry), so a deployment on either version should move to a current release rather than from one 2014 release to the other.
All vulnerabilities affecting version 1.3.0 of the package
body-parser vulnerable to denial of service when url encoding is enabled
body-parser versions before 1.20.3 are vulnerable to denial of service when URL encoding is enabled, that is, when the urlencoded body parser is in use. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. Until the upgrade lands, keep the urlencoded parser's limit and parameterLimit options tight and avoid extended: true where the nested bracket syntax is not actually needed.
This issue is patched in 1.20.3.
Denial-of-Service Extended Event Loop Blocking in qs
Versions of qs prior to 1.0.0 are affected by a denial-of-service vulnerability caused by excessive recursion when parsing a deeply nested input string; the parse blocks the event loop for the whole process.
Update to version 1.0.0 or later.
Denial-of-Service Memory Exhaustion in qs
Versions of qs prior to 1.0.0 are affected by a denial-of-service condition triggered by parsing a crafted string that deserializes into very large sparse arrays; the process runs out of memory and crashes.
Update to version 1.0.0 or later.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to prototype pollution because the protection against it can be bypassed. The qs.parse function fails to prevent an object's prototype from being altered when parsing arbitrary input: input containing [ or ] may bypass the prototype-pollution protection and alter Object.prototype. This allows attackers to set properties that will then exist on all objects, which may lead to denial of service or, in specific circumstances, remote code execution.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because a __proto__ key can be used. In many typical web-framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. Because body-parser's urlencoded parser hands request bodies to qs, the same payload can equally arrive in a POST body. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
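The sparse-array memory exhaustion and the two prototype-pollution entries above describe the same underlying problem: a bracket-notation parser that follows attacker-chosen key segments into whatever object they resolve to. The block below is an added example, not code from qs or body-parser: a minimal parser of that syntax written twice, once naively and once hardened. parseNaive reproduces the effect of a[__proto__][k]=v (a property that every object inherits) and of a[length]=100000000 (a 100-million-slot sparse array); parseHardened shows the guards that stop both. The payloads are constructed variations on the advisory's, and the limit names (depth, arrayLimit, parameterLimit) mirror qs's options but the implementation is this example's own.

```javascript
// Added example, not qs or body-parser code: a minimal bracket-notation
// query-string parser written twice. parseNaive shows a[__proto__][k]=v
// reaching Object.prototype and a[length]=100000000 forcing a huge sparse
// array; parseHardened shows the guards that stop both (limit names mirror qs).

// "a[b][c]" -> ["a", "b", "c"]; a key without brackets is a single segment.
function splitKey(key) {
  const head = key.indexOf('[');
  if (head === -1) return [key];
  const parts = [key.slice(0, head)];
  const re = /\[([^\]]*)\]/g;
  re.lastIndex = head;
  let m;
  while ((m = re.exec(key)) !== null) parts.push(m[1]);
  return parts;
}

// "a[b]=1&c=2" -> [[["a", "b"], "1"], [["c"], "2"]]; malformed %-escapes throw.
function splitPairs(query) {
  return query.split('&').filter(Boolean).map((pair) => {
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    return [splitKey(decodeURIComponent(rawKey)), decodeURIComponent(rawVal)];
  });
}
const isIndex = (k) => /^\d+$/.test(k);

// Naive parser: assigns into whatever object each segment resolves to. A
// "__proto__" segment resolves to Object.prototype, so the next segment is
// inherited by every object in the process. Numeric segments create real
// arrays and "length" on an array is honoured, so a[0]=x&a[length]=100000000
// yields a 100-million-slot sparse array that JSON.stringify, Array.from or
// join will later try to materialise in full.
function parseNaive(query) {
  const result = {};
  for (const [path, value] of splitPairs(query)) {
    let cur = result;
    for (let i = 0; i < path.length - 1; i++) {
      const k = path[i];
      if (cur[k] === null || typeof cur[k] !== 'object') {
        cur[k] = isIndex(path[i + 1]) ? [] : {};
      }
      cur = cur[k];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const DEFAULT_LIMITS = { depth: 5, arrayLimit: 20, parameterLimit: 1000 };

// Hardened parser: drops pairs whose key names a prototype-affecting
// property, rejects over-deep keys and over-long parameter lists (so the
// caller can answer 400), builds arrays only for small indices and refuses
// any other key on an array ("length" included), and stores everything in
// prototype-less objects so a lookup can never reach Object.prototype.
function parseHardened(query, limits = DEFAULT_LIMITS) {
  const pairs = splitPairs(query);
  if (pairs.length > limits.parameterLimit) throw new RangeError('too many parameters');
  const smallIndex = (k) => isIndex(k) && Number(k) <= limits.arrayLimit;
  const checkArrayKey = (container, k) => {
    if (Array.isArray(container) && !smallIndex(k)) {
      throw new RangeError(`key "${k}" not allowed on an array`);
    }
  };
  const result = Object.create(null);
  for (const [path, value] of pairs) {
    if (path.length - 1 > limits.depth) throw new RangeError('key nested too deeply');
    if (path.some((k) => FORBIDDEN.has(k))) continue; // dropped silently, as qs does
    let cur = result;
    for (let i = 0; i < path.length - 1; i++) {
      const k = path[i];
      checkArrayKey(cur, k);
      if (cur[k] === null || typeof cur[k] !== 'object') {
        cur[k] = smallIndex(path[i + 1]) ? [] : Object.create(null);
      }
      cur = cur[k];
    }
    const last = path[path.length - 1];
    checkArrayKey(cur, last);
    cur[last] = value;
  }
  return result;
}

// Feed a parser the advisory-style payload and report whether every plain
// object now inherits "polluted"; the finally block undoes any pollution.
function pollutes(parser) {
  try {
    parser('a[__proto__][polluted]=yes');
    return ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

// Message of the RangeError parseHardened throws for query, or null if accepted.
function rejects(query) {
  try { parseHardened(query); return null; } catch (e) { return e.message; }
}

console.log(pollutes(parseNaive), pollutes(parseHardened),
  parseNaive('a[0]=x&a[length]=100000000').a.length, rejects('a[0]=x&a[length]=100000000'));
```

Two design choices are worth noting. The hardened parser returns prototype-less objects (Object.create(null)); if downstream code needs ordinary objects, convert at the boundary rather than giving up the guarantee inside the parser. And it rejects rather than silently truncates when a limit is exceeded, so that a request carrying an oversized index or over-deep key can be answered with a 400 and logged, which is the signal a detection team actually wants from this class of payload.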
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular-expression denial of service when a MIME lookup is performed on untrusted user input, such as a client-supplied filename or extension.
Update to version 2.0.3 or later.