Body-parser is a crucial Node.js middleware designed for parsing incoming request bodies, making the data accessible within your application. Comparing versions 1.3.0 and 1.3.1 reveals subtle but important distinctions for developers. Both versions share the same core functionality and maintain the same fundamental dependencies: qs for query string parsing, bytes for handling byte sizes, and raw-body for efficiently reading raw request bodies. The primary difference lies in the type-is dependency, updated from version 1.2.0 to 1.2.1 in the newer release. While seemingly minor, this update likely addresses bug fixes or minor improvements within the type-is library, which is responsible for determining the media type of a request.
Furthermore, the development environment also saw upgrades in version 1.3.1: the mocha testing framework moved to "~1.20.1" from "~1.18.2", and the should assertion library advanced to "~4.0.4" from "~3.3.1". Supertest, used for HTTP testing, also moved to version "~0.13.0" from "~0.12.1". These changes suggest improvements in the testing suite, possibly increased stability or enhanced testing capabilities. Developers upgrading should be aware of potential minor behavioral changes in the type-is library and in the testing framework, and should verify that their existing code works as expected. Both versions are released under the MIT license and are readily available via npm, offering a reliable solution for body parsing in Node.js applications. It is advisable to check the changelog to fully understand what each dependency upgrade brings in both stability and features.
All vulnerabilities related to version 1.3.1 of the package
body-parser vulnerable to denial of service when url encoding is enabled
body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
This issue is patched in 1.20.3.
Denial-of-Service Extended Event Loop Blocking in qs
Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.
Update to version 1.0.0 or later.
Denial-of-Service Memory Exhaustion in qs
Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.
Update to version 1.0.0 or later.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
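Every qs advisory above turns on what a bracket-notation key is allowed to express: a prototype segment, a very large array index, or excessive nesting. The guard below is an added example (not code from body-parser or qs) that inspects the raw keys of an application/x-www-form-urlencoded body before they reach a parser, so an offending key is rejected rather than materialised; the depth and index limits are assumptions that mirror the documented qs defaults, and the sample bodies are constructed.

```javascript
// Added example: pre-parse guard for urlencoded keys. Not qs or body-parser code.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a raw key such as "a[__proto__][x]" into its path segments.
// Unclosed brackets and trailing text are kept as literal segments, so a
// deliberately malformed key cannot hide a segment from the check below.
function keySegments(rawKey) {
  let key;
  try {
    key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
  } catch (e) {
    return null; // invalid percent-encoding
  }
  const first = key.indexOf('[');
  if (first === -1) return [key];
  const segs = [key.slice(0, first)];
  let i = first;
  while (i < key.length) {
    if (key[i] !== '[') { segs.push(key.slice(i)); break; } // stray text after ]
    const close = key.indexOf(']', i + 1);
    if (close === -1) { segs.push(key.slice(i + 1)); break; } // unclosed bracket
    segs.push(key.slice(i + 1, close));
    i = close + 1;
  }
  return segs;
}

// Returns { ok: true } or { ok: false, reason, key } for the first bad key.
function checkUrlencodedKeys(body, opts = {}) {
  const maxDepth = opts.maxDepth ?? 5;  // assumed limit; qs documents depth: 5
  const maxIndex = opts.maxIndex ?? 20; // assumed limit; qs documents arrayLimit: 20
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const rawKey = pair.split('=')[0];
    const segs = keySegments(rawKey);
    if (segs === null) return { ok: false, reason: 'malformed-encoding', key: rawKey };
    if (segs.length - 1 > maxDepth) return { ok: false, reason: 'too-deep', key: rawKey };
    for (const s of segs) {
      if (FORBIDDEN_SEGMENTS.has(s)) return { ok: false, reason: 'forbidden-segment', key: rawKey };
      if (/^\d+$/.test(s) && Number(s) > maxIndex) return { ok: false, reason: 'index-too-large', key: rawKey };
    }
  }
  return { ok: true };
}

// Constructed sample: the payload quoted in the advisory above is rejected on its first key.
const verdict = checkUrlencodedKeys('a[__proto__]=b&a[__proto__]&a[length]=100000000');
console.log(verdict); // { ok: false, reason: 'forbidden-segment', key: 'a[__proto__]' }
```

In an Express application this check would run on the raw body (for example from a raw-body read) before handing it to a urlencoded parser; a rejected body should be answered with 400 and logged with the offending key and reason for detection.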