Body-parser is a crucial Node.js middleware for parsing incoming request bodies before your handlers process them, offering streamlined access to data sent by clients. Comparing versions 1.9.0 and 1.8.4, several commonalities are visible: both versions share a similar description and essential functionality such as parsing JSON, URL-encoded, and raw data. The dependencies objects are almost identical, including qs, bytes, type-is, raw-body, iconv-lite, media-typer, and on-finished. The devDependencies, including testing and coverage tools like mocha, should, istanbul, and supertest, remain consistent across both versions, indicating a commitment to code quality. The license remains MIT.
A key difference lies in the depd dependency. Version 1.9.0 uses depd version ~1.0.0, while version 1.8.4 employs depd version 0.4.5. This suggests an update in the deprecation handling mechanism or internal logging within the body-parser middleware. The releaseDate also shows a minor uplift: version 1.9.0 was released later on the same day as version 1.8.4. While the core functionality appears unchanged, developers should be aware of the depd update, especially if their code relies on specific deprecation behaviors. Given the minimal differences, upgrading from 1.8.4 to 1.9.0 should be straightforward and brings any minor improvements or bug fixes included in the depd dependency upgrade. The repository's url did not change.
All vulnerabilities related to version 1.9.0 of the package
body-parser vulnerable to denial of service when url encoding is enabled
body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
This issue is patched in 1.20.3.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.