From 86227d4014efdec700a014415f4f8d98afe7b6da Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Thu, 17 Apr 2025 15:45:48 +0200 Subject: [PATCH 01/55] ci: use full SHAs for github action versions (#594) --- .github/workflows/ci.yml | 16 ++++++++-------- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 8 ++++---- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b0aee326..03314b2d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,10 +16,10 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0 with: node-version: 'lts/*' @@ -38,9 +38,9 @@ jobs: node-version: [18, 19, 20, 21, 22, 23] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0 with: node-version: ${{ matrix.node-version }} check-latest: true @@ -52,7 +52,7 @@ jobs: run: npm run test-ci - name: Upload code coverage - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: coverage-node-${{ matrix.node-version }} path: ./coverage/lcov.info @@ -65,14 +65,14 @@ jobs: contents: read checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install lcov shell: bash run: sudo apt-get -y install lcov - name: Collect coverage reports - uses: actions/download-artifact@v4 + uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 with: path: ./coverage pattern: coverage-node-* 
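Review bot: The `actions/checkout` steps pinned in this hunk (the Lint job, the matrix test job and the coverage job further down the file) keep the default `persist-credentials: true`, so the job's `GITHUB_TOKEN` is stored in the checkout's git config and remains readable by every later step in the same job, including third-party actions such as `coverallsapp/github-action` in the coverage job; the scorecard workflow touched by this same patch already passes `persist-credentials: false` to its checkout. Unless a later step needs to push with that token, add `with:` / `persist-credentials: false` under each checkout here so the pinning effort is matched by the same least-privilege default. The `# v4.2.2`-style trailing comments on the SHA pins are the right shape for Dependabot to keep the pins current.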
@@ -82,6 +82,6 @@ jobs: run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./lcov.info - name: Upload coverage report - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6 with: file: ./lcov.info diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index cd411926..ad4b40bc 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -38,7 +38,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 with: languages: javascript # If you wish to specify custom queries, you can do so here or in a config file. @@ -48,7 +48,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) # - name: Autobuild - # uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + # uses: github/codeql-action/autobuild@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -61,6 +61,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 with: category: "/language:javascript" \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 39372a22..f54c46d3 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -29,12 +29,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 with: results_file: results.sarif results_format: sarif @@ -56,7 +56,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: SARIF file path: results.sarif @@ -64,6 +64,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2 + uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 with: sarif_file: results.sarif From 22bb75bdc24a2c6573b04356dbcbbc9b33b63326 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Thu, 17 Apr 2025 15:46:15 +0200 Subject: [PATCH 02/55] ci: add dependabot (#593) --- .github/dependabot.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..a6096a49 --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,17 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: monthly + + - package-ecosystem: npm + directory: / + schedule: + interval: monthly + time: "23:00" + timezone: Europe/London + open-pull-requests-limit: 10 + ignore: + - dependency-name: "*" + update-types: ["version-update:semver-major"] \ No newline at end of file From 8d5795b6442f7c92319fbe00cdb20a877fc27111 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Thu, 17 Apr 2025 16:10:18 +0200 Subject: [PATCH 03/55] ci: use full SHAs for github action versions (#594) From dd22f62334051f708345c3ce41fd46c2d8ac8b92 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Thu, 17 Apr 2025 18:36:56 +0200 Subject: [PATCH 04/55] deps: type-is@^2.0.1 (#599) --- HISTORY.md | 6 ++++++ package.json | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index 17dd110e..d18686e4 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,3 +1,9 @@ +unreleased +========================= + +* deps: + * type-is@^2.0.1 + 2.2.0 / 2025-03-27 ========================= diff --git a/package.json b/package.json index e7f763b8..26d667f2 100644 --- a/package.json +++ b/package.json @@ -17,7 +17,7 @@ "on-finished": "^2.4.1", "qs": "^6.14.0", "raw-body": "^3.0.0", - "type-is": "^2.0.0" + "type-is": "^2.0.1" }, "devDependencies": { "eslint": "8.34.0", From fba2f200796927d9cd75c33339f36fd083742890 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Apr 2025 20:15:41 +0200 Subject: [PATCH 05/55] build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 (#609) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 03314b2d..898639b5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
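Review bot: The `ignore` block at the end of the npm entry, `dependency-name: "*"` with `update-types: ["version-update:semver-major"]`, suppresses every major-version update; if I recall the Dependabot semantics correctly, `ignore` entries are honoured by security updates as well, so a fix that only ships in a new major line would never be proposed and would have to be spotted by hand — confirm against the Dependabot docs and, if that is the case, say so in the file with `# majors are ignored on purpose; a security fix that is major-only must be handled manually`. The `github-actions` entry has no `time`/`timezone` while the npm entry does, which is harmless but reads as an oversight, and the file is written without a trailing newline.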
@@ -19,7 +19,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Node.js - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 'lts/*' @@ -40,7 +40,7 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ matrix.node-version }} check-latest: true From 36bc1c2ed8e0bb00db0b406b2ab1387681ad94ec Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Apr 2025 20:16:06 +0200 Subject: [PATCH 06/55] build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 (#610) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ad4b40bc..d7b8233a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -38,7 +38,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 + uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 with: languages: javascript # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -61,6 +61,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 + uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 with: category: "/language:javascript" \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f54c46d3..bca84b66 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -64,6 +64,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 + uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 with: sarif_file: results.sarif From a6c17aec20d7c8606510ee42df965bce533b64a4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 22 Apr 2025 09:09:01 +0200 Subject: [PATCH 07/55] build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 (#611) Bumps [eslint-plugin-promise](https://github.com/eslint-community/eslint-plugin-promise) from 6.1.1 to 6.6.0. - [Release notes](https://github.com/eslint-community/eslint-plugin-promise/releases) - [Changelog](https://github.com/eslint-community/eslint-plugin-promise/blob/main/CHANGELOG.md) - [Commits](https://github.com/eslint-community/eslint-plugin-promise/compare/v6.1.1...v6.6.0) --- updated-dependencies: - dependency-name: eslint-plugin-promise dependency-version: 6.6.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 26d667f2..7d276731 100644 --- a/package.json 
+++ b/package.json @@ -25,7 +25,7 @@ "eslint-plugin-import": "2.27.5", "eslint-plugin-markdown": "3.0.0", "eslint-plugin-node": "11.1.0", - "eslint-plugin-promise": "6.1.1", + "eslint-plugin-promise": "6.6.0", "eslint-plugin-standard": "4.1.0", "mocha": "^11.1.0", "nyc": "^17.1.0", From 1c71da347f4d58a93bc17e08125a1c29005d85ca Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 22 Apr 2025 09:09:18 +0200 Subject: [PATCH 08/55] build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 (#613) Bumps [eslint-plugin-import](https://github.com/import-js/eslint-plugin-import) from 2.27.5 to 2.31.0. - [Release notes](https://github.com/import-js/eslint-plugin-import/releases) - [Changelog](https://github.com/import-js/eslint-plugin-import/blob/main/CHANGELOG.md) - [Commits](https://github.com/import-js/eslint-plugin-import/compare/v2.27.5...v2.31.0) --- updated-dependencies: - dependency-name: eslint-plugin-import dependency-version: 2.31.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 7d276731..364de28d 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,7 @@ "devDependencies": { "eslint": "8.34.0", "eslint-config-standard": "14.1.1", - "eslint-plugin-import": "2.27.5", + "eslint-plugin-import": "2.31.0", "eslint-plugin-markdown": "3.0.0", "eslint-plugin-node": "11.1.0", "eslint-plugin-promise": "6.6.0", From 5f3d87858bf93324d32a055cbb833252ec7c8d94 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 22 Apr 2025 09:12:10 +0200 Subject: [PATCH 09/55] build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 (#612) Bumps [eslint-plugin-markdown](https://github.com/eslint/eslint-plugin-markdown) from 3.0.0 to 3.0.1. - [Release notes](https://github.com/eslint/eslint-plugin-markdown/releases) - [Changelog](https://github.com/eslint/markdown/blob/main/CHANGELOG.md) - [Commits](https://github.com/eslint/eslint-plugin-markdown/compare/v3.0.0...v3.0.1) --- updated-dependencies: - dependency-name: eslint-plugin-markdown dependency-version: 3.0.1 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 364de28d..b5dc8303 100644 --- a/package.json +++ b/package.json @@ -23,7 +23,7 @@ "eslint": "8.34.0", "eslint-config-standard": "14.1.1", "eslint-plugin-import": "2.31.0", - "eslint-plugin-markdown": "3.0.0", + "eslint-plugin-markdown": "3.0.1", "eslint-plugin-node": "11.1.0", "eslint-plugin-promise": "6.6.0", "eslint-plugin-standard": "4.1.0", From a722dec4218323da134054fff5e6d292972c7f8b Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Fri, 25 Apr 2025 16:16:52 +0200 Subject: [PATCH 10/55] ci: add codeql github workflows scanning (#614) --- .github/workflows/codeql.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d7b8233a..940e2c18 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -31,6 +31,10 @@ jobs: actions: read contents: read security-events: write + strategy: + fail-fast: false + matrix: + language: [javascript, actions] steps: - name: Checkout repository 
@@ -40,7 +44,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 with: - languages: javascript + languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. @@ -61,6 +65,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 - with: - category: "/language:javascript" \ No newline at end of file + uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 \ No newline at end of file From 171f9b8f7f06bb655a437a29f1f33bf7e43eb7e8 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Mon, 28 Apr 2025 08:26:02 +0200 Subject: [PATCH 11/55] ci: update CodeQL config to ignore the test directory (#615) --- .github/workflows/codeql.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 940e2c18..470557fc 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -45,6 +45,9 @@ jobs: uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 with: languages: ${{ matrix.language }} + config: | + paths-ignore: + - test # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. From 477af6c139b8830a1c565b7c3333f5cea6d4f7e9 Mon Sep 17 00:00:00 2001 
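Review bot: The last hunk of the codeql.yml change removes `category: "/language:javascript"` from the `Perform CodeQL Analysis` step at the same moment the earlier hunk turns the job into a two-leg matrix (`javascript`, `actions`), so two analyses per commit are now uploaded without a distinguishing category and may be treated as the same analysis by code scanning; the GitHub starter workflow uses `category: "/language:${{ matrix.language }}"` for exactly this situation. Unless the pinned codeql-action release is known to derive a per-language category on its own, restore the input as `with:` / `category: "/language:${{ matrix.language }}"` under the analyze step. The `permissions` block visible in context already grants `security-events: write`, which both matrix legs need, so nothing else changes for the second language.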
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 4 May 2025 12:37:44 +0200 Subject: [PATCH 12/55] build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 (#620) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.2.1 to 4.3.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/95815c38cf2ff2164869cbab79da8d1f422bc89e...d3f86a106a0bac45b974a628896c90dbdf5c8093) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 4.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 898639b5..7ed18d70 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -72,7 +72,7 @@ jobs: run: sudo apt-get -y install lcov - name: Collect coverage reports - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: ./coverage pattern: coverage-node-* From ac9f9967fb66fad65fdcec997ed92b274a9c749f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 4 May 2025 12:38:15 +0200 Subject: [PATCH 13/55] build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 (#619) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.15 to 3.28.16. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/45775bd8235c68ba998cffa5171334d58593da47...28deaeda66b76a05916b6923827895f2b14ab387) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.28.16 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 470557fc..7b17944c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 + uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16 with: languages: ${{ matrix.language }} config: | @@ -68,4 +68,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 \ No newline at end of file + uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16 \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index bca84b66..910dfe81 100644 --- a/.github/workflows/scorecard.yml 
+++ b/.github/workflows/scorecard.yml @@ -64,6 +64,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 + uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16 with: sarif_file: results.sarif From 90ec11dd13dc25a0a4b479a1014767dbb8e90100 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Fri, 9 May 2025 15:34:33 +0200 Subject: [PATCH 14/55] chore(deps): unpin devDependencies (#616) --- package.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/package.json b/package.json index b5dc8303..b5ad51a8 100644 --- a/package.json +++ b/package.json @@ -20,13 +20,13 @@ "type-is": "^2.0.1" }, "devDependencies": { - "eslint": "8.34.0", - "eslint-config-standard": "14.1.1", - "eslint-plugin-import": "2.31.0", - "eslint-plugin-markdown": "3.0.1", - "eslint-plugin-node": "11.1.0", - "eslint-plugin-promise": "6.6.0", - "eslint-plugin-standard": "4.1.0", + "eslint": "^8.57.1", + "eslint-config-standard": "^14.1.1", + "eslint-plugin-import": "^2.31.0", + "eslint-plugin-markdown": "^3.0.1", + "eslint-plugin-node": "^11.1.0", + "eslint-plugin-promise": "^6.6.0", + "eslint-plugin-standard": "^4.1.0", "mocha": "^11.1.0", "nyc": "^17.1.0", "supertest": "^7.0.0" From 749ceacf97000a68c687c197987f95af50ce3a98 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Fri, 9 May 2025 15:37:00 +0200 Subject: [PATCH 15/55] ci: add node.js 24 to test matrix (#621) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7ed18d70..22c867ff 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
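Review bot: Switching `"eslint": "^8.57.1"` and the six plugin lines below it from exact versions to caret ranges means the lint toolchain installed in CI is decided at install time rather than by this file; if the repository does not commit a lockfile and the workflow installs with `npm install` rather than `npm ci` (the install step is outside these hunks), a plugin release landing between two runs changes the environment with no diff to review. Either keep a committed `package-lock.json` and install with `npm ci`, or leave the exact pins in place and let the Dependabot config added earlier in this series do the bumping — its semver-major `ignore` already limits the churn that motivated unpinning. This is a `devDependencies`-only change, so consumers of the published package are unaffected.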
@@ -35,7 +35,7 @@ jobs: strategy: fail-fast: false matrix: - node-version: [18, 19, 20, 21, 22, 23] + node-version: [18, 19, 20, 21, 22, 23, 24] steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 From 9e1fec5d3ea9079d318cd58c9399f4f31fa8df10 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Jun 2025 18:44:25 +0200 Subject: [PATCH 16/55] build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 (#623) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.16 to 3.28.18. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/28deaeda66b76a05916b6923827895f2b14ab387...ff0a06e83cb2de871e5a09832bc6a81e7276941f) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.28.18 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7b17944c..c642246b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16 + uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 with: languages: ${{ matrix.language }} config: | 
@@ -68,4 +68,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16 \ No newline at end of file + uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 910dfe81..47a16216 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -64,6 +64,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16 + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 with: sarif_file: results.sarif From b24797bf5976dd65e55193fd62630beb15d65b10 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Jun 2025 18:44:46 +0200 Subject: [PATCH 17/55] build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 (#624) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.1 to 2.4.2. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/f49aabe0b5af0936a0987cfb85d86b75731b0186...05b42c624433fc40578a4040d5cf5e36ddca8cde) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-version: 2.4.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 47a16216..0d16dcbe 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -34,7 +34,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 + uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 with: results_file: results.sarif results_format: sarif From e1da3d2f9250ff0199a07395611c87fa293ce65a Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Tue, 22 Jul 2025 22:18:01 +0200 Subject: [PATCH 18/55] chore: add funding to package.json (#617) Ref: https://github.com/expressjs/discussions/issues/356 --- package.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/package.json b/package.json index b5ad51a8..435f938f 100644 --- a/package.json +++ b/package.json @@ -8,6 +8,10 @@ ], "license": "MIT", "repository": "expressjs/body-parser", + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + }, "dependencies": { "bytes": "^3.1.2", "content-type": "^1.0.5", From 82bcddc1ec9df1ac148fd8df91c6fd218b750a1b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 22 Jul 2025 22:23:23 +0200 Subject: [PATCH 19/55] build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 (#625) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.18 to 3.29.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/ff0a06e83cb2de871e5a09832bc6a81e7276941f...181d5eefc20863364f96762470ba6f862bdef56b) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.2 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c642246b..b7b4bd9e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 with: languages: ${{ matrix.language }} config: | @@ -68,4 +68,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 \ No newline at end of file + uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 0d16dcbe..49afbb87 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -64,6 +64,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 with: sarif_file: results.sarif From 0dad12f03792ee4991d1054b1f5ff35ed70a3e34 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Aug 2025 22:52:34 +0000 Subject: [PATCH 20/55] build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.2 to 3.29.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/181d5eefc20863364f96762470ba6f862bdef56b...51f77329afa6477de8c49fc9c7046c15b9a4e79d) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b7b4bd9e..dd8c9fc4 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 + uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 with: languages: ${{ matrix.language }} config: | @@ -68,4 +68,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 \ No newline at end of file + uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 49afbb87..5d50766a 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -64,6 +64,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 + uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 with: sarif_file: results.sarif From ca9864ac0f47ef8ab0fdad177c16ae531e1e7b47 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Mon, 8 Sep 2025 22:44:05 +0200 Subject: [PATCH 21/55] refactor: move common request validation to read function (#600) --- HISTORY.md | 1 + README.md | 7 +++++- lib/read.js | 46 +++++++++++++++++++++++++++++++--- lib/types/json.js | 53 +++++---------------------------------- lib/types/raw.js | 39 ++++------------------------- lib/types/text.js | 45 +++------------------------------ lib/types/urlencoded.js | 55 ++++++----------------------------------- lib/utils.js | 2 ++ test/utils.js | 18 +++++++++++++- 9 files changed, 90 insertions(+), 176 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index d18686e4..b22f85ec 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,6 +1,7 @@ unreleased ========================= +* refactor: move common request validation to read function * deps: * type-is@^2.0.1 diff --git a/README.md b/README.md index 9fcd4c6f..7fe2e569 100644 --- a/README.md +++ b/README.md @@ -76,6 +76,11 @@ object after the middleware (i.e. `req.body`). The `json` function takes an optional `options` object that may contain any of the following keys: +##### defaultCharset + +Specify the default character set for the json content if the charset is not +specified in the `Content-Type` header of the request. Defaults to `utf-8`. + ##### inflate When set to `true`, then deflated (compressed) bodies will be inflated; when 
@@ -291,7 +296,7 @@ Whether to decode numeric entities such as `☺` when parsing an iso-8859-1 form. Defaults to `false`. -#### depth +##### depth The `depth` option is used to configure the maximum depth of the `qs` library when `extended` is `true`. This allows you to limit the amount of keys that are parsed and can be useful to prevent certain types of abuse. Defaults to `32`. It is recommended to keep this value as low as possible. diff --git a/lib/read.js b/lib/read.js index eee8b111..b3f2345f 100644 --- a/lib/read.js +++ b/lib/read.js @@ -16,6 +16,8 @@ var getBody = require('raw-body') var iconv = require('iconv-lite') var onFinished = require('on-finished') var zlib = require('node:zlib') +var hasBody = require('type-is').hasBody +var { getCharset } = require('./utils') /** * Module exports. @@ -36,14 +38,52 @@ module.exports = read */ function read (req, res, next, parse, debug, options) { + if (onFinished.isFinished(req)) { + debug('body already parsed') + next() + return + } + + if (!('body' in req)) { + req.body = undefined + } + + // skip requests without bodies + if (!hasBody(req)) { + debug('skip empty body') + next() + return + } + + debug('content-type %j', req.headers['content-type']) + + // determine if request should be parsed + if (!options.shouldParse(req)) { + debug('skip parsing') + next() + return + } + + var encoding = null + if (options?.skipCharset !== true) { + encoding = getCharset(req) || options.defaultCharset + + // validate charset + if (!!options?.isValidCharset && !options.isValidCharset(encoding)) { + debug('invalid charset') + next(createError(415, 'unsupported charset "' + encoding.toUpperCase() + '"', { + charset: encoding, + type: 'charset.unsupported' + })) + return + } + } + var length var opts = options var stream // read options - var encoding = opts.encoding !== null - ? opts.encoding - : null var verify = opts.verify try { diff --git a/lib/types/json.js b/lib/types/json.js index 078ce710..2d136e50 100644 
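Review bot: The charset branch in read() tests `options?.skipCharset` and `!!options?.isValidCharset` even though `options.shouldParse(req)` a few lines earlier already dereferences `options` unconditionally, so the optional chaining and double negation imply a tolerance for a missing options object that the function does not have; `if (options.isValidCharset && !options.isValidCharset(encoding)) {` says the same thing without the false signal. The `encoding.toUpperCase()` in the 415 path also assumes `options.defaultCharset` is a string whenever `getCharset(req)` returns nothing, which holds for callers that go through normalizeOptions (utils.js hunk in this commit) but for no other caller, so the JSDoc for the `options` parameter above the function (outside the hunk) should now list `shouldParse`, `defaultCharset`, `skipCharset` and `isValidCharset` and say which are required. When neither `skipCharset` nor `isValidCharset` is supplied, the client-declared charset reaches whatever decoding follows the `try {` at the end of the hunk without validation; that matches the old text parser, but a comment on the `var encoding = null` line such as `// charset is only validated when the caller supplies isValidCharset` would keep the next reader from assuming read() rejects unknown charsets on its own.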
--- a/lib/types/json.js +++ b/lib/types/json.js @@ -12,12 +12,9 @@ * @private */ -var createError = require('http-errors') var debug = require('debug')('body-parser:json') -var isFinished = require('on-finished').isFinished var read = require('../read') -var typeis = require('type-is') -var { getCharset, normalizeOptions } = require('../utils') +var { normalizeOptions } = require('../utils') /** * Module exports. @@ -51,7 +48,7 @@ var JSON_SYNTAX_REGEXP = /#+/g */ function json (options) { - var { inflate, limit, verify, shouldParse } = normalizeOptions(options, 'application/json') + var normalizedOptions = normalizeOptions(options, 'application/json') var reviver = options?.reviver var strict = options?.strict !== false @@ -84,49 +81,11 @@ function json (options) { } return function jsonParser (req, res, next) { - if (isFinished(req)) { - debug('body already parsed') - next() - return - } - - if (!('body' in req)) { - req.body = undefined - } - - // skip requests without bodies - if (!typeis.hasBody(req)) { - debug('skip empty body') - next() - return - } - - debug('content-type %j', req.headers['content-type']) - - // determine if request should be parsed - if (!shouldParse(req)) { - debug('skip parsing') - next() - return - } - - // assert charset per RFC 7159 sec 8.1 - var charset = getCharset(req) || 'utf-8' - if (charset.slice(0, 4) !== 'utf-') { - debug('invalid charset') - next(createError(415, 'unsupported charset "' + charset.toUpperCase() + '"', { - charset: charset, - type: 'charset.unsupported' - })) - return - } - - // read read(req, res, next, parse, debug, { - encoding: charset, - inflate, - limit, - verify + ...normalizedOptions, + + // assert charset per RFC 7159 sec 8.1 + isValidCharset: (charset) => charset.slice(0, 4) === 'utf-' }) } } diff --git a/lib/types/raw.js b/lib/types/raw.js index 3788ff27..95ba5817 100644 --- a/lib/types/raw.js +++ b/lib/types/raw.js 
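Review bot: json() now forwards `normalizedOptions.defaultCharset` to read(), where it becomes the charset of any request that declares none and is then tested by the `isValidCharset` arrow in this hunk; a user who sets `defaultCharset: 'iso-8859-1'` (the README hunk in this commit advertises the option for json) therefore gets a 415 on every charset-less request instead of an error at setup, whereas urlencoded() in the same commit throws a TypeError at construction. Validating once where `normalizedOptions` is assigned in the first hunk keeps the misconfiguration loud: `if (normalizedOptions.defaultCharset.slice(0, 4) !== 'utf-') { throw new TypeError('option defaultCharset must be a utf- charset') }`. The json function starts before the second hunk, so the guard and the `isValidCharset` arrow would sit in different hunks; sharing one predicate for both avoids restating the `'utf-'` prefix rule twice.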
@@ -11,9 +11,7 @@ */ var debug = require('debug')('body-parser:raw') -var isFinished = require('on-finished').isFinished var read = require('../read') -var typeis = require('type-is') var { normalizeOptions } = require('../utils') /** @@ -31,45 +29,18 @@ module.exports = raw */ function raw (options) { - var { inflate, limit, verify, shouldParse } = normalizeOptions(options, 'application/octet-stream') + var normalizedOptions = normalizeOptions(options, 'application/octet-stream') function parse (buf) { return buf } return function rawParser (req, res, next) { - if (isFinished(req)) { - debug('body already parsed') - next() - return - } - - if (!('body' in req)) { - req.body = undefined - } - - // skip requests without bodies - if (!typeis.hasBody(req)) { - debug('skip empty body') - next() - return - } - - debug('content-type %j', req.headers['content-type']) - - // determine if request should be parsed - if (!shouldParse(req)) { - debug('skip parsing') - next() - return - } - - // read read(req, res, next, parse, debug, { - encoding: null, - inflate, - limit, - verify + ...normalizedOptions, + + // Skip charset validation and parse the body as is + skipCharset: true }) } } diff --git a/lib/types/text.js b/lib/types/text.js index 3e0ab1bb..aa096a98 100644 --- a/lib/types/text.js +++ b/lib/types/text.js @@ -11,10 +11,8 @@ */ var debug = require('debug')('body-parser:text') -var isFinished = require('on-finished').isFinished var read = require('../read') -var typeis = require('type-is') -var { getCharset, normalizeOptions } = require('../utils') +var { normalizeOptions } = require('../utils') /** * Module exports. 
@@ -31,50 +29,13 @@ module.exports = text */ function text (options) { - var { inflate, limit, verify, shouldParse } = normalizeOptions(options, 'text/plain') - - var defaultCharset = options?.defaultCharset || 'utf-8' + var normalizedOptions = normalizeOptions(options, 'text/plain') function parse (buf) { return buf } return function textParser (req, res, next) { - if (isFinished(req)) { - debug('body already parsed') - next() - return - } - - if (!('body' in req)) { - req.body = undefined - } - - // skip requests without bodies - if (!typeis.hasBody(req)) { - debug('skip empty body') - next() - return - } - - debug('content-type %j', req.headers['content-type']) - - // determine if request should be parsed - if (!shouldParse(req)) { - debug('skip parsing') - next() - return - } - - // get charset - var charset = getCharset(req) || defaultCharset - - // read - read(req, res, next, parse, debug, { - encoding: charset, - inflate, - limit, - verify - }) + read(req, res, next, parse, debug, normalizedOptions) } } diff --git a/lib/types/urlencoded.js b/lib/types/urlencoded.js index f993425e..4d8750aa 100644 --- a/lib/types/urlencoded.js +++ b/lib/types/urlencoded.js @@ -14,11 +14,9 @@ var createError = require('http-errors') var debug = require('debug')('body-parser:urlencoded') -var isFinished = require('on-finished').isFinished var read = require('../read') -var typeis = require('type-is') var qs = require('qs') -var { getCharset, normalizeOptions } = require('../utils') +var { normalizeOptions } = require('../utils') /** * Module exports. 
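Review bot: After this hunk textParser hands `normalizedOptions` to read() with neither `skipCharset` nor `isValidCharset`, which per the read.js hunk in this same commit means the charset a client declares is accepted without validation; the removed lines behaved the same way (`getCharset(req) || defaultCharset` with no check), but the behaviour is now implicit in the absence of two keys rather than visible in the parser. A one-line comment above the read() call would preserve that intent, for example `// no isValidCharset: text bodies are decoded with whatever charset the request declares (defaultCharset when absent)`. Whether read() itself later rejects encodings that iconv-lite does not know is outside this hunk and should be confirmed before relying on it.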
@@ -35,10 +33,9 @@ module.exports = urlencoded */ function urlencoded (options) { - var { inflate, limit, verify, shouldParse } = normalizeOptions(options, 'application/x-www-form-urlencoded') + var normalizedOptions = normalizeOptions(options, 'application/x-www-form-urlencoded') - var defaultCharset = options?.defaultCharset || 'utf-8' - if (defaultCharset !== 'utf-8' && defaultCharset !== 'iso-8859-1') { + if (normalizedOptions.defaultCharset !== 'utf-8' && normalizedOptions.defaultCharset !== 'iso-8859-1') { throw new TypeError('option defaultCharset must be either utf-8 or iso-8859-1') } @@ -52,49 +49,11 @@ function urlencoded (options) { } return function urlencodedParser (req, res, next) { - if (isFinished(req)) { - debug('body already parsed') - next() - return - } - - if (!('body' in req)) { - req.body = undefined - } - - // skip requests without bodies - if (!typeis.hasBody(req)) { - debug('skip empty body') - next() - return - } - - debug('content-type %j', req.headers['content-type']) - - // determine if request should be parsed - if (!shouldParse(req)) { - debug('skip parsing') - next() - return - } - - // assert charset - var charset = getCharset(req) || defaultCharset - if (charset !== 'utf-8' && charset !== 'iso-8859-1') { - debug('invalid charset') - next(createError(415, 'unsupported charset "' + charset.toUpperCase() + '"', { - charset: charset, - type: 'charset.unsupported' - })) - return - } - - // read read(req, res, next, parse, debug, { - encoding: charset, - inflate, - limit, - verify + ...normalizedOptions, + + // assert charset + isValidCharset: (charset) => charset === 'utf-8' || charset === 'iso-8859-1' }) } } diff --git a/lib/utils.js b/lib/utils.js index eee5d952..c457aa65 100644 --- a/lib/utils.js +++ b/lib/utils.js 
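Review bot: The set of accepted charsets is now written twice in urlencoded(): once in the construction-time TypeError guard in the first hunk (`!== 'utf-8' && ... !== 'iso-8859-1'`) and again in the `isValidCharset` arrow in the second, so a future addition to one list will silently drift from the other. Defining the predicate once near the top of the function, `const isValidCharset = (charset) => charset === 'utf-8' || charset === 'iso-8859-1'`, and using it both in `if (!isValidCharset(normalizedOptions.defaultCharset))` and as the read option keeps the two in step. The enclosing urlencoded function spans both hunks, with its `parse` helper between them.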
@@ -64,6 +64,7 @@ function normalizeOptions (options, defaultType) { : options?.limit var type = options?.type || defaultType var verify = options?.verify || false + var defaultCharset = options?.defaultCharset || 'utf-8' if (verify !== false && typeof verify !== 'function') { throw new TypeError('option verify must be function') @@ -78,6 +79,7 @@ function normalizeOptions (options, defaultType) { inflate, limit, verify, + defaultCharset, shouldParse } } diff --git a/test/utils.js b/test/utils.js index ee6df5d8..364d3838 100644 --- a/test/utils.js +++ b/test/utils.js @@ -10,6 +10,7 @@ describe('normalizeOptions(options, defaultType)', () => { assert.strictEqual(result.inflate, true) assert.strictEqual(result.limit, 100 * 1024) // 100kb in bytes assert.strictEqual(result.verify, false) + assert.strictEqual(result.defaultCharset, 'utf-8') assert.strictEqual(typeof result.shouldParse, 'function') } }) @@ -19,12 +20,14 @@ describe('normalizeOptions(options, defaultType)', () => { inflate: false, limit: '200kb', type: 'application/xml', - verify: () => {} + verify: () => {}, + defaultCharset: 'iso-8859-1' } const result = normalizeOptions(options, 'application/json') assert.strictEqual(result.inflate, false) assert.strictEqual(result.limit, 200 * 1024) // 200kb in bytes assert.strictEqual(result.verify, options.verify) + assert.strictEqual(result.defaultCharset, 'iso-8859-1') assert.strictEqual(typeof result.shouldParse, 'function') }) @@ -41,6 +44,7 @@ describe('normalizeOptions(options, defaultType)', () => { assert.strictEqual(result.inflate, false) assert.strictEqual(result.limit, 200 * 1024) // 200kb in bytes assert.strictEqual(result.verify, options.verify) + assert.strictEqual(result.defaultCharset, 'utf-8') assert.strictEqual(typeof result.shouldParse, 'function') assert.strictEqual(result.additional, undefined) assert.strictEqual(result.something, undefined) 
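Review bot: normalizeOptions accepts any truthy `defaultCharset` while the `verify` option two lines below is type-checked with a TypeError; a non-string value, or an upper-case one such as `'UTF-8'`, passes here and only fails later, per request, in the parsers' case-sensitive `isValidCharset` comparisons or at `encoding.toUpperCase()` in read.js. A matching guard next to the verify check, `if (typeof defaultCharset !== 'string') { throw new TypeError('option defaultCharset must be a string') }`, fails at setup instead; lower-casing the value here, or stating in the README entry added by this commit that it must be lower-case, would cover the casing case (I cannot see from this diff whether getCharset lower-cases the request side). The test/utils.js hunks on this line cover only the default and one valid override, so a test for a non-string value would pin whichever behaviour is chosen.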
@@ -109,6 +113,18 @@ describe('normalizeOptions(options, defaultType)', () => { assert.strictEqual(result.shouldParse({ headers: { 'content-type': 'application/json' } }), true) }) }) + + describe('defaultCharset', () => { + it('should return "utf-8" if defaultCharset is not provided', () => { + const result = normalizeOptions({}, 'application/json') + assert.strictEqual(result.defaultCharset, 'utf-8') + }) + + it('should accept a defaultCharset', () => { + const result = normalizeOptions({ defaultCharset: 'iso-8859-1' }, 'application/json') + assert.strictEqual(result.defaultCharset, 'iso-8859-1') + }) + }) }) describe('defaultType', () => { From f1f47d9ea8c154f9230481f0f3d11607814be21b Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Mon, 8 Sep 2025 15:50:40 -0500 Subject: [PATCH 22/55] deps: bump iconv-lite (#631) * depb: bump iconv-lite * Update package.json * Update HISTORY.md --------- Co-authored-by: Phillip Barta --- HISTORY.md | 1 + package.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index b22f85ec..96f82ec4 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -4,6 +4,7 @@ unreleased * refactor: move common request validation to read function * deps: * type-is@^2.0.1 + * iconv-lite@^0.7.0 2.2.0 / 2025-03-27 ========================= diff --git a/package.json b/package.json index 435f938f..6a3c46e3 100644 --- a/package.json +++ b/package.json @@ -17,7 +17,7 @@ "content-type": "^1.0.5", "debug": "^4.4.0", "http-errors": "^2.0.0", - "iconv-lite": "^0.6.3", + "iconv-lite": "^0.7.0", "on-finished": "^2.4.1", "qs": "^6.14.0", "raw-body": "^3.0.0", From 5d691ff1ca02b3ec4ffd5dd4f77d43a6cdd4ee2c Mon Sep 17 00:00:00 2001 From: Jon Church Date: Mon, 14 Jul 2025 15:13:35 -0400 Subject: [PATCH 23/55] doc: pull beta changelog forward into 2.0.0 --- HISTORY.md | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index 96f82ec4..0e6fbd51 100644 --- a/HISTORY.md 
+++ b/HISTORY.md @@ -35,9 +35,26 @@ unreleased 2.0.0 / 2024-09-10 ========================= -* Propagate changes from 1.20.3 -* add brotli support #406 -* Breaking Change: Node.js 18 is the minimum supported version + +## Breaking Changes +* Node.js 18 is the minimum supported version +* `req.body` is no longer always initialized to `{}` + - it is left `undefined` unless a body is parsed +* Remove deprecated `bodyParser()` combination middleware +* ~`urlencoded` parser now defaults `extended` to `false`~ as released, this is not the case, fixed in 2.0.1 +* `urlencoded` simple parser now uses `qs` module instead of `querystring` module + +## Features +* Add brotli support #406 +* urlencoded: Add option to customize the depth with a default value of 32 +* urlencoded: Support iso-8859-1, utf8 sentinel, and numeric entities +* Use `on-finished` to determine when body read + +## Dependencies +* deps: raw-body@^3.0.0 +* deps: qs@6.12.3 +* deps: debug@3.1.0 +* deps: iconv-lite@0.5.2 2.0.0-beta.2 / 2023-02-23 ========================= From 1fd32225ef05bf6b435af23eb7353c7bd9db9908 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Tue, 9 Sep 2025 12:14:55 +0200 Subject: [PATCH 24/55] refactor: optimize raw and text parsers with shared passthrough function (#634) --- lib/types/raw.js | 8 ++------ lib/types/text.js | 8 ++------ lib/utils.js | 15 +++++++++++++-- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/lib/types/raw.js b/lib/types/raw.js index 95ba5817..f0d989b5 100644 --- a/lib/types/raw.js +++ b/lib/types/raw.js @@ -12,7 +12,7 @@ var debug = require('debug')('body-parser:raw') var read = require('../read') -var { normalizeOptions } = require('../utils') +var { normalizeOptions, passthrough } = require('../utils') /** * Module exports. 
@@ -31,12 +31,8 @@ module.exports = raw function raw (options) { var normalizedOptions = normalizeOptions(options, 'application/octet-stream') - function parse (buf) { - return buf - } - return function rawParser (req, res, next) { - read(req, res, next, parse, debug, { + read(req, res, next, passthrough, debug, { ...normalizedOptions, // Skip charset validation and parse the body as is diff --git a/lib/types/text.js b/lib/types/text.js index aa096a98..8b61a049 100644 --- a/lib/types/text.js +++ b/lib/types/text.js @@ -12,7 +12,7 @@ var debug = require('debug')('body-parser:text') var read = require('../read') -var { normalizeOptions } = require('../utils') +var { normalizeOptions, passthrough } = require('../utils') /** * Module exports. @@ -31,11 +31,7 @@ module.exports = text function text (options) { var normalizedOptions = normalizeOptions(options, 'text/plain') - function parse (buf) { - return buf - } - return function textParser (req, res, next) { - read(req, res, next, parse, debug, normalizedOptions) + read(req, res, next, passthrough, debug, normalizedOptions) } } diff --git a/lib/utils.js b/lib/utils.js index c457aa65..5634005f 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -11,10 +11,10 @@ var typeis = require('type-is') /** * Module exports. */ - module.exports = { getCharset, - normalizeOptions + normalizeOptions, + passthrough } /** @@ -83,3 +83,14 @@ function normalizeOptions (options, defaultType) { shouldParse } } + +/** + * Passthrough function that returns input unchanged. + * Used by parsers that don't need to transform the data. + * + * @param {*} value + * @return {*} + */ +function passthrough (value) { + return value +} From 00e795d9b0bc1e126fb21b79f1bcddbf8d36568a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Oct 2025 22:21:00 +0000 Subject: [PATCH 25/55] build(deps): bump actions/checkout from 4.2.2 to 5.0.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/11bd71901bbe5b1630ceea73d27597364c9af683...08c6903cd8c0fde910a37f88322edcfb5dd907a8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 6 +++--- .github/workflows/codeql.yml | 2 +- .github/workflows/scorecard.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 22c867ff..89161c49 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,7 +16,7 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 @@ -38,7 +38,7 @@ jobs: node-version: [18, 19, 20, 21, 22, 23, 24] steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: @@ -65,7 +65,7 @@ jobs: contents: read checks: write steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install lcov shell: bash 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index dd8c9fc4..234ec22f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 5d50766a..0279b1ef 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -29,7 +29,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false From 45cba390572262cf4e1a608e225a3134587792be Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Oct 2025 22:20:55 +0000 Subject: [PATCH 26/55] build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.2 to 2.4.3. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/05b42c624433fc40578a4040d5cf5e36ddca8cde...4eaacf0543bb3f2c246792bd56e8cdeffafb205a) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 0279b1ef..2fbdb8fe 100644 --- a/.github/workflows/scorecard.yml 
+++ b/.github/workflows/scorecard.yml @@ -34,7 +34,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif From f80b0e84d632b2174d324112b9b924c1eccc2ca1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 Oct 2025 07:43:14 +0000 Subject: [PATCH 27/55] build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 5.0.0. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/49933ea5288caeca8642d1e84afbd3f7d6820020...a0853c24544627f65ddf259abe73b1d18a591444) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 89161c49..e7d1ba14 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,7 +19,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Node.js - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: 'lts/*' @@ -40,7 +40,7 @@ jobs: steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ matrix.node-version }} check-latest: true 
From a2bfe0a455acc63d8a106c6164f37902325e22c5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Oct 2025 22:20:41 +0000 Subject: [PATCH 28/55] build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 5.0.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/d3f86a106a0bac45b974a628896c90dbdf5c8093...634f93cb2916e3fdff6788551b99b062d0335ce0) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e7d1ba14..3094a6ec 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -72,7 +72,7 @@ jobs: run: sudo apt-get -y install lcov - name: Collect coverage reports - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: path: ./coverage pattern: coverage-node-* From 0cca46ad0d9a47ed396cbbbd3443a9270190da71 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Oct 2025 22:20:52 +0000 Subject: [PATCH 29/55] build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.7 to 3.30.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/51f77329afa6477de8c49fc9c7046c15b9a4e79d...3599b3baa15b485a2e49ef411a7a4bb2452e7f93) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 234ec22f..b5b6e435 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 + uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5 with: languages: ${{ matrix.language }} config: | @@ -68,4 +68,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 \ No newline at end of file + uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5 \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 2fbdb8fe..8009befb 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -64,6 +64,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 + uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5 with: sarif_file: results.sarif From bbf22e5f5b8b44de494a2c88c84960e8a2cd33ba Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Thu, 2 Oct 2025 09:49:01 +0200 Subject: [PATCH 30/55] Update .github/workflows/codeql.yml --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b5b6e435..13e6b932 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5 + uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 with: languages: ${{ matrix.language }} config: | From c2da29ee55009b2eccc7fbbc1caa2d5816a56982 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Thu, 2 Oct 2025 09:49:08 +0200 Subject: [PATCH 31/55] Update .github/workflows/codeql.yml --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 13e6b932..dd750b29 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -68,4 +68,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5 \ No newline at end of file + uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 \ No newline at end of file From 987c6f7eb36545904ae481cb278ee02a47962624 Mon Sep 17 00:00:00 2001 
From: Phillip Barta Date: Thu, 2 Oct 2025 09:49:13 +0200 Subject: [PATCH 32/55] Update .github/workflows/scorecard.yml --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 8009befb..f9cf990e 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -64,6 +64,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5 + uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 with: sarif_file: results.sarif From 4528a874eb074175e39043e7e33563305403c970 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Thu, 2 Oct 2025 21:15:18 +0200 Subject: [PATCH 33/55] deps: raw-body@^3.0.1 (#641) --- HISTORY.md | 1 + package.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index 0e6fbd51..59e7eebe 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -5,6 +5,7 @@ unreleased * deps: * type-is@^2.0.1 * iconv-lite@^0.7.0 + * raw-body@^3.0.1 2.2.0 / 2025-03-27 ========================= diff --git a/package.json b/package.json index 6a3c46e3..460511f6 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "iconv-lite": "^0.7.0", "on-finished": "^2.4.1", "qs": "^6.14.0", - "raw-body": "^3.0.0", + "raw-body": "^3.0.1", "type-is": "^2.0.1" }, "devDependencies": { From 49a83b9d55cbe8027b6fb0b6e2bd624947fd4014 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Fri, 3 Oct 2025 13:29:03 +0200 Subject: [PATCH 34/55] deps: debug@^4.4.3 (#642) --- HISTORY.md | 1 + package.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index 59e7eebe..1cb39441 100644 --- a/HISTORY.md +++ b/HISTORY.md 
@@ -6,6 +6,7 @@ unreleased * type-is@^2.0.1 * iconv-lite@^0.7.0 * raw-body@^3.0.1 + * debug@^4.4.3 2.2.0 / 2025-03-27 ========================= diff --git a/package.json b/package.json index 460511f6..74b1ae71 100644 --- a/package.json +++ b/package.json @@ -15,7 +15,7 @@ "dependencies": { "bytes": "^3.1.2", "content-type": "^1.0.5", - "debug": "^4.4.0", + "debug": "^4.4.3", "http-errors": "^2.0.0", "iconv-lite": "^0.7.0", "on-finished": "^2.4.1", From 721c76da456d3e01b69b97e3801bf04f732e09bc Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Wed, 8 Oct 2025 13:09:06 +0200 Subject: [PATCH 35/55] docs: add iconv-lite 0.7.0 changes to history entry (#645) --- HISTORY.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/HISTORY.md b/HISTORY.md index 1cb39441..bda40a40 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -5,6 +5,8 @@ unreleased * deps: * type-is@^2.0.1 * iconv-lite@^0.7.0 + * Handle split surrogate pairs when encoding UTF-8 + * Avoid false positives in `encodingExists` by using prototype-less objects * raw-body@^3.0.1 * debug@^4.4.3 From b85fe580d3c924d042e73ab5ba416374c2a55f6b Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Thu, 16 Oct 2025 13:51:54 +0200 Subject: [PATCH 36/55] ci: add node.js 25 to test matrix (#650) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3094a6ec..0d8d4974 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,7 +35,7 @@ jobs: strategy: fail-fast: false matrix: - node-version: [18, 19, 20, 21, 22, 23, 24] + node-version: [18, 19, 20, 21, 22, 23, 24, 25] steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 From 2f272579adda9be50ee19743bc478dc246f54a94 Mon Sep 17 00:00:00 2001 
From: Phillip Barta Date: Tue, 28 Oct 2025 10:25:39 +0100 Subject: [PATCH 37/55] perf: move read options outside parser middlewares (#648) Move options object creation outside the returned parser middlewares to avoid recreating objects on every request. --- lib/types/json.js | 15 ++++++++------- lib/types/raw.js | 15 ++++++++------- lib/types/text.js | 2 +- lib/types/urlencoded.js | 15 ++++++++------- 4 files changed, 25 insertions(+), 22 deletions(-) diff --git a/lib/types/json.js b/lib/types/json.js index 2d136e50..15c54bb4 100644 --- a/lib/types/json.js +++ b/lib/types/json.js @@ -48,7 +48,7 @@ var JSON_SYNTAX_REGEXP = /#+/g */ function json (options) { - var normalizedOptions = normalizeOptions(options, 'application/json') + const normalizedOptions = normalizeOptions(options, 'application/json') var reviver = options?.reviver var strict = options?.strict !== false @@ -80,13 +80,14 @@ function json (options) { } } - return function jsonParser (req, res, next) { - read(req, res, next, parse, debug, { - ...normalizedOptions, + const readOptions = { + ...normalizedOptions, + // assert charset per RFC 7159 sec 8.1 + isValidCharset: (charset) => charset.slice(0, 4) === 'utf-' + } - // assert charset per RFC 7159 sec 8.1 - isValidCharset: (charset) => charset.slice(0, 4) === 'utf-' - }) + return function jsonParser (req, res, next) { + read(req, res, next, parse, debug, readOptions) } } diff --git a/lib/types/raw.js b/lib/types/raw.js index f0d989b5..04b1b88f 100644 --- a/lib/types/raw.js +++ b/lib/types/raw.js 
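Review bot: `readOptions` (and in text.js `normalizedOptions`) is now one object shared by every request the middleware handles, so any write to its options argument inside read() would leak from one request into the next; the part of read() visible earlier in this series only reads from it, but `Object.freeze(readOptions)` at construction would turn an accidental future mutation into a visible failure (a throw if the file runs in strict mode, which I assume but cannot see) at no per-request cost. The same applies to the raw.js and urlencoded.js hunks that follow. As a style point, `const normalizedOptions` and `const readOptions` now sit beside `var reviver` and `var strict` in the same function body; one declaration style per function would read more consistently.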
@@ -29,14 +29,15 @@ module.exports = raw */ function raw (options) { - var normalizedOptions = normalizeOptions(options, 'application/octet-stream') + const normalizedOptions = normalizeOptions(options, 'application/octet-stream') - return function rawParser (req, res, next) { - read(req, res, next, passthrough, debug, { - ...normalizedOptions, + const readOptions = { + ...normalizedOptions, + // Skip charset validation and parse the body as is + skipCharset: true + } - // Skip charset validation and parse the body as is - skipCharset: true - }) + return function rawParser (req, res, next) { + read(req, res, next, passthrough, debug, readOptions) } } diff --git a/lib/types/text.js b/lib/types/text.js index 8b61a049..d4c7e3b6 100644 --- a/lib/types/text.js +++ b/lib/types/text.js @@ -29,7 +29,7 @@ module.exports = text */ function text (options) { - var normalizedOptions = normalizeOptions(options, 'text/plain') + const normalizedOptions = normalizeOptions(options, 'text/plain') return function textParser (req, res, next) { read(req, res, next, passthrough, debug, normalizedOptions) diff --git a/lib/types/urlencoded.js b/lib/types/urlencoded.js index 4d8750aa..ae6b2478 100644 --- a/lib/types/urlencoded.js +++ b/lib/types/urlencoded.js @@ -33,7 +33,7 @@ module.exports = urlencoded */ function urlencoded (options) { - var normalizedOptions = normalizeOptions(options, 'application/x-www-form-urlencoded') + const normalizedOptions = normalizeOptions(options, 'application/x-www-form-urlencoded') if (normalizedOptions.defaultCharset !== 'utf-8' && normalizedOptions.defaultCharset !== 'iso-8859-1') { throw new TypeError('option defaultCharset must be either utf-8 or iso-8859-1') 
@@ -48,13 +48,14 @@ function urlencoded (options) { : {} } - return function urlencodedParser (req, res, next) { - read(req, res, next, parse, debug, { - ...normalizedOptions, + const readOptions = { + ...normalizedOptions, + // assert charset + isValidCharset: (charset) => charset === 'utf-8' || charset === 'iso-8859-1' + } - // assert charset - isValidCharset: (charset) => charset === 'utf-8' || charset === 'iso-8859-1' - }) + return function urlencodedParser (req, res, next) { + read(req, res, next, parse, debug, readOptions) } } From 05afd0f8aa44fa63b81a03c9d2b67e5ca7ea462d Mon Sep 17 00:00:00 2001 From: Ayoub Mabrouk <77799760+Ayoub-Mabrouk@users.noreply.github.com> Date: Thu, 30 Oct 2025 14:55:04 +0100 Subject: [PATCH 38/55] test(json): add RFC 7159 whitespace edge cases (#653) - Test all RFC 7159 whitespace characters before valid JSON - Test body with only whitespace characters - Improves coverage of firstchar function edge cases --- test/json.js | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/test/json.js b/test/json.js index e679ac57..9582e7d9 100644 --- a/test/json.js +++ b/test/json.js @@ -288,6 +288,22 @@ describe('bodyParser.json()', function () { .expect(200, '{"user":"tobi"}', done) }) + it('should handle all RFC 7159 whitespace characters before JSON', function (done) { + request(this.server) + .post('/') + .set('Content-Type', 'application/json') + .send('\x20\x09\x0a\x0d{ "user": "tobi" }') + .expect(200, '{"user":"tobi"}', done) + }) + + it('should error on body with only RFC 7159 whitespace characters', function (done) { + request(this.server) + .post('/') + .set('Content-Type', 'application/json') + .send('\x20\x09\x0a\x0d') + .expect(400, '[entity.parse.failed] ' + parseError('\x20\x09\x0a\x0d'), done) + }) + it('should include correct message in stack trace', function (done) { request(this.server) .post('/') From 10a114d55d5d9be979eaa06a37e65c0df713ae33 Mon Sep 17 00:00:00 2001 
From: Phillip Barta Date: Thu, 30 Oct 2025 15:17:31 +0100 Subject: [PATCH 39/55] test: add test for urlencoded invalid defaultCharset (#643) --- test/urlencoded.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/urlencoded.js b/test/urlencoded.js index d9e1c5bd..49730659 100644 --- a/test/urlencoded.js +++ b/test/urlencoded.js @@ -43,6 +43,10 @@ describe('bodyParser.urlencoded()', function () { .expect(200, '{}', done) }) + it('should throw on invalid defaultCharset', function () { + assert.throws(createServer.bind(null, { defaultCharset: 'utf-16' }), /TypeError: option defaultCharset must be either utf-8 or iso-8859-1/) + }) + var extendedValues = [true, false] extendedValues.forEach(function (extended) { describe('in ' + (extended ? 'extended' : 'simple') + ' mode', function () { From a6a088e088dfe226b4a4f8e1290352db5e26aab4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Nov 2025 09:23:09 +0100 Subject: [PATCH 40/55] build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (#657) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0d8d4974..02f7b2a9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -72,7 +72,7 @@ jobs: run: sudo apt-get -y install lcov - name: Collect coverage reports - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: path: ./coverage pattern: coverage-node-* From 57baafb3bb04c115967a5f8ce9b8be2f96ea0b03 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Nov 2025 09:23:44 +0100 Subject: [PATCH 41/55] build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 (#656) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index dd750b29..02eb542c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 + uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 with: languages: ${{ matrix.language }} config: | @@ -68,4 +68,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 \ No newline at end of file + uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f9cf990e..d4a44516 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -64,6 +64,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 + uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 with: sarif_file: results.sarif From 939161277a70c1b082f7169f7dc64abf35ff5ce9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Nov 2025 09:24:16 +0100 Subject: [PATCH 42/55] build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#655) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/scorecard.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 02f7b2a9..8969cccc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -52,7 +52,7 @@ jobs: run: npm run test-ci - name: Upload code coverage - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: coverage-node-${{ matrix.node-version }} path: ./coverage/lcov.info diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index d4a44516..b6dc0e29 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -56,7 +56,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: SARIF file path: results.sarif From e539a7121d106539379b3192705a06bac48c6d1c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Nov 2025 09:24:46 +0100 Subject: [PATCH 43/55] build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (#654) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8969cccc..9eb310f7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,7 +19,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Node.js - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 'lts/*' @@ -40,7 +40,7 @@ jobs: steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: ${{ matrix.node-version }} check-latest: true From 168afff3470302aa28050a8ae6681fa1fdaf71a2 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Sun, 2 Nov 2025 12:55:01 +0100 Subject: [PATCH 44/55] ci: also test on first supported node.js version (#646) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9eb310f7..06c9a41a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,7 +35,7 @@ jobs: strategy: fail-fast: false matrix: - node-version: [18, 19, 20, 21, 22, 23, 24, 25] + node-version: [18.0.0, 18, 19, 20, 21, 22, 23, 24, 25] steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 From 0d7ce71c84fa3dd80930188c85f8b2862c1f32a5 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Tue, 18 Nov 2025 10:43:26 +0100 Subject: [PATCH 45/55] docs: switch badges from badgen.net to shields.io (#661) --- README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 7fe2e569..31b66ce0 100644 --- a/README.md +++ b/README.md 
@@ -483,14 +483,12 @@ app.use(bodyParser.text({ type: 'text/html' })) [MIT](LICENSE) -[ci-image]: https://badgen.net/github/checks/expressjs/body-parser/master?label=ci +[ci-image]: https://img.shields.io/github/actions/workflow/status/expressjs/body-parser/ci.yml?branch=master&label=ci [ci-url]: https://github.com/expressjs/body-parser/actions/workflows/ci.yml -[coveralls-image]: https://badgen.net/coveralls/c/github/expressjs/body-parser/master +[coveralls-image]: https://img.shields.io/coverallsCoverage/github/expressjs/body-parser?branch=master [coveralls-url]: https://coveralls.io/r/expressjs/body-parser?branch=master -[node-version-image]: https://badgen.net/npm/node/body-parser -[node-version-url]: https://nodejs.org/en/download -[npm-downloads-image]: https://badgen.net/npm/dm/body-parser +[npm-downloads-image]: https://img.shields.io/npm/dm/body-parser [npm-url]: https://npmjs.org/package/body-parser -[npm-version-image]: https://badgen.net/npm/v/body-parser +[npm-version-image]: https://img.shields.io/npm/v/body-parser [ossf-scorecard-badge]: https://api.scorecard.dev/projects/github.com/expressjs/body-parser/badge [ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/expressjs/body-parser \ No newline at end of file From e20e3512e085c1162e8ffe36ac65c705a8017251 Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Tue, 18 Nov 2025 04:55:11 -0500 Subject: [PATCH 46/55] feat: remove `history.md` from being packaged on publish (#660) --- package.json | 1 - 1 file changed, 1 deletion(-) diff --git a/package.json b/package.json index 74b1ae71..3998f795 100644 --- a/package.json +++ b/package.json @@ -38,7 +38,6 @@ "files": [ "lib/", "LICENSE", - "HISTORY.md", "index.js" ], "engines": { From b204886a6744b0b6d297cd0e849d75de836f3b63 Mon Sep 17 00:00:00 2001 
From: Phillip Barta Date: Mon, 24 Nov 2025 19:15:15 +0100 Subject: [PATCH 47/55] sec: security patch for CVE-2025-13466 See: https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4 --- lib/types/urlencoded.js | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/lib/types/urlencoded.js b/lib/types/urlencoded.js index ae6b2478..92409373 100644 --- a/lib/types/urlencoded.js +++ b/lib/types/urlencoded.js @@ -127,11 +127,16 @@ function createQueryParser (options) { * * @param {string} body * @param {number} limit + * @return {number|undefined} Returns undefined if limit exceeded * @api private */ - function parameterCount (body, limit) { - var len = body.split('&').length - - return len > limit ? undefined : len - 1 + let count = 0 + let index = -1 + do { + count++ + if (count > limit) return undefined // Early exit if limit exceeded + index = body.indexOf('&', index + 1) + } while (index !== -1) + return count } From d96b63da8d7445de317736471633bac83ec76cbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 24 Nov 2025 19:17:59 +0100 Subject: [PATCH 48/55] 2.2.1 (#659) --- HISTORY.md | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index bda40a40..0d675b17 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,7 +1,7 @@ -unreleased +2.2.1 / 2025-11-24 ========================= -* refactor: move common request validation to read function +* Security fix for [GHSA-wqch-xfxh-vrr4](https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4) * deps: * type-is@^2.0.1 * iconv-lite@^0.7.0 diff --git a/package.json b/package.json index 3998f795..596133cd 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "body-parser", "description": "Node.js body parsing middleware", - "version": "2.2.0", + "version": "2.2.1", "contributors": [ "Douglas Christopher Wilson ", "Jonathan Ong (http://jongleberry.com)" 
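Review bot: The returned count changes meaning in this hunk without the caller being touched: the old code returned `len - 1`, the number of `&` separators, while the new loop returns `count`, the number of `&`-separated segments, which is one higher for every body (an empty body now yields 1 instead of 0), and the diffstat lists no other file in this commit, so whatever consumes the value inside `createQueryParser` (which begins above the hunk) now sees it shifted by one. The rejection threshold itself is unchanged, since `len > limit` and `count > limit` test the same quantity, and replacing `split('&')` with an early-exit `indexOf` scan is what stops a request with many separators from allocating an array proportional to its size before the limit is checked. Either adjust the caller or make the contract explicit in the doc, e.g. ` * @return {number|undefined} Number of '&'-separated segments (one more than the separator count the previous implementation returned), or undefined as soon as that exceeds limit`. Also, `let` is introduced in a file that otherwise uses `var` (see the `var extended` context elsewhere in this series); harmless, but worth keeping consistent.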
From 2965ca4af4883109cb2f651f4ce12da310902a0c Mon Sep 17 00:00:00 2001 From: Efe Date: Sun, 30 Nov 2025 17:05:05 +0100 Subject: [PATCH 49/55] docs: update links (#673) --- README.md | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 31b66ce0..696c19ef 100644 --- a/README.md +++ b/README.md @@ -17,18 +17,18 @@ before trusting. For example, `req.body.foo.toString()` may fail in multiple ways, for example the `foo` property may not be there or may not be a string, and `toString` may not be a function and instead a string or other user input. -[Learn about the anatomy of an HTTP transaction in Node.js](https://nodejs.org/en/docs/guides/anatomy-of-an-http-transaction/). +[Learn about the anatomy of an HTTP transaction in Node.js](https://nodejs.org/en/learn/http/anatomy-of-an-http-transaction). _This does not handle multipart bodies_, due to their complex and typically large nature. For multipart bodies, you may be interested in the following modules: - * [busboy](https://www.npmjs.org/package/busboy#readme) and - [connect-busboy](https://www.npmjs.org/package/connect-busboy#readme) - * [multiparty](https://www.npmjs.org/package/multiparty#readme) and - [connect-multiparty](https://www.npmjs.org/package/connect-multiparty#readme) - * [formidable](https://www.npmjs.org/package/formidable#readme) - * [multer](https://www.npmjs.org/package/multer#readme) + * [busboy](https://www.npmjs.com/package/busboy#readme) and + [connect-busboy](https://www.npmjs.com/package/connect-busboy#readme) + * [multiparty](https://www.npmjs.com/package/multiparty#readme) and + [connect-multiparty](https://www.npmjs.com/package/connect-multiparty#readme) + * [formidable](https://www.npmjs.com/package/formidable#readme) + * [multer](https://www.npmjs.com/package/multer#readme) This module provides the following parsers: 
@@ -39,8 +39,8 @@ This module provides the following parsers: Other body parsers you might be interested in: -- [body](https://www.npmjs.org/package/body#readme) -- [co-body](https://www.npmjs.org/package/co-body#readme) +- [body](https://www.npmjs.com/package/body#readme) +- [co-body](https://www.npmjs.com/package/co-body#readme) ## Installation @@ -109,7 +109,7 @@ accept anything `JSON.parse` accepts. Defaults to `true`. The `type` option is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function, `type` option is passed directly to the -[type-is](https://www.npmjs.org/package/type-is#readme) library and this can +[type-is](https://www.npmjs.com/package/type-is#readme) library and this can be an extension name (like `json`), a mime type (like `application/json`), or a mime type with a wildcard (like `*/*` or `*/json`). If a function, the `type` option is called as `fn(req)` and the request is parsed if it returns a truthy @@ -154,7 +154,7 @@ to `'100kb'`. The `type` option is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function, `type` option is passed directly to the -[type-is](https://www.npmjs.org/package/type-is#readme) library and this +[type-is](https://www.npmjs.com/package/type-is#readme) library and this can be an extension name (like `bin`), a mime type (like `application/octet-stream`), or a mime type with a wildcard (like `*/*` or `application/*`). If a function, the `type` option is called as `fn(req)` 
@@ -205,7 +205,7 @@ to `'100kb'`. The `type` option is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function, `type` option is passed directly to the -[type-is](https://www.npmjs.org/package/type-is#readme) library and this can +[type-is](https://www.npmjs.com/package/type-is#readme) library and this can be an extension name (like `txt`), a mime type (like `text/plain`), or a mime type with a wildcard (like `*/*` or `text/*`). If a function, the `type` option is called as `fn(req)` and the request is parsed if it returns a @@ -239,7 +239,7 @@ any of the following keys: The "extended" syntax allows for rich objects and arrays to be encoded into the URL-encoded format, allowing for a JSON-like experience with URL-encoded. For more information, please [see the qs -library](https://www.npmjs.org/package/qs#readme). +library](https://www.npmjs.com/package/qs#readme). Defaults to `false`. @@ -266,7 +266,7 @@ than this value, a 413 will be returned to the client. Defaults to `1000`. The `type` option is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function, `type` option is passed directly to the -[type-is](https://www.npmjs.org/package/type-is#readme) library and this can +[type-is](https://www.npmjs.com/package/type-is#readme) library and this can be an extension name (like `urlencoded`), a mime type (like `application/x-www-form-urlencoded`), or a mime type with a wildcard (like `*/x-www-form-urlencoded`). If a function, the `type` option is called as 
@@ -488,7 +488,7 @@ app.use(bodyParser.text({ type: 'text/html' })) [coveralls-image]: https://img.shields.io/coverallsCoverage/github/expressjs/body-parser?branch=master [coveralls-url]: https://coveralls.io/r/expressjs/body-parser?branch=master [npm-downloads-image]: https://img.shields.io/npm/dm/body-parser -[npm-url]: https://npmjs.org/package/body-parser +[npm-url]: https://npmjs.com/package/body-parser [npm-version-image]: https://img.shields.io/npm/v/body-parser [ossf-scorecard-badge]: https://api.scorecard.dev/projects/github.com/expressjs/body-parser/badge -[ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/expressjs/body-parser \ No newline at end of file +[ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/expressjs/body-parser From b6f52aabc65137c5227c8a462bddb761daeb96e7 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Thu, 4 Dec 2025 00:18:14 +0100 Subject: [PATCH 50/55] docs: release notes for the v1.20.4 release (#674) --- HISTORY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/HISTORY.md b/HISTORY.md index 0d675b17..716afc6d 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -86,6 +86,14 @@ This incorporates all changes after 1.19.1 up to 1.20.2. * `urlencoded` parser now defaults `extended` to `false` * Use `on-finished` to determine when body read +1.20.4 / 2025-12-01 +=================== + + * deps: qs@~6.14.0 + * deps: use tilde notation for dependencies + * deps: http-errors@~2.0.1 + * deps: raw-body@~2.5.3 + 1.20.3 / 2024-09-10 =================== From d7deef8ec61307fa28c22bc443cf8ed2f267945a Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Mon, 5 Jan 2026 10:24:18 +0100 Subject: [PATCH 51/55] docs: update URL-encoded parser description to include ISO-8859-1 encoding support (#679) --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 696c19ef..39d320f5 100644 --- a/README.md 
+++ b/README.md @@ -221,8 +221,8 @@ encoding of the request. The parsing can be aborted by throwing an error. Returns middleware that only parses `urlencoded` bodies and only looks at requests where the `Content-Type` header matches the `type` option. This -parser accepts only UTF-8 encoding of the body and supports automatic -inflation of `gzip`, `br` (brotli) and `deflate` encodings. +parser accepts only UTF-8 and ISO-8859-1 encodings of the body and supports +automatic inflation of `gzip`, `br` (brotli) and `deflate` encodings. A new `body` object containing the parsed data is populated on the `request` object after the middleware (i.e. `req.body`). This object will contain From ea1f25e503c1b2f7ba6f8562724ae0fcd247fb75 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Mon, 5 Jan 2026 10:30:23 +0100 Subject: [PATCH 52/55] docs: use standard jsdoc tags everywhere (#677) * docs: use standard jsdoc tags everywhere * docs: fix jsdoc function return type annotation Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- index.js | 21 ++++++--------------- lib/read.js | 37 +++++++++++++++++-------------------- lib/types/json.js | 18 +++++++----------- lib/types/raw.js | 7 +++---- lib/types/text.js | 7 +++---- lib/types/urlencoded.js | 14 +++++++------- lib/utils.js | 20 +++++++++++--------- 7 files changed, 54 insertions(+), 70 deletions(-) diff --git a/index.js b/index.js index d722d0b2..013ce5c4 100644 --- a/index.js +++ b/index.js 
@@ -7,26 +7,23 @@ 'use strict' /** - * @typedef Parsers - * @type {function} - * @property {function} json - * @property {function} raw - * @property {function} text - * @property {function} urlencoded + * @typedef {Object} Parsers + * @property {Function} json JSON parser + * @property {Function} raw Raw parser + * @property {Function} text Text parser + * @property {Function} urlencoded URL-encoded parser */ /** * Module exports. - * @type {Parsers} + * @type {Function & Parsers} */ - exports = module.exports = bodyParser /** * JSON parser. * @public */ - Object.defineProperty(exports, 'json', { configurable: true, enumerable: true, @@ -37,7 +34,6 @@ Object.defineProperty(exports, 'json', { * Raw parser. * @public */ - Object.defineProperty(exports, 'raw', { configurable: true, enumerable: true, @@ -48,7 +44,6 @@ Object.defineProperty(exports, 'raw', { * Text parser. * @public */ - Object.defineProperty(exports, 'text', { configurable: true, enumerable: true, @@ -59,7 +54,6 @@ Object.defineProperty(exports, 'text', { * URL-encoded parser. * @public */ - Object.defineProperty(exports, 'urlencoded', { configurable: true, enumerable: true, @@ -69,12 +63,9 @@ Object.defineProperty(exports, 'urlencoded', { /** * Create a middleware to parse json and urlencoded bodies. * - * @param {object} [options] - * @return {function} * @deprecated * @public */ - function bodyParser () { throw new Error('The bodyParser() generic has been split into individual middleware to use instead.') } diff --git a/lib/read.js b/lib/read.js index b3f2345f..d1f3f480 100644 --- a/lib/read.js +++ b/lib/read.js 
@@ -28,15 +28,14 @@ module.exports = read /** * Read a request into a buffer and parse. * - * @param {object} req - * @param {object} res - * @param {function} next - * @param {function} parse - * @param {function} debug - * @param {object} options + * @param {Object} req + * @param {Object} res + * @param {Function} next + * @param {Function} parse + * @param {Function} debug + * @param {Object} options * @private */ - function read (req, res, next, parse, debug, options) { if (onFinished.isFinished(req)) { debug('body already parsed') @@ -176,13 +175,12 @@ function read (req, res, next, parse, debug, options) { /** * Get the content stream of the request. * - * @param {object} req - * @param {function} debug - * @param {boolean} [inflate=true] - * @return {object} - * @api private + * @param {Object} req + * @param {Function} debug + * @param {boolean} inflate + * @returns {Object} + * @private */ - function contentstream (req, debug, inflate) { var encoding = (req.headers['content-encoding'] || 'identity').toLowerCase() var length = req.headers['content-length'] @@ -209,9 +207,9 @@ function contentstream (req, debug, inflate) { /** * Create a decompression stream for the given encoding. * @param {string} encoding - * @param {function} debug - * @return {object} - * @api private + * @param {Function} debug + * @returns {Object} + * @private */ function createDecompressionStream (encoding, debug) { switch (encoding) { @@ -235,11 +233,10 @@ function createDecompressionStream (encoding, debug) { /** * Dump the contents of a request. * - * @param {object} req - * @param {function} callback - * @api private + * @param {Object} req + * @param {Function} callback + * @private */ - function dump (req, callback) { if (onFinished.isFinished(req)) { callback(null) diff --git a/lib/types/json.js b/lib/types/json.js index 15c54bb4..058fcc62 100644 --- a/lib/types/json.js +++ b/lib/types/json.js 
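Review bot: In the `contentstream` hunk the parameter doc goes from `@param {boolean} [inflate=true]` to `@param {boolean} inflate`, which drops the only statement of the default; the visible body reads `inflate` directly, so the doc now implies callers always pass a boolean. If that is guaranteed upstream (presumably by `normalizeOptions`, not visible here), say so, e.g. ` * @param {boolean} inflate whether to decompress the body; defaulted by the caller, not here`; if it is not guaranteed, the old `[inflate=true]` was the more accurate doc and should stay. `contentstream` and `read` both continue outside their hunks.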
@@ -33,7 +33,6 @@ module.exports = json * %x0A / ; Line feed or New line * %x0D ) ; Carriage return */ - var FIRST_CHAR_REGEXP = /^[\x20\x09\x0a\x0d]*([^\x20\x09\x0a\x0d])/ // eslint-disable-line no-control-regex var JSON_SYNTAX_CHAR = '#' @@ -42,11 +41,10 @@ var JSON_SYNTAX_REGEXP = /#+/g /** * Create a middleware to parse JSON bodies. * - * @param {object} [options] - * @return {function} + * @param {Object} [options] + * @returns {Function} * @public */ - function json (options) { const normalizedOptions = normalizeOptions(options, 'application/json') @@ -96,10 +94,9 @@ function json (options) { * * @param {string} str * @param {string} char - * @return {Error} + * @returns {Error} * @private */ - function createStrictSyntaxError (str, char) { var index = str.indexOf(char) var partial = '' @@ -128,10 +125,9 @@ function createStrictSyntaxError (str, char) { * Get the first non-whitespace character in a string. * * @param {string} str - * @return {function} + * @returns {string|undefined} * @private */ - function firstchar (str) { var match = FIRST_CHAR_REGEXP.exec(str) @@ -144,10 +140,10 @@ function firstchar (str) { * Normalize a SyntaxError for JSON.parse. * * @param {SyntaxError} error - * @param {object} obj - * @return {SyntaxError} + * @param {Object} obj + * @returns {SyntaxError} + * @private */ - function normalizeJsonSyntaxError (error, obj) { var keys = Object.getOwnPropertyNames(error) diff --git a/lib/types/raw.js b/lib/types/raw.js index 04b1b88f..ad4854dd 100644 --- a/lib/types/raw.js +++ b/lib/types/raw.js @@ -23,11 +23,10 @@ module.exports = raw /** * Create a middleware to parse raw bodies. * - * @param {object} [options] - * @return {function} - * @api public + * @param {Object} [options] + * @returns {Function} + * @public */ - function raw (options) { const normalizedOptions = normalizeOptions(options, 'application/octet-stream') diff --git a/lib/types/text.js b/lib/types/text.js index d4c7e3b6..9df73be9 100644 --- a/lib/types/text.js 
+++ b/lib/types/text.js @@ -23,11 +23,10 @@ module.exports = text /** * Create a middleware to parse text bodies. * - * @param {object} [options] - * @return {function} - * @api public + * @param {Object} [options] + * @returns {Function} + * @public */ - function text (options) { const normalizedOptions = normalizeOptions(options, 'text/plain') diff --git a/lib/types/urlencoded.js b/lib/types/urlencoded.js index 92409373..cdc51f5d 100644 --- a/lib/types/urlencoded.js +++ b/lib/types/urlencoded.js @@ -27,11 +27,10 @@ module.exports = urlencoded /** * Create a middleware to parse urlencoded bodies. * - * @param {object} [options] - * @return {function} + * @param {Object} [options] + * @returns {Function} * @public */ - function urlencoded (options) { const normalizedOptions = normalizeOptions(options, 'application/x-www-form-urlencoded') @@ -62,9 +61,10 @@ function urlencoded (options) { /** * Get the extended query parser. * - * @param {object} options + * @param {Object} options + * @returns {Function} + * @private */ - function createQueryParser (options) { var extended = Boolean(options?.extended) var parameterLimit = options?.parameterLimit !== undefined @@ -127,8 +127,8 @@ function createQueryParser (options) { * * @param {string} body * @param {number} limit - * @return {number|undefined} Returns undefined if limit exceeded - * @api private + * @returns {number|undefined} Returns undefined if limit exceeded + * @private */ function parameterCount (body, limit) { let count = 0 diff --git a/lib/utils.js b/lib/utils.js index 5634005f..e0bf9741 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -20,10 +20,10 @@ module.exports = { /** * Get the charset of a request. * - * @param {object} req - * @api private + * @param {Object} req + * @returns {string | undefined} + * @private */ - function getCharset (req) { try { return (contentType.parse(req).parameters.charset || '').toLowerCase() 
@@ -36,9 +36,9 @@ function getCharset (req) {
  * Get the simple type checker.
  *
  * @param {string | string[]} type
- * @return {function}
+ * @returns {Function}
+ * @private
  */
-
 function typeChecker (type) {
   return function checkType (req) {
     return Boolean(typeis(req, type))
@@ -48,9 +48,10 @@ function typeChecker (type) {
 /**
  * Normalizes the common options for all parsers.
  *
- * @param {object} options options to normalize
- * @param {string | string[] | function} defaultType default content type(s) or a function to determine it
- * @returns {object}
+ * @param {Object} options options to normalize
+ * @param {string | string[] | Function} defaultType default content type(s) or a function to determine it
+ * @returns {Object}
+ * @private
  */
 function normalizeOptions (options, defaultType) {
   if (!defaultType) {
@@ -89,7 +90,8 @@ function normalizeOptions (options, defaultType) {
  * Used by parsers that don't need to transform the data.
  *
  * @param {*} value
- * @return {*}
+ * @returns {*}
+ * @private
  */
 function passthrough (value) {
   return value
From 03f17c2538552a57e6be537afca8c7587bd40aaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?=
Date: Mon, 5 Jan 2026 19:27:10 +0100
Subject: [PATCH 53/55] deps: qs@^6.14.1 (#689)
* deps: qs@^6.14.1
* fix(urlencoded): simple mode, set arrayLimit to paramCount (see: https://github.com/expressjs/body-parser/pull/689#issuecomment-3709398249)
---------
Co-authored-by: Jon Church
---
 lib/types/urlencoded.js | 2 +-
 package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/types/urlencoded.js b/lib/types/urlencoded.js
index cdc51f5d..4a3227c1 100644
--- a/lib/types/urlencoded.js
+++ b/lib/types/urlencoded.js
@@ -96,7 +96,7 @@ function createQueryParser (options) {
     })
   }
 
-  var arrayLimit = extended ? Math.max(100, paramCount) : 0
+  var arrayLimit = extended ? Math.max(100, paramCount) : paramCount
 
   debug('parse ' + (extended ? 'extended ' : '') + 'urlencoding')
   try {
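Review bot: The simple-mode branch of `var arrayLimit = extended ? Math.max(100, paramCount) : paramCount` now carries a non-obvious choice whose rationale lives only in a linked PR comment; it belongs in the file, e.g. `// simple mode: cap qs's array index limit at the parsed parameter count instead of 0 (see #689)`. If I read qs's arrayLimit option correctly it bounds the highest bracketed index that is materialized as an array slot, and because paramCount comes from parameterCount(), which returns undefined once parameterLimit is exceeded (the `})`/`}` just above appear to close that rejection path), the new cap stays bounded by parameterLimit — worth stating in the comment, and worth a regression test asserting that simple mode still turns an out-of-range index into an object key rather than a long sparse array. createQueryParser starts and ends outside the hunk.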
diff --git a/package.json b/package.json
index 596133cd..b5a50168 100644
--- a/package.json
+++ b/package.json
@@ -19,7 +19,7 @@
     "http-errors": "^2.0.0",
     "iconv-lite": "^0.7.0",
     "on-finished": "^2.4.1",
-    "qs": "^6.14.0",
+    "qs": "^6.14.1",
     "raw-body": "^3.0.1",
     "type-is": "^2.0.1"
   },
From 8474a984c3ba36a1b4328ce019833b99caa0f08f Mon Sep 17 00:00:00 2001
From: Jon Church
Date: Tue, 6 Jan 2026 01:06:49 -0500
Subject: [PATCH 54/55] refactor(json): simplify strict mode error string construction (#693)
---
 HISTORY.md | 4 ++++
 lib/types/json.js | 6 +-----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/HISTORY.md b/HISTORY.md
index 716afc6d..94429c1a 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,3 +1,7 @@
+Unreleased
+=========================
+* refactor(json): simplify strict mode error string construction
+
 2.2.1 / 2025-11-24
 =========================
 
diff --git a/lib/types/json.js b/lib/types/json.js
index 058fcc62..23c73577 100644
--- a/lib/types/json.js
+++ b/lib/types/json.js
@@ -102,11 +102,7 @@ function createStrictSyntaxError (str, char) {
   var partial = ''
 
   if (index !== -1) {
-    partial = str.substring(0, index) + JSON_SYNTAX_CHAR
-
-    for (var i = index + 1; i < str.length; i++) {
-      partial += JSON_SYNTAX_CHAR
-    }
+    partial = str.substring(0, index) + JSON_SYNTAX_CHAR.repeat(str.length - index)
   }
 
   try {
From 3d248660b2e8b66732b232d7c758517fbf2420a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?=
Date: Wed, 7 Jan 2026 10:34:37 +0100
Subject: [PATCH 55/55] 2.2.2 (#691)
---
 HISTORY.md | 4 +++-
 package.json | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/HISTORY.md b/HISTORY.md
index 94429c1a..7d3eeb62 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,5 +1,7 @@
-Unreleased
+2.2.2 / 2026-01-07
 =========================
+
+* deps: qs@^6.14.1
 * refactor(json): simplify strict mode error string construction
 
 2.2.1 / 2025-11-24
diff --git a/package.json b/package.json
index b5a50168..486878a2 100644
--- a/package.json
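Review bot: The masking in `partial = str.substring(0, index) + JSON_SYNTAX_CHAR.repeat(str.length - index)` deserves a why-comment now that the loop no longer spells out the intent; the count `str.length - index` matches the old one `'#'` plus one per remaining character, so behaviour is unchanged, but a reader has to derive that. I'd add above the assignment `// blank out everything from the offending char onward so JSON.parse on the partial fails at the same offset` — that reading is inferred from the `try {` that follows rather than shown in the hunk, so confirm it against the parse call. createStrictSyntaxError's signature and the rest of its body lie outside the hunk.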
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "body-parser",
   "description": "Node.js body parsing middleware",
-  "version": "2.2.1",
+  "version": "2.2.2",
   "contributors": [
     "Douglas Christopher Wilson ",
     "Jonathan Ong (http://jongleberry.com)"