build(deps): bump body-parser from 1.20.2 to 2.2.1

[dependabot]

Bumps body-parser from 1.20.2 to 2.2.1.

Release notes

Sourced from body-parser's releases.

v2.2.1

Important: Security

• Security fix for CVE-2025-13466 (GHSA-wqch-xfxh-vrr4)

What's Changed

• ci: add dependabot by @​Phillip9587 in expressjs/body-parser#593
• ci: use full SHAs for github action versions by @​Phillip9587 in expressjs/body-parser#594
• deps: type-is@^2.0.1 by @​Phillip9587 in expressjs/body-parser#599
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @​dependabot[bot] in expressjs/body-parser#609
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by @​dependabot[bot] in expressjs/body-parser#610
• build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 by @​dependabot[bot] in expressjs/body-parser#611
• build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 by @​dependabot[bot] in expressjs/body-parser#613
• build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 by @​dependabot[bot] in expressjs/body-parser#612
• ci: add codeql github workflows scanning by @​Phillip9587 in expressjs/body-parser#614
• ci: update CodeQL config to ignore the test directory by @​Phillip9587 in expressjs/body-parser#615
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @​dependabot[bot] in expressjs/body-parser#620
• build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by @​dependabot[bot] in expressjs/body-parser#619
• chore(deps): unpin devDependencies by @​Phillip9587 in expressjs/body-parser#616
• ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/body-parser#621
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @​dependabot[bot] in expressjs/body-parser#623
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in expressjs/body-parser#624
• chore: add funding to package.json by @​Phillip9587 in expressjs/body-parser#617
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @​dependabot[bot] in expressjs/body-parser#625
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in expressjs/body-parser#630
• refactor: move common request validation to read function by @​Phillip9587 in expressjs/body-parser#600
• deps: bump iconv-lite by @​bjohansebas in expressjs/body-parser#631
• doc: pull beta changelog forward into 2.0.0 by @​jonchurch in expressjs/body-parser#629
• refactor: optimize raw and text parsers with shared passthrough function by @​Phillip9587 in expressjs/body-parser#634
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#640
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @​dependabot[bot] in expressjs/body-parser#639
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#636
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#637
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @​dependabot[bot] in expressjs/body-parser#638
• deps: raw-body@^3.0.1 by @​Phillip9587 in expressjs/body-parser#641
• deps: debug@^4.4.3 by @​Phillip9587 in expressjs/body-parser#642
• docs: add iconv-lite 0.7.0 changes to history entry by @​Phillip9587 in expressjs/body-parser#645
• ci: add node.js 25 to test matrix by @​Phillip9587 in expressjs/body-parser#650
• perf: move read options outside parser middlewares by @​Phillip9587 in expressjs/body-parser#648
• test(json): add RFC 7159 whitespace edge cases by @​Ayoub-Mabrouk in expressjs/body-parser#653
• test: add test for urlencoded invalid defaultCharset by @​Phillip9587 in expressjs/body-parser#643
• build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @​dependabot[bot] in expressjs/body-parser#657
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @​dependabot[bot] in expressjs/body-parser#656
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#655
• build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @​dependabot[bot] in expressjs/body-parser#654
• ci: also test on first supported node.js version by @​Phillip9587 in expressjs/body-parser#646
• chore: switch badges from badgen.net to shields.io by @​Phillip9587 in expressjs/body-parser#661
• Remove history.md from being packaged on publish by @​bjohansebas in expressjs/body-parser#660
• Release: 2.2.1 by @​UlisesGascon in expressjs/body-parser#659

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.2.1 / 2025-11-24

• Security fix for GHSA-wqch-xfxh-vrr4
• deps:
  • type-is@^2.0.1
  • iconv-lite@^0.7.0
    • Handle split surrogate pairs when encoding UTF-8
    • Avoid false positives in encodingExists by using prototype-less objects
  • raw-body@^3.0.1
  • debug@^4.4.3

2.2.0 / 2025-03-27

• refactor: normalize common options for all parsers
• deps:
  • iconv-lite@^0.6.3

2.1.0 / 2025-02-10

• deps:
  • type-is@^2.0.0
  • debug@^4.4.0
  • Removed destroy
• refactor: prefix built-in node module imports
• use the node require cache instead of custom caching

2.0.2 / 2024-10-31

• remove unpipe package and use native unpipe() method

2.0.1 / 2024-09-10

• Restore expected behavior extended to false

2.0.0 / 2024-09-10

Breaking Changes

• Node.js 18 is the minimum supported version
• req.body is no longer always initialized to {}
  • it is left undefined unless a body is parsed
• Remove deprecated bodyParser() combination middleware
• urlencoded parser now defaults extended to false as released, this is not the case, fixed in 2.0.1
• urlencoded simple parser now uses qs module instead of querystring module

... (truncated)

Commits

• d96b63d 2.2.1 (#659)
• b204886 sec: security patch for CVE-2025-13466
• e20e351 feat: remove history.md from being packaged on publish (#660)
• 0d7ce71 docs: switch badges from badgen.net to shields.io (#661)
• 168afff ci: also test on first supported node.js version (#646)
• e539a71 build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (#654)
• 9391612 build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#655)
• 57baafb build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 (#656)
• a6a088e build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (#657)
• 10a114d test: add test for urlencoded invalid defaultCharset (#643)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once it's up-to-date and CI passes on it, as requested by @felipelssilva.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[felipelssilva]

@dependabot rebase

[dependabot]

Dependabot attempted to update this pull request, but because the branch dependabot/npm_and_yarn/body-parser-2.2.1 is protected it was unable to do so.

[felipelssilva]

@dependabot merge

[dependabot]

Beginning January 27, 2026, Dependabot will no longer support the @dependabot merge command. Please use GitHub's native pull request controls instead. Please see the changelog announcement for additional details.

[dependabot]

Oh no! Something went wrong on our end. Please try again later.

If the problem persists, please contact GitHub support for assistance 🙇

[felipelssilva]

@dependabot rebase

[dependabot]

Oh no! Something went wrong on our end. Please try again later.

If the problem persists, please contact GitHub support for assistance 🙇

[felipelssilva]

@dependabot reopen

[dependabot]

Beginning January 27, 2026, Dependabot will no longer support the @dependabot reopen command. Please use GitHub's native pull request controls instead. Please see the changelog announcement for additional details.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.