fix(deps): update dependency multer to v2 [security] #660
renovate-bot wants to merge 1 commit into GoogleCloudPlatform:main from
Conversation
/gcbrun
Code Review
This pull request upgrades the multer dependency to version 2.1.1. The review feedback correctly identifies that this major version update introduces breaking changes in the API, specifically regarding storage initialization and export structures, which require updates in the application code to avoid runtime errors.
| "body-parser": "^1.18.3", | ||
| "express": "^4.16.4", | ||
| "multer": "^1.4.1", | ||
| "multer": "^2.1.1", |
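Review bot: the PR description still says `^1.4.1→^2.0.0` while this hunk pins `"multer": "^2.1.1"`; since GHSA-5528-5vmv-3xc2 (CVE-2026-3520) is only fixed in 2.1.1, `^2.1.1` is the correct floor, so bring the description in line with the hunk (and confirm the lockfile was regenerated in the same commit) rather than loosening the range. The version bump alone does not touch `bookshelf/lib/images.js`, which the review comment below says passes `Multer.MemoryStorage` as `storage`; that file needs the matching v2 change in this same PR, otherwise the first upload after merge fails at runtime instead of at review time.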
The upgrade to multer v2.x is a major version change that introduces breaking changes. The current implementation in bookshelf/lib/images.js (line 77) passes the Multer.MemoryStorage constructor to the storage option, but multer v2 requires an instance (e.g., Multer.memoryStorage()). Additionally, the export structure of multer v2 may differ from v1, which could cause Multer({ ... }) to fail if the default export is no longer the factory function. These issues will cause runtime errors. Update the initialization in lib/images.js to be compatible with the v2 API and enable the defParamCharset: 'utf8' option to correctly handle UTF-8 filenames.
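As an added example (not the bookshelf sample's own `lib/images.js`, and not code from multer), here is an initialization in the shape the comment above asks for: `storage` is an instance returned by `Multer.memoryStorage()` rather than the `MemoryStorage` constructor, `defParamCharset: 'utf8'` is set, and the `limits` block bounds what one request can make the server buffer, which is the failure mode the three advisories in this PR are about. The multer module is passed in as a parameter instead of being required at the top (an assumption made so the wiring can be unit-tested with a stub); the 5 MB ceiling, the `image` field name and the error-to-status mapping are assumptions as well.

```javascript
// Added example: multer >= 2.1 setup for a single image field, plus an
// error handler that turns multer's limit errors into 4xx responses.
// Multer is injected (assumption, for testability). In lib/images.js:
//   const upload = buildImageUpload(require('multer'));

const MAX_IMAGE_BYTES = 5 * 1024 * 1024; // assumed 5 MB ceiling

function buildImageUpload(Multer, fieldName = 'image') {
  // Fail at startup if the module shape is not the expected factory,
  // rather than letting a bad `storage` value surface on the first upload.
  if (typeof Multer !== 'function' || typeof Multer.memoryStorage !== 'function') {
    throw new TypeError('expected the multer module: a factory function with memoryStorage()');
  }

  const options = {
    storage: Multer.memoryStorage(), // an instance, not the MemoryStorage constructor
    defParamCharset: 'utf8',         // multer 2.1.0+: decode the filename parameter as UTF-8
    limits: {
      fileSize: MAX_IMAGE_BYTES, // bytes per file held in memory
      files: 1,                  // one image per request
      fields: 20,                // non-file fields per request
      fieldSize: 64 * 1024,      // bytes per non-file field value
    },
    // mimetype is client-supplied; this only rejects obvious junk. A real
    // image check inspects the bytes (magic numbers) after the upload.
    fileFilter(req, file, cb) {
      cb(null, /^image\//.test(file.mimetype));
    },
  };

  return { middleware: Multer(options).single(fieldName), options };
}

// Map multer's limit errors (code LIMIT_*) to a 4xx status so a client that
// blows a limit gets a clear answer instead of the default 500. Anything
// that is not a MulterError is left for the next error handler.
function multerErrorStatus(err) {
  if (!err || err.name !== 'MulterError') return null;
  switch (err.code) {
    case 'LIMIT_FILE_SIZE':
    case 'LIMIT_FIELD_VALUE':
      return 413;
    case 'LIMIT_FILE_COUNT':
    case 'LIMIT_FIELD_COUNT':
    case 'LIMIT_UNEXPECTED_FILE':
      return 400;
    default:
      return 400;
  }
}

// Express error middleware (four arguments). Register it after the route
// that uses upload.middleware:
//   app.post('/books/add', upload.middleware, handler, uploadErrorHandler);
function uploadErrorHandler(err, req, res, next) {
  const status = multerErrorStatus(err);
  if (status === null) return next(err);
  res.status(status).json({ error: err.code });
}

if (typeof module !== 'undefined') {
  module.exports = { buildImageUpload, multerErrorStatus, uploadErrorHandler, MAX_IMAGE_BYTES };
}
```

The startup check matters because a wrong `storage` value is otherwise only discovered when the first multipart request arrives; putting the check next to the options keeps the v2 migration from becoming a production incident.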
force-pushed 74f9127 to 93ddf77
/gcbrun
force-pushed 93ddf77 to 5e3f54e
/gcbrun
force-pushed 5e3f54e to 7b1e96b
/gcbrun
This PR contains the following updates:
multer ^1.4.1 → ^2.0.0

Multer vulnerable to Denial of Service via incomplete cleanup
CVE-2026-3304 / GHSA-xf7r-hgr6-v32p
Impact
A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.
Patches
Users should upgrade to 2.1.0
Workarounds
None
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Multer vulnerable to Denial of Service via resource exhaustion
CVE-2026-2359 / GHSA-v52c-386h-88mc
Impact
A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping the connection during a file upload, potentially causing resource exhaustion.
Patches
Users should upgrade to 2.1.0
Workarounds
None
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Multer vulnerable to Denial of Service via uncontrolled recursion
CVE-2026-3520 / GHSA-5528-5vmv-3xc2
Impact
A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing a stack overflow.
Patches
Users should upgrade to 2.1.1
Workarounds
None
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Release Notes
expressjs/multer (multer)
v2.1.1
v2.1.0
defParamCharset option for UTF-8 filename support (#1210)
v2.0.2
v2.0.1
v2.0.0
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.