		# Security Policies and Procedures

		## Reporting a Bug

		The Express team and community take all security bugs seriously. Thank you
		for improving the security of Express. We appreciate your efforts and
		responsible disclosure and will make every effort to acknowledge your
		contributions.

		Report security bugs by emailing the current owner(s) of `body-parser`. This
		information can be found in the npm registry using the command
		`npm owner ls body-parser`.
		If unsure or unable to get the information from the above, open an issue
		in the [project issue tracker](https://github.com/expressjs/body-parser/issues)
		asking for the current contact information.

		To ensure the timely response to your report, please ensure that the entirety
		of the report is contained within the email body and not solely behind a web
		link or an attachment.

		At least one owner will acknowledge your email within 48 hours, and will send a
		more detailed response within 48 hours indicating the next steps in handling
		your report. After the initial reply to your report, the owners will
		endeavor to keep you informed of the progress towards a fix and full
		announcement, and may ask for additional information or guidance.

+18

-0

HISTORY.md

		@@ -0,1 +1,19 @@
		1.20.0 / 2022-04-02
		===================

		* Fix error message for json parse whitespace in `strict`
		* Fix internal error when inflated body exceeds limit
		* Prevent loss of async hooks context
		* Prevent hanging when request already read
		* deps: depd@2.0.0
		- Replace internal `eval` usage with `Function` constructor
		- Use instance methods on `process` to check for listeners
		* deps: http-errors@2.0.0
		- deps: depd@2.0.0
		- deps: statuses@2.0.1
		* deps: on-finished@2.4.1
		* deps: qs@6.10.3
		* deps: raw-body@2.5.1
		- deps: http-errors@2.0.0

		1.19.2 / 2022-02-15
		@@ -2,0 +20,0 @@ ===================

+26

-2

lib/read.js

		@@ -15,5 +15,7 @@ /*!
		var createError = require('http-errors')
		var destroy = require('destroy')
		var getBody = require('raw-body')
		var iconv = require('iconv-lite')
		var onFinished = require('on-finished')
		var unpipe = require('unpipe')
		var zlib = require('zlib')
		@@ -93,5 +95,10 @@

		// unpipe from stream and destroy
		if (stream !== req) {
		unpipe(req)
		destroy(stream, true)
		}

		// read off entire request
		stream.resume()
		onFinished(req, function onfinished () {
		dump(req, function onfinished () {
		next(createError(400, _error))
		@@ -184,1 +191,18 @@ })
		}

		/**
		* Dump the contents of a request.
		*
		* @param {object} req
		* @param {function} callback
		* @api private
		*/

		function dump (req, callback) {
		if (onFinished.isFinished(req)) {
		callback(null)
		} else {
		onFinished(req, callback)
		req.resume()
		}
		}

+10

-4

lib/types/json.js

		@@ -40,3 +40,3 @@ /*!

		var FIRST_CHAR_REGEXP = /^[\x20\x09\x0a\x0d]*(.)/ // eslint-disable-line no-control-regex
		var FIRST_CHAR_REGEXP = /^[\x20\x09\x0a\x0d]*([^\x20\x09\x0a\x0d])/ // eslint-disable-line no-control-regex

		@@ -126,3 +126,3 @@ /**
		var charset = getCharset(req) \|\| 'utf-8'
		if (charset.substr(0, 4) !== 'utf-') {
		if (charset.slice(0, 4) !== 'utf-') {
		debug('invalid charset')
		@@ -157,3 +157,5 @@ next(createError(415, 'unsupported charset "' + charset.toUpperCase() + '"', {
		var index = str.indexOf(char)
		var partial = str.substring(0, index) + '#'
		var partial = index !== -1
		? str.substring(0, index) + '#'
		: ''

		@@ -179,3 +181,7 @@ try {
		function firstchar (str) {
		return FIRST_CHAR_REGEXP.exec(str)[1]
		var match = FIRST_CHAR_REGEXP.exec(str)

		return match
		? match[1]
		: undefined
		}
		@@ -182,0 +188,0 @@

+13

-9

package.json

		{
		"name": "body-parser",
		"description": "Node.js body parsing middleware",
		"version": "1.19.2",
		"version": "1.20.0",
		"contributors": [
		@@ -15,9 +15,11 @@ "Douglas Christopher Wilson <doug@somethingdoug.com>",
		"debug": "2.6.9",
		"depd": "~1.1.2",
		"http-errors": "1.8.1",
		"depd": "2.0.0",
		"destroy": "1.2.0",
		"http-errors": "2.0.0",
		"iconv-lite": "0.4.24",
		"on-finished": "~2.3.0",
		"qs": "6.9.7",
		"raw-body": "2.4.3",
		"type-is": "~1.6.18"
		"on-finished": "2.4.1",
		"qs": "6.10.3",
		"raw-body": "2.5.1",
		"type-is": "~1.6.18",
		"unpipe": "1.0.0"
		},
		@@ -33,3 +35,3 @@ "devDependencies": {
		"methods": "1.1.2",
		"mocha": "9.2.0",
		"mocha": "9.2.2",
		"nyc": "15.1.0",
		@@ -43,6 +45,8 @@ "safe-buffer": "5.2.1",
		"HISTORY.md",
		"SECURITY.md",
		"index.js"
		],
		"engines": {
		"node": ">= 0.8"
		"node": ">= 0.8",
		"npm": "1.2.8000 \|\| >= 1.4.16"
		},
		@@ -49,0 +53,0 @@ "scripts": {

+9

-1

README.md

		@@ -345,2 +345,10 @@ # body-parser

		### stream is not readable

		This error will occur when the request is no longer readable when this middleware
		attempts to read it. This typically means something other than a middleware from
		this module read the reqest body already and the middleware was also configured to
		read the same request. The `status` property is set to `500` and the `type`
		property is set to `'stream.not.readable'`.

		### too many parameters
		@@ -457,2 +465,2 @@
		[github-actions-ci-image]: https://img.shields.io/github/workflow/status/expressjs/body-parser/ci/master?label=ci
		[github-actions-ci-url]: https://github.com/expressjs/body-parser?query=workflow%3Aci
		[github-actions-ci-url]: https://github.com/expressjs/body-parser/actions/workflows/ci.yml

body-parser - npm Package Compare versions

New alerts