body-parser - npm Package Compare versions

Comparing version 2.0.0-beta.1 to 2.0.0-beta.2

HISTORY.md

@@ -0,4 +1,22 @@
+2.0.0-beta.2 / 2023-02-23
+=========================
+
+This incorporates all changes after 1.19.1 up to 1.20.2.
+
+  * Remove deprecated `bodyParser()` combination middleware
+  * deps: debug@3.1.0
+    - Add `DEBUG_HIDE_DATE` environment variable
+    - Change timer to per-namespace instead of global
+    - Change non-TTY date format
+    - Remove `DEBUG_FD` environment variable support
+    - Support 256 namespace colors
+  * deps: iconv-lite@0.5.2
+    - Add encoding cp720
+    - Add encoding UTF-32
+  * deps: raw-body@3.0.0-beta.1
+
 2.0.0-beta.1 / 2021-12-17
 =========================
 
+  * Drop support for Node.js 0.8
   * `req.body` is no longer always initialized to `{}`
@@ -9,2 +27,43 @@ - it is left `undefined` unless a body is parsed
 
+1.20.2 / 2023-02-21
+===================
+
+  * Fix strict json error message on Node.js 19+
+  * deps: content-type@~1.0.5
+    - perf: skip value escaping when unnecessary
+  * deps: raw-body@2.5.2
+
+1.20.1 / 2022-10-06
+===================
+
+  * deps: qs@6.11.0
+  * perf: remove unnecessary object clone
+
+1.20.0 / 2022-04-02
+===================
+
+  * Fix error message for json parse whitespace in `strict`
+  * Fix internal error when inflated body exceeds limit
+  * Prevent loss of async hooks context
+  * Prevent hanging when request already read
+  * deps: depd@2.0.0
+    - Replace internal `eval` usage with `Function` constructor
+    - Use instance methods on `process` to check for listeners
+  * deps: http-errors@2.0.0
+    - deps: depd@2.0.0
+    - deps: statuses@2.0.1
+  * deps: on-finished@2.4.1
+  * deps: qs@6.10.3
+  * deps: raw-body@2.5.1
+    - deps: http-errors@2.0.0
+
+1.19.2 / 2022-02-15
+===================
+
+  * deps: bytes@3.1.2
+  * deps: qs@6.9.7
+    * Fix handling of `__proto__` keys
+  * deps: raw-body@2.4.3
+    - deps: bytes@3.1.2
+
 1.19.1 / 2021-12-10
@@ -11,0 +70,0 @@ ===================

index.js

@@ -10,9 +10,2 @@ /*!
 /**
- * Module dependencies.
- * @private
- */
-
-var deprecate = require('depd')('body-parser')
-
-/**
  * Cache of loaded parsers.
@@ -38,4 +31,3 @@ * @private
 
-exports = module.exports = deprecate.function(bodyParser,
-  'bodyParser: use individual json/urlencoded middlewares')
+exports = module.exports = bodyParser
 
@@ -95,23 +87,4 @@ /**
 
-function bodyParser (options) {
-  var opts = {}
-
-  // exclude type option
-  if (options) {
-    for (var prop in options) {
-      if (prop !== 'type') {
-        opts[prop] = options[prop]
-      }
-    }
-  }
-
-  var _urlencoded = exports.urlencoded(opts)
-  var _json = exports.json(opts)
-
-  return function bodyParser (req, res, next) {
-    _json(req, res, function (err) {
-      if (err) return next(err)
-      _urlencoded(req, res, next)
-    })
-  }
+function bodyParser () {
+  throw new Error('The bodyParser() generic has been split into individual middleware to use instead.')
 }
@@ -118,0 +91,0 @@

lib/read.js

@@ -15,5 +15,7 @@ /*!
 var createError = require('http-errors')
+var destroy = require('destroy')
 var getBody = require('raw-body')
 var iconv = require('iconv-lite')
 var onFinished = require('on-finished')
+var unpipe = require('unpipe')
 var zlib = require('zlib')
@@ -90,5 +92,10 @@
 
+      // unpipe from stream and destroy
+      if (stream !== req) {
+        unpipe(req)
+        destroy(stream, true)
+      }
+
       // read off entire request
-      stream.resume()
-      onFinished(req, function onfinished () {
+      dump(req, function onfinished () {
         next(createError(400, _error))
@@ -181,1 +188,18 @@ })
 }
+
+/**
+ * Dump the contents of a request.
+ *
+ * @param {object} req
+ * @param {function} callback
+ * @api private
+ */
+
+function dump (req, callback) {
+  if (onFinished.isFinished(req)) {
+    callback(null)
+  } else {
+    onFinished(req, callback)
+    req.resume()
+  }
+}

lib/types/json.js

@@ -41,4 +41,7 @@ /*!
 
-var FIRST_CHAR_REGEXP = /^[\x20\x09\x0a\x0d]*(.)/ // eslint-disable-line no-control-regex
+var FIRST_CHAR_REGEXP = /^[\x20\x09\x0a\x0d]*([^\x20\x09\x0a\x0d])/ // eslint-disable-line no-control-regex
 
+var JSON_SYNTAX_CHAR = '#'
+var JSON_SYNTAX_REGEXP = /#+/g
+
 /**
@@ -129,3 +132,3 @@ * Create a middleware to parse JSON bodies.
     var charset = getCharset(req) || 'utf-8'
-    if (charset.substr(0, 4) !== 'utf-') {
+    if (charset.slice(0, 4) !== 'utf-') {
       debug('invalid charset')
@@ -160,4 +163,12 @@ next(createError(415, 'unsupported charset "' + charset.toUpperCase() + '"', {
   var index = str.indexOf(char)
-  var partial = str.substring(0, index) + '#'
+  var partial = ''
 
+  if (index !== -1) {
+    partial = str.substring(0, index) + JSON_SYNTAX_CHAR
+
+    for (var i = index + 1; i < str.length; i++) {
+      partial += JSON_SYNTAX_CHAR
+    }
+  }
+
   try {
@@ -167,3 +178,5 @@ JSON.parse(partial); /* istanbul ignore next */ throw new SyntaxError('strict violation')
     return normalizeJsonSyntaxError(e, {
-      message: e.message.replace('#', char),
+      message: e.message.replace(JSON_SYNTAX_REGEXP, function (placeholder) {
+        return str.substring(index, index + placeholder.length)
+      }),
       stack: e.stack
@@ -183,3 +196,7 @@ })
 function firstchar (str) {
-  return FIRST_CHAR_REGEXP.exec(str)[1]
+  var match = FIRST_CHAR_REGEXP.exec(str)
+
+  return match
+    ? match[1]
+    : undefined
 }
@@ -186,0 +203,0 @@

package.json

 {
   "name": "body-parser",
   "description": "Node.js body parsing middleware",
-  "version": "2.0.0-beta.1",
+  "version": "2.0.0-beta.2",
   "contributors": [
@@ -12,26 +12,27 @@ "Douglas Christopher Wilson <doug@somethingdoug.com>",
   "dependencies": {
-    "bytes": "3.1.1",
-    "content-type": "~1.0.4",
-    "debug": "2.6.9",
-    "depd": "~1.1.2",
-    "http-errors": "1.8.1",
-    "iconv-lite": "0.4.24",
-    "on-finished": "~2.3.0",
-    "qs": "6.9.6",
-    "raw-body": "2.4.2",
-    "type-is": "~1.6.18"
+    "bytes": "3.1.2",
+    "content-type": "~1.0.5",
+    "debug": "3.1.0",
+    "destroy": "1.2.0",
+    "http-errors": "2.0.0",
+    "iconv-lite": "0.5.2",
+    "on-finished": "2.4.1",
+    "qs": "6.11.0",
+    "raw-body": "3.0.0-beta.1",
+    "type-is": "~1.6.18",
+    "unpipe": "1.0.0"
   },
   "devDependencies": {
-    "eslint": "7.32.0",
+    "eslint": "8.34.0",
     "eslint-config-standard": "14.1.1",
-    "eslint-plugin-import": "2.25.3",
-    "eslint-plugin-markdown": "2.2.1",
+    "eslint-plugin-import": "2.27.5",
+    "eslint-plugin-markdown": "3.0.0",
     "eslint-plugin-node": "11.1.0",
-    "eslint-plugin-promise": "5.2.0",
+    "eslint-plugin-promise": "6.1.1",
     "eslint-plugin-standard": "4.1.0",
     "methods": "1.1.2",
-    "mocha": "9.1.3",
+    "mocha": "10.2.0",
     "nyc": "15.1.0",
     "safe-buffer": "5.2.1",
-    "supertest": "6.1.6"
+    "supertest": "6.3.3"
   },
@@ -42,2 +43,3 @@ "files": [
     "HISTORY.md",
+    "SECURITY.md",
     "index.js"
@@ -44,0 +46,0 @@ ],

README.md

 # body-parser
 
-[![NPM Version][npm-image]][npm-url]
-[![NPM Downloads][downloads-image]][downloads-url]
-[![Build Status][github-actions-ci-image]][github-actions-ci-url]
+[![NPM Version][npm-version-image]][npm-url]
+[![NPM Downloads][npm-downloads-image]][npm-url]
+[![Build Status][ci-image]][ci-url]
 [![Test Coverage][coveralls-image]][coveralls-url]
@@ -58,5 +58,3 @@
 middlewares will populate the `req.body` property with the parsed body when
-the `Content-Type` request header matches the `type` option, or an empty
-object (`{}`) if there was no body to parse, the `Content-Type` was not matched,
-or an error occurred.
+the `Content-Type` request header matches the `type` option.
 
@@ -344,2 +342,10 @@ The various errors returned by this module are described in the
 
+### stream is not readable
+
+This error will occur when the request is no longer readable when this middleware
+attempts to read it. This typically means something other than a middleware from
+this module read the request body already and the middleware was also configured to
+read the same request. The `status` property is set to `500` and the `type`
+property is set to `'stream.not.readable'`.
+
 ### too many parameters
@@ -451,9 +457,10 @@
 
-[npm-image]: https://img.shields.io/npm/v/body-parser.svg
+[ci-image]: https://badgen.net/github/checks/expressjs/body-parser/master?label=ci
+[ci-url]: https://github.com/expressjs/body-parser/actions/workflows/ci.yml
+[coveralls-image]: https://badgen.net/coveralls/c/github/expressjs/body-parser/master
+[coveralls-url]: https://coveralls.io/r/expressjs/body-parser?branch=master
+[node-version-image]: https://badgen.net/npm/node/body-parser
+[node-version-url]: https://nodejs.org/en/download
+[npm-downloads-image]: https://badgen.net/npm/dm/body-parser
 [npm-url]: https://npmjs.org/package/body-parser
-[coveralls-image]: https://img.shields.io/coveralls/expressjs/body-parser/master.svg
-[coveralls-url]: https://coveralls.io/r/expressjs/body-parser?branch=master
-[downloads-image]: https://img.shields.io/npm/dm/body-parser.svg
-[downloads-url]: https://npmjs.org/package/body-parser
-[github-actions-ci-image]: https://img.shields.io/github/workflow/status/expressjs/body-parser/ci/master?label=ci
-[github-actions-ci-url]: https://github.com/expressjs/body-parser?query=workflow%3Aci
+[npm-version-image]: https://badgen.net/npm/v/body-parser

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

60961

increased by5.98%

Number of package files

11

increased by10%

Lines of code

909

increased by1.34%

Number of lines in readme file

464

increased by1.53%

Worsened metrics

Dependency count

11

increased by10%

Dependency changes

• + Addeddestroy@1.2.0

• + Addedunpipe@1.0.0

• + Addedbytes@3.1.2(transitive)

• + Addedcall-bind@1.0.7(transitive)

• + Addeddebug@3.1.0(transitive)

• + Addeddefine-data-property@1.1.4(transitive)

• + Addeddepd@2.0.0(transitive)

• + Addeddestroy@1.2.0(transitive)

• + Addedes-define-property@1.0.0(transitive)

• + Addedes-errors@1.3.0(transitive)

• + Addedfunction-bind@1.1.2(transitive)

• + Addedget-intrinsic@1.2.4(transitive)

• + Addedgopd@1.0.1(transitive)

• + Addedhas-property-descriptors@1.0.2(transitive)

• + Addedhas-proto@1.0.3(transitive)

• + Addedhas-symbols@1.0.3(transitive)

• + Addedhasown@2.0.2(transitive)

• + Addedhttp-errors@2.0.0(transitive)

• + Addediconv-lite@0.5.2(transitive)

• + Addedobject-inspect@1.13.2(transitive)

• + Addedon-finished@2.4.1(transitive)

• + Addedqs@6.11.0(transitive)

• + Addedraw-body@3.0.0-beta.1(transitive)

• + Addedset-function-length@1.2.2(transitive)

• + Addedside-channel@1.0.6(transitive)

• + Addedstatuses@2.0.1(transitive)

• - Removeddepd@~1.1.2

• - Removedbytes@3.1.1(transitive)

• - Removeddebug@2.6.9(transitive)

• - Removeddepd@1.1.2(transitive)

• - Removedhttp-errors@1.8.1(transitive)

• - Removediconv-lite@0.4.24(transitive)

• - Removedon-finished@2.3.0(transitive)

• - Removedqs@6.9.6(transitive)

• - Removedraw-body@2.4.2(transitive)

• - Removedstatuses@1.5.0(transitive)

• Updatedbytes@3.1.2

• Updatedcontent-type@~1.0.5

• Updateddebug@3.1.0

• Updatedhttp-errors@2.0.0

• Updatediconv-lite@0.5.2

• Updatedon-finished@2.4.1

• Updatedqs@6.11.0

• Updatedraw-body@3.0.0-beta.1