
Update dependency body-parser to v2#30

Merged
koki-develop merged 1 commit into master from renovate/body-parser-2.x
Jan 13, 2026

Conversation


@renovate renovate bot commented Jan 13, 2026

This PR contains the following updates:

Package      Change
body-parser  1.20.4 → 2.2.1

Release Notes

expressjs/body-parser (body-parser)

v2.2.1

Compare Source

=========================

  • Security fix for GHSA-wqch-xfxh-vrr4
  • deps:
    • type-is@^2.0.1
    • iconv-lite@^0.7.0
      • Handle split surrogate pairs when encoding UTF-8
      • Avoid false positives in encodingExists by using prototype-less objects
    • raw-body@^3.0.1
    • debug@^4.4.3

v2.2.0

Compare Source

=========================

  • refactor: normalize common options for all parsers
  • deps:
    • iconv-lite@^0.6.3

v2.1.0

Compare Source

=========================

  • deps:
    • type-is@^2.0.0
    • debug@^4.4.0
    • Removed destroy
  • refactor: prefix built-in node module imports
  • use the node require cache instead of custom caching

v2.0.2

Compare Source

=========================

  • remove unpipe package and use native unpipe() method

v2.0.1

Compare Source

=========================

  • Restore expected behavior extended to false

v2.0.0

Compare Source

=========================

Breaking Changes

  • Node.js 18 is the minimum supported version
  • req.body is no longer always initialized to {}
    • it is left undefined unless a body is parsed
  • Remove deprecated bodyParser() combination middleware
  • urlencoded parser now defaults extended to false (as released, this is not the case; fixed in 2.0.1)
  • urlencoded simple parser now uses qs module instead of querystring module

Features

  • Add brotli support #406
  • urlencoded: Add option to customize the depth with a default value of 32
  • urlencoded: Support iso-8859-1, utf8 sentinel, and numeric entities
  • Use on-finished to determine when body read

Dependencies

  • deps: raw-body@^3.0.0
  • deps: qs@6.12.3
  • deps: debug@3.1.0
  • deps: iconv-lite@0.5.2

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
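The release notes above list two limits that a plain byte-size cap on the body does not give you: a nesting depth for bracketed urlencoded keys (new `depth` option, default 32) and, via the v2.2.1 security fix, protection against bodies that are small in bytes but carry a very large number of parameters. The following is an added example, not code from body-parser or from this repository: a minimal urlencoded parser that counts parameters before decoding anything (the same idea as body-parser's documented `parameterLimit` option, default 1000), caps bracket nesting, and stores keys in prototype-less objects so a crafted `__proto__` key cannot reach `Object.prototype`. The names `parseUrlEncoded`, `LimitError` and `demo` are this example's own, and the sample bodies are constructed.

```javascript
'use strict';

class LimitError extends Error {
  constructor(message, code) {
    super(message);
    this.name = 'LimitError';
    this.code = code; // 'parameterLimit' or 'depth'
  }
}

// Count key=value pairs without decoding anything: counting separators is
// cheap, so an oversized body is rejected before any allocation-heavy work.
function countParameters(body) {
  let count = 1;
  for (let i = 0; i < body.length; i++) {
    if (body.charCodeAt(i) === 0x26 /* '&' */) count++;
  }
  return count;
}

// Split a bracketed key such as "user[roles][0]" into ["user", "roles", "0"],
// rejecting keys nested deeper than maxDepth bracket levels.
function splitKey(key, maxDepth) {
  const open = key.indexOf('[');
  if (open <= 0) return [key];
  const segments = [key.slice(0, open)];
  const bracket = /\[([^\[\]]*)\]/g;
  bracket.lastIndex = open;
  let m;
  while ((m = bracket.exec(key)) !== null) {
    segments.push(m[1]);
    if (segments.length - 1 > maxDepth) {
      throw new LimitError(`key nested deeper than ${maxDepth} levels`, 'depth');
    }
  }
  return segments;
}

function decode(s) {
  return decodeURIComponent(s.replace(/\+/g, ' '));
}

// Defaults mirror body-parser's documented parameterLimit (1000) and the
// v2 urlencoded depth default (32) from the release notes.
function parseUrlEncoded(body, { parameterLimit = 1000, depth = 32 } = {}) {
  const count = countParameters(body);
  if (count > parameterLimit) {
    throw new LimitError(`too many parameters: ${count} > ${parameterLimit}`, 'parameterLimit');
  }
  // Prototype-less containers: "__proto__" is an ordinary own property here,
  // so a crafted key cannot pollute Object.prototype.
  const result = Object.create(null);
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decode(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decode(pair.slice(eq + 1));
    const segments = splitKey(key, depth);
    let node = result;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = Object.create(null);
      node = node[seg];
    }
    node[segments[segments.length - 1]] = value;
  }
  return result;
}

// Constructed inputs exercising the happy path and each limit.
function demo() {
  const nested = parseUrlEncoded('user[name]=alice&user[roles][0]=admin');

  // 5000 tiny parameters: roughly 39 KB, well under a 100 KB byte cap, yet
  // 5000 keys to decode, hash and store. This is the shape a parameter-count
  // limit exists to reject.
  const flood = Array.from({ length: 5000 }, (_, i) => `k${i}=1`).join('&');
  let floodError = null;
  try { parseUrlEncoded(flood); } catch (e) { floodError = e; }

  // 40 bracket levels against the default depth of 32.
  const deep = 'a' + '[b]'.repeat(40) + '=1';
  let depthError = null;
  try { parseUrlEncoded(deep); } catch (e) { depthError = e; }

  // Prototype-pollution attempt lands as an own property, not on Object.prototype.
  const proto = parseUrlEncoded('__proto__[polluted]=yes');

  return { nested, floodError, depthError, proto, floodBytes: flood.length };
}

for (const [name, value] of Object.entries(demo())) console.log(name, value);
```

The point of counting separators first is that the rejection cost is linear in the body size and happens before any per-parameter allocation; a parser that only checks the total byte length, or that counts parameters after splitting and decoding, has already paid the expensive part by the time it notices.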

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Jump: body-parser 1.20.4 → 2.2.1 (major version upgrade)

Security Fixes:

  • v2.2.1 addresses CVE-2025-13466 / GHSA-wqch-xfxh-vrr4 (Moderate severity, CVSS 5.3)
    • Vulnerability: DoS attack via inefficient handling of URL-encoded bodies with very large parameter counts
    • Impact: Remote attackers could cause resource exhaustion (CPU/memory) within the 100KB limit
    • This is a critical security patch that should be applied

Breaking Changes in v2.0.0:

  1. Node.js 18+ Required ✅ (Current environment: v18.20.8 - Compatible)
  2. req.body no longer initialized to {} - Now remains undefined until body is parsed
  3. Removed deprecated bodyParser() middleware - Not used in this codebase
  4. urlencoded simple parser uses qs module instead of querystring

New Features:

  • Brotli compression support
  • Customizable depth option for urlencoded parser (default: 32)
  • Support for iso-8859-1, UTF8 sentinel, and numeric entities
  • Uses on-finished module for body read completion detection

Dependency Updates:

  • debug: 2.6.9 → 4.4.3
  • iconv-lite: 0.4.24 → 0.7.2
  • raw-body: 2.5.3 → 3.0.2
  • type-is: 1.6.18 → 2.0.1
  • qs: ~6.14.0 (maintained)
  • Removed: destroy, unpipe packages (replaced with native methods)

🎯 Impact Scope Investigation

Usage Locations Identified:

  1. api/src/index.js:11 - Import statement

    const body_parser = require('body-parser');
  2. api/src/index.js:67-68 - Middleware registration

    app.use(body_parser.urlencoded({ extended: true }));
    app.use(body_parser.json());
  3. api/src/api/v2.js - Request body access points:

    • Line 240: job = await get_job(req.body) - POST /execute endpoint
    • Line 298: const { language, version } = req.body - POST /packages endpoint
    • Line 327: const { language, version } = req.body - DELETE /packages endpoint

Critical Analysis:

extended: true configuration - Already explicitly set, unaffected by v2.0.0 default change

req.body access pattern - All usage occurs in POST/DELETE endpoints where body-parser middleware has already processed the request body, so req.body will be defined

No undefined checks needed - The codebase uses req.body directly after body-parser middleware processes the request, and the middleware only runs on routes where content-type is application/json

Input validation - The get_job() function properly validates all required fields, handling missing/invalid data gracefully

Content-type validation - Middleware at api/src/api/v2.js:122-134 enforces application/json content-type for non-GET requests

Dependency Compatibility:

  • Express 4.22.1 is compatible with body-parser v2.x
  • All transitive dependencies are updated appropriately in package-lock.json
  • Express maintains its own body-parser v1.20.4 dependency internally (visible in the lock file), preventing conflicts

Environment Requirements:

  • Node.js 18.20.8 meets the minimum requirement (Node.js 18+) ✅

💡 Recommended Actions

Immediate Actions:

  1. Merge this PR - The update is safe and includes important security fixes
  2. Deploy to production - No code changes required

No Migration Required:

  • The codebase already uses extended: true explicitly
  • All req.body access patterns are safe (occur after middleware processing)
  • Proper input validation is already in place
  • Content-type validation prevents undefined body scenarios

Post-Merge Verification (Recommended):

  1. Run existing test suite to verify behavior
  2. Monitor application logs after deployment for any unexpected body parsing errors
  3. Verify that all POST/DELETE endpoints continue to function correctly

Long-term Considerations:

  • Consider updating Express to v5.x in the future (when stable) for better integration with body-parser v2.x
  • The security fix in v2.2.1 addresses a real DoS vulnerability - this update provides measurable security improvement

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
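The review's "no undefined checks needed" conclusion rests on the content-type gate running ahead of the handlers, because under v2 a request whose body is never parsed leaves `req.body` undefined and `const { language, version } = req.body` then throws a TypeError instead of yielding undefined fields. The following added example (not the project's code and not body-parser's) simulates that chain without a server: a stand-in JSON parser whose `initBody` flag switches between the v1 always-`{}` and v2 leave-undefined behaviour, a content-type gate of the kind the review describes, and the same handler in unguarded and guarded form. All names (`runChain`, `jsonParser`, `requireJson`, the handlers, `scenarios`) and the sample requests are this example's own.

```javascript
'use strict';

function makeRes() {
  return {
    statusCode: 200,
    payload: undefined,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.payload = obj; return this; },
  };
}

// Runs middlewares in order; a thrown error or next(err) short-circuits to a
// JSON error response, roughly what Express's default error handler does.
function runChain(middlewares, req) {
  const res = makeRes();
  let i = 0;
  const next = (err) => {
    if (err) return res.status(err.status || 500).json({ error: err.message });
    const mw = middlewares[i++];
    if (!mw) return;
    try { mw(req, res, next); } catch (e) { next(e); }
  };
  next();
  return res;
}

// Stand-in for body-parser.json(). initBody: true reproduces v1 (req.body is
// always {}), false reproduces v2 (req.body stays undefined unless parsed).
function jsonParser({ initBody }) {
  return (req, res, next) => {
    if (initBody && req.body === undefined) req.body = {};
    const ct = (req.headers['content-type'] || '').toLowerCase();
    if (!ct.startsWith('application/json')) return next(); // not our type: skip
    try {
      req.body = JSON.parse(req.rawBody);
    } catch (e) {
      return next(Object.assign(new Error('invalid JSON body'), { status: 400 }));
    }
    next();
  };
}

// Assumed shape of the gate the review mentions at api/src/api/v2.js:122-134:
// every non-GET request must declare application/json.
function requireJson(req, res, next) {
  const ct = (req.headers['content-type'] || '').toLowerCase();
  if (req.method !== 'GET' && !ct.startsWith('application/json')) {
    return res.status(415).json({ error: 'Content-Type must be application/json' });
  }
  next();
}

// Destructures req.body directly, as the reviewed endpoints do.
function unguardedHandler(req, res) {
  const { language, version } = req.body;
  res.json({ language, version });
}

// Same handler hardened: tolerate a missing body and validate the fields.
function guardedHandler(req, res) {
  const { language, version } = req.body ?? {};
  if (typeof language !== 'string' || typeof version !== 'string') {
    return res.status(400).json({ error: 'language and version are required strings' });
  }
  res.json({ language, version });
}

// Constructed requests: a well-formed JSON POST, and a form-encoded POST that
// the JSON parser will skip.
const jsonPost = {
  method: 'POST',
  headers: { 'content-type': 'application/json' },
  rawBody: '{"language":"python","version":"3.12"}',
};
const formPost = {
  method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  rawBody: 'language=python&version=3.12',
};

function scenarios() {
  return {
    // v1: unparsed body is {}, handler silently answers with undefined fields.
    v1Unparsed: runChain([jsonParser({ initBody: true }), unguardedHandler], { ...formPost }),
    // v2: unparsed body is undefined, destructuring throws, chain answers 500.
    v2Unparsed: runChain([jsonParser({ initBody: false }), unguardedHandler], { ...formPost }),
    // v2 with the content-type gate in front: rejected before the handler runs.
    v2Gated: runChain([requireJson, jsonParser({ initBody: false }), unguardedHandler], { ...formPost }),
    // v2 with the guarded handler and no gate: a clean 400 instead of a 500.
    v2Guarded: runChain([jsonParser({ initBody: false }), guardedHandler], { ...formPost }),
    // Happy path is unchanged across versions.
    v2Json: runChain([requireJson, jsonParser({ initBody: false }), guardedHandler], { ...jsonPost }),
  };
}

for (const [name, res] of Object.entries(scenarios())) console.log(name, res.statusCode, res.payload);
```

Both the gate and the `?? {}` guard turn the v2 change into a deliberate 4xx; the difference is that the gate keeps the handlers as they are, which is what the review relies on, while the guard also protects any route that is later mounted outside the gate's path.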

@koki-develop koki-develop merged commit 31946f9 into master Jan 13, 2026
2 checks passed
@koki-develop koki-develop deleted the renovate/body-parser-2.x branch January 13, 2026 04:32
