Skip to content

deps: body-parser@~1.20.4#7021

Merged
bjohansebas merged 1 commit intoexpressjs:4.xfrom
suuuuuuminnnnnn:deps-body-parser-1.20.4
Feb 8, 2026
Merged

deps: body-parser@~1.20.4#7021
bjohansebas merged 1 commit intoexpressjs:4.xfrom
suuuuuuminnnnnn:deps-body-parser-1.20.4

Conversation

@suuuuuuminnnnnn
Copy link
Copy Markdown

@suuuuuuminnnnnn suuuuuuminnnnnn commented Feb 6, 2026

TL;DR

Updates body-parser from ~1.20.3 to ~1.20.4 to pull in patched qs@6.14.1 and clear the GHSA-6rw7-vpxm-498p advisory. Single-line change, full test pass, npm audit --production reports 0 vulnerabilities.

Context

Issue

Problem

Express 4.x depends on body-parser, which transitively depends on qs. qs < 6.14.1 is flagged by GHSA-6rw7-vpxm-498p (HIGH severity: arrayLimit bypass → potential DoS via memory exhaustion).
This is reported as vulnerable (not malicious).

Dependency chain (before)

express@4.22.1
└── body-parser@1.20.3
    └── qs@6.13.0 (vulnerable)

Additional context (#6972)

With ~1.20.3 in package.json:

  • Fresh installs may resolve to newer patch releases, but
  • Existing installations running npm install express@4 can remain on 1.20.3 since it still satisfies ~1.20.3.

Bumping the minimum to ~1.20.4 makes the safe patch-level update explicit.

Changes

  • package.json: bump body-parser from ~1.20.3~1.20.4 (single-line change)
  • No lockfile changes (repo policy)
- "body-parser": "~1.20.3",
+ "body-parser": "~1.20.4",

Evidence

Dependency tree (after)

npm ls body-parser qs
express@4.22.1
├─┬ body-parser@1.20.4
│ └── qs@6.14.1 deduped
└── qs@6.14.1

Vulnerabilities (after)

npm audit --production
found 0 vulnerabilities

Tests

npm test
1322 passing (1s)
1 pending

Notes

  • No functional changes besides the dependency bump.
  • Patch-level update only; no breaking changes expected.

Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or

(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or

(c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.

(d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.

@krzysdz krzysdz added 4.x deps dependencies Pull requests that update a dependency file labels Feb 6, 2026
@bjohansebas bjohansebas merged commit d39e8ad into expressjs:4.x Feb 8, 2026
53 checks passed
@GroophyLifefor GroophyLifefor mentioned this pull request Feb 14, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bjohansebas bjohansebas bjohansebas approved these changes

Assignees

No one assigned

Labels

4.x dependencies Pull requests that update a dependency file deps

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@suuuuuuminnnnnn @bjohansebas @krzysdz