fix(deps): update dependency multer to v2 [security]#658
renovate-bot wants to merge 1 commit into GoogleCloudPlatform:main from
Conversation
/gcbrun
Code Review
This pull request updates the multer dependency to version 2.1.1. The review feedback points out that this major version upgrade requires a correction in the initialization of the memory storage engine to avoid runtime failures, as the current implementation incorrectly uses a class reference instead of a function call.
| "body-parser": "^1.18.3", | ||
| "express": "^4.16.4", | ||
| "multer": "^1.4.1", | ||
| "multer": "^2.1.1", |
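Review bot: the hunk only moves the version constraint from ^1.4.1 to ^2.1.1, which crosses a major version, and nothing in it touches the call site that the review comment on this PR identifies as broken (bookshelf/lib/images.js line 77, Multer.MemoryStorage instead of Multer.memoryStorage()) or the engine requirement it cites (Node.js 10.16.0). As it stands the dependency bump could merge on its own and break file uploads at runtime; suggest carrying the images.js correction in the same PR, or landing it first, and confirming the deployment runtime meets the new Node.js minimum before merging this line.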
Upgrading to multer v2.x is a major version bump that introduces breaking changes. The current implementation in bookshelf/lib/images.js (line 77) uses Multer.MemoryStorage, which is incorrect for both v1 and v2. It should be updated to Multer.memoryStorage() (a function call) to correctly initialize the memory storage engine. In v2, passing the class/constructor instead of an instance will cause the middleware to fail during file processing.
Additionally, verify that the deployment environment supports the new minimum Node.js version requirement (10.16.0) mentioned in the release notes.
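A hardened v2 wiring for the call site the comment above refers to, as an added example that is neither the bookshelf sample's code nor multer's own. It takes the multer module as a parameter (an assumption made so the builder can be exercised without the package installed), and the limit values are assumptions to tune per deployment:

```javascript
// Added example, not code from the bookshelf sample or from multer itself.
// Shows the v2 wiring the review asks for: memoryStorage() called as a
// factory, plus request limits so a hostile upload cannot exhaust memory.
// The multer module is passed in rather than required at load time so the
// builder can be exercised without the package installed (assumption).

// Caps for a single-image form; the numbers are assumptions, tune per app.
// With memory storage every accepted file lives in RAM, so fileSize * files
// bounds the memory one request can pin.
const UPLOAD_LIMITS = {
  fileSize: 5 * 1024 * 1024, // bytes per file part
  files: 1,                  // file parts per request
  fields: 10,                // non-file fields per request
  fieldSize: 1024,           // bytes per non-file field value
  parts: 11,                 // total parts, files + fields
};

// Returns Express middleware accepting one file under `fieldName`.
// Multer.MemoryStorage (the class) is the bug flagged in review; the engine
// must be the object returned by calling memoryStorage().
function createImageUpload(multer, fieldName = 'image', limits = UPLOAD_LIMITS) {
  if (typeof multer !== 'function' || typeof multer.memoryStorage !== 'function') {
    throw new TypeError('createImageUpload expects the multer module');
  }
  const storage = multer.memoryStorage();
  return multer({ storage, limits }).single(fieldName);
}

// Express error handler registered after the upload route. Multer reports a
// hit limit as a MulterError carrying a `code`; map it to a client error
// instead of letting it surface as a 500.
function uploadErrorHandler(err, req, res, next) {
  if (!err || err.name !== 'MulterError') return next(err);
  const status = err.code === 'LIMIT_FILE_SIZE' ? 413 : 400;
  return res.status(status).json({ error: 'upload rejected', code: err.code });
}

module.exports = { UPLOAD_LIMITS, createImageUpload, uploadErrorHandler };
```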
This PR contains the following updates:
multer: ^1.4.1 → ^2.1.1
GitHub Vulnerability Alerts
CVE-2026-3304
Impact
A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.
Patches
Users should upgrade to 2.1.0
Workarounds
None
CVE-2026-2359
Impact
A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion.
Patches
Users should upgrade to 2.1.0
Workarounds
None
CVE-2026-3520
Impact
A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow.
Patches
Users should upgrade to 2.1.1
Workarounds
None
Resources
Release Notes
expressjs/multer (multer)
v2.1.1
v2.1.0
defParamCharset option for UTF-8 filename support (#1210)
v2.0.2
v2.0.1
v2.0.0
v1.4.4
v1.4.3
v1.4.2
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.