From 54f98be279986c7648eb70ca5e4980b578f0cdc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 9 Jul 2026 12:35:20 +0200 Subject: [PATCH 1/3] docs: include security fix in 2.3.0 changes Ref: https://github.com/expressjs/body-parser/security/advisories/GHSA-v422-hmwv-36x6 --- HISTORY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/HISTORY.md b/HISTORY.md index b973e21c..f102c9e4 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,6 +1,7 @@ 2.3.0 / 2026-06-15 ======================== +* Security fix for [GHSA-v422-hmwv-36x6](https://github.com/expressjs/body-parser/security/advisories/GHSA-v422-hmwv-36x6) * fix: use static exports instead of lazy getters to improve ESM compatibility * feat: add subpath exports for individual parsers * fix: improve `limit` option validation (#698) From 4188e55d37567dacec9436cca962945af7ee1a1f Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Mon, 13 Jul 2026 22:45:45 +0200 Subject: [PATCH 2/3] docs: include 1.x release notes --- HISTORY.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/HISTORY.md b/HISTORY.md index f102c9e4..c980f305 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -108,6 +108,19 @@ This incorporates all changes after 1.19.1 up to 1.20.2. - it is left `undefined` unless a body is parsed * `urlencoded` parser now defaults `extended` to `false` * Use `on-finished` to determine when body read +1.20.6 / 2026-07-09 +=================== +* Security fix for [GHSA-v422-hmwv-36x6](https://github.com/expressjs/body-parser/security/advisories/GHSA-v422-hmwv-36x6) +* fix: improve `limit` option validation (#698) + * Invalid `limit` values (e.g. unparseable strings or `NaN`) now throw instead of being silently ignored, which previously disabled size limit enforcement + * `null` and `undefined` fall back to the default 100kb limit + +1.20.5 / 2026-04-24 +=================== +* refactor(json): simplify strict mode error string construction +* fix: extended urlencoded parsing of arrays with >100 elements (#716) +* deps: qs@~6.15.1 +* 1.20.4 / 2025-12-01 =================== From 4b5bd059efbbecc85a24154f0918e4aa3f87507d Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Mon, 13 Jul 2026 22:47:10 +0200 Subject: [PATCH 3/3] add missing blank --- HISTORY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/HISTORY.md b/HISTORY.md index c980f305..9d43ed3e 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -108,6 +108,7 @@ This incorporates all changes after 1.19.1 up to 1.20.2. - it is left `undefined` unless a body is parsed * `urlencoded` parser now defaults `extended` to `false` * Use `on-finished` to determine when body read + 1.20.6 / 2026-07-09 =================== * Security fix for [GHSA-v422-hmwv-36x6](https://github.com/expressjs/body-parser/security/advisories/GHSA-v422-hmwv-36x6)