From bbc01533d7e9f2f3650d20bf787940495b92b2df Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 6 Mar 2026 01:04:48 +0800
Subject: [PATCH] chore: bump up multer version to v2.1.1 [SECURITY] (#14576)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [multer](https://redirect.github.com/expressjs/multer) | [`2.1.0` → `2.1.1`](https://renovatebot.com/diffs/npm/multer/2.1.0/2.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/multer/2.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/multer/2.1.0/2.1.1?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-2359](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc)

### Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion.

### Patches

Users should upgrade to `2.1.0`

### Workarounds

None

#### [CVE-2026-3304](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p)

### Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.

### Patches

Users should upgrade to `2.1.0`

### Workarounds

None

#### [CVE-2026-3520](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2)

### Impact

A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow.

### Patches

Users should upgrade to `2.1.1`

### Workarounds

None

### Resources

- https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2
- https://www.cve.org/CVERecord?id=CVE-2026-3520
- https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752
- https://cna.openjsf.org/security-advisories.html

---

### Release Notes

expressjs/multer (multer)

### [`v2.1.1`](https://redirect.github.com/expressjs/multer/blob/HEAD/CHANGELOG.md#211)

[Compare Source](https://redirect.github.com/expressjs/multer/compare/v2.1.0...v2.1.1)

- Fix [CVE-2026-3520](https://www.cve.org/CVERecord?id=CVE-2026-3520) ([GHSA-5528-5vmv-3xc2](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2))
- fix error/abort handling

--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index f5baa2f7d7..6fcd0dcc28 100644 --- a/yarn.lock +++ b/yarn.lock @@ -29128,14 +29128,14 @@ __metadata: linkType: hard "multer@npm:^2.0.2": - version: 2.1.0 - resolution: "multer@npm:2.1.0" + version: 2.1.1 + resolution: "multer@npm:2.1.1" dependencies: append-field: "npm:^1.0.0" busboy: "npm:^1.6.0" concat-stream: "npm:^2.0.0" type-is: "npm:^1.6.18" - checksum: 10/7677636ed84ebd12d67849887ab69c982a7043c1ed0d209e512500f8cff73474601fc0b6922ba07dfd872641822788d323ab795e53f6d0910a5f00b10e07b498 + checksum: 10/fb22868caaed37d725715c14c60b740b81665265da3a026bb61954414f65b99f76b360128413b8a2a7cc1a95ecae28a42bf831fe172bb79682d19ec105b556bd languageName: node linkType: hard
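
Review bot: the descriptor line `"multer@npm:^2.0.2":` at the top of the yarn.lock hunk is unchanged, and the diffstat shows yarn.lock as the only file touched, so the declared range still admits 2.0.2 and 2.1.0, which the advisories quoted in the commit message list as affected (< 2.1.0 for CVE-2026-2359 and CVE-2026-3304, < 2.1.1 for CVE-2026-3520). The fix therefore rests on the lock entry alone: the range itself does not exclude the affected releases for anything that resolves it without this lock. Consider raising the range in the package.json that declares multer to `^2.1.1` in the same change, so the patched floor is stated in the manifest and the descriptor here becomes `"multer@npm:^2.1.1":`.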