Bump body-parser from 2.2.2 to 2.3.0 #358

Draft

dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/body-parser-2.3.0

Conversation

dependabot[bot] (Contributor) commented on behalf of github on Jun 16, 2026

Bumps body-parser from 2.2.2 to 2.3.0.

Release notes

Sourced from body-parser's releases.

v2.3.0

What's Changed

New Contributors

Full Changelog: expressjs/body-parser@v2.2.2...v2.3.0

Changelog

Sourced from body-parser's changelog.

2.3.0 / 2026-06-15

  • fix: use static exports instead of lazy getters to improve ESM compatibility
  • feat: add subpath exports for individual parsers
  • fix: improve limit option validation (#698)
    • Invalid limit values (e.g. unparseable strings or NaN) now throw instead of being silently ignored, which previously disabled size limit enforcement
    • null and undefined fall back to the default 100kb limit
  • deps:
    • content-type@^2.0.0
    • http-errors@^2.0.1
    • iconv-lite@^0.7.2
    • qs@^6.15.2
    • raw-body@^3.0.2
    • type-is@^2.1.0
Commits
  • d0f2ace 2.3.0 (#735)
  • 7d03f2f chore: updated deps to latest (#733)
  • 8024ba7 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#732)
  • 32b4ed4 build(deps): bump github/codeql-action from 4.35.3 to 4.36.1 (#731)
  • ff0f6b9 docs: update outdated reference to MDN docs (#730)
  • 14d001a refactor: switch to const/let and enable eslint no-var rule (#729)
  • 37f36a2 deps: update content-type and type-is (#728)
  • e1c244b build(deps): bump github/codeql-action from 4.35.1 to 4.35.3 (#723)
  • e01087f build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#724)
  • a7698d3 build(deps): bump actions/setup-node from 6.3.0 to 6.4.0 (#725)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
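The stricter limit validation described in the changelog above, modelled as an added example that is neither body-parser's code nor part of this PR: a legacy-style resolver drops an unparseable limit so the size check never fires, while the 2.3.0-style resolver throws at configuration time and treats only null/undefined as "use the 100kb default". The small unit parser stands in for the bytes package and is an assumption of this example.

```javascript
// Added example (not body-parser's code): models the limit-option behaviour the
// 2.3.0 changelog describes. Unit parsing here is a small stand-in for the `bytes`
// package (assumption), enough for "100kb", "1.5mb" or a plain number.
const DEFAULT_LIMIT = 100 * 1024; // 100kb, the documented default
const UNITS = { b: 1, kb: 1024, mb: 1024 ** 2, gb: 1024 ** 3 };

// Parse a limit into a byte count; returns NaN when it cannot be understood.
function toBytes(value) {
  if (typeof value === 'number') return Number.isFinite(value) && value >= 0 ? value : NaN;
  if (typeof value !== 'string') return NaN;
  const m = /^\s*(\d+(?:\.\d+)?)\s*(b|kb|mb|gb)?\s*$/i.exec(value);
  return m ? Math.floor(Number(m[1]) * UNITS[(m[2] || 'b').toLowerCase()]) : NaN;
}

// Pre-2.3.0 shape: an unparseable limit silently becomes null, and null means
// "no limit" to the size check below. A typo in config disables enforcement.
function legacyLimit(opt) {
  const n = toBytes(opt ?? '100kb');
  return Number.isNaN(n) ? null : n;
}

// 2.3.0 shape: null/undefined fall back to 100kb; anything unparseable throws,
// so a misconfigured limit fails at startup instead of at the first large body.
function strictLimit(opt) {
  if (opt === null || opt === undefined) return DEFAULT_LIMIT;
  const n = toBytes(opt);
  if (Number.isNaN(n)) throw new TypeError(`invalid limit option: ${String(opt)}`);
  return n;
}

// Whether a body of contentLength bytes must be rejected under a resolved limit.
function exceedsLimit(contentLength, limit) {
  return limit !== null && contentLength > limit;
}
```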

Greptile Summary

This is a Dependabot PR that bumps body-parser from 2.2.2 to 2.3.0. The body-parser release adds stricter limit option validation (invalid values now throw rather than silently disabling size limits), ESM subpath exports, and dependency updates (content-type ^2, qs ^6.15, raw-body ^3.0.2).

  • package.json and package-lock.json change only the body-parser pin; no other direct dependency versions are touched.
  • pnpm-lock.yaml was previously out of sync with package.json on the master branch; regenerating it as part of this install also resolves stale entries, effectively upgrading mongoose (8→9), consolidate (0.16→1.0), sequelize-typescript (0.3→1.0), passport (0.6→0.7), and mysql2 patch versions — none of which are mentioned in the PR description.

Confidence Score: 4/5

The body-parser bump itself is safe, but merging also silently deploys mongoose 8→9, consolidate 0.16→1.0, and sequelize-typescript 0→1 through the pnpm lockfile — major version upgrades that should be explicitly validated before going to production.

The pnpm-lock.yaml regeneration carries major-version upgrades (mongoose, consolidate, sequelize-typescript) that are entirely absent from the PR description. On a platform handling billions of requests monthly, these updates warrant conscious review and regression testing rather than an implicit merge through a Dependabot body-parser PR.

pnpm-lock.yaml — the hidden major-version upgrades land here and will affect any environment that uses pnpm to install dependencies.

Important Files Changed

| Filename | Overview |
| --- | --- |
| package.json | Single-line change: body-parser pinned version bumped from 2.2.2 to 2.3.0; all other entries unchanged. |
| package-lock.json | npm lockfile updated only for body-parser and its transitive deps (content-type 1→2, qs, raw-body, type-is); all other locked versions unchanged. |
| pnpm-lock.yaml | Lockfile was out of sync with package.json on the base branch; regeneration picks up mongoose 8→9, consolidate 0.16→1.0, sequelize-typescript 0.3→1.0, and other version changes in addition to the body-parser bump. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[package.json] -->|body-parser 2.2.2 → 2.3.0| B[npm install / pnpm install]
    B --> C[package-lock.json\nbody-parser only updated]
    B --> D[pnpm-lock.yaml\nbody-parser + stale deps resolved]
    D --> E[mongoose 8.16.0 → 9.6.3\nMAJOR]
    D --> F[consolidate 0.16.0 → 1.0.4\nMAJOR]
    D --> G[sequelize-typescript 0.3.22 → 1.0.0\nMAJOR]
    D --> H[passport 0.6.0 → 0.7.0\nMINOR]
    D --> I[mysql2 3.22.1 → 3.22.4\nPATCH]
    style E fill:#f96,stroke:#c00
    style F fill:#f96,stroke:#c00
    style G fill:#f96,stroke:#c00

Comments Outside Diff (1)

  1. pnpm-lock.yaml, line 1

    P1: Silent major-version upgrades bundled in lockfile sync

    The pnpm-lock.yaml was out of sync with package.json on the base branch (the specifiers for mongoose, mysql2, passport, consolidate, and sequelize-typescript in the pnpm lockfile still tracked the old pinned versions). Running pnpm install to bump body-parser also resolved those drifted entries, pulling in several major-version changes that are not mentioned in the PR description:

    • mongoose 8.16.0 → 9.6.3 (major — significant breaking-change release)
    • consolidate 0.16.0 → 1.0.4 (major)
    • sequelize-typescript 0.3.22 → 1.0.0 (major)
    • passport 0.6.0 → 0.7.0 (minor)
    • mysql2 3.22.1 → 3.22.4 (patch)

    If pnpm is the package manager used in production or CI, these effective upgrades will be applied when deploying this PR. For a platform processing billions of requests per month, mongoose 8→9 and sequelize-typescript 0→1 carry meaningful breaking-change risk that deserves explicit validation before merge.



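One way to surface the lockfile drift the review comment describes before an unrelated install silently resolves it, as an added example that is not part of this PR or of any project tooling: compare the specifiers in package.json with the root importer's specifiers in pnpm-lock.yaml and fail when they differ. The lockfile parser assumes the indentation-based importers layout of a v9 pnpm-lock.yaml, and both sample files are constructed; in CI, `pnpm install --frozen-lockfile` enforces the same invariant.

```javascript
// Added example, not the project's tooling: flag package.json specifiers that the
// pnpm-lock.yaml root importer does not match, so a drifted lockfile is noticed
// before an unrelated `pnpm install` regenerates it with surprise major upgrades.
// Constructed package.json: already pinned to the newer versions on the base branch.
const PACKAGE_JSON = JSON.stringify({
  dependencies: { 'body-parser': '2.2.2', mongoose: '9.6.3', passport: '0.7.0' },
});

// Constructed pnpm-lock.yaml excerpt whose specifiers still track the old pins.
const PNPM_LOCK = `lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      body-parser:
        specifier: 2.2.2
        version: 2.2.2
      mongoose:
        specifier: 8.16.0
        version: 8.16.0
      passport:
        specifier: 0.6.0
        version: 0.6.0
`;

// Collect { name: specifier } from the importers section of a pnpm-lock.yaml.
// Assumes the v9 layout (assumption): importers at indent 0, package names at
// indent 6, specifier/version at indent 8. No YAML library is needed for this.
function lockSpecifiers(lockText) {
  const out = {};
  let inImporters = false, dep = null;
  for (const raw of lockText.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) { inImporters = line === 'importers:'; continue; }
    if (!inImporters) continue;
    if (indent === 6 && line.endsWith(':')) dep = line.slice(0, -1).replace(/^'|'$/g, '');
    else if (indent === 8 && dep && line.startsWith('specifier:'))
      out[dep] = line.slice('specifier:'.length).trim();
  }
  return out;
}

// Report every package.json dependency whose lockfile specifier differs or is missing.
function lockfileDrift(pkgText, lockText) {
  const pkg = JSON.parse(pkgText);
  const wanted = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = lockSpecifiers(lockText);
  return Object.entries(wanted)
    .filter(([name, spec]) => locked[name] !== spec)
    .map(([name, spec]) => ({ name, packageJson: spec, lock: locked[name] ?? null }));
}
```

A non-empty result is the signal to fail the check: on this PR it would have listed mongoose and passport before the body-parser bump was ever applied.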

Bumps [body-parser](https://github.com/expressjs/body-parser) from 2.2.2 to 2.3.0.
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@v2.2.2...v2.3.0)

---
updated-dependencies:
- dependency-name: body-parser
  dependency-version: 2.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) on Jun 16, 2026
dependabot[bot] requested a review from a team as a code owner on June 16, 2026 10:13
sallainternalbot marked this pull request as draft on June 16, 2026 10:13
codacy-production commented

Not up to standards ⛔

🔴 Issues: 2 medium

Alerts: ⚠ 2 issues (threshold: ≤ 0 issues of at least minor severity)

Results: 2 new issues

| Category | Results |
| --- | --- |
| Security | 2 medium |

🟢 Metrics: 0 complexity · 0 duplication

| Metric | Results |
| --- | --- |
| Complexity | 0 |
| Duplication | 0 (threshold: ≤ 2 duplication) |

