Releases: adonisjs/bodyparser
Tag as latest
11.0.0 (2026-02-25)
Check 11.0.0 pre-releases to get a better sense of changes
What's Changed
- fix: #72 allow case insensitive comparison of the extensions list by @JanStevens in #73
New Contributors
- @JanStevens made their first contribution in #73
Full Changelog: v10.1.0...v11.0.0
Fix wrongly thrown error
10.1.4 (2026-02-23)
Bug Fixes
What's Changed
- fix: mismatch catch err variable used by @davisthedev in #77
New Contributors
- @davisthedev made their first contribution in #77
Full Changelog: v10.1.3...v10.1.4
Security Fixes
Multipart field names sanitization
Hardened the internal storage used by the multipart parser to collect form fields, preventing potential misuse of specially crafted field names.
File type detection memory improvement
Fixed an issue where the internal buffer used for file type detection could grow indefinitely when processing files whose content didn't match any known magic number signature. The parser now falls back to filename-based detection after a reasonable threshold, ensuring predictable memory usage during file uploads.
Full Changelog: v11.0.0-next.8...v11.0.0-next.9
Security Fixes
Multipart field names sanitization
Hardened the internal storage used by the multipart parser to collect form fields, preventing potential misuse of specially crafted field names.
File type detection memory improvement
Fixed an issue where the internal buffer used for file type detection could grow indefinitely when processing files whose content didn't match any known magic number signature. The parser now falls back to filename-based detection after a reasonable threshold, ensuring predictable memory usage during file uploads.
Use flash symbol to prevent Multipart files being part of flash messages
11.0.0-next.8 (2026-02-01)
Bug Fixes
- use Symbol.for to use portable symbols (080b53a)
Full Changelog: v11.0.0-next.7...v11.0.0-next.8
Bug fix in multipart error handling and make size and extension validators public
11.0.0-next.7 (2026-02-01)
Bug Fixes
Features
- make size and extensions validators public and prevent flashing files (fc78bd7)
Full Changelog: v11.0.0-next.6...v11.0.0-next.7
Prevent path traversal during file uploads
11.0.0-next.6 (2026-01-02)
Security update for CVE-2026-21440 (GHSA-gvq6-hvvp-h34h)
This patch release fixes a security issue in multipart file uploads related to how filenames were handled when moving uploaded files to disk.
The MultipartFile.move(location) method no longer uses the client-provided filename by default. Previously, if no filename was explicitly provided, the original filename sent by the client was used. This behavior has changed: we now use a UUID to create a unique random name for the file.
Breaking change
If your application relied on the original client filename being preserved implicitly, this behavior has changed. The newly generated file names will now use uuid.
However, if you were always passing an explicit name, you are unaffected by this breaking change.
We consider this a necessary breaking change to close a security gap and align with secure defaults. Shipping this as a patch release ensures the fix reaches all users, including those who do not regularly upgrade major versions.
Breaking - Prevent path traversal during file uploads
10.1.2 (2026-01-02)
Security update for CVE-2026-21440 (GHSA-gvq6-hvvp-h34h)
This patch release fixes a security issue in multipart file uploads related to how filenames were handled when moving uploaded files to disk.
The MultipartFile.move(location) method no longer uses the client-provided filename by default. Previously, if no filename was explicitly provided, the original filename sent by the client was used. This behavior has changed: we now use a UUID to create a unique random name for the file.
Breaking change
If your application relied on the original client filename being preserved implicitly, this behavior has changed. The newly generated file names will now use uuid.
However, if you were always passing an explicit name, you are unaffected by this breaking change.
We consider this a necessary breaking change to close a security gap and align with secure defaults. Shipping this as a patch release ensures the fix reaches all users, including those who do not regularly upgrade major versions.
Bug Fixes
- path traversal during file.move operation (6795c0e)
Full Changelog: v10.1.1...v10.1.2
Update dependencies
11.0.0-next.5 (2025-12-15)
Full Changelog: v11.0.0-next.4...v11.0.0-next.5
Update to the latest release of HTTP server
11.0.0-next.4 (2025-12-03)
Full Changelog: v11.0.0-next.3...v11.0.0-next.4