fix(deps): update dependency multer to v2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
multer	^1.4.2 → ^2.1.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-2359

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

CVE-2026-3304

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

CVE-2026-3520

Impact

A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow.

Patches

Users should upgrade to 2.1.1

Workarounds

None

Resources

• GHSA-5528-5vmv-3xc2
• https://www.cve.org/CVERecord?id=CVE-2026-3520
• expressjs/multer@7e66481
• https://cna.openjsf.org/security-advisories.html

---

Release Notes

expressjs/multer (multer)

v2.1.1

Compare Source

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)
• fix error/abort handling

v2.1.0

Compare Source

• Add defParamCharset option for UTF-8 filename support (#​1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

v2.0.2

Compare Source

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

v2.0.1

Compare Source

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

v2.0.0

Compare Source

• Breaking change: The minimum supported Node version is now 10.16.0
• Fix CVE-2025-47935 (GHSA-44fp-w29j-9vj5)
• Fix CVE-2025-47944 (GHSA-4pg4-qvpc-4q3h)

v1.4.4

Compare Source

• Bugfix: Bump busboy to fix CVE-2022-24434 (#​1097)
• Breaking: Require Node.js 10.16.0 or later (#​1097)

v1.4.3

Compare Source

• Bugfix: Avoid deprecated pseudoRandomBytes function (#​774)
• Docs: Add Português Brazil translation for README (#​758)
• Docs: Clarify the callback calling convention (#​775)
• Docs: Add example on how to link to html multipart form (#​580)
• Docs: Add Spanish translation for README (#​838)
• Docs: Add Math.random() to storage filename example (#​841)
• Docs: Fix mistakes in russian doc (#​869)
• Docs: Improve Português Brazil translation (#​877)
• Docs: Update var to const in all Readmes (#​1024)
• Internal: Bump mkdirp version (#​862)
• Internal: Bump Standard version (#​878)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.