Update dependency express-fileupload to v1.1.9 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
express-fileupload	1.1.6 → 1.1.9

---

Prototype Pollution in express-fileupload

CVE-2020-7699 / GHSA-9wcg-jrwf-8gg7

More information

Details

This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-7699
• https://github.com/richardgirges/express-fileupload/issues/236
• https://github.com/richardgirges/express-fileupload/pull/237
• https://github.com/richardgirges/express-fileupload/commit/db495357d7557ceb5c034de91a7a574bd12f9b9f
• https://snyk.io/vuln/SNYK-JS-EXPRESSFILEUPLOAD-595969
• https://security.netapp.com/advisory/ntap-20200821-0003/
• https://github.com/advisories/GHSA-9wcg-jrwf-8gg7

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

richardgirges/express-fileupload (express-fileupload)

v1.1.9

Compare Source

Updates:

Second prototype pollution security vulnerability fix when using processNested (#​236)

v1.1.8

Compare Source

Updates:

Fixed prototype pollution security vulnerability when using processNested (#​236)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.