Commit c24756c

feat(deps): bump body-parser from 1.20.4 to 2.2.2 (#19191)
Bumps [body-parser](https://github.com/expressjs/body-parser) from 1.20.4 to 2.2.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/expressjs/body-parser/releases">body-parser's releases</a>.</em></p> <blockquote> <h2>v2.2.2</h2> <h2>What's Changed</h2> <ul> <li>docs: update README links by <a href="https://github.com/efekrskl"><code>@​efekrskl</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/673">expressjs/body-parser#673</a></li> <li>docs: release notes for the v1.20.4 release by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/674">expressjs/body-parser#674</a></li> <li>docs: update URL-encoded parser description to include ISO-8859-1 encoding support by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/679">expressjs/body-parser#679</a></li> <li>docs: use standard jsdoc tags everywhere by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/677">expressjs/body-parser#677</a></li> <li>deps: qs@^6.14.1 by <a href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/689">expressjs/body-parser#689</a></li> <li>refactor(json): simplify strict mode error string construction by <a href="https://github.com/jonchurch"><code>@​jonchurch</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/693">expressjs/body-parser#693</a></li> <li>Release: 2.2.2 by <a href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/691">expressjs/body-parser#691</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/efekrskl"><code>@​efekrskl</code></a> made 
their first contribution in <a href="https://redirect.github.com/expressjs/body-parser/pull/673">expressjs/body-parser#673</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/expressjs/body-parser/compare/v2.2.1...v2.2.2">https://github.com/expressjs/body-parser/compare/v2.2.1...v2.2.2</a></p> <h2>v2.2.1</h2> <h2>Important: Security</h2> <ul> <li>Security fix for <a href="https://www.cve.org/CVERecord?id=CVE-2025-13466">CVE-2025-13466</a> (<a href="https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4">GHSA-wqch-xfxh-vrr4</a>)</li> </ul> <h2>What's Changed</h2> <ul> <li>ci: add dependabot by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/593">expressjs/body-parser#593</a></li> <li>ci: use full SHAs for github action versions by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/594">expressjs/body-parser#594</a></li> <li>deps: type-is@^2.0.1 by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/599">expressjs/body-parser#599</a></li> <li>build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/609">expressjs/body-parser#609</a></li> <li>build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/610">expressjs/body-parser#610</a></li> <li>build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a 
href="https://redirect.github.com/expressjs/body-parser/pull/611">expressjs/body-parser#611</a></li> <li>build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/613">expressjs/body-parser#613</a></li> <li>build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/612">expressjs/body-parser#612</a></li> <li>ci: add codeql github workflows scanning by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/614">expressjs/body-parser#614</a></li> <li>ci: update CodeQL config to ignore the test directory by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/615">expressjs/body-parser#615</a></li> <li>build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/620">expressjs/body-parser#620</a></li> <li>build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/619">expressjs/body-parser#619</a></li> <li>chore(deps): unpin devDependencies by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/616">expressjs/body-parser#616</a></li> <li>ci: add node.js 24 to test matrix by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a 
href="https://redirect.github.com/expressjs/body-parser/pull/621">expressjs/body-parser#621</a></li> <li>build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/623">expressjs/body-parser#623</a></li> <li>build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/624">expressjs/body-parser#624</a></li> <li>chore: add funding to package.json by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/617">expressjs/body-parser#617</a></li> <li>build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/625">expressjs/body-parser#625</a></li> <li>build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/630">expressjs/body-parser#630</a></li> <li>refactor: move common request validation to read function by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/600">expressjs/body-parser#600</a></li> <li>deps: bump iconv-lite by <a href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/631">expressjs/body-parser#631</a></li> <li>doc: pull beta changelog forward into 2.0.0 by <a href="https://github.com/jonchurch"><code>@​jonchurch</code></a> in <a 
href="https://redirect.github.com/expressjs/body-parser/pull/629">expressjs/body-parser#629</a></li> <li>refactor: optimize raw and text parsers with shared passthrough function by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/634">expressjs/body-parser#634</a></li> <li>build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/640">expressjs/body-parser#640</a></li> <li>build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/639">expressjs/body-parser#639</a></li> <li>build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/636">expressjs/body-parser#636</a></li> <li>build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/637">expressjs/body-parser#637</a></li> <li>build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/expressjs/body-parser/pull/638">expressjs/body-parser#638</a></li> <li>deps: raw-body@^3.0.1 by <a href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in <a href="https://redirect.github.com/expressjs/body-parser/pull/641">expressjs/body-parser#641</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/expressjs/body-parser/blob/master/HISTORY.md">body-parser's changelog</a>.</em></p> <blockquote> <h1>2.2.2 / 2026-01-07</h1> <ul> <li>deps: qs@^6.14.1</li> <li>refactor(json): simplify strict mode error string construction</li> </ul> <h1>2.2.1 / 2025-11-24</h1> <ul> <li>Security fix for <a href="https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4">GHSA-wqch-xfxh-vrr4</a></li> <li>deps: <ul> <li>type-is@^2.0.1</li> <li>iconv-lite@^0.7.0 <ul> <li>Handle split surrogate pairs when encoding UTF-8</li> <li>Avoid false positives in <code>encodingExists</code> by using prototype-less objects</li> </ul> </li> <li>raw-body@^3.0.1</li> <li>debug@^4.4.3</li> </ul> </li> </ul> <h1>2.2.0 / 2025-03-27</h1> <ul> <li>refactor: normalize common options for all parsers</li> <li>deps: <ul> <li>iconv-lite@^0.6.3</li> </ul> </li> </ul> <h1>2.1.0 / 2025-02-10</h1> <ul> <li>deps: <ul> <li>type-is@^2.0.0</li> <li>debug@^4.4.0</li> <li>Removed destroy</li> </ul> </li> <li>refactor: prefix built-in node module imports</li> <li>use the node require cache instead of custom caching</li> </ul> <h1>2.0.2 / 2024-10-31</h1> <ul> <li>remove <code>unpipe</code> package and use native <code>unpipe()</code> method</li> </ul> <h1>2.0.1 / 2024-09-10</h1> <ul> <li>Restore expected behavior <code>extended</code> to <code>false</code></li> </ul> <h1>2.0.0 / 2024-09-10</h1> <h2>Breaking Changes</h2> <ul> <li>Node.js 18 is the minimum supported version</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/expressjs/body-parser/commit/3d248660b2e8b66732b232d7c758517fbf2420a6"><code>3d24866</code></a> 2.2.2 (<a href="https://redirect.github.com/expressjs/body-parser/issues/691">#691</a>)</li> <li><a href="https://github.com/expressjs/body-parser/commit/8474a984c3ba36a1b4328ce019833b99caa0f08f"><code>8474a98</code></a> refactor(json): simplify strict mode error string construction (<a href="https://redirect.github.com/expressjs/body-parser/issues/693">#693</a>)</li> <li><a href="https://github.com/expressjs/body-parser/commit/03f17c2538552a57e6be537afca8c7587bd40aaa"><code>03f17c2</code></a> deps: qs@^6.14.1 (<a href="https://redirect.github.com/expressjs/body-parser/issues/689">#689</a>)</li> <li><a href="https://github.com/expressjs/body-parser/commit/ea1f25e503c1b2f7ba6f8562724ae0fcd247fb75"><code>ea1f25e</code></a> docs: use standard jsdoc tags everywhere (<a href="https://redirect.github.com/expressjs/body-parser/issues/677">#677</a>)</li> <li><a href="https://github.com/expressjs/body-parser/commit/d7deef8ec61307fa28c22bc443cf8ed2f267945a"><code>d7deef8</code></a> docs: update URL-encoded parser description to include ISO-8859-1 encoding su...</li> <li><a href="https://github.com/expressjs/body-parser/commit/b6f52aabc65137c5227c8a462bddb761daeb96e7"><code>b6f52aa</code></a> docs: release notes for the v1.20.4 release (<a href="https://redirect.github.com/expressjs/body-parser/issues/674">#674</a>)</li> <li><a href="https://github.com/expressjs/body-parser/commit/2965ca4af4883109cb2f651f4ce12da310902a0c"><code>2965ca4</code></a> docs: update links (<a href="https://redirect.github.com/expressjs/body-parser/issues/673">#673</a>)</li> <li><a href="https://github.com/expressjs/body-parser/commit/d96b63da8d7445de317736471633bac83ec76cbb"><code>d96b63d</code></a> 2.2.1 (<a href="https://redirect.github.com/expressjs/body-parser/issues/659">#659</a>)</li> <li><a 
href="https://github.com/expressjs/body-parser/commit/b204886a6744b0b6d297cd0e849d75de836f3b63"><code>b204886</code></a> sec: security patch for CVE-2025-13466</li> <li><a href="https://github.com/expressjs/body-parser/commit/e20e3512e085c1162e8ffe36ac65c705a8017251"><code>e20e351</code></a> feat: remove <code>history.md</code> from being packaged on publish (<a href="https://redirect.github.com/expressjs/body-parser/issues/660">#660</a>)</li> <li>Additional commits viewable in <a href="https://github.com/expressjs/body-parser/compare/1.20.4...v2.2.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=body-parser&package-manager=npm_and_yarn&previous-version=1.20.4&new-version=2.2.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
[//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrei Borza <andrei.borza@sentry.io>
1 parent b0a1ad2 commit c24756c

4 files changed

+18
-19
lines changed

dev-packages/node-core-integration-tests/package.json

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@
3636
"@opentelemetry/semantic-conventions": "^1.39.0",
3737
"@sentry/core": "10.39.0",
3838
"@sentry/node-core": "10.39.0",
39-
"body-parser": "^1.20.3",
39+
"body-parser": "^2.2.2",
4040
"cors": "^2.8.5",
4141
"cron": "^3.1.6",
4242
"express": "^4.21.2",

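Review bot: `"body-parser": "^2.2.2"` now sits beside `"express": "^4.21.2"` in this manifest, so the package mixes a 2.x standalone parser with an Express 4 line. The lockfile in this same commit still carries a separate `body-parser@~1.20.3` entry resolved to 1.20.4; if that range is held by Express, suites that call `express.json()` and suites that call `bodyParser.json()` will run different major versions of the parser. Please state in the PR which of the two the tests are meant to cover, or plan the Express bump alongside this one.
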
dev-packages/node-integration-tests/package.json

Lines changed: 1 addition & 1 deletion
@@ -46,7 +46,7 @@
4646
"@types/pg": "^8.6.5",
4747
"ai": "^4.3.16",
4848
"amqplib": "^0.10.7",
49-
"body-parser": "^1.20.3",
49+
"body-parser": "^2.2.2",
5050
"connect": "^3.7.0",
5151
"consola": "^3.2.3",
5252
"cors": "^2.8.5",

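Review bot: the change from `^1.20.3` to `^2.2.2` crosses a major version, and the changelog quoted in the commit message lists "Node.js 18 is the minimum supported version" under the 2.0.0 breaking changes, with the rest of that list truncated. Please confirm that every Node version this integration-test package runs on is 18 or later, and read the full 2.0.0 notes against the parsers the suites configure (for example the `extended` default mentioned under 2.0.1) before merging.
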
dev-packages/node-integration-tests/suites/express/with-http/maxIncomingRequestBodySize/scenario.mjs

Lines changed: 0 additions & 1 deletion
@@ -7,7 +7,6 @@ const app = express();
77

88
// Increase limit for JSON parsing
99
app.use(bodyParser.json({ limit: '3mb' }));
10-
app.use(express.json({ limit: '3mb' }));
1110

1211
app.post('/test-body-size', (req, res) => {
1312
const receivedSize = JSON.stringify(req.body).length;
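Review bot: dropping `app.use(express.json({ limit: '3mb' }));` changes what this scenario tests, and the commit message gives no reason for it. Before this hunk the request passed through both `bodyParser.json` and `express.json` with the same 3mb limit; afterwards only the standalone body-parser path is exercised, so the maxIncomingRequestBodySize test no longer covers Express's built-in JSON middleware. A short comment explaining why the second parser had to go, or a separate scenario that uses `express.json()` alone, would keep that coverage decision visible.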

yarn.lock

Lines changed: 16 additions & 16 deletions
@@ -12643,7 +12643,22 @@ bluebird@^3.4.6, bluebird@^3.7.2:
1264312643
resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.7.2.tgz#9f229c15be272454ffa973ace0dbee79a1b0c36f"
1264412644
integrity sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==
1264512645

12646-
body-parser@^1.20.3, body-parser@~1.20.3:
12646+
body-parser@^2.2.1, body-parser@^2.2.2:
12647+
version "2.2.2"
12648+
resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-2.2.2.tgz#1a32cdb966beaf68de50a9dfbe5b58f83cb8890c"
12649+
integrity sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==
12650+
dependencies:
12651+
bytes "^3.1.2"
12652+
content-type "^1.0.5"
12653+
debug "^4.4.3"
12654+
http-errors "^2.0.0"
12655+
iconv-lite "^0.7.0"
12656+
on-finished "^2.4.1"
12657+
qs "^6.14.1"
12658+
raw-body "^3.0.1"
12659+
type-is "^2.0.1"
12660+
12661+
body-parser@~1.20.3:
1264712662
version "1.20.4"
1264812663
resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.4.tgz#f8e20f4d06ca8a50a71ed329c15dccad1cdc547f"
1264912664
integrity sha512-ZTgYYLMOXY9qKU/57FAo8F+HA2dGX7bqGc71txDRC1rS4frdFI5R7NhluHxH6M0YItAP0sHB4uqAOcYKxO6uGA==
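Review bot: the `body-parser@~1.20.3` entry stays in the lockfile at version 1.20.4, so after this bump two major versions of body-parser are installed side by side. Running `yarn why body-parser` would show which dependent still holds the `~1.20.3` range; it is worth recording that in the PR and checking whether the advisory referenced in the release notes (GHSA-wqch-xfxh-vrr4) applies to the 1.x line that remains. The added `body-parser@^2.2.1, body-parser@^2.2.2` block carries the same `resolved` URL and `integrity` hash as the block removed in the next hunk, so it is a re-sort of an existing entry and not a new tarball.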
@@ -12661,21 +12676,6 @@ body-parser@^1.20.3, body-parser@~1.20.3:
1266112676
type-is "~1.6.18"
1266212677
unpipe "~1.0.0"
1266312678

12664-
body-parser@^2.2.1, body-parser@^2.2.2:
12665-
version "2.2.2"
12666-
resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-2.2.2.tgz#1a32cdb966beaf68de50a9dfbe5b58f83cb8890c"
12667-
integrity sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==
12668-
dependencies:
12669-
bytes "^3.1.2"
12670-
content-type "^1.0.5"
12671-
debug "^4.4.3"
12672-
http-errors "^2.0.0"
12673-
iconv-lite "^0.7.0"
12674-
on-finished "^2.4.1"
12675-
qs "^6.14.1"
12676-
raw-body "^3.0.1"
12677-
type-is "^2.0.1"
12678-
1267912679
body@^5.1.0:
1268012680
version "5.1.0"
1268112681
resolved "https://registry.yarnpkg.com/body/-/body-5.1.0.tgz#e4ba0ce410a46936323367609ecb4e6553125069"
