feat(deps): bump body-parser from 1.20.4 to 2.2.2

[dependabot]

Bumps body-parser from 1.20.4 to 2.2.2.

Release notes

Sourced from body-parser's releases.

v2.2.2

What's Changed

• docs: update README links by @​efekrskl in expressjs/body-parser#673
• docs: release notes for the v1.20.4 release by @​Phillip9587 in expressjs/body-parser#674
• docs: update URL-encoded parser description to include ISO-8859-1 encoding support by @​Phillip9587 in expressjs/body-parser#679
• docs: use standard jsdoc tags everywhere by @​Phillip9587 in expressjs/body-parser#677
• deps: qs@^6.14.1 by @​UlisesGascon in expressjs/body-parser#689
• refactor(json): simplify strict mode error string construction by @​jonchurch in expressjs/body-parser#693
• Release: 2.2.2 by @​UlisesGascon in expressjs/body-parser#691

New Contributors

• @​efekrskl made their first contribution in expressjs/body-parser#673

Full Changelog: expressjs/body-parser@v2.2.1...v2.2.2

v2.2.1

Important: Security

• Security fix for CVE-2025-13466 (GHSA-wqch-xfxh-vrr4)

What's Changed

• ci: add dependabot by @​Phillip9587 in expressjs/body-parser#593
• ci: use full SHAs for github action versions by @​Phillip9587 in expressjs/body-parser#594
• deps: type-is@^2.0.1 by @​Phillip9587 in expressjs/body-parser#599
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @​dependabot[bot] in expressjs/body-parser#609
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by @​dependabot[bot] in expressjs/body-parser#610
• build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 by @​dependabot[bot] in expressjs/body-parser#611
• build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 by @​dependabot[bot] in expressjs/body-parser#613
• build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 by @​dependabot[bot] in expressjs/body-parser#612
• ci: add codeql github workflows scanning by @​Phillip9587 in expressjs/body-parser#614
• ci: update CodeQL config to ignore the test directory by @​Phillip9587 in expressjs/body-parser#615
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @​dependabot[bot] in expressjs/body-parser#620
• build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by @​dependabot[bot] in expressjs/body-parser#619
• chore(deps): unpin devDependencies by @​Phillip9587 in expressjs/body-parser#616
• ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/body-parser#621
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @​dependabot[bot] in expressjs/body-parser#623
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in expressjs/body-parser#624
• chore: add funding to package.json by @​Phillip9587 in expressjs/body-parser#617
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @​dependabot[bot] in expressjs/body-parser#625
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in expressjs/body-parser#630
• refactor: move common request validation to read function by @​Phillip9587 in expressjs/body-parser#600
• deps: bump iconv-lite by @​bjohansebas in expressjs/body-parser#631
• doc: pull beta changelog forward into 2.0.0 by @​jonchurch in expressjs/body-parser#629
• refactor: optimize raw and text parsers with shared passthrough function by @​Phillip9587 in expressjs/body-parser#634
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#640
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @​dependabot[bot] in expressjs/body-parser#639
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#636
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#637
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @​dependabot[bot] in expressjs/body-parser#638
• deps: raw-body@^3.0.1 by @​Phillip9587 in expressjs/body-parser#641

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.2.2 / 2026-01-07

• deps: qs@^6.14.1
• refactor(json): simplify strict mode error string construction

2.2.1 / 2025-11-24

• Security fix for GHSA-wqch-xfxh-vrr4
• deps:
  • type-is@^2.0.1
  • iconv-lite@^0.7.0
    • Handle split surrogate pairs when encoding UTF-8
    • Avoid false positives in encodingExists by using prototype-less objects
  • raw-body@^3.0.1
  • debug@^4.4.3

2.2.0 / 2025-03-27

• refactor: normalize common options for all parsers
• deps:
  • iconv-lite@^0.6.3

2.1.0 / 2025-02-10

• deps:
  • type-is@^2.0.0
  • debug@^4.4.0
  • Removed destroy
• refactor: prefix built-in node module imports
• use the node require cache instead of custom caching

2.0.2 / 2024-10-31

• remove unpipe package and use native unpipe() method

2.0.1 / 2024-09-10

• Restore expected behavior extended to false

2.0.0 / 2024-09-10

Breaking Changes

• Node.js 18 is the minimum supported version

... (truncated)

Commits

• 3d24866 2.2.2 (#691)
• 8474a98 refactor(json): simplify strict mode error string construction (#693)
• 03f17c2 deps: qs@^6.14.1 (#689)
• ea1f25e docs: use standard jsdoc tags everywhere (#677)
• d7deef8 docs: update URL-encoded parser description to include ISO-8859-1 encoding su...
• b6f52aa docs: release notes for the v1.20.4 release (#674)
• 2965ca4 docs: update links (#673)
• d96b63d 2.2.1 (#659)
• b204886 sec: security patch for CVE-2025-13466
• e20e351 feat: remove history.md from being packaged on publish (#660)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[chargome]

@dependabot rebase

[github-actions]

Codecov Results 📊

---

Generated by Codecov Action

[github-actions]

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Path	Size	% Change	Change
@sentry/browser	25.56 kB	-	-
@sentry/browser - with treeshaking flags	24.08 kB	-	-
@sentry/browser (incl. Tracing)	42.36 kB	-	-
@sentry/browser (incl. Tracing, Profiling)	47.03 kB	-	-
@sentry/browser (incl. Tracing, Replay)	81.18 kB	-	-
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags	70.8 kB	-	-
@sentry/browser (incl. Tracing, Replay with Canvas)	85.87 kB	-	-
@sentry/browser (incl. Tracing, Replay, Feedback)	98.03 kB	-	-
@sentry/browser (incl. Feedback)	42.29 kB	-	-
@sentry/browser (incl. sendFeedback)	30.23 kB	-	-
@sentry/browser (incl. FeedbackAsync)	35.22 kB	-	-
@sentry/browser (incl. Metrics)	26.74 kB	-	-
@sentry/browser (incl. Logs)	26.88 kB	-	-
@sentry/browser (incl. Metrics & Logs)	27.56 kB	-	-
@sentry/react	27.33 kB	-	-
@sentry/react (incl. Tracing)	44.72 kB	-	-
@sentry/vue	30.01 kB	-	-
@sentry/vue (incl. Tracing)	44.22 kB	-	-
@sentry/svelte	25.58 kB	-	-
CDN Bundle	28.11 kB	-	-
CDN Bundle (incl. Tracing)	43.2 kB	-	-
CDN Bundle (incl. Logs, Metrics)	28.95 kB	-	-
CDN Bundle (incl. Tracing, Logs, Metrics)	44.03 kB	-	-
CDN Bundle (incl. Replay, Logs, Metrics)	68.02 kB	-	-
CDN Bundle (incl. Tracing, Replay)	80.07 kB	-	-
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	80.94 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback)	85.5 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	86.4 kB	-	-
CDN Bundle - uncompressed	82.22 kB	-	-
CDN Bundle (incl. Tracing) - uncompressed	127.93 kB	-	-
CDN Bundle (incl. Logs, Metrics) - uncompressed	85.05 kB	-	-
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	130.76 kB	-	-
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	208.71 kB	-	-
CDN Bundle (incl. Tracing, Replay) - uncompressed	244.81 kB	-	-
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	247.63 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	257.61 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	260.42 kB	-	-
@sentry/nextjs (client)	47.12 kB	-	-
@sentry/sveltekit (client)	42.81 kB	-	-
@sentry/node-core	52.15 kB	+0.02%	+9 B 🔺
@sentry/node	166.53 kB	+0.01%	+6 B 🔺
@sentry/node - without tracing	93.95 kB	+0.02%	+12 B 🔺
@sentry/aws-serverless	109.45 kB	+0.01%	+10 B 🔺

View base workflow run

[github-actions]

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Scenario	Requests/s	% of Baseline	Prev. Requests/s	Change %
GET Baseline	8,952	-	9,347	-4%
GET With Sentry	1,590	18%	1,668	-5%
GET With Sentry (error only)	6,016	67%	6,089	-1%
POST Baseline	1,177	-	1,210	-3%
POST With Sentry	579	49%	586	-1%
POST With Sentry (error only)	1,031	88%	1,072	-4%
MYSQL Baseline	3,255	-	3,283	-1%
MYSQL With Sentry	426	13%	480	-11%
MYSQL With Sentry (error only)	2,651	81%	2,675	-1%

View base workflow run