@renovate renovate bot commented May 20, 2025

This PR contains the following updates:

Package   Change
multer    ^1.4.4 -> ^2.0.0

GitHub Vulnerability Alerts

CVE-2025-47935

Impact

Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal busboy stream is not closed, violating Node.js stream safety guidance.

This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted.

Patches

Users should upgrade to 2.0.0

Workarounds

None

References

CVE-2025-47944

Impact

A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process.

Patches

Users should upgrade to 2.0.0

Workarounds

None

References


Release Notes

expressjs/multer (multer)

v2.0.0

Important

What's Changed

  • 🐛 drain stream. fixes regression in node 18, remove old CI, set minimum node version, fix readme badges, add .npmrc
  • fix: handle two busboy error events
  • ♻️ fully drain stream
  • 🥅 explicitly handle req error
  • 🚨 lint:fix
  • ⬆️ bump mocha
  • docs: include release 2.0.0 details

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

codecov-commenter commented May 20, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 65.51%. Comparing base (8f555af) to head (c750877).

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3724      +/-   ##
==========================================
- Coverage   65.52%   65.51%   -0.01%     
==========================================
  Files         958      958              
  Lines       15925    15925              
  Branches     2206     2205       -1     
==========================================
- Hits        10435    10434       -1     
- Misses       5149     5443     +294     
+ Partials      341       48     -293     

see 127 files with indirect coverage changes



@pYassine pYassine merged commit f96412c into master May 20, 2025
13 of 14 checks passed
@pYassine pYassine deleted the renovate/npm-multer-vulnerability branch May 20, 2025 12:00
@renovate renovate bot changed the title from "fix(deps): update dependency multer to v2 [security]" to "fix(deps): update dependency multer to v2 [security] - autoclosed" May 20, 2025