fix(deps): update dependency multer to v2 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
multer	^1.4.1 → ^2.1.1

GitHub Vulnerability Alerts

CVE-2026-3304

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

CVE-2026-2359

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

CVE-2026-3520

Impact

A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow.

Patches

Users should upgrade to 2.1.1

Workarounds

None

Resources

• GHSA-5528-5vmv-3xc2
• https://www.cve.org/CVERecord?id=CVE-2026-3520
• expressjs/multer@7e66481
• https://cna.openjsf.org/security-advisories.html

---

Release Notes

expressjs/multer (multer)

v2.1.1

Compare Source

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)
• fix error/abort handling

v2.1.0

Compare Source

• Add defParamCharset option for UTF-8 filename support (#​1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

v2.0.2

Compare Source

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

v2.0.1

Compare Source

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

v2.0.0

Compare Source

• Breaking change: The minimum supported Node version is now 10.16.0
• Fix CVE-2025-47935 (GHSA-44fp-w29j-9vj5)
• Fix CVE-2025-47944 (GHSA-4pg4-qvpc-4q3h)

v1.4.4

Compare Source

• Bugfix: Bump busboy to fix CVE-2022-24434 (#​1097)
• Breaking: Require Node.js 10.16.0 or later (#​1097)

v1.4.3

Compare Source

• Bugfix: Avoid deprecated pseudoRandomBytes function (#​774)
• Docs: Add Português Brazil translation for README (#​758)
• Docs: Clarify the callback calling convention (#​775)
• Docs: Add example on how to link to html multipart form (#​580)
• Docs: Add Spanish translation for README (#​838)
• Docs: Add Math.random() to storage filename example (#​841)
• Docs: Fix mistakes in russian doc (#​869)
• Docs: Improve Português Brazil translation (#​877)
• Docs: Update var to const in all Readmes (#​1024)
• Internal: Bump mkdirp version (#​862)
• Internal: Bump Standard version (#​878)

v1.4.2

Compare Source

• Docs: Add Russian translation for README (#​662)
• Docs: Patch zh-CN README base on newest README (#​670)
• Docs: Fix broken link in Readme (#​679)
• Docs: Fix broken link in Chinese Readme (#​730)
• Docs: Fix typo in Russian README (#​738)
• Docs: Add unit for fieldSize in busboy limit params (#​734)
• Internal: Make unit tests comaptible with Node.js 13.x (#​752)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request upgrades the multer dependency to its major version 2, specifically v2.1.0, to incorporate crucial security patches. This update resolves two Denial of Service vulnerabilities that could lead to resource exhaustion, thereby enhancing the application's stability and resilience against malformed requests. It also brings in new features like UTF-8 filename support.

Highlights

• Dependency Update: Updated the multer dependency from ^1.4.1 to ^2.1.0.
• Security Fixes: Addressed two Denial of Service (DoS) vulnerabilities (CVE-2026-3304 and CVE-2026-2359) in multer versions prior to 2.1.0.
• New Feature: Introduced support for UTF-8 filenames in multer with the defParamCharset option.

Changelog

• bookshelf/package.json
  • Updated the multer dependency to version ^2.1.0.

Activity

• The pull request was automatically generated by renovate-bot to update the multer dependency.
• No human activity or review comments have been recorded yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the multer dependency to version 2.1.0 to address security vulnerabilities. While this is a necessary update, it's a major version bump that introduces breaking API changes. The current implementation of file uploads using multer in bookshelf/lib/images.js is not compatible with multer v2 and will cause the application to fail. I've added a comment on package.json with more details. The PR needs to be amended to include the required code changes for multer v2 compatibility before it can be merged.

[gemini-code-assist]

Updating multer to v2 is a major version change that introduces breaking API changes. The current usage of multer in bookshelf/lib/images.js will break the application after this update.

Specifically, the storage configuration in bookshelf/lib/images.js on line 77 (storage: Multer.MemoryStorage) is invalid for multer v2. It needs to be updated to use the new API. For multer v2, this should be storage: Multer.memoryStorage().

This pull request must be updated to include the necessary code changes in bookshelf/lib/images.js to ensure the application remains functional.

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun