Update dependency multer to v2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
multer	^1.4.4 -> ^2.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-48997

Impact

A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process.

Patches

Users should upgrade to 2.0.1

Workarounds

None

References

expressjs/multer@35a3272
https://github.com/expressjs/multer/issues/1233
https://github.com/expressjs/multer/pull/1256

CVE-2025-7338

Impact

A vulnerability in Multer versions >= 1.4.4-lts.1, < 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed request. This request causes an unhandled exception, leading to a crash of the process.

Patches

Users should upgrade to 2.0.2

Workarounds

None

---

Release Notes

expressjs/multer (multer)

v2.0.2

Compare Source

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

v2.0.1

Compare Source

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

v2.0.0

Compare Source

• Breaking change: The minimum supported Node version is now 10.16.0
• Fix CVE-2025-47935 (GHSA-44fp-w29j-9vj5)
• Fix CVE-2025-47944 (GHSA-4pg4-qvpc-4q3h)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: [email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/multer
npm ERR!   multer@"^2.0.0" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer multer@"^1.4.2" from [email protected]
npm ERR! node_modules/multer-gridfs-storage
npm ERR!   multer-gridfs-storage@"^5.0.2" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: [email protected]
npm ERR! node_modules/multer
npm ERR!   peer multer@"^1.4.2" from [email protected]
npm ERR!   node_modules/multer-gridfs-storage
npm ERR!     multer-gridfs-storage@"^5.0.2" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! 
npm ERR! For a full report see:
npm ERR! /runner/cache/others/npm/_logs/2025-08-31T09_59_21_188Z-eresolve-report.txt

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2025-08-31T09_59_21_188Z-debug-0.log

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
rollout	❌ Failed (Inspect)			Jun 5, 2025 5:14am