We release patches for security vulnerabilities. Currently supported versions:

| Version | Supported |
|---------|-----------|
| 1.0.x   | ✅        |
| < 1.0   | ❌        |
If you discover a security vulnerability in this project, please report it by emailing Naor.tedgi@gmail.com.
Please include the following information in your report:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any suggested fixes (if applicable)
Please do not open a public issue for security vulnerabilities.
We will acknowledge your email within 48 hours and aim to provide a detailed response within 5 business days. We will keep you informed about our progress throughout the resolution process.
When using `express-body-parser-error-handler`, please follow these security best practices:
Always set reasonable size limits for body-parser to prevent denial-of-service attacks:
```js
const express = require('express');
const { urlencoded, json } = require('body-parser');
const bodyParserErrorHandler = require('express-body-parser-error-handler');

const app = express();

// Set appropriate limits based on your application needs
app.use(urlencoded({ extended: false, limit: '100kb' }));
app.use(json({ limit: '100kb' }));

// Mount the error handler after the parsers so it catches their errors
app.use(bodyParserErrorHandler());
```
The default error handler provides detailed error messages. In production, consider customizing error messages to avoid exposing sensitive information:
```js
app.use(bodyParserErrorHandler({
  errorMessage: (err) => {
    if (process.env.NODE_ENV === 'production') {
      return 'Invalid request body';
    }
    return `Body Parser failed to parse request --> ${err.message}`;
  }
}));
```
Use the `onError` callback to log security-relevant events for monitoring:

```js
app.use(bodyParserErrorHandler({
  onError: (err, req, res, next) => {
    // Log the error for security monitoring
    console.error('Body parser error:', {
      type: err.type,
      ip: req.ip,
      path: req.path,
      timestamp: new Date().toISOString()
    });
  }
}));
```
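The two snippets above (production-safe `errorMessage` and an `onError` logger) can be combined into one options object. The following is an added example, not code from the express-body-parser-error-handler project: it assumes the `errorMessage` and `onError` option names as shown above, maps body-parser's error `type` strings to generic client messages (the mapping and the injectable `sink` parameter are this example's own choices), and builds a log record that carries request metadata but never the request body, so a malformed payload cannot leak into logs or responses.

```javascript
// Added example, not part of express-body-parser-error-handler.
// Builds the `errorMessage` and `onError` options so that clients receive a
// generic message in production while operators get a structured, body-free
// log record. The `type` values are those body-parser attaches to its errors;
// the client-facing text and the 413 detail fields are this example's own choice.

const SAFE_MESSAGES = {
  'entity.too.large': 'Request body too large',
  'entity.parse.failed': 'Invalid request body',
  'charset.unsupported': 'Unsupported charset',
  'encoding.unsupported': 'Unsupported content encoding',
  'parameters.too.many': 'Too many parameters',
};

// Builds the log entry: metadata only. req.body and the raw payload are
// deliberately never copied, since they are attacker-controlled input.
function buildLogEntry(err, req, now = new Date()) {
  const entry = {
    type: err.type || 'unknown',
    status: err.status || 400,
    ip: req.ip,
    method: req.method,
    path: req.path,
    contentLength: req.headers ? req.headers['content-length'] : undefined,
    timestamp: now.toISOString(),
  };
  // raw-body sets `length` and `limit` on size-limit errors; keep them so
  // repeated limit hits from one source are visible to monitoring.
  if (err.type === 'entity.too.large') {
    entry.receivedLength = err.length;
    entry.limit = err.limit;
  }
  return entry;
}

// `env` defaults to NODE_ENV; `sink` is where log records go (console.error
// by default, replaceable with a structured logger or a test collector).
function buildHandlerOptions({ env = process.env.NODE_ENV, sink = console.error } = {}) {
  const production = env === 'production';

  // Client-facing text. In production never echo err.message: for parse
  // failures it can contain a fragment of the offending body.
  const errorMessage = (err) => {
    if (production) {
      return SAFE_MESSAGES[err.type] || 'Invalid request body';
    }
    return `Body Parser failed to parse request --> ${err.message}`;
  };

  // Operator-facing record, same signature as the onError shown above.
  const onError = (err, req, res, next) => {
    sink('Body parser error:', buildLogEntry(err, req));
  };

  return { errorMessage, onError };
}

// Demo with constructed inputs (no real server involved).
const collected = [];
const opts = buildHandlerOptions({ env: 'production', sink: (label, rec) => collected.push(rec) });
const fakeErr = { type: 'entity.too.large', status: 413, length: 200000, limit: 102400,
                  message: 'request entity too large' };
const fakeReq = { ip: '203.0.113.5', method: 'POST', path: '/api/items',
                  headers: { 'content-length': '200000' }, body: '<never logged>' };
opts.onError(fakeErr, fakeReq, null, () => {});
console.log(opts.errorMessage(fakeErr), collected[0]);

module.exports = { SAFE_MESSAGES, buildLogEntry, buildHandlerOptions };
```

Pass the result of `buildHandlerOptions()` straight to `bodyParserErrorHandler(...)`; because the log record is a plain object, it can be fed to any structured logger, and a spike of `entity.too.large` or `entity.parse.failed` records from a single `ip` is a cheap alerting signal.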
Regularly update this package and its dependencies to ensure you have the latest security patches:
```sh
npm update express-body-parser-error-handler
```
This middleware handles body-parser errors, but you should still implement additional input validation for your application logic to ensure data integrity and security.
When we receive a security vulnerability report, we will:
- Confirm the vulnerability and determine its impact
- Develop and test a fix
- Release a patch as soon as possible
- Credit the reporter (unless they wish to remain anonymous)
- Publish a security advisory on GitHub
If you have suggestions on how this process could be improved, please submit a pull request or open an issue to discuss.