Releases: adonisjs/bodyparser

Prevent path traversal during file uploads

02 Jan 04:06

11.0.0-next.6 (2026-01-02)

Security update for CVE-2026-21440 (GHSA-gvq6-hvvp-h34h)

This patch release fixes a security issue in multipart file uploads related to how filenames were handled when moving uploaded files to disk.

MultipartFile.move(location) no longer uses the client-provided filename by default. Previously, if no filename was explicitly provided, the original filename sent by the client was used. This behavior has changed: we now use a UUID to create a unique random name for the file.

Breaking change

If your application relied on the original client filename being preserved implicitly, this behavior has changed. The newly generated file names will now use uuid.

However, if you were always passing an explicit name, you are unaffected by this breaking change.

We consider this a necessary breaking change to close a security gap and align with secure defaults. Shipping this as a patch release ensures the fix reaches all users, including those who do not regularly upgrade major versions.

Breaking - Prevent path traversal during file uploads

02 Jan 04:02

10.1.2 (2026-01-02)

Security update for CVE-2026-21440 (GHSA-gvq6-hvvp-h34h)

This patch release fixes a security issue in multipart file uploads related to how filenames were handled when moving uploaded files to disk.

MultipartFile.move(location) no longer uses the client-provided filename by default. Previously, if no filename was explicitly provided, the original filename sent by the client was used. This behavior has changed: we now use a UUID to create a unique random name for the file.

Breaking change

If your application relied on the original client filename being preserved implicitly, this behavior has changed. The newly generated file names will now use uuid.

However, if you were always passing an explicit name, you are unaffected by this breaking change.

We consider this a necessary breaking change to close a security gap and align with secure defaults. Shipping this as a patch release ensures the fix reaches all users, including those who do not regularly upgrade major versions.

Bug Fixes

  • path traversal during file.move operation (6795c0e)

Full Changelog: v10.1.1...v10.1.2
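
The filename handling described in the 11.0.0-next.6 and 10.1.2 notes above, as an added example (not the bodyparser's own code): it contrasts joining a client-sent filename onto the upload directory with a server-generated UUID name plus a containment check. The helper names, the extension allowlist and the `/srv/app/uploads` directory are assumptions made for illustration.

```javascript
const path = require('node:path')
const { randomUUID } = require('node:crypto')

// Old default as the release notes describe it: the client-sent filename
// is joined onto the upload directory unchanged.
function legacyDestination(location, clientName) {
  return path.join(location, clientName)
}

// True when `target` resolves to a path strictly inside `root`.
function isInside(root, target) {
  const rel = path.relative(path.resolve(root), path.resolve(target))
  const escapes = rel === '..' || rel.startsWith('..' + path.sep)
  return rel !== '' && !escapes && !path.isAbsolute(rel)
}

// Server-chosen name: random UUID plus an allowlisted extension. The client
// filename contributes nothing except its lowercased extension.
function safeName(clientName, allowedExts = ['jpg', 'png', 'pdf']) {
  const ext = path.extname(clientName).slice(1).toLowerCase()
  if (!allowedExts.includes(ext)) {
    throw new Error(`extension not allowed: ${ext || '(none)'}`)
  }
  return `${randomUUID()}.${ext}`
}

// Build the destination from the safe name and verify containment anyway.
function safeDestination(location, clientName) {
  const dest = path.join(location, safeName(clientName))
  if (!isInside(location, dest)) {
    throw new Error('destination escapes upload directory')
  }
  return dest
}

// Constructed sample inputs (UPLOADS is a hypothetical directory).
const UPLOADS = '/srv/app/uploads'
const samples = ['avatar.PNG', '../../config/report.pdf', 'nested/dir/photo.jpg']
for (const name of samples) {
  const legacyOk = isInside(UPLOADS, legacyDestination(UPLOADS, name))
  const safe = path.basename(safeDestination(UPLOADS, name))
  console.log(`${name}: legacy stays inside=${legacyOk}, new name=${safe}`)
}
```

If the application needs to keep the original filename, store it as metadata next to the generated name rather than using it as the on-disk name.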

Update dependencies

15 Dec 09:07

Pre-release

11.0.0-next.5 (2025-12-15)

Full Changelog: v11.0.0-next.4...v11.0.0-next.5

Update to the latest release of HTTP server

03 Dec 10:10

Fix issue with uploading zip files

20 Nov 09:48

Pre-release

11.0.0-next.3 (2025-11-20)

There were two issues:

  • The file-type package was failing to detect the MIME type of zip files and was throwing an error.
  • The bodyparser was not aborting the request and instead processed the entire stream. As a result, the file was uploaded successfully, but with a series of error logs on the console.

Bug Fixes

  • abort when partHandler.reportProgress throws an error 108a3df

Full Changelog: v11.0.0-next.2...v11.0.0-next.3

Fix issue with uploading zip files

20 Nov 09:42

10.1.1 (2025-11-20)

There were two issues:

  • The file-type package was failing to detect the MIME type of zip files and was throwing an error.
  • The bodyparser was not aborting the request and instead processed the entire stream. As a result, the file was uploaded successfully, but with a series of error logs on the console.

Bug Fixes

  • abort when partHandler.reportProgress throws an error da1f279

Full Changelog: v10.1.0...v10.1.1

Add support for trimming whitespaces

25 Oct 08:06

Pre-release

11.0.0-next.2 (2025-10-25)

Bug Fixes

  • normalize file extension name to always be lowercase (937ccc0), closes #72

Features

  • add support for trimming whitespaces and performance improvements (6694313)
  • cleanup and process multipart parser config only once (10b3142)
  • setup typedoc (8a82de1)

What's Changed

  • fix: #72 allow case insensitive comparison of the extensions list by @JanStevens in #73

Full Changelog: v11.0.0-next.1...v11.0.0-next.2

Introduce request.bodyType property

02 Sep 05:27

Pre-release

11.0.0-next.1 (2025-09-02)

Features

  • introduce request.bodyType property (bbdcbc6)

Full Changelog: v11.0.0-next.0...v11.0.0-next.1

Merge files and fields without the experimental flag and use randomUUID and remove cuid2 package

30 Jul 16:17

11.0.0-next.0 (2025-07-30)

Bug Fixes

Features

  • merge fields and files inside a single collection (b2e9b44)
  • use crypto.randomUUID() instead of cuid2 for generating tmpFile names (f6e7781)

BREAKING CHANGES

  • Remove mergeMultipartFieldsAndFiles and merge its behavior to the
    default implementation

Full Changelog: v10.1.0...v11.0.0-next.0

Allow merging multipart fields and files

15 May 09:52

10.1.0 (2025-05-15)

The multipart fields and files are kept as two separate objects by the bodyparser. This creates an issue when you have nested data and want to keep some files and fields next to each other. For example, you are creating a set of users using a batch request, and each user could have their avatar next to them.

users[0].name
users[0].email
users[0].avatar

users[1].name
users[1].email
users[1].avatar

request.all() // [{ name: 'foo', email: '...' }, { name: 'bar', email: '...' }]
request.allFiles() // [{  avatar: MultipartFile }, { avatar: MultipartFile }]

Now, when you decide to validate the users array, AdonisJS will perform a shallow merge of fields and files, and the files array will override the fields. Hence the name and the email properties will be missing in the final merged object.

{
  ...request.all(),
  ...request.allFiles(),
}

One way to fix this issue is to perform a deep merge. However, instead of performing a deep merge after the fact, we can make the bodyparser collect all the data in one object called the request body.

This is what we do now (after this release). However, we do it behind a feature flag because it is technically a breaking change, even though it should not impact most applications.

However, if you are looping through the request body (accessed via request.all()), you will have to be a bit careful and account for some values being an instance of MultipartFile.
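
The difference between the shallow merge and a deep merge described above, as an added example that is not the bodyparser's implementation. The `MultipartFile` class here is a stand-in, the sample data is constructed, and `deepMerge` and `filePaths` are hypothetical helpers; `filePaths` shows the kind of check a loop over the merged body needs.

```javascript
// Stand-in for the bodyparser's MultipartFile (hypothetical, illustration only).
class MultipartFile {
  constructor(clientName) { this.clientName = clientName }
}

// Constructed data for the batch "users" form described above.
const fields = { users: [{ name: 'foo', email: 'foo@example.com' },
                         { name: 'bar', email: 'bar@example.com' }] }
const files = { users: [{ avatar: new MultipartFile('foo.png') },
                        { avatar: new MultipartFile('bar.png') }] }

// Shallow merge: the `users` key from files replaces the one from fields.
function shallowMerge(a, b) {
  return { ...a, ...b }
}

const isPlain = (v) => v !== null && typeof v === 'object' &&
  !Array.isArray(v) && !(v instanceof MultipartFile)

// Deep merge: recurse into plain objects and arrays, treating a
// MultipartFile as a leaf so it is never merged into or copied.
function deepMerge(a, b) {
  if (Array.isArray(b)) {
    const base = Array.isArray(a) ? a : []
    const length = Math.max(base.length, b.length)
    return Array.from({ length }, (_, i) => (i in b ? deepMerge(base[i], b[i]) : base[i]))
  }
  if (!isPlain(b)) return b
  const base = isPlain(a) ? a : {}
  const out = { ...base }
  for (const key of Object.keys(b)) {
    // Skip keys that would rewrite the prototype chain of the merged object.
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue
    out[key] = deepMerge(base[key], b[key])
  }
  return out
}

// Walk a merged body and return the paths that hold files, so callers
// looping over the body can tell files apart from plain field values.
function filePaths(value, prefix = '') {
  if (value instanceof MultipartFile) return [prefix]
  if (value === null || typeof value !== 'object') return []
  return Object.entries(value).flatMap(([k, v]) =>
    filePaths(v, Array.isArray(value) ? `${prefix}[${k}]` : prefix ? `${prefix}.${k}` : k))
}

console.log(shallowMerge(fields, files).users[0], deepMerge(fields, files).users[0])
```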

Opting into the new behavior

You can opt into the new behavior by defining the following feature flag inside the adonisrc.ts file.

{
  experimental: {
    mergeMultipartFieldsAndFiles: true,
  }
}

Features

  • merge multipart fields and files when "mergeMultipartFieldsAndFiles" flag is enabled (f03e53e)

Full Changelog: v10.0.3...v10.1.0