
fix(deps): update dependency multer to v2 [security] #674

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-multer-vulnerability

Conversation

renovate bot (Contributor) commented May 19, 2025

This PR contains the following updates:

Package   Change
multer    ^1.4.4 -> ^2.0.0

GitHub Vulnerability Alerts

CVE-2025-47935

Impact

Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal busboy stream is not closed, violating Node.js stream safety guidance.

This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted.

Patches

Users should upgrade to 2.0.0

Workarounds

None

References

CVE-2025-47944

Impact

A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process.

Patches

Users should upgrade to 2.0.0

Workarounds

None

References

CVE-2025-48997

Impact

A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process.

Patches

Users should upgrade to 2.0.1

Workarounds

None

References

expressjs/multer@35a3272
https://github.com/expressjs/multer/issues/1233
https://github.com/expressjs/multer/pull/1256

CVE-2025-7338

Impact

A vulnerability in Multer versions >= 1.4.4-lts.1, < 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed request. This request causes an unhandled exception, leading to a crash of the process.

Patches

Users should upgrade to 2.0.2

Workarounds

None


Release Notes

expressjs/multer (multer)

v2.0.2
v2.0.1
v2.0.0


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-multer-vulnerability branch from 545be9a to 363e3c9 on May 28, 2025 22:03
renovate bot force-pushed the renovate/npm-multer-vulnerability branch from 363e3c9 to 6c21933 on June 3, 2025 11:55
renovate bot force-pushed the renovate/npm-multer-vulnerability branch from 6c21933 to 31710ae on June 16, 2025 20:21
renovate bot force-pushed the renovate/npm-multer-vulnerability branch from 31710ae to 8390b92 on June 27, 2025 14:03
renovate bot force-pushed the renovate/npm-multer-vulnerability branch from 8390b92 to 87120c8 on August 10, 2025 15:57
renovate bot force-pushed the renovate/npm-multer-vulnerability branch from 87120c8 to 7691f87 on August 13, 2025 13:21
renovate bot force-pushed the renovate/npm-multer-vulnerability branch from 7691f87 to 3245a84 on August 19, 2025 11:46
renovate bot force-pushed the renovate/npm-multer-vulnerability branch from 3245a84 to 2442f60 on August 31, 2025 12:22
renovate bot (Contributor, Author) commented Sep 2, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @socialgouv/eslint-config-typescript@1.131.0
npm error Found: typescript@5.8.3
npm error node_modules/typescript
npm error   dev typescript@"latest" from the root project
npm error   peerOptional typescript@">=5.1.0" from @prisma/client@6.10.1
npm error   node_modules/@prisma/client
npm error     @prisma/client@"^6.6.0" from the root project
npm error     peer @prisma/client@">=2.26.0 || >=3" from @next-auth/prisma-adapter@1.0.7
npm error     node_modules/@next-auth/prisma-adapter
npm error       @next-auth/prisma-adapter@"^1.0.5" from the root project
npm error   15 more (@typescript-eslint/project-service, ...)
npm error
npm error Could not resolve dependency:
npm error peer typescript@"4" from @socialgouv/eslint-config-typescript@1.131.0
npm error node_modules/@socialgouv/eslint-config-typescript
npm error   dev @socialgouv/eslint-config-typescript@"^1.100.0" from the root project
npm error
npm error Conflicting peer dependency: typescript@4.9.5
npm error node_modules/typescript
npm error   peer typescript@"4" from @socialgouv/eslint-config-typescript@1.131.0
npm error   node_modules/@socialgouv/eslint-config-typescript
npm error     dev @socialgouv/eslint-config-typescript@"^1.100.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-11-18T17_33_22_787Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-11-18T17_33_22_787Z-debug-0.log

renovate bot force-pushed the renovate/npm-multer-vulnerability branch from 2442f60 to 6af8448 on September 2, 2025 13:33
renovate bot force-pushed the renovate/npm-multer-vulnerability branch from 6af8448 to 7580af7 on September 25, 2025 17:46

socket-security bot commented Nov 10, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | multer@1.4.4 ⏵ 2.0.2 | 99 +1100 +75100 +187 +37100

View full report

renovate bot force-pushed the renovate/npm-multer-vulnerability branch from dd4be1f to 3069c85 on November 18, 2025 17:33