chore(deps): bump multer from 2.0.2 to 2.1.1

[dependabot]

Bumps multer from 2.0.2 to 2.1.1.

Release notes

Sourced from multer's releases.

v2.1.1

Important

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)

What's Changed

• chore: add node version to 25.x in CI by @​imangas in expressjs/multer#1372
• chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 by @​dependabot[bot] in expressjs/multer#1378
• chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @​dependabot[bot] in expressjs/multer#1377
• chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 by @​dependabot[bot] in expressjs/multer#1376
• chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 by @​dependabot[bot] in expressjs/multer#1375
• chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 by @​dependabot[bot] in expressjs/multer#1374
• fix error/abort handling by @​ctcpip in expressjs/multer#1373
• 2.1.1 by @​UlisesGascon in expressjs/multer#1380

New Contributors

• @​imangas made their first contribution in expressjs/multer#1372
• @​dependabot[bot] made their first contribution in expressjs/multer#1378

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

What's Changed

• chore: add funding to package.json by @​bjohansebas in expressjs/multer#1346
• chore: drop mkdirp dependency by @​wojtekmaj in expressjs/multer#1350
• chore: drop object-assign dependency by @​wojtekmaj in expressjs/multer#1351
• chore: drop xtend dependency by @​wojtekmaj in expressjs/multer#1352
• chore(gitignore): ignore .nyc_output directory by @​ShubhamOulkar in expressjs/multer#1332
• Fix typo in README-vi.md regarding file upload by @​Kunniii in expressjs/multer#1366
• Fix typo in README-pt-br.md for array method by @​matheushbm192 in expressjs/multer#1367
• headers-support-utf8 by @​Doc999tor in expressjs/multer#1210
• Add Turkish translation (README-tr.md) by @​Sabandogan in expressjs/multer#1360
• Release: 2.1.0 by @​UlisesGascon in expressjs/multer#1371

New Contributors

• @​wojtekmaj made their first contribution in expressjs/multer#1350
• @​ShubhamOulkar made their first contribution in expressjs/multer#1332
• @​Kunniii made their first contribution in expressjs/multer#1366
• @​matheushbm192 made their first contribution in expressjs/multer#1367
• @​Doc999tor made their first contribution in expressjs/multer#1210
• @​Sabandogan made their first contribution in expressjs/multer#1360

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

Changelog

Sourced from multer's changelog.

2.1.1

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)
• fix error/abort handling

2.1.0

• Add defParamCharset option for UTF-8 filename support (#1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

Commits

• 368c8a1 2.1.1 (#1380)
• 7e66481 🐛 fix recursion issue
• 643571e ✅ add explicit test for client able to send body without abrupt disconnect
• e86fa52 fix error/abort handling
• ca37779 chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
• 13088f4 chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
• bc6a1d1 chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
• c496e93 chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
• fa173d3 chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
• 17d7f51 chore: add node version to 25.x in CI
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Upgrade multer to 2.1.1 to patch security vulnerabilities and improve upload error/abort handling. Adds optional UTF-8 filename support via the defParamCharset option.

^{Written for commit cd569fe. Summary will update on new commits.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cubic-dev-ai]

No issues found across 2 files

[greptile-apps]

Greptile Summary

This PR upgrades multer from 2.0.2 to 2.1.1 in apps/api/package.json to resolve three security vulnerabilities (CVE-2026-3520, CVE-2026-2359, and CVE-2026-3304), and the pnpm-lock.yaml is updated accordingly.

• Security fix: All three CVEs are addressed by this bump; merging is strongly recommended from a security perspective.
• Lock file churn: The pnpm-lock.yaml update contains changes beyond the multer bump — including an updated @maxim_mazurok/gapi.client.drive-v3, changed @nx/angular peer-dependency hashes, esbuild@0.25.4 being incorporated into webpack peer-dep snapshots, and the removal of @module-federation/enhanced@0.21.6 / @module-federation/node@2.7.25 snapshots. These appear to be collateral floating-dependency updates from re-running pnpm install, but a build and smoke test is advisable before merging.
• Pre-existing concern surfaced: The lock file now explicitly shows a security-vulnerability deprecation notice for next@14.2.33. This vulnerability predates this PR but is worth tracking as a follow-up.

Confidence Score: 4/5

• Safe to merge after verifying build succeeds; the multer bump is a straightforward security patch and the broader lock file churn appears to be normal pnpm floating-dep updates.
• The core change (multer 2.0.2 → 2.1.1) is a targeted security patch with a high Dependabot compatibility score and no API-breaking changes. The broader lock file changes (webpack peer deps, module-federation snapshot removals, gapi client update) are a minor risk: they are collateral from regenerating the full lock file and likely benign, but they make it harder to isolate regressions without running the build.
• pnpm-lock.yaml — contains broader dependency changes beyond the multer bump that should be reviewed; next@14.2.33 security vulnerability is surfaced here as a follow-up item.

Important Files Changed

Filename	Overview
apps/api/package.json	Single-line change bumping multer from ^2.0.2 to ^2.1.1 to address three CVEs (CVE-2026-3520, CVE-2026-2359, CVE-2026-3304). No other changes to this file.
pnpm-lock.yaml	Lock file updated with multer 2.1.1, but also contains collateral changes: @maxim_mazurok/gapi.client.drive-v3 bumped, webpack snapshot peer dep hashes updated with esbuild@0.25.4, @module-federation snapshots removed/changed, semver updated, and next@14.2.33 now explicitly flagged as containing a security vulnerability in its deprecation notice.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot opens PR] --> B[Bump multer 2.0.2 → 2.1.1\nin apps/api/package.json]
    B --> C[Run pnpm install\nto regenerate lock file]
    C --> D{Lock file changes}
    D --> E[multer 2.0.2 → 2.1.1\nCVE-2026-3520 fixed\nCVE-2026-2359 fixed\nCVE-2026-3304 fixed]
    D --> F[Collateral updates:\n@maxim_mazurok/gapi.client.drive-v3\n@nx/angular peer hash\nwebpack snapshots + esbuild\n@module-federation snapshots\nsemver 7.7.3 → 7.7.4]
    E --> G[NestJS API uses multer\nfor file upload handling]
    G --> H[Verify build & tests pass\nbefore merging]
    F --> H

Loading

_{Last reviewed commit: cd569fe}

[greptile-apps]

Broader lock file changes beyond multer

The pnpm-lock.yaml diff contains considerably more changes than just the multer bump. Notable collateral updates include:

• @maxim_mazurok/gapi.client.drive-v3 updated from 0.1.20251119 → 0.1.20260303
• @nx/angular@21.0.3 peer-dependency hash changed (25kdjzbgp6y4cbqvad66eapdmi → kc7c3pdl2egimajvcsht3ishum)
• Several webpack snapshots now include esbuild@0.25.4 as a resolved peer
• @module-federation/enhanced@0.21.6 and @module-federation/node@2.7.25 snapshots were removed
• webpack-dev-server now resolves against webpack@5.103.0 in some snapshot paths (previously webpack@5.98.0)
• next@14.2.33 now has an explicit security-vulnerability deprecation notice surfaced in the lock file

These changes appear to be floating dependency updates that were triggered by re-running pnpm install, but they go beyond what a targeted multer patch would normally produce. It's worth confirming the build and key functionality still work after merging, per the team's dependency-update policy.

Context Used: Rule from dashboard - When updating dependencies via automated PRs (like Dependabot), ensure the package.json file is expl... (source)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud