fix(deps): update dependency multer to v2.1.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
multer	2.0.2 → 2.1.1

GitHub Vulnerability Alerts

CVE-2026-3304

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

CVE-2026-2359

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

CVE-2026-3520

Impact

A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow.

Patches

Users should upgrade to 2.1.1

Workarounds

None

Resources

• GHSA-5528-5vmv-3xc2
• https://www.cve.org/CVERecord?id=CVE-2026-3520
• expressjs/multer@7e66481
• https://cna.openjsf.org/security-advisories.html

---

Release Notes

expressjs/multer (multer)

v2.1.1

Compare Source

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)
• fix error/abort handling

v2.1.0

Compare Source

• Add defParamCharset option for UTF-8 filename support (#​1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.