From 2082bb61fed9a86393d0cc2d74689a2c37e7c1dd Mon Sep 17 00:00:00 2001
From: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Date: Sat, 4 Apr 2026 23:15:04 -0700
Subject: [PATCH] fix(security): bump multer to 2.1.1 to fix HIGH CVEs

Bumps multer from ^2.0.2 to ^2.1.1 in server/package.json to resolve three HIGH-severity DoS vulnerabilities:
- GHSA-xf7r-hgr6-v32p (incomplete cleanup)
- GHSA-v52c-386h-88mc (crafted multipart)
- GHSA-2m88-8c7h-36gr (resource exhaustion)
All three are fixed in multer >= 2.1.0.
Fixes #2753
---
 server/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/package.json b/server/package.json
index b2d17ad3..a4d1407d 100644
--- a/server/package.json
+++ b/server/package.json
@@ -68,7 +68,7 @@
 "express": "^5.1.0",
 "hermes-paperclip-adapter": "^0.2.0",
 "jsdom": "^28.1.0",
- "multer": "^2.0.2",
+ "multer": "^2.1.1",
 "open": "^11.0.0",
 "pino": "^9.6.0",
 "pino-http": "^10.4.0",