Sourced from multer's releases.

v2.1.0

Important

• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

What's Changed

• chore: add funding to package.json by @​bjohansebas in expressjs/multer#1346
• chore: drop mkdirp dependency by @​wojtekmaj in expressjs/multer#1350
• chore: drop object-assign dependency by @​wojtekmaj in expressjs/multer#1351
• chore: drop xtend dependency by @​wojtekmaj in expressjs/multer#1352
• chore(gitignore): ignore .nyc_output directory by @​ShubhamOulkar in expressjs/multer#1332
• Fix typo in README-vi.md regarding file upload by @​Kunniii in expressjs/multer#1366
• Fix typo in README-pt-br.md for array method by @​matheushbm192 in expressjs/multer#1367
• headers-support-utf8 by @​Doc999tor in expressjs/multer#1210
• Add Turkish translation (README-tr.md) by @​Sabandogan in expressjs/multer#1360
• Release: 2.1.0 by @​UlisesGascon in expressjs/multer#1371

New Contributors

• @​wojtekmaj made their first contribution in expressjs/multer#1350
• @​ShubhamOulkar made their first contribution in expressjs/multer#1332
• @​Kunniii made their first contribution in expressjs/multer#1366
• @​matheushbm192 made their first contribution in expressjs/multer#1367
• @​Doc999tor made their first contribution in expressjs/multer#1210
• @​Sabandogan made their first contribution in expressjs/multer#1360

Full Changelog: https://github.com/expressjs/multer/compare/v2.0.2...v2.1.0

Sourced from multer's changelog.

2.1.0

• Add defParamCharset option for UTF-8 filename support (#1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

• 809f9dd 2.1.0 (#1371)
• 7399190 🔒 fix orphaned files issue
• cccf0fe 🔒️ improve disconnect handling
• 2c8cd23 docs: add Turkish translation (README-tr.md) (#1360)
• fd3c7d3 feat: add defParamCharset option for UTF-8 filename support (#1210)
• c13ab94 docs: improve readability in README-pt-br.md for array method (#1367)
• e28d678 docs: improve readability (#1366)
• 51529e3 fix: add .nyc_output to .gitignore (#1332)
• b6e4b1f chore: drop xtend dependency (#1352)
• 5c8407f chore: drop object-assign dependency (#1351)
• Additional commits viewable in compare view

Sourced from @​nestjs/platform-express's releases.

v11.1.15

What's Changed

• fix(microservices): if indexOf return 0 will if will be falsy by @​cuiweixie in nestjs/nest#16401
• fix(microservices): introuduce max pattern depth and object complexity by @​kamilmysliwiec in nestjs/nest#16402
• chore(@​nestjs/core): allow override for initializeWildcardHandlersIfE… by @​StNekroman in nestjs/nest#16468
• chore(deps): update dependency @​fastify/middie to v9.2.0 [security] by @​renovate[bot] in nestjs/nest#16472
• fix(deps): update dependency multer to v2.1.0 [security] by @​renovate[bot] in nestjs/nest#16474

New Contributors

• @​cuiweixie made their first contribution in nestjs/nest#16401
• @​StNekroman made their first contribution in nestjs/nest#16468

Full Changelog: https://github.com/nestjs/nest/compare/v11.1.14...v11.1.15

v11.1.14 (2026-02-17)

Bug fixes

• platform-fastify
  • #16384 fix(fastify): fastify middleware bypass cve (@​kamilmysliwiec)
• common
  • #16307 fix: logger print invalid context when no stack trace provided (@​JulienDuf)

Enhancements

• common
  • #16314 fix(common): change requestOrigin type (@​SpencerKaiser)

Committers: 5

• Julien Dufresne (@​JulienDuf)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Mykhailo Skrypsky (@​mixator)
• Spencer Kaiser (@​SpencerKaiser)
• 조수민 (@​suuuuuuminnnnnn)

v11.1.13 (2026-02-03)

Bug fixes

• common
  • #16230 fix(common): Fix skipping maxArrayLength and maxStringLength option (@​chojs23)

Enhancements

• microservices
  • #16286 feat(microservices): support per-handler qos in mqtt (@​suuuuuuminnnnnn)
  • #16262 Feat/microservices configurable max buffer size (@​jobnow)
• common
  • #16202 fix(common): exclude built-in primitives from strip proto keys (@​som14062005)

Dependencies

• platform-fastify
  • #16282 fix(deps): update dependency fastify to v5.7.4 (@​renovate[bot])
• platform-express

... (truncated)

• 6add3d6 chore(release): publish v11.1.15 release
• 1c09faf fix(deps): update dependency multer to v2.1.0 [security]
• 5d31df7 chore(release): publish v11.1.14 release
• 8d1c16c chore: update readme
• e3a958a chore(release): publish v11.1.13 release
• 58c761a fix(deps): update dependency cors to v2.8.6
• 96932ad chore(release): publish v11.1.12 release
• 585f55f chore: revert lerna version
• fef323b chore(release): publish v11.1.11 release
• de5e026 chore(@​nestjs) publish v11.1.10 release
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.