
Snyk vulnerability through formidable dependency #124

Open

s-huh opened this issue May 25, 2022 · 6 comments

Comments

@s-huh

s-huh commented May 25, 2022

Hi, Snyk is identifying an Arbitrary File Upload vulnerability in my project (deemed as Critical) introduced through: sumo-logger@2.8.1 > superagent@7.1.3 > formidable@2.0.1. It seems to have been fixed in formidable@3.2.4. Are there any plans to update this dependency to eliminate this vulnerability?

@JamesIrish

Likewise, same problem with our application too. npm audit shows the issue as critical and our attempts to use npm-force-resolutions and npm audit fix combinations haven't yielded great results. We can get around it with npm-force-resolutions but that introduces other issues! If this can be fixed in the sumo package that would be ideal. Thanks.

@JamesIrish

Just linking to the open issue on superagent to update their dependency on formidable: ladjs/superagent#1725

@bpolanczyk
Contributor

bpolanczyk commented Jun 2, 2022

I'll take a look and issue a patch release soon. Thanks for finding that out!

@scottdickerson

@bpolanczyk any updates on this? It would be great to be able to upgrade without forcing a local resolution. Thank you!

@markhughes

This is still flagging.

@domcorso-nib

Does anyone have a resolution for this?

We're getting this as a critical severity as of this morning:
GHSA-8cp3-66vr-3r4c

I've also raised an issue with SuperAgent:
ladjs/superagent#1799
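As an added example (not code from sumo-logger, superagent or any commenter in this thread), the Node script below audits a package-lock.json for every installed copy of formidable below the fixed version the opener cites (3.2.4), prints the nesting chain that pulled each copy in, and emits the package.json `overrides` entry (npm 8.3+) that pins the transitive copy, the same effect the commenters reach with npm-force-resolutions. The lockfile excerpt is constructed to mirror the chain reported above, and the `>=3.2.4` override range is an assumption for illustration, not a project recommendation.

```javascript
// Added example (not code from sumo-logger, superagent or any commenter): audit a
// package-lock.json for copies of a package below its fixed version, then pin it.
const SAMPLE_LOCK = { // constructed lockfileVersion 3 excerpt mirroring the issue's chain
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "sumo-logger": "2.8.1" } },
    "node_modules/sumo-logger": { version: "2.8.1" },
    "node_modules/sumo-logger/node_modules/superagent": { version: "7.1.3" },
    "node_modules/sumo-logger/node_modules/superagent/node_modules/formidable": { version: "2.0.1" },
    "node_modules/formidable": { version: "3.2.4" }, // hoisted copy that is already fixed
  },
};

// Minimal major.minor.patch comparison returning -1, 0 or 1 (prerelease tags ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// "node_modules/a/node_modules/b" -> "a > b", the nesting chain npm ls would print.
function chainFromPath(lockPath) {
  return lockPath.split("node_modules/").map((s) => s.replace(/\/$/, "")).filter(Boolean).join(" > ");
}
// Every installed copy of pkgName, flagged when its version is below fixedVersion.
function findVulnerableCopies(lock, pkgName, fixedVersion) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (!lockPath.endsWith("node_modules/" + pkgName)) continue; // also skips the root "" entry
    hits.push({
      chain: chainFromPath(lockPath),
      version: meta.version,
      vulnerable: compareVersions(meta.version, fixedVersion) < 0,
    });
  }
  return hits;
}
// package.json "overrides" entry (npm 8.3+) forcing every transitive copy into the fixed range.
function overrideFor(pkgName, fixedVersion) {
  return { overrides: { [pkgName]: ">=" + fixedVersion } };
}

for (const h of findVulnerableCopies(SAMPLE_LOCK, "formidable", "3.2.4"))
  console.log(`${h.vulnerable ? "VULNERABLE" : "ok"}\t${h.version}\t${h.chain}`);
console.log(JSON.stringify(overrideFor("formidable", "3.2.4")));
```

Replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` to run it against a real project; after adding the override, reinstall and re-run to confirm no copy is still flagged.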
