-
-
Notifications
You must be signed in to change notification settings - Fork 211
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump multer to version that removes dicer as sub-dependency #739
Bump multer to version that removes dicer as sub-dependency #739
Conversation
Have you verified that this works as intended, per this comment: expressjs/multer#1097 (comment) ? |
Unfortunately, |
I did, but let me recheck. A 1.4.5 would have been so nice.. |
You are right, a modified local package-lock made it so 1.4.4-lts.1 was installed. Without it I got 1.4.4. |
I will try to downgrade my node and see if I can get a proper lockfile without bumping lockfileVersion. |
With this lockfile it picks the right multer version for me |
I've released |
The problem is: the lockfile is irrelevant for other packages using express-openapi-validator. The test you actually need to perform is having a package depend on your local version of express-openapi-validator, and check how the multer dependency is resolved there. That said, using the new |
Ah of course, stupid me |
fixed in |
1.4.4 version of multer has a DoS vulnerability through a sub-dependency on dicer. 1.4.4-lts.1 bumps their busboy dependency which in turn drops dicer as a dependency.
#735
https://github.com/expressjs/multer/pull/1097/files#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519