
chore(express): bump multer 1.4.4 to 1.4.4-lts.1 to fix "CVE-2022-24434" #9686

Merged
merged 1 commit into from
Jun 14, 2022

Conversation

sushant9096
Contributor

@sushant9096 sushant9096 commented May 29, 2022

Signed-off-by: Sushant Zope sushantzope9096@gmail.com

PR Checklist

Please check if your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Other... Please describe:

What is the current behavior?

Issue Number: N/A

What is the new behavior?

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

@coveralls

coveralls commented May 29, 2022

Pull Request Test Coverage Report for Build 0e6ad03a-1c07-4438-87ca-2a407f4faa23

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 94.107%

Totals Coverage Status
Change from base Build 2c609ad3-53bd-44dc-9a1e-0e3b21feab0c: 0.0%
Covered Lines: 5781
Relevant Lines: 6143

💛 - Coveralls

@sushant9096
Contributor Author

sushant9096 commented May 29, 2022

Updated multer package version in packages/platform-express to fix vulnerability.

@sushant9096 sushant9096 changed the title fix(express): vulnerability "CVE-2022-24434" chore(express): bump multer from 1.4.4 to 1.4.4-lts.1 to fix "CVE-2022-24434" May 30, 2022
@sushant9096 sushant9096 changed the title chore(express): bump multer from 1.4.4 to 1.4.4-lts.1 to fix "CVE-2022-24434" chore(express): bump multer1.4.4 to 1.4.4-lts.1 to fix "CVE-2022-24434" May 30, 2022
@sushant9096 sushant9096 changed the title chore(express): bump multer1.4.4 to 1.4.4-lts.1 to fix "CVE-2022-24434" chore(express): bump multer 1.4.4 to 1.4.4-lts.1 to fix "CVE-2022-24434" May 30, 2022
@ShaharAdskAcc

also waiting for it 👍

Signed-off-by: Sushant Zope <sushantzope9096@gmail.com>
@hiagodotme

Until this is released, a workaround to resolve the issue is:

  1. Delete node_modules folder and package-lock.json file
  2. Use npm's override feature to rewrite the multer dependency to 1.4.4-lts.1

Example:

```json
{
    ...
    "overrides": {
        "multer": "^1.4.4-lts.1"
    },
    "dependencies": {
    ...
}
```

Remember to delete package-lock.json and node_modules and reinstall.

@pavleprica

@hiagodotme just to expand that one, it has a requirement of npm >= 8.3.0. More on overriding

@hiagodotme

Thanks @pavleprica, as my npm was up to date I didn't pay attention to this detail.
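The two comments above describe a workaround (an npm `overrides` entry, requiring npm >= 8.3.0, plus a reinstall) but give no way to confirm it took effect. The following is an added example, not code from this PR or from NestJS: it audits a package.json and a lockfileVersion 2/3 package-lock.json for the override and for any copy of multer still resolved below 1.4.4-lts.1. The sample documents and the `-lts.N` ordering rule are assumptions noted in the comments.

```javascript
// Assumed fixed release (from the PR) and minimum npm for "overrides".
const FIXED_MULTER = '1.4.4-lts.1';
const MIN_NPM = '8.3.0';
// "1.4.4-lts.1" -> [1, 4, 4, 1]; "1.4.4" -> [1, 4, 4, 0]. Assumption: the
// "-lts.N" tag is ordered as a post-release of its base version, the way the
// advisory ranges it. Strict semver treats it as a prerelease and would sort
// 1.4.4-lts.1 BELOW 1.4.4, wrongly flagging the fixed release as vulnerable.
function parseVersion(v) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)(?:-lts\.(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1).map((x) => Number(x || 0));
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 4; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every resolved multer in a v2/v3 "packages" map, nested copies included.
function lockedMulterVersions(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith('node_modules/multer'))
    .map(([, pkg]) => pkg.version);
}

// Returns a list of findings; an empty list means the workaround is in place.
function auditMulter(pkgJson, lock, npmVersion) {
  const findings = [];
  if (compareVersions(npmVersion, MIN_NPM) < 0)
    findings.push(`npm ${npmVersion} ignores "overrides"; need >= ${MIN_NPM}`);
  const override = (pkgJson.overrides || {}).multer;
  if (!override || compareVersions(override, FIXED_MULTER) < 0)
    findings.push(`package.json lacks a multer override >= ${FIXED_MULTER}`);
  const versions = lockedMulterVersions(lock);
  if (versions.length === 0) findings.push('no multer resolved in lockfile');
  for (const v of versions)
    if (compareVersions(v, FIXED_MULTER) < 0)
      findings.push(`lockfile still resolves multer ${v} (CVE-2022-24434)`);
  return findings;
}

// Constructed samples: package.json already carrying the override next to a
// stale package-lock.json, i.e. the state before the delete-and-reinstall step.
const samplePkg = { dependencies: { '@nestjs/platform-express': '^8.0.0' },
  overrides: { multer: '^1.4.4-lts.1' } };
const staleLock = { lockfileVersion: 2, packages: {
  'node_modules/@nestjs/platform-express': { version: '8.0.0' },
  'node_modules/multer': { version: '1.4.4' } } };
console.log(auditMulter(samplePkg, staleLock, '8.5.0'));
```

Run it against the real files with `JSON.parse(fs.readFileSync(...))` and the output of `npm --version`; a stale lockfile reports one finding until the reinstall regenerates it.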

@kamilmysliwiec kamilmysliwiec merged commit 5523139 into nestjs:master Jun 14, 2022
@kamilmysliwiec
Member

lgtm
