The package uses a vulnerable version of file-type

[Christian-Toney]

185 could fix it, but will that break anything?

[orangeiris]

I'm having 2 moderate severity vulnerabilities because of this

[kitman20022002]

Same here

[jbinto]

Upgrading file-type (e.g. through yarn resolutions) will not work, the API was changed to be async in 13.x, and since multer-s3 is heavily stream/callback based that's not a drop-in or trivial change.

That being said, I looked through the multer-s3 code. Default installations are not affected by the file-type vulnerability, unless your installation is opting into the AUTO_CONTENT_TYPE constant. That is the only place in the library where file-type is called.