Vulnerability - Regular Expression Denial of Service

[dtiziani]

Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Reference: https://nodesecurity.io/advisories/535

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ mime                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 1.4.1 < 2.0.0 || >= 2.0.3                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ s3                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ s3 > mime                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/535                       │
└───────────────┴──────────────────────────────────────────────────────────────┘```

[ronin3]

The 'mime' version in package.json needs to be updated in s3 package , it seems currently the mime version is held at 1.2.x ( i.e. "mime": "~1.2.11"), we need >= 1.4.1 < 2.0.0 || >= 2.0.3 to get patch; https://github.com/broofa/node-mime/commit/855d0c4b8b22e4a80b9401a81f2872058eae274d