darkmsph1t / _spartan

npm project to package & configure common security middleware && add security.js file to code repo
5 stars 0 forks source link

Bump express-fileupload from 1.1.4 to 1.1.9 in /example/example.com #115

Open dependabot[bot] opened 4 years ago

dependabot[bot] commented 4 years ago

Bumps express-fileupload from 1.1.4 to 1.1.9.

Release notes

Sourced from express-fileupload's releases.

1.1.9

Updates:

Second prototype pollution security vulnerability fix when using processNested (#236)

1.1.8

Updates:

Fixed prototype pollution security vulnerability when using processNested (#236)

1.1.7-alpha.4

Updates:

  • Updated README.md thanks to @tycrek , @eartharoid, @Code42Cate
  • Some code refactoring to make it lighter and more readable.
  • Updated dependencies.

Fixes:

  • Fix empty file issue(#226)
  • Fix temp file write timing issue(#184). Thanks to @somewind
  • Add empty file name check for parseFileName, issue(#187).
  • Write Timing Crash #192
  • when file.on('data') event timeouts, the case isn't handled properly #202
  • Do not create empty temporary files for empty file fields #191

1.1.6

Updates

  • Add debug option and debug logging output for upload process.
  • Invoke cleanup in case of abortOnLimit=true to delete temporary file when limit reached(#155 ).
  • if possible, module uses fs.rename instead of copying + deleting to move uploaded files(#158).
  • Add busboy unpipe when closing connection. Thanks to @shel.
  • uploadTimeout(default is 60000 msec) option.
  • Add timeout check for data handler, which triggers cleanup of the temp files in case of no data come during time configured in option uploadTimeout.
  • Fixing vulnerability: middleware checks filename and cut off it if length more then 255 characters.

v1.1.5

Updates

  • Add uri decoding for file names see uriDecodeFileNames option in docs.
  • createParentPath now creates folder recursevly, thanks to @closingin
  • Add fileSize to Buffer.concat that should increase performance for in memory uploads.
Commits
  • fd40389 version bump
  • 94c9cf9 prototype pollution fix #2
  • 829f395 version bump
  • db49535 Merge pull request #237 from richardgirges/fix-236-proto-pollution
  • d81bee9 Upgrade latest packages; run npm audit fix; add logic to prevent prototype po...
  • e9848fc Update package-lock.json
  • d536cfb Update package.json
  • c7a6b9c Merge pull request #233 from RomanBurunkov/master
  • a53b93f Update tests to support empty files
  • d8c00c5 Add empty files support for tempFileHandler
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by richardgirges, a new releaser for express-fileupload since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/darkmsph1t/_spartan/network/alerts).