Open sewellstephens opened 2 months ago
I was able to replicate this with this package.json.

```json
{
  "name": "multer-1254",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "multer": "^1.4.2"
  }
}
```
Snyk is alerting for SNYK-JS-DICER-2311764, but it is not shown on the Multer page. I found that confusing at the beginning, but after doing further research I got a better understanding.

By checking the dependencies we can see that `busboy@0.2.14` depends on `dicer@0.2.5` (see). Multer depends on `busboy@^0.2.11` (see):
```json
"node_modules/busboy": {
  "version": "0.2.14",
  "resolved": "https://registry.npmjs.org/busboy/-/busboy-0.2.14.tgz",
  "integrity": "sha512-InWFDomvlkEj+xWLBfU3AvnbVYqeTWmQopiW0tWWEy5yehYm2YkGEc59sUmw/4ty5Zj/b0WHGs1LgecuBSBGrg==",
  "dependencies": {
    "dicer": "0.2.5",
    "readable-stream": "1.1.x"
  },
  "engines": {
    "node": ">=0.8.0"
  }
}
```
Currently there is no fix available for `dicer` (I was not able to find an open discussion either), so maybe we can upgrade `busboy` to v1.0.0 (see comparison details), as this version removes `dicer` and includes `streamsearch`, but this will drop Node.js support to >=10.16.0 for `multer`.

That said ... I am not very familiar with `multer` internals or `busboy`, so maybe this CVE is not affecting us due to the way we are using the dependencies? :thinking:
1.4.2 is deprecated. Update to 1.4.5-lts.1, as it uses busboy 1.0.0, which resolves the vulnerability 👍
Discussed in https://github.com/expressjs/multer/discussions/1253