jaydenseric / graphql-upload

Middleware and an Upload scalar to add support for GraphQL multipart requests (file uploads via queries and mutations) to various Node.js GraphQL servers.
https://npm.im/graphql-upload
MIT License

NPM package dicer DoS vulnerability #363

Closed: makandz closed 1 year ago

makandz commented 1 year ago

There seems to be a vulnerability within dicer with no known fix from the Snyk Vulnerability Database (https://security.snyk.io/vuln/SNYK-JS-DICER-2311764).

There appears to be a PR open on dicer to resolve this but it's been open since 2021 with no merge. https://github.com/mscdex/dicer/pull/22

Is this known and are there any plans to move away from dicer to an alternative?

makandz commented 1 year ago

I should also probably mention that this package dicer is coming from busboy.

makandz commented 1 year ago

🤦 ignore this, turns out I was on an older version of graphql-upload.