ladjs / superagent

Ajax for Node.js and browsers (JS HTTP client). Maintained for @forwardemail, @ladjs, @spamscanner, @breejs, @cabinjs, and @lassjs.
https://ladjs.github.io/superagent/
MIT License
16.58k stars · 1.33k forks

[Snyk] Security upgrade formidable from 2.0.1 to 3.2.4 #1724

Closed titanism closed 2 years ago

titanism commented 2 years ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

#### Changes included in this PR

- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - package.json
  - yarn.lock

#### Vulnerabilities that will be fixed

##### With an upgrade:

Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity
:---:|:---|:---|:---|:---
![critical severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/c.png "critical severity") | **776/1000**<br/>**Why?** Recently disclosed, Has a fix available, CVSS 9.8 | Arbitrary File Upload<br/>[SNYK-JS-FORMIDABLE-2838956](https://snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956) | Yes | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

------------

**Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.*

For more information:

🧐 [View latest project report](https://app.snyk.io/org/titanism/project/e7321481-dea8-428d-aaeb-e78f34e4953c?utm_source=github&utm_medium=referral&page=fix-pr)

🛠 [Adjust project settings](https://app.snyk.io/org/titanism/project/e7321481-dea8-428d-aaeb-e78f34e4953c?utm_source=github&utm_medium=referral&page=fix-pr/settings)

📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities)

---

**Learn how to fix vulnerabilities with free interactive lessons:**

🦉 [Learn about vulnerability in an interactive lesson of Snyk Learn.](https://learn.snyk.io?loc=fix-pr)

ronanwatkins commented 2 years ago

Can this be merged and released ASAP? A lot of people using this library have to sort out this vulnerability quickly.

titanism commented 2 years ago

We can't upgrade because the latest version of formidable is ESM only.

ronanwatkins commented 2 years ago

> We can't upgrade because the latest version of formidable is ESM only.

That's a shame. People will have to move to other libraries.

titanism commented 2 years ago

Please file a request or submit a PR in formidable for the vulnerability fix to be backported to v2.x tag of formidable, the non-ESM version, as it should be backported for community support.

Ref:

tunnckoCore commented 2 years ago

Hi there.

I'm one of the 2 maintainers of formidable for the last few years.

Working on upgrades, and when v3 lands on latest it will definitely have both CJS and ESM versions.

You can still use v2; this CVE is a complete joke and I'm getting tired. Didn't know it's continuing, plus I don't have a response/access to the email where I was talking with some people about whether it is or is not vulnerable.

I'm not sure how superagent uses formidable, but you can stay on v2 for some more short time and just switch to use options.filename and "secure" the things.

titanism commented 2 years ago

No worries at all and not a big deal! Just ping us whenever the release is out.

Thanks @tunnckoCore and have an awesome day 🔥

corydeppen commented 1 year ago

The releases page doesn't show it, but the changelog suggests v3.5.0 may resolve this issue and allow for the upgrade.

jwarykowski commented 5 months ago

Hey @titanism / @tunnckoCore, this appears to have been reviewed and updated recently again. There doesn't appear to be a PR to update this library, and after doing some investigation this was revoked previously.

Does the same apply here?