Closed titanism closed 2 years ago
Can this be merged and released ASAP? A lot of people using this library have to sort out this vulnerability quickly.
We can't upgrade because the latest version of formidable is ESM only.
That's a shame. People will have to move to other libraries.
Please file a request or submit a PR in formidable for the vulnerability fix to be backported to v2.x tag of formidable, the non-ESM version, as it should be backported for community support.
Ref:
Hi there.

I'm one of the 2 maintainers of formidable for the last few years.

Working on upgrades, and when v3 lands on latest it will definitely have both CJS and ESM versions.

You can still use v2; this CVE is a complete joke and I'm getting tired. Didn't know it's continuing, plus I don't have a response/access to the email where I was talking with some people about whether it is or is not vulnerable.

I'm not sure how superagent uses formidable, but you can stay on v2 for a short while longer and just switch to using `options.filename` and "secure" the things.
No worries at all and not a big deal! Just ping us whenever the release is out.
Thanks @tunnckoCore and have an awesome day 🔥
The releases page doesn't show it, but the changelog suggests v3.5.0 may resolve this issue and allow for the upgrade.
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.
#### Changes included in this PR

- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - package.json
  - yarn.lock
- Upgrades `formidable` from 2.0.1 to 3.2.4 (flagged by Snyk as a breaking change).

#### Vulnerabilities that will be fixed

##### With an upgrade:

Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity
:---:|:---|:---|:---|:---
![critical severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/c.png "critical severity") | **776/1000** **Why?** Recently disclosed, Has a fix available, CVSS 9.8 | Arbitrary File Upload [SNYK-JS-FORMIDABLE-2838956](https://snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956) | Yes | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

------------

**Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.*

For more information:
🧐 [View latest project report](https://app.snyk.io/org/titanism/project/e7321481-dea8-428d-aaeb-e78f34e4953c?utm_source=github&utm_medium=referral&page=fix-pr)
🛠 [Adjust project settings](https://app.snyk.io/org/titanism/project/e7321481-dea8-428d-aaeb-e78f34e4953c?utm_source=github&utm_medium=referral&page=fix-pr/settings)
📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities)

---

**Learn how to fix vulnerabilities with free interactive lessons:**
🦉 [Learn about vulnerability in an interactive lesson of Snyk Learn.](https://learn.snyk.io?loc=fix-pr)