ladjs / superagent

Ajax for Node.js and browsers (JS HTTP client). Maintained for @forwardemail, @ladjs, @spamscanner, @breejs, @cabinjs, and @lassjs.
https://ladjs.github.io/superagent/
MIT License
16.56k stars, 1.33k forks

Arbitrary File Upload in formidable versions <3.2.4 #1725

Closed SimonEspositoTG closed 2 years ago

SimonEspositoTG commented 2 years ago

Snyk has detected a critical level vulnerability in formidable versions <3.2.4. The vulnerability allows attackers to execute arbitrary code via a crafted filename.

https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956

superagent is currently compatible with version 2.0.1

ejodet commented 2 years ago

Do you have an estimate on when this might be fixed (by adopting formidable 3.2.4)?

titanism commented 2 years ago

Please file a request or submit a PR in formidable for the vulnerability fix to be backported to the v2.x tag of formidable, the non-ESM version, as it should be backported for community CJS support.

Ref:

dpace-cs commented 2 years ago

Looks like Formidable will not be backporting a fix and they recommend upgrading to v3 as "the codebase between v3 and v2 is almost the same". https://github.com/node-formidable/formidable/issues/856#issuecomment-1150180165

titanism commented 2 years ago

We are going to wait until they release a new version with both CJS and ESM support (as @tunnckoCore has shared they plan to do). The vulnerability is not as severe as everyone is making it out to be. Please read the CVE completely.

tunnckoCore commented 2 years ago

Check this too https://medium.com/@zsolt.imre/cve-2022-29622-in-vulnerability-analysis-5cf783c3721

tunnckoCore commented 2 years ago

Also, if someone PRs to the v2 branch (master is v3) with the changes and my recent comments from this PR https://github.com/node-formidable/formidable/pull/857, we can land a v2 patch version sooner than the v3 cjs/esm thing.

My comment on 856 was before seeing this PR.

titanism commented 2 years ago

@tunnckoCore we can gladly award a bug bounty over PayPal if you're able to do this quicker than we can - a bit tied up at the moment!

tunnckoCore commented 2 years ago

I can try in the next few hours, or ultimately next 2-3 days.

titanism commented 2 years ago

@tunnckoCore np 😄 you rock 🤘

Also we've had a lot of success using np for releases (and generating nice release pages) (it doesn't auto-add to the CHANGELOG.md though, maybe you can use generate-changelog separately or deprecate the CHANGELOG.md in favor of Releases tab; which I've seen a lot of projects doing lately). Hard to maintain both let alone the code!

tunnckoCore commented 2 years ago

Yea.. There have been plans to switch to a monorepo for quite some time, and I'm curious to try Nrwl's Nx + Lerna.

Ultimately release v3 & v4 to latest soon, and drop and deprecate all older versions altogether, because v2 is already 1 and a half years old; many should have already switched.

Turns out managing multiple parallel versions on an old codebase (since node 0.6-8), millions of downloads, and a team of two.. isn't working well haha..

titanism commented 2 years ago

The advisory has been revoked https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956.

titanism commented 2 months ago

🚀 v9.0.0 released to npm 🚀

https://github.com/ladjs/superagent/releases/tag/v9.0.0

ref: https://github.com/ladjs/superagent/pull/1800

Forward Email https://forwardemail.net