Closed SimonEspositoTG closed 2 years ago
Do you have an estimate on when this might be fixed (by adopting formidable 3.2.4)?
Please file a request or submit a PR in formidable for the vulnerability fix to be backported to the v2.x tag of formidable, the non-ESM version, as it should be backported for community CJS support.
Ref:
Looks like Formidable will not be backporting a fix and they recommend upgrading to v3 as "the codebase between v3 and v2 is almost the same". https://github.com/node-formidable/formidable/issues/856#issuecomment-1150180165
We are going to wait until they release a new version with both CJS and ESM support (as @tunnckoCore has shared they plan to do). The vulnerability is not as severe as everyone is making it out to be. Please read the CVE completely.
Also, if someone submits a PR to the v2 branch (master is v3) with the changes and my recent comments from this PR https://github.com/node-formidable/formidable/pull/857, we can land a v2 patch version sooner than the v3 cjs/esm thing.
My comment on 856 was before seeing this PR.
@tunnckoCore we can gladly award a bug bounty over PayPal if you're able to do this quicker than we can - a bit tied up at the moment!
I can try in the next few hours, or ultimately next 2-3 days.
@tunnckoCore np 😄 you rock 🤘
Also we've had a lot of success using np for releases (and generating nice release pages) (it doesn't auto-add to the CHANGELOG.md though, maybe you can use generate-changelog separately or deprecate the CHANGELOG.md in favor of Releases tab; which I've seen a lot of projects doing lately). Hard to maintain both let alone the code!
Yea.. There have been plans to switch to a monorepo for quite some time, and I'm curious to try Nrwl's Nx + Lerna.
Ultimately release v3 & v4 to latest soon, and drop and deprecate all older versions altogether, because v2 is already 1 and a half years old, many should have already switched.
Turns out managing multiple parallel versions on an old codebase (since node 0.6-8), millions of downloads, and a team of two.. isn't working well haha..
The advisory has been revoked https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956.
🚀 v9.0.0 released to npm 🚀
https://github.com/ladjs/superagent/releases/tag/v9.0.0
ref: https://github.com/ladjs/superagent/pull/1800
Forward Email https://forwardemail.net
Snyk has detected a critical level vulnerability in formidable versions <3.2.4. The vulnerability allows attackers to execute arbitrary code via a crafted filename.
https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956
superagent is currently compatible with version 2.0.1