symphonicc / multer-azure-blob-storage

ES6 & Typescript friendly multer storage engine for Azure's blob storage.
MIT License

Pinned dependencies (Security vulnerability in dicer - CVE-2022-24434) #24

Closed soulchild closed 2 years ago

soulchild commented 2 years ago

Is there a reason why all dependencies are pinned to specific versions? Whenever there's a patch-level fix for any of the dependencies, this package needs to be updated as well which kind of defeats the purpose. Also, the maintainer @Sliverb seems to be rather unresponsive, further complicating things in case a new release is necessary.

The reason I'm asking is because there's a nasty security vulnerability in dicer, which is used by busboy, which is used by multer, and when a fix eventually gets released (hopefully as a patch-level release, i.e. 1.4.x), this package won't pick it up automatically, requiring a manual fix and release.

Or am I missing something here?
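The two points made in the comment above, that an exact pin never admits a later patch release and that the vulnerable package sits several levels down the tree (multer -> busboy -> dicer), can be checked mechanically. The following is an added example written for this page; it is not code from multer-azure-blob-storage or from anyone in the thread. The package names are the ones the issue mentions, but every version number and the shape of the dependency tree are constructed for illustration, and `satisfies` is a minimal reimplementation of three npm range forms (exact, `~`, `^`) rather than the real `semver` package.

```javascript
// Added example, not project code. Versions and tree shape below are constructed.

// Parse "x.y.z" into [x, y, z]. Prerelease tags and build metadata are out of scope.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Does the declared range admit `candidate`?
//   "1.4.2"  exact pin: only that one version
//   "~1.4.2" patch-level updates: >=1.4.2 <1.5.0
//   "^1.4.2" npm caret: same major for major>=1; same minor for 0.x; exact for 0.0.z
// Assumption: single-clause ranges only (no "||", no ">=" comparators, no "x"/"*").
function satisfies(range, candidate) {
  const c = parseVersion(candidate);
  if (range.startsWith('~')) {
    const base = parseVersion(range.slice(1));
    return compare(c, base) >= 0 && c[0] === base[0] && c[1] === base[1];
  }
  if (range.startsWith('^')) {
    const base = parseVersion(range.slice(1));
    if (compare(c, base) < 0) return false;
    if (base[0] !== 0) return c[0] === base[0];
    if (base[1] !== 0) return c[0] === 0 && c[1] === base[1];
    return c[0] === 0 && c[1] === 0 && c[2] === base[2];
  }
  return compare(c, parseVersion(range)) === 0;
}

// Constructed resolved tree: name -> installed version + declared ranges on its deps.
// Shaped like the issue describes (exact pin on multer; dicer reached only via busboy).
const EXAMPLE_TREE = {
  'multer-azure-blob-storage': { version: '1.1.0',
    dependencies: { multer: '1.4.2', '@azure/storage-blob': '12.8.0' } },
  multer: { version: '1.4.2', dependencies: { busboy: '^0.2.11' } },
  busboy: { version: '0.2.14', dependencies: { dicer: '0.2.5' } },
  dicer: { version: '0.2.5', dependencies: {} },
  '@azure/storage-blob': { version: '12.8.0', dependencies: {} },
};

// All dependency chains from `root` down to `target` (depth-first, cycle-safe).
function chainsTo(tree, root, target) {
  const found = [];
  const walk = (name, path) => {
    if (path.includes(name)) return;          // cyclic dependency: stop
    const next = [...path, name];
    if (name === target) { found.push(next); return; }
    const node = tree[name];
    if (!node) return;                        // unresolved package: nothing to walk
    for (const dep of Object.keys(node.dependencies)) walk(dep, next);
  };
  walk(root, []);
  return found;
}

// Simulate a patch-level fix of `version`: x.y.z -> x.y.(z+1).
function nextPatch(version) {
  const [maj, min, pat] = parseVersion(version);
  return `${maj}.${min}.${pat + 1}`;
}

// For each link in a chain, would the parent's declared range pick up a patch
// release of the child without the parent itself being re-released?
function auditChain(tree, chain) {
  const report = [];
  for (let i = 0; i + 1 < chain.length; i++) {
    const parent = chain[i], child = chain[i + 1];
    const range = tree[parent].dependencies[child];
    const patched = nextPatch(tree[child].version);
    report.push({ parent, child, range, patched, autoUpdates: satisfies(range, patched) });
  }
  return report;
}

// Stand-alone run: show which links block a dicer fix from flowing upward.
for (const chain of chainsTo(EXAMPLE_TREE, 'multer-azure-blob-storage', 'dicer')) {
  console.log(chain.join(' -> '));
  for (const r of auditChain(EXAMPLE_TREE, chain)) {
    console.log(`  ${r.parent} declares ${r.child}@${r.range}; patch ${r.patched} ` +
      (r.autoUpdates ? 'is picked up automatically' : 'requires a new release of ' + r.parent));
  }
}
```

In the constructed tree only the `^0.2.11` link admits a patch release; both exact pins (`multer` in this package, `dicer` in busboy) would need a new release of the pinning package before the fix reaches an installer. Against a real install the equivalent checks are `npm ls dicer` to print the actual chain and `npm audit` to match installed versions against advisories; this example only makes visible why pinning blocks the automatic path.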

Sliverb commented 2 years ago

Hi @soulchild

Sorry I have been MIA. The dependencies were pinned to make sure usage is consistent across pulls. Just a personal preference.

I'm unable to make the change right away, but if you are able to, can you create a PR to update the deps and remove the pins? I'll get it merged right away.

If you would also like to be a maintainer, happy to add you :)

Thanks for raising this issue