🚨 [security] [backend] Update multer 1.4.3 → 2.0.2 (major) #419
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ multer (1.4.3 → 2.0.2) · Repo · Changelog
Security Advisories 🚨
🚨 Multer vulnerable to Denial of Service via unhandled exception from malformed request
🚨 Multer vulnerable to Denial of Service via unhandled exception
🚨 Multer vulnerable to Denial of Service via memory leaks from unclosed streams
🚨 Multer vulnerable to Denial of Service from maliciously crafted requests
Release Notes
2.0.2
2.0.1
2.0.0
1.4.4 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 68 commits:
🔖 2.0.2🥅 improve error handling🔖 2.0.1Fixes https://github.com/expressjs/multer/issues/1233. Makes multer handle missing field names.ci: apply security best practices (#1311)📝 list languages in table to prevent GH right-aligning list due to RTL languagedeps: update dependencies to latest versions (#1328)♻️ use version tag for CI, fix CI badge, fix references to master/main📝 fix badges in translation files (#1321)ci: change branch referenceci: change branch referencedocs: update badge links in docs (#1273)docs: remove reference to `--save` npm flag (#929)chore: fix typo (#993)Merge pull request #1317 from expressjs/master-v2-merge-fixMerge branch 'master' into v2📝 fix changelog information (#1316)🐛 drain stream. fixes regression in node 18, remove old CI, set minimum node version, fix readme badges, add .npmrcdocs: update readme badges (#1268)ci: add CodeQL (SAST) (#1289)ci: use `ubuntu-latest` as default runner (#1308)ci: add ci pipeline to `lts` branch (#1302)docs: remove unfortunate abbreviation from readme (#1299)chore: upgrade scorecard workflow pinned action versions (#1290)Merge pull request #1294 from expressjs/lu-test-1177test: add test for out-of-band error eventversion: 1.4.5-lts.2history: 1.4.5-lts.2test: add test for out-of-band error eventMerge pull request #1177 from max-mathieu/fix/unhandled-busboy-errordocs: improve readability (#1255)Fix out-of-band error event from busboyci: replace travis with github action (#1259)ci: add support for OSSF scorecard reporting (#1260)docs: update texts in pt-br and remove duplicated references in ko (#1252)docs: replace link (#1251)Merge pull request #1232 from eugene0928/masterdoc: fix typodoc: uzb lang addeddoc: uzbek languageMerge pull request #1204 from vitorRibeiro7/masterUpdate README-pt-br.mdUpdate README-pt-br.mdUpdate README-pt-br.mdUpdate README-pt-br.mdUpdate README-pt-br.mdMerge pull request #1182 from AlanLg/masterTweak indentationTranslated to frenchMerge pull request #1174 from juliomontenegro/masterImproved documentation translation to SpanishMerge pull request #1169 from Mohamed-Abdelfattah/masterUpdate README.md to fix issue #1114Merge pull request #762 from 3imed-jaberi/arabic-translationsync with latest update ..Merge branch 'master' into arabic-translationversion: 1.4.5-lts.1history: 1.4.5-lts.1version: 1.4.4-lts.1history: 1.4.4-lts.1fix(cve): bump busboy to fix CVE-2022-24434version: 1.4.4history: 1.4.4Handle missing field names (#913)Fix spelling misstakes in README-es.mdMerge pull request #803 from khacpv/masterMerge branch 'master' into masterMerge pull request #948 from Collabos/masterCommits
See the full diff on Github. The new version differs by 31 commits:
package: bump version to v1.6.0multipart: ignore remaining data instead of forcefully endingpackage: bump version to v1.5.0multipart: handle empty data from streamsearchreadme: fix deprecated os.tmpDir in examplelib: add support for default param charset for non-extended paramspackage: bump version to v1.4.0lib: make the module easier to bundle againreadme: fix README `mimeType` parameter inconsistencypackage: bump version to v1.3.0multipart: fully reset state on successful header parsepackage: bump version to v1.2.0multipart: only skip parts with bad headerspackage: bump version to v1.1.0test: fix lint issuemultipart: fix file stream stalling with lookbehind datareadme: fix markdown renderingreadme: fix examplereadme: add link to v1.0.0 changespackage: bump version to v1.0.0lib,test: rewrite implementationci: add node v12lib: don't decode params with encodings twicebump versionreadme: fix node version to match package.jsonlib: simplify basename()bump versionci: update node brancheslib,test: remove readable-stream, use new Buffer APImultipart: fix hang when upstream stops readingreadme: remove pledgie linkCommits
See the full diff on Github. The new version differs by 2 commits:
2.0.0readable-stream@3.0.2 (#61)Sorry, we couldn't find anything useful about this release.
Release Notes
3.6.2
3.6.0
3.5.0
2.3.8
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Commits
See the full diff on Github. The new version differs by 10 commits:
package: bump version to v1.1.0package: update dev dependency versionslib: simplify range checks and data copyinglib: improve performancelib: add destroy() and additional callback argumentpackage: bump version to 1.0.0ci: add workflows for test running and lintingmodernize and optimize code, add tests and a lint configlib: more DRYlintCommits
See the full diff on Github. The new version differs by 55 commits:
Bumped v1.3.0.Merge pull request #15 from feross/patch-1safe-buffer@~5.2.0Bumped v1.2.0.Merge pull request #12 from nodejs/use-npm-legacy-node-4Use npm legacy in node 4Merge pull request #11 from fabiosantoscode/patch-1Update package.jsonBumped v1.1.1Merge pull request #8 from goto-bus-stop/repo-urlUpdate repository URLs to reflect move to orgBumped v1.1.0.Merge pull request #6 from nodejs/update-8-9-4Back support for Node < 8.Added npm run ci.fixed tests in old nodes.Update to node 8.9.4.Merge pull request #7 from vsemozhetbyt/patch-1Added .travis.yml.doc: fix typo in README.mdMerge pull request #4 from nodejs/add-streams-wgadded streams-wg details1.0.3Merge pull request #6 from EsrefDurna/masterupdated package safe-buffer from 5.0.1 to 5.1.0Bumped v1.0.2.Merge pull request #5 from rvagg/do-not-depend-using-caretDo not depend on safe-buffer using caret.Bumped v1.0.1.Merge pull request #3 from calvinmetcalf/safe-bufferand correct node version, againsafe-bufferRemoved saucelabs badgeBumped v1.0.0.Merge pull request #2 from rvagg/update-to-latest-coreSupport for Node v0.8.Updated the LICENSE to the nodejs one.Updated README.Updated to node v7.8.0.remove build/ and test/ from packageremove build/ and test/ from packageignore build and test for deploys@0.11.10-1 fix missing Buffer.isEncoding on Node 0.8missing Buffer.isEncoding() on Node 0.8fix missing Buffer.isEncoding on Node 0.80.11.10pulled in changes from Node 0.11.100.10.24update package.json0.0.1added README, fixed LICENCE to match Joyent'sadded back Buffer as a require()current version + testsadded and adapted scraper from readable-streampackage.json etc, implementation ripped from browser-builtins🗑️ core-util-is (removed)
🗑️ dicer (removed)
🗑️ isarray (removed)
🗑️ process-nextick-args (removed)
👉 No CI detected
You don't seem to have any Continuous Integration service set up!
Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.
This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:
* [Circle CI](https://circleci.com), [Semaphore ](https://semaphoreci.com) and [Github Actions](https://docs.github.com/actions) are all excellent options. * If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github. * If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with `depfu/`.Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands