DoS vulnerability from dicer@0.2.5

[mrded]

Hello,

Snyk is reporting a vulnerability in this repo, that is coming from the Dicer library:

Issues with no direct upgrade or patch:
  ✗ Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JS-DICER-2311764] in dicer@0.2.5
    introduced by multer@1.4.4 > busboy@0.2.14 > dicer@0.2.5
  No upgrade or patch available

Updating busboy@^1.0.0 drops the dependency on dicer (where the vuln comes from).

Thanks

[mrded]

#1096

[mrded]

Better solution: #1097

[krsubbar]

@mrded Thanks for raising this PR 1097. Request the team to merge this soon. As github is also reporting a high vulnerability which will get fixed with this busboy version upgrade. GHSA-wm7h-9275-46v2

[roneyantony]

High Crash in HeaderParser in dicer

Package dicer

Patched in No patch available

Dependency of multer

Path multer > busboy > dicer

[victorKariuki]

We need that fix, i don't like Severity: high, a warning is fine not red notifications.

[1yzz]

I need this

[LinusU]

This is fixed in version 1.4.5-lts.1. That version has a breaking change in that it's not compatible with older versions of Node.js anymore. If anyone can contribute a backwards-compatible patch we could release that as 1.4.5 without the -lts.1 postfix.

[victorKariuki]

Thank you it works.

[123NeNaD]

What versions of Node are compatible?

[LinusU]

What versions of Node are compatible?

v10.16.0 or newer