bump busboy up to solve DoS vulnerability#1096

Closed
mrded wants to merge 1 commit into expressjs:master from mrded:patch-1

Conversation


@mrded mrded commented May 20, 2022

Hello,

Snyk is reporting a vulnerability in this repo, that is coming from the Dicer library:

Issues with no direct upgrade or patch:
  ✗ Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JS-DICER-2311764] in dicer@0.2.5
    introduced by multer@1.4.4 > busboy@0.2.14 > dicer@0.2.5
  No upgrade or patch available

This change removes dicer from multer's transitive dependency list.
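A defender's check for the transitive path the Snyk output names, added here as an example and not part of multer or of this PR: it walks a lockfile v1 `dependencies` tree (a constructed lockfile that mirrors the reported versions, not multer's real one) and lists every path that introduces dicer, before and after the busboy bump.

```javascript
// Added example (not multer's code): report every dependency path that
// introduces a given package, the way the Snyk output lists
// "multer > busboy > dicer". Handles the nested package-lock.json v1 layout,
// where each entry may carry its own "dependencies" subtree.

// Constructed lockfile fragment matching the versions in the Snyk report.
const lockBefore = {
  dependencies: {
    multer: {
      version: "1.4.4",
      requires: { busboy: "^0.2.11" },
      dependencies: {
        busboy: {
          version: "0.2.14",
          requires: { dicer: "0.2.5" },
          dependencies: { dicer: { version: "0.2.5" } },
        },
      },
    },
  },
};

// Constructed tree after bumping busboy to 1.x (assumed shape: busboy 1.x
// no longer pulls in dicer, so the subtree disappears).
const lockAfter = {
  dependencies: {
    multer: {
      version: "1.4.4",
      requires: { busboy: "^1.0.0" },
      dependencies: { busboy: { version: "1.0.0" } },
    },
  },
};

// Depth-first walk over the nested tree. Returns one "name@version > ..."
// string per occurrence of `target`, so a package hoisted to several places
// is reported once per path.
function findPaths(lock, target, trail = [], out = []) {
  for (const [name, info] of Object.entries(lock.dependencies || {})) {
    const here = [...trail, `${name}@${info.version}`];
    if (name === target) out.push(here.join(" > "));
    findPaths(info, target, here, out); // descend into this package's own deps
  }
  return out;
}

console.log("before:", findPaths(lockBefore, "dicer"));
console.log("after: ", findPaths(lockAfter, "dicer"));
```

An empty result after the bump is the evidence that the transitive dependency, and with it the reported DoS finding, is actually gone from the lockfile rather than merely hidden by a range change in package.json.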


mrded commented May 20, 2022

As expected, updating busboy 0.2.11 -> 1.0.0 breaks the tests and needs a code update.

@erano067

Hey, I opened a PR that handles the breaking changes.
I have other issues with the busboy version: #1092


mrded commented May 23, 2022

Closing due to a better solution available: #1097

@mrded mrded closed this May 23, 2022
@mrded mrded deleted the patch-1 branch May 23, 2022 09:51