
The package uses a vulnerable version of file-type #186

Open
Christian-Toney opened this issue Jul 25, 2022 · 3 comments

Comments

@Christian-Toney

#185 could fix it, but will that break anything?

@orangeiris

I'm having 2 moderate severity vulnerabilities because of this

@kitman20022002

Same here

@jbinto

jbinto commented Sep 21, 2022

Upgrading file-type (e.g. through yarn resolutions) will not work: the API was changed to be async in 13.x, and since multer-s3 is heavily stream/callback based, that's not a drop-in or trivial change.

That being said, I looked through the multer-s3 code. Default installations are not affected by the file-type vulnerability, unless your installation is opting into the AUTO_CONTENT_TYPE constant. That is the only place in the library where file-type is called.
