Warning / Errors when using Multer latest version #490

Open
redimongo opened this issue Jun 11, 2022 · 5 comments · Fixed by abitwise/multer-gridfs-storage#1 · May be fixed by #492
Labels
bug A feature or code that is not working properly

Comments

@redimongo

Describe the bug
When using multer version ^1.4.5-lts.1 as well as the latest version of this plugin we get the following error

npm WARN   multer@"^1.4.5-lts.1" from the root project
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer multer@"^1.4.2" from [email protected]
npm WARN node_modules/multer-gridfs-storage
npm WARN   multer-gridfs-storage@"^5.0.2" from the root project
npm WARN 
npm WARN Conflicting peer dependency: [email protected]
npm WARN node_modules/multer
npm WARN   peer multer@"^1.4.2" from [email protected]
npm WARN   node_modules/multer-gridfs-storage
npm WARN     multer-gridfs-storage@"^5.0.2" from the root project

Environment
"multer": "^1.4.5-lts.1",
"multer-gridfs-storage": "^5.0.2",

  • I'm using multer-gridfs-storage version "multer": "^1.4.5-lts.1",

  • My installed MongoDb version is "mongodb": "^4.5.0",

  • I have Multer ^1.4.5-lts.1 installed to upload files

  • The Node version used to run the code is v17.9.0

  • I'm using Mongoose connection objects to create storage instances. The Mongoose version installed is ^6.3.5

To Reproduce
Create a project with this as your package.json

{
  "name": "projectname",
  "version": "0.1.0",
  "private": true,
  "scripts": {
    "dev": "next dev",
    "build": "next build",
    "start": "next start",
    "lint": "next lint"
  },
  "dependencies": {
    "@next-auth/mongodb-adapter": "^1.0.3",
    "@turf/circle": "^6.5.0",
    "@turf/turf": "^6.5.0",
    "axios": "^0.27.2",
    "bootstrap": "^5.1.3",
    "bootstrap-daterangepicker": "^3.1.0",
    "crypto-js": "^4.1.1",
    "d3-request": "^1.0.6",
    "date-fns": "^2.28.0",
    "formidable": "^2.0.1",
    "gridfs-stream": "^1.1.1",
    "jquery": "^3.6.0",
    "mapbox-gl": "^2.8.2",
    "micro": "^9.3.4",
    "moment": "^2.29.3",
    "mongodb": "^4.5.0",
    "mongoose": "^6.3.5",
    "multer": "^1.4.5-lts.1",
    "multer-gridfs-storage": "^5.0.2",
    "multiparty": "^4.2.3",
    "next": "12.1.5",
    "next-auth": "^4.3.1",
    "next-connect": "^0.12.2",
    "react": "18.0.0",
    "react-bootstrap": "^2.3.1",
    "react-bootstrap-daterangepicker": "^7.0.0",
    "react-dom": "18.0.0",
    "react-map-gl": "^7.0.12",
    "recharts": "^2.1.10",
    "uuid": "^8.3.2"
  },
  "devDependencies": {
    "eslint": "8.13.0",
    "eslint-config-next": "12.1.5"
  }
}

Expected behavior
No errors or warnings.

@redimongo redimongo added the bug A feature or code that is not working properly label Jun 11, 2022
zoeesilcock added a commit to zoeesilcock/multer-gridfs-storage that referenced this issue Jun 15, 2022
This is meant to deal with CVE-2022-24434 and should also fix devconcept#490.
@zoeesilcock zoeesilcock linked a pull request Jun 15, 2022 that will close this issue
@redimongo
Author

redimongo commented Jun 28, 2022

@devconcept
Can we please roll this out? How would I do this without it being official? Who knows how long this will take to be approved.

I manually changed the version needed:

"peerDependencies": {
  "multer": "^1.4.5-lts.1"
},

But it seems I can't remove the warning when I install new scripts.

@habur

habur commented Jul 29, 2022

Looks like this issue is caused by the non-standard semver naming scheme multer has chosen to employ:

> semver.satisfies('1.4.5-lts.1', '^1.4.2')
false
> semver.satisfies('1.4.5', '^1.4.2')
true

Given that <1.4.5 is now considered insecure, bumping the dep version to =1.4.5-lts.1 would still be a good idea until the upstream(?) issue is resolved.

@redimongo
Author

Yes, but how do you do that? I changed it in the node_modules folder, but it won't recompile.

@habur

habur commented Jul 29, 2022

Changing it in node_modules/multer-gridfs-storage/package.json probably won’t stick because the next time npm install is run, the change is overwritten. I “solved” the issue by forking this repo, changing the dependency to ^1.4.5-lts, running npm i so that package-lock.json would be updated as well, then committing and pushing. Then, in my actual project, I changed the dependency from "multer-gridfs-storage": "^5.0.2" to "multer-gridfs-storage": "github:habur/multer-gridfs-storage". It’s not ideal since I now have to undo that as soon as either @devconcept updates anything, expressjs/multer reverts their decision on versioning schemes, or npm and/or semver support the MAJ.MIN.PAT-tag.# format.
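
The range behaviour described in the two comments above (the `semver.satisfies` results and the `^1.4.5-lts` change in the fork), as an added example that is not part of the thread and is not the semver package's code: a minimal re-implementation of caret-range matching with the prerelease rule. The function names are hypothetical, and only `^X.Y.Z[-tag]` ranges are handled.

```javascript
// Added example: minimal caret-range matcher, not the semver package itself.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { tuple: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

function cmpTuple(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Prerelease precedence (semver.org, section 11): a release outranks any
// prerelease of the same tuple; numeric identifiers sort below alphanumeric.
function cmpPre(a, b) {
  if (!a.length && !b.length) return 0;
  if (!a.length) return 1;
  if (!b.length) return -1;
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    if (a[i] === b[i]) continue;
    const na = /^\d+$/.test(a[i]), nb = /^\d+$/.test(b[i]);
    if (na && nb) return +a[i] < +b[i] ? -1 : 1;
    if (na !== nb) return na ? -1 : 1;
    return a[i] < b[i] ? -1 : 1;
  }
  return Math.sign(a.length - b.length);
}

function satisfiesCaret(version, range) {
  const v = parse(version), lo = parse(range.replace(/^\^/, ''));
  // Exclusive upper bound: bump the left-most non-zero component.
  const i = lo.tuple.findIndex((n) => n !== 0);
  const k = i === -1 ? 2 : i;
  const hi = lo.tuple.map((n, j) => (j < k ? n : j === k ? n + 1 : 0));
  // Rule behind the npm warning: a version carrying a "-tag" is eligible only
  // when the range itself names a prerelease on the same major.minor.patch.
  if (v.pre.length && !(lo.pre.length && cmpTuple(v.tuple, lo.tuple) === 0)) return false;
  const aboveLo = cmpTuple(v.tuple, lo.tuple) || cmpPre(v.pre, lo.pre);
  return aboveLo >= 0 && cmpTuple(v.tuple, hi) < 0;
}

// Constructed inputs taken from the versions and ranges quoted in this thread.
for (const [v, r] of [['1.4.5-lts.1', '^1.4.2'], ['1.4.5', '^1.4.2'],
  ['1.4.5-lts.1', '^1.4.5-lts'], ['1.4.4', '^1.4.5-lts.1']]) {
  console.log(`${v} satisfies ${r}:`, satisfiesCaret(v, r));
}
```

A range that names the `-lts` tag both admits `1.4.5-lts.1` and excludes releases below 1.4.5, which is why the peer range has to change rather than the installed version.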

@abitwise

I mean, why fork when there is already a pull request here? Please merge it.
