
deps: upgrade multer to resolve vulnerability #11215

Conversation

vince-fugnitto

What it does

The pull request fixes a known security vulnerability in dicer, which was pulled in by multer.
The changes include upgrading multer to a version that does not have the vulnerability, as it no longer pulls in dicer.

How to test

  1. Perform yarn audit on master: there should be output regarding dicer.

    $ yarn audit
    yarn audit v1.22.4
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ high          │ Crash in HeaderParser in dicer                               │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ dicer                                                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ No patch available                                           │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ @theia/filesystem                                            │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ @theia/filesystem > multer > busboy > dicer                  │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://www.npmjs.com/advisories/1070404                     │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
  2. Perform yarn audit with this branch: there should no longer be any vulnerabilities reported.

    $ yarn audit
    yarn audit v1.22.4
    0 vulnerabilities found - Packages audited: 1987
    Done in 1.39s.
    

Review checklist

Reminder for reviewers

Signed-off-by: vince-fugnitto [email protected]
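The "How to test" steps above compare yarn audit output by eye. The script below is an added example (not code from this pull request or from the Theia project) that does the same check mechanically, so a CI job can fail when a transitive dependency such as dicer reappears. It assumes the yarn v1 `yarn audit --json` format: one JSON object per line, with `"type": "auditAdvisory"` for each finding and `"type": "auditSummary"` at the end; the sample audit lines embedded in the block are constructed from the advisory shown above, not captured output.

```python
"""Gate a build on `yarn audit --json` output.

Added example for this pull request; it is not Theia's or multer's code.
Assumed format (yarn v1 NDJSON audit): one JSON object per line whose
"type" is "auditAdvisory" (one per finding) or "auditSummary".
"""
import json
import subprocess

# Severities as reported by yarn/npm audit, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def parse_yarn_audit(ndjson):
    """Return one dict per advisory finding: module, severity, title, path, url.

    `path` is the dependency chain yarn reports, e.g.
    "@theia/filesystem>multer>busboy>dicer".
    """
    findings = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("type") != "auditAdvisory":
            continue  # skip auditSummary and any other record types
        data = record["data"]
        advisory = data["advisory"]
        findings.append({
            "module": advisory["module_name"],
            "severity": advisory["severity"],
            "title": advisory["title"],
            "path": data["resolution"]["path"],
            "url": advisory.get("url", ""),
        })
    return findings


def failing_findings(findings, threshold="high"):
    """Findings at or above `threshold` severity (the ones that should fail CI)."""
    floor = SEVERITY_ORDER.index(threshold)
    return [f for f in findings if SEVERITY_ORDER.index(f["severity"]) >= floor]


def transitive_via(findings, package):
    """Findings whose dependency chain passes through `package` (e.g. "multer")."""
    return [f for f in findings if package in f["path"].split(">")]


def run_yarn_audit(cwd="."):
    """Run `yarn audit --json` in `cwd` and return its stdout.

    yarn exits non-zero when it finds vulnerabilities, so do not use check=True.
    """
    proc = subprocess.run(["yarn", "audit", "--json"], cwd=cwd,
                          capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample: the dicer advisory from this PR, in the assumed JSON shape.
SAMPLE_BEFORE = "\n".join([
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 1070404, "path": "@theia/filesystem>multer>busboy>dicer",
                       "dev": False, "optional": False, "bundled": False},
        "advisory": {"id": 1070404, "module_name": "dicer", "severity": "high",
                     "title": "Crash in HeaderParser in dicer",
                     "url": "https://www.npmjs.com/advisories/1070404"}}}),
    json.dumps({"type": "auditSummary", "data": {
        "vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 1, "critical": 0},
        "dependencies": 1987}}),
])

# Constructed sample for the fixed branch: summary only, no findings.
SAMPLE_AFTER = json.dumps({"type": "auditSummary", "data": {
    "vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 0},
    "dependencies": 1987}})


if __name__ == "__main__":
    import sys
    bad = failing_findings(parse_yarn_audit(run_yarn_audit()), "high")
    for f in bad:
        print(f'{f["severity"]}: {f["module"]} via {f["path"]} ({f["url"]})')
    sys.exit(1 if bad else 0)
```

Run as `python audit_gate.py` from the repository root; the exit status is 1 when any high or critical advisory is present, which mirrors the before/after check in the steps above without depending on yarn's own exit code.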

The commit upgrades `multer` to fix a security vulnerability in `dicer`
which it previously used.

Signed-off-by: vince-fugnitto <[email protected]>
@vince-fugnitto vince-fugnitto added security issues related to security dependencies pull requests that update a dependency file labels May 30, 2022

@msujew msujew left a comment


Thanks Vince! I can confirm that the update resolves the yarn audit vulnerabilities 👍


@paul-marechal paul-marechal left a comment


The range looks weird but we can always update it later.

@paul-marechal

Ok, see expressjs/multer#1097 (comment) for the reason behind the weird range.

@vince-fugnitto vince-fugnitto merged commit ede3d6f into master May 30, 2022
@vince-fugnitto vince-fugnitto deleted the vf/multer branch May 30, 2022 15:20
@github-actions github-actions bot added this to the 1.27.0 milestone May 30, 2022