anacronw/multer-s3

The package uses a vulnerable version of file-type

Christian-Toney opened this issue · 3 comments

#185 could fix it, but will that break anything?

I'm having 2 moderate severity vulnerabilities because of this

Same here

Upgrading file-type (e.g. through yarn resolutions) will not work: the API was changed to be async in 13.x, and since multer-s3 is heavily stream/callback based that's not a drop-in or trivial change.

That being said, I looked through the multer-s3 code. Default installations are not affected by the file-type vulnerability, unless your installation is opting into the AUTO_CONTENT_TYPE constant. That is the only place in the library where file-type is called.
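As an added example (not code from the multer-s3 project or from any of the commenters), here is a small Node.js triage script that checks the two things the last comment points at: which copy of file-type the lockfile actually resolves for multer-s3, and whether the application source opts into `multerS3.AUTO_CONTENT_TYPE`, the only path through which multer-s3 calls file-type. The lockfile shape (npm v2/v3 `packages` map), the file names and the version numbers below are constructed assumptions; whether a resolved version falls inside a given advisory's range is left for the reader to compare against that advisory.

```javascript
// Added triage helper, not part of multer-s3. Assumes an npm lockfile in
// v2/v3 format (a top-level "packages" map) and application sources that
// configure multerS3 in the usual way.

// Return every resolved file-type version in the lockfile together with its
// path, so a copy nested under node_modules/multer-s3 is not missed.
function resolvedFileTypeVersions(lockText) {
  const lock = JSON.parse(lockText);
  const packages = lock.packages || {};
  return Object.entries(packages)
    .filter(([p]) => p === 'node_modules/file-type' || p.endsWith('/node_modules/file-type'))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// multer-s3 only invokes file-type when the storage is configured with
// contentType: multerS3.AUTO_CONTENT_TYPE; detect that opt-in in source text.
// Word-boundary match, so a comment mentioning the constant also counts;
// review hits by hand.
const AUTO_CONTENT_TYPE_RE = /\bAUTO_CONTENT_TYPE\b/;

function usesAutoContentType(sourceText) {
  return AUTO_CONTENT_TYPE_RE.test(sourceText);
}

// Combine both signals. "exposed" means the install both carries a copy of
// file-type and opts into the code path that calls it. No version range is
// embedded here; compare fileTypeVersions against the advisory yourself.
function triage(lockText, sourceFiles) {
  const fileTypeVersions = resolvedFileTypeVersions(lockText);
  const optedInFiles = Object.entries(sourceFiles)
    .filter(([, text]) => usesAutoContentType(text))
    .map(([name]) => name);
  return {
    fileTypeVersions,
    optedInFiles,
    exposed: fileTypeVersions.length > 0 && optedInFiles.length > 0,
  };
}

// Constructed sample lockfile (version numbers are illustrative only).
const SAMPLE_LOCK = JSON.stringify({
  name: 'sample-app',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'multer-s3': '2.9.0' } },
    'node_modules/multer-s3': { version: '2.9.0', dependencies: { 'file-type': '^3.3.0' } },
    'node_modules/multer-s3/node_modules/file-type': { version: '3.9.0' },
  },
});

// Constructed sample sources: one default install, one that opts into
// content-type sniffing via AUTO_CONTENT_TYPE.
const SAMPLE_SOURCES = {
  'upload-default.js': [
    "const storage = multerS3({ s3, bucket: 'uploads',",
    '  key: (req, file, cb) => cb(null, Date.now().toString()) });',
  ].join('\n'),
  'upload-sniffed.js': [
    "const storage = multerS3({ s3, bucket: 'uploads',",
    '  contentType: multerS3.AUTO_CONTENT_TYPE,',
    '  key: (req, file, cb) => cb(null, Date.now().toString()) });',
  ].join('\n'),
};

console.log(JSON.stringify(triage(SAMPLE_LOCK, SAMPLE_SOURCES), null, 2));
```

Run it against your own `package-lock.json` and source tree by replacing the two constructed samples; an install that reports `exposed: false` matches the "default installation" case described in the comment above, while `exposed: true` means the file-type code path is reachable and the resolved version should be checked against the advisory.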