DoS vulnerability from dicer@0.2.5
mrded opened this issue · 15 comments
Hello,
Snyk is reporting a vulnerability in this repo, that is coming from the Dicer library:
Issues with no direct upgrade or patch:
✗ Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JS-DICER-2311764] in dicer@0.2.5
introduced by multer@1.4.4 > busboy@0.2.14 > dicer@0.2.5
No upgrade or patch available
Updating to busboy@^1.0.0 drops the dependency on dicer (where the vuln comes from).
Thanks
@mrded Thanks for raising this PR 1097. Request the team to merge this soon. GitHub is also reporting a high vulnerability, which will get fixed with this busboy version upgrade: GHSA-wm7h-9275-46v2
Severity: High
Summary: Crash in HeaderParser in dicer
Package: dicer
Patched in: No patch available
Dependency of: multer
Path: multer > busboy > dicer
We need that fix. I don't like "Severity: high"; a warning is fine, not red notifications.
I need this
This is fixed in version 1.4.5-lts.1. That version has a breaking change in that it's not compatible with older versions of Node.js anymore. If anyone can contribute a backwards-compatible patch we could release that as 1.4.5 without the -lts.1 postfix.
What versions of Node are compatible?
What versions of Node are compatible?
v10.16.0 or newer
This is fixed in version 1.4.5-lts.1. That version has a breaking change in that it's not compatible with older versions of Node.js anymore. If anyone can contribute a backwards-compatible patch we could release that as 1.4.5 without the -lts.1 postfix.
Has this been done, or should we do npm i multer@1.4.5-lts.1?
@LinusU perhaps a good reason to release it as 2.0 to indicate a breaking change (removing support for older node versions)?
Is there any way to resolve this issue?
@bryanph there is already another 2.0 release line with multiple releases
@ZhaoKunLong @ashish1497 yes, npm i multer@1.4.5-lts.1 should fix this 👍
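The two checks the thread boils down to are "does my tree still reach dicer?" and "is my Node.js new enough for multer@1.4.5-lts.1?". The script below is an added example, not code from the multer project or from anyone in this thread. It walks a hand-constructed, package-lock-shaped dependency tree to print every path that reaches dicer (the same shape as the "introduced by" line in the Snyk output), and compares a Node.js version string against the v10.16.0 floor stated above. The busboy version in the "fixed" tree is an assumption for illustration; the trees themselves are constructed, not real lockfiles.

```javascript
// Added example (not multer's or this thread's code): find every
// dependency path to "dicer" in a package-lock-style tree, and check the
// Node.js version floor (v10.16.0) given in the thread for multer@1.4.5-lts.1.

// Constructed tree: the vulnerable chain reported by Snyk in the issue.
const vulnerableTree = {
  name: 'app',
  version: '1.0.0',
  dependencies: {
    multer: {
      version: '1.4.4',
      dependencies: {
        busboy: {
          version: '0.2.14',
          dependencies: {
            dicer: { version: '0.2.5', dependencies: {} },
          },
        },
      },
    },
  },
};

// Constructed tree: after `npm i multer@1.4.5-lts.1`. busboy 1.x has no
// dicer dependency; the exact busboy version here is an assumption.
const fixedTree = {
  name: 'app',
  version: '1.0.0',
  dependencies: {
    multer: {
      version: '1.4.5-lts.1',
      dependencies: {
        busboy: { version: '1.6.0', dependencies: {} },
      },
    },
  },
};

// Depth-first walk over nested "dependencies" objects. Returns every path
// to `target` as "name@version > name@version > ...", so a non-empty result
// means the vulnerable package is still reachable somewhere in the tree.
function findPaths(tree, target) {
  const paths = [];
  function walk(node, trail) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const next = trail.concat(`${name}@${dep.version}`);
      if (name === target) paths.push(next.join(' > '));
      walk(dep, next); // keep descending: nested copies can exist deeper
    }
  }
  walk(tree, []);
  return paths;
}

// Compare "MAJOR.MINOR.PATCH" strings numerically (a leading "v" is
// tolerated). Returns true when `v` is at least `min`.
function nodeVersionAtLeast(v, min) {
  const a = v.replace(/^v/, '').split('.').map(Number);
  const b = min.replace(/^v/, '').split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// The thread's stated floor for multer@1.4.5-lts.1 is Node.js v10.16.0.
function canUpgradeToLts(nodeVersion) {
  return nodeVersionAtLeast(nodeVersion, '10.16.0');
}

console.log('paths to dicer (vulnerable tree):', findPaths(vulnerableTree, 'dicer'));
console.log('paths to dicer (fixed tree):', findPaths(fixedTree, 'dicer'));
console.log('this Node.js can take 1.4.5-lts.1:', canUpgradeToLts(process.versions.node));
```

To run the same path check against a real project, `npm ls dicer` gives the equivalent answer from the installed tree; the point of the walk above is that the fix has to be verified by the absence of any path to dicer, not just by the multer version bump.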