Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Warning / Errors when using Multer latest version #490

Open
redimongo opened this issue Jun 11, 2022 · 5 comments · Fixed by abitwise/multer-gridfs-storage#1 · May be fixed by #492
Open

Warning / Errors when using Multer latest version #490

redimongo opened this issue Jun 11, 2022 · 5 comments · Fixed by abitwise/multer-gridfs-storage#1 · May be fixed by #492
Labels
bug A feature or code that is not working properly

Comments

@redimongo
Copy link

Describe the bug
When using multer version ^1.4.5-lts.1 as well as the latest version of this plugin we get the following error

npm WARN   multer@"^1.4.5-lts.1" from the root project
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer multer@"^1.4.2" from multer-gridfs-storage@5.0.2
npm WARN node_modules/multer-gridfs-storage
npm WARN   multer-gridfs-storage@"^5.0.2" from the root project
npm WARN 
npm WARN Conflicting peer dependency: multer@1.4.4
npm WARN node_modules/multer
npm WARN   peer multer@"^1.4.2" from multer-gridfs-storage@5.0.2
npm WARN   node_modules/multer-gridfs-storage
npm WARN     multer-gridfs-storage@"^5.0.2" from the root project

Environment
"multer": "^1.4.5-lts.1",
"multer-gridfs-storage": "^5.0.2",

  • I'm using multer-gridfs-storage version "multer": "^1.4.5-lts.1",

  • My installed MongoDb version is "mongodb": "^4.5.0",

  • I have Multer ^1.4.5-lts.1 installed to upload files

  • The Node version used to run the code is v17.9.0

  • I'm using Mongoose connection objects to create storage instances. The Mongoose version installed is ^6.3.5

To Reproduce
Create a project with this as your package.json

{
  "name": "projectname",
  "version": "0.1.0",
  "private": true,
  "scripts": {
    "dev": "next dev",
    "build": "next build",
    "start": "next start",
    "lint": "next lint"
  },
  "dependencies": {
    "@next-auth/mongodb-adapter": "^1.0.3",
    "@turf/circle": "^6.5.0",
    "@turf/turf": "^6.5.0",
    "axios": "^0.27.2",
    "bootstrap": "^5.1.3",
    "bootstrap-daterangepicker": "^3.1.0",
    "crypto-js": "^4.1.1",
    "d3-request": "^1.0.6",
    "date-fns": "^2.28.0",
    "formidable": "^2.0.1",
    "gridfs-stream": "^1.1.1",
    "jquery": "^3.6.0",
    "mapbox-gl": "^2.8.2",
    "micro": "^9.3.4",
    "moment": "^2.29.3",
    "mongodb": "^4.5.0",
    "mongoose": "^6.3.5",
    "multer": "^1.4.5-lts.1",
    "multer-gridfs-storage": "^5.0.2",
    "multiparty": "^4.2.3",
    "next": "12.1.5",
    "next-auth": "^4.3.1",
    "next-connect": "^0.12.2",
    "react": "18.0.0",
    "react-bootstrap": "^2.3.1",
    "react-bootstrap-daterangepicker": "^7.0.0",
    "react-dom": "18.0.0",
    "react-map-gl": "^7.0.12",
    "recharts": "^2.1.10",
    "uuid": "^8.3.2"
  },
  "devDependencies": {
    "eslint": "8.13.0",
    "eslint-config-next": "12.1.5"
  }
}

Expected behavior
no error or warnings.
@redimongo redimongo added the bug A feature or code that is not working properly label Jun 11, 2022
@zoeesilcock zoeesilcock mentioned this issue Jun 14, 2022
Open
zoeesilcock added a commit to zoeesilcock/multer-gridfs-storage that referenced this issue Jun 15, 2022
@zoeesilcock
Bump multer dependency to 1.4.5-lts.1
3a444a0 
This is meant to deal with CVE-2022-24434 and should also fix devconcept#490.
@zoeesilcock zoeesilcock linked a pull request Jun 15, 2022 that will close this issue
Open
7 tasks
@redimongo
Copy link
Author

redimongo commented Jun 28, 2022
edited

@devconcept
Can we please roll this out, How would I do this without it being official? As who knows how long this will take to be approved?

I changed manually the version needed

"peerDependencies": {
"multer": "^1.4.5-lts.1"
},

But seems I can't remove the warning when I install new scripts.

@habur
Copy link

habur commented Jul 29, 2022

Looks like this issue is caused by the non-standard semver naming scheme multer has chosen to employ:

> semver.satisfies('1.4.5-lts.1', '^1.4.2')
false
> semver.satisfies('1.4.5', '^1.4.2')
true

Given that <1.4.5 is now considered insecure, bumping the dep version to =1.4.5-lts.1 would still be a good idea until the upstream(?) issue is resolved.

@redimongo
Copy link
Author

Yes but how do you do that I changed it in the node_model folder but it won't recompile.

@habur
Copy link

habur commented Jul 29, 2022

Changing it in node_modules/multer-gridfs-storage/package.json probably won’t stick because the next time npm install is run, the change is being overwritten. I “solved” the issue by forking this repo, changing the dependency to ^1.4.5-lts, running npm i so that package-lock.json would be updated as well, committed and pushed. Then, in my actual project, I changed the dependency from "multer-gridfs-storage": "^5.0.2" to "multer-gridfs-storage": "github:habur/multer-gridfs-storage”. It’s not ideal since I now have to undo that as soon as either @devconcept updates anything, expressjs/multer reverts their decision on versioning schemes or npm and/or semver support MAJ.MIN.PAT-tag.# format.

@onebrother21 onebrother21 mentioned this issue Aug 10, 2022
Open
@abitwise
Copy link

I mean why forking when there is already pull request here, please merge it

@abitwise abitwise mentioned this issue Sep 27, 2022
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug A feature or code that is not working properly
Projects
None yet
Milestone
No milestone
3 participants
@redimongo @abitwise @habur