Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: update multer #1649

Merged
merged 2 commits into from Jun 1, 2022
Merged

fix: update multer #1649

merged 2 commits into from Jun 1, 2022

Conversation

SimenB
Copy link
Contributor

@SimenB SimenB commented Jun 1, 2022
edited

About the changes

Current version pulls in vulnerable dicer.

expressjs/multer#1072 (comment)

Important files

N/A

Discussion points

N/A

@vercel
Copy link

vercel bot commented Jun 1, 2022
edited

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment
Name Status Preview Updated
unleash-docs ⬜️ Ignored (Inspect) Jun 1, 2022 at 8:45AM (UTC)

@github-actions
Copy link

github-actions bot commented Jun 1, 2022

Coverage report

St.
 Category Percentage Covered / Total
🟢 Statements 91.38% 5323/5825
🟡 Branches 79.73% 838/1051
🟢 Functions 86.19% 1229/1426
🟢 Lines 91.33% 5201/5695
Show new covered files 🐣
St.
 File Statements Branches Functions Lines
🟢
... / anonymise.ts
 100% 100% 100% 100%
🟢
... / feature-environment-response.ts
 100% 100% 100% 100%
🟢
... / feature-environment-schema.ts
 100% 100% 100% 100%
Show files with reduced coverage 🔻
St.
 File Statements Branches Functions Lines
🟢
... / feature-toggle-client-store.ts
98.55% (-1.45% 🔻)
 76.67% 100%
98.55% (-1.45% 🔻)
🟢
... / user-admin.ts
84.62% (-2.29% 🔻)
66.67% (-13.33% 🔻)
71.43% (-11.9% 🔻)
85.56% (-1.35% 🔻)
🟢
... / features.ts
 92.31% 100% 89.47% 92.31%
🟡
... / openapi-service.ts
68.75% (-12.5% 🔻)
12.5% (-50% 🔻)
62.5% (-12.5% 🔻)
68.75% (-12.5% 🔻)

Test suite run success

887 tests passing in 125 suites.

Report generated by 🧪jest coverage report action from 814d2b8

sonatype-lift[bot]
sonatype-lift bot reviewed Jun 1, 2022
View reviewed changes
package.json
@@ -101,7 +101,7 @@
"make-fetch-happen": "^10.1.2",
"memoizee": "^0.4.15",
"mime": "^3.0.0",
"multer": "^1.4.4",
"multer": "^1.4.5-lts.1",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severe OSS Vulnerability:

pkg:npm/multer@1.4.5-lts.1

0 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies

Components
    pkg:npm/multer@1.4.5-lts.1
      SEVERE Vulnerabilities (1)

        [sonatype-2016-0121] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        multer - Denial of Service (DoS)

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 6.5

        CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-400

(at-me in a reply with help or ignore)

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

still not fixed?

Copy link
Contributor Author

@SimenB SimenB Jun 1, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the vulnerability is in dicer (GHSA-wm7h-9275-46v2, which is now gone from the lockfile) via old busboy. I have no idea what vulnerability this tool thinks it has warned about it. Seems it doesn't link to any CVE?

sonatype-lift[bot]
sonatype-lift bot reviewed Jun 1, 2022
View reviewed changes
yarn.lock
version "1.4.4"
resolved "https://registry.yarnpkg.com/multer/-/multer-1.4.4.tgz#e2bc6cac0df57a8832b858d7418ccaa8ebaf7d8c"
integrity sha512-2wY2+xD4udX612aMqMcB8Ws2Voq6NIUPEtD1be6m411T4uDH/VtL9i//xvcyFlTVfRdaBsk7hV5tgrGQqhuBiw==
multer@^1.4.5-lts.1:
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severe OSS Vulnerability:

pkg:npm/multer@1.4.5-lts.1

0 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies

Components
    pkg:npm/multer@1.4.5-lts.1
      SEVERE Vulnerabilities (1)

        [sonatype-2016-0121] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        multer - Denial of Service (DoS)

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 6.5

        CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-400

(at-me in a reply with help or ignore)

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

@ivarconr ivarconr merged commit 0b6fdc1 into main Jun 1, 2022
@ivarconr ivarconr deleted the up-multer branch June 1, 2022 10:10
ivarconr pushed a commit that referenced this pull request Jun 2, 2022
@SimenB @ivarconr
fix: update multer (#1649)
1f64d1d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ivarconr ivarconr ivarconr left review comments

@sonatype-lift sonatype-lift[bot] sonatype-lift left review comments

Assignees
No one assigned
Labels
None yet
Projects
Issues and PRs
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@SimenB @ivarconr