chore: update busboy #1044

Closed
Achneoder

Updates busboy to latest version

Targets DeprecationWarning: Buffer() and #1041

Member

LinusU commented Nov 8, 2021

Since this is a breaking change we cannot release it in a 1.x version, and I believe that this has already been updated in the 2.x line (see #399).

Thanks for taking the time with the PR though ☺️

LinusU closed this Nov 8, 2021
@Achneoder
Author

I know that it's fixed in version 2, but since this is a potential security issue, I think it's worth considering releasing a new version fixing this.

You mentioned yourself that you don't know when v2.0 gets released (#1042 (comment)) and according to the commits, it looks like v2.0 has been in development for ~5 years now.

Dropping support for really old and no longer maintained Node versions by creating a new minor version for multer doesn't look like a big deal to me in contrast to the potential (and also annoying) security issue by using `new Buffer()` - which is also already deprecated since Node 6.
But to be honest, I don't have any usage statistics for different Node versions and it might be that Node versions between 0.10.0 and 4.5.0 are still heavily used.

Member

LinusU commented Nov 9, 2021

> [...] the potential (and also annoying) security issue by using `new Buffer()` - which is also already deprecated since Node 6.

Using `new Buffer(...)` isn't inherently unsafe, it's just when it's being used in some specific ways. If you believe that there is actually a security issue here, please report it in accordance with this guide:

https://github.com/expressjs/express/blob/master/Security.md

> Dropping support for really old and no longer maintained Node versions by creating a new minor version for multer doesn't look like a big deal to me [...]

I think that following semver is really important, especially for projects being used by so many. It's not fun to have your project break because a dependency wasn't following it...

> You mentioned yourself that you don't know when v2.0 gets released (#1042 (comment)) and according to the commits, it looks like v2.0 has been in development for ~5 years now.

All the features for Multer 2.0 are done, and the release candidates should be stable. I can recommend using 2.x now, and report any feedback, good or bad, in that thread. Once I see that it's working for some people I would feel confident releasing it...
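
Added example, not from this thread and not multer or busboy code, for the point that `new Buffer(...)` is only a problem in some uses: when the argument's type is caller-controlled, a number is taken as a length to allocate rather than as data, and before Node 8 that memory was not zero-filled. The names `legacyToBuffer`, `safeToBuffer` and `compare` and the JSON inputs are constructed for illustration.

```javascript
// Pattern the deprecation targets: the argument's type selects the behaviour.
// A string is copied as data; a number is treated as a length to allocate.
function legacyToBuffer(value) {
  return new Buffer(value); // deprecated constructor, kept to show the behaviour
}

// Replacement: the intent is explicit and a numeric value is rejected
// instead of being used as an allocation size.
function safeToBuffer(value) {
  if (typeof value !== 'string' && !Buffer.isBuffer(value)) {
    throw new TypeError('expected string or Buffer, got ' + typeof value);
  }
  return Buffer.from(value);
}

// Constructed input: the same JSON field, once as a string, once as a number.
function compare(jsonText) {
  const { field } = JSON.parse(jsonText);
  const legacyLength = legacyToBuffer(field).length;
  let safe;
  try {
    safe = safeToBuffer(field).length;
  } catch (err) {
    safe = err.name; // the hardened path refuses the value
  }
  return { legacyLength, safe };
}

console.log(compare('{"field":"1000"}')); // { legacyLength: 4, safe: 4 }
console.log(compare('{"field":1000}'));   // { legacyLength: 1000, safe: 'TypeError' }
```

On current Node versions the legacy call also prints a DeprecationWarning, which is the warning the PR description refers to.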
