Skip to content

[Bug]: Upgrade formidable to latest #35823

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tunnckoCore opened this issue May 1, 2025 · 2 comments · May be fixed by #35825
Open

[Bug]: Upgrade formidable to latest #35823

tunnckoCore opened this issue May 1, 2025 · 2 comments · May be fixed by #35825
Assignees
@mxschmitt
Labels
v1.53

Comments

@tunnckoCore
Copy link

Version

none

Steps to reproduce

none

Expected behavior

none

Actual behavior

none

Additional context

Lead maintainer of formidable here. We are trying to push people to upgrade.

Any particular reason why you're using v2? I don't see anything that requires that version, you're using the pretty standard API - but very deprecated and weird formidable.IncomingForm (remains from legacy). Everything except v3 is deprecated and vulnerable.

Please upgrade to latest, and prepare for v4 which is written in TypeScript and modern stack & APIs like Fetch/Request/Response/ReadableStream, and there is no buffering or writing to disk. You can try the formidable@next dist-tag and consider supporting us.

Trying to ditch people of the v1 for years, yet it has 2 million downloads and many vulnerabilities.

I'm seeing you're using it in testing, but still. At least upgrade to v3, and more standard API like formidable(options) and .parse.

Environment

any
@mxschmitt mxschmitt self-assigned this May 1, 2025
@mxschmitt mxschmitt added the v1.53 label May 1, 2025
@mxschmitt mxschmitt linked a pull request May 1, 2025 that will close this issue
Draft
@mxschmitt
Copy link
Member

Hey! I tried upgrading from v2 to v3 and one thing which broke us is the change in

node-formidable/formidable@c249922#diff-3282227cdd75cb13cc5eea121780e9b7ec04986fb12be6508237eab33e0c5bd8R217

parse and writeHeader is now async which means the data listeners to the request are added later on. This broke us because we already have some 'data' listeners. Looking at #35825 with more debugging notes. Looks like formidable v4 is async as well. If the 'data' listeners would get moved before the first async call, this would fix it for us! Do you think this is a contract formidable would accept making?

@mxschmitt mxschmitt mentioned this issue May 16, 2025
Open
@mxschmitt
Copy link
Member

Filed node-formidable/formidable#1011

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mxschmitt mxschmitt

Labels
v1.53
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

test: update formidable to v3 mxschmitt/playwright
2 participants
@tunnckoCore @mxschmitt