Busboy package vulnerability #1173
Comments
|
This is adressed in #1097, and released as We cannot release it as |
jcscottiii
added a commit
to web-platform-tests/wpt.fyi
that referenced
this issue
Jan 12, 2023
So far the remaining vulns are for dev dependencies. This is to remediate the ones that can be safely. - https://github.com/web-platform-tests/wpt.fyi/security/dependabot/2 - diff 3.2.0 -> 3.5.0 - https://github.com/web-platform-tests/wpt.fyi/security/dependabot/1 - growl 1.9.2 -> 1.10.0 - https://github.com/web-platform-tests/wpt.fyi/security/dependabot/46 - multer 1.4.2 -> 1.4.5-lts.1 - More about how it fixes it: expressjs/multer#1173 (comment)
jcscottiii
added a commit
to web-platform-tests/wpt.fyi
that referenced
this issue
Jan 12, 2023
So far the remaining vulns are for dev dependencies. This is to remediate the ones that can be safely. - https://github.com/web-platform-tests/wpt.fyi/security/dependabot/2 - diff 3.2.0 -> 3.5.0 - https://github.com/web-platform-tests/wpt.fyi/security/dependabot/1 - growl 1.9.2 -> 1.10.0 - https://github.com/web-platform-tests/wpt.fyi/security/dependabot/46 - multer 1.4.2 -> 1.4.5-lts.1 - More about how it fixes it: expressjs/multer#1173 (comment)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
I just want to mention that the current version of Multer uses a very old version of Busboy which uses Dicer.
This version of Dicer has this vulnerability https://nvd.nist.gov/vuln/detail/CVE-2022-24434
The latest version of Busboy 1.6.0 does not use Dicer anymore and it is save.
Would it be possible to update Busboy's version?
Kind regards
The text was updated successfully, but these errors were encountered: