
Pinned dependencies (Security vulnerability in dicer - CVE-2022-24434) #24

Closed
soulchild opened this issue Jun 10, 2022 · 1 comment · Fixed by #26
Labels: dependencies, enhancement
Comments

@soulchild (Contributor) opened the issue Jun 10, 2022

Is there a reason why all dependencies are pinned to specific versions? Whenever there's a patch-level fix for any of the dependencies, this package needs to be updated as well which kind of defeats the purpose. Also, the maintainer @Sliverb seems to be rather unresponsive, further complicating things in case a new release is necessary.

The reason I'm asking is that there's a nasty security vulnerability in dicer, which is used by busboy, which is used by multer, and when a fix gets eventually released (hopefully as a patch-level release, i.e. 1.4.x) this package won't pick it up automatically, requiring a manual fix and release.

Or am I missing something here?
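As an added illustration of the semver point in the comment above (example code written for this page, not code from multer-azure-blob-storage or from multer), the script below implements the part of npm's range matching that decides whether a later release satisfies a `package.json` spec. It handles exact pins, `^`, `~`, `>=` and `*` only (no pre-release tags or `||` ranges), and the two manifests, the version numbers and the `example-lib` name are constructed for the demonstration.

```javascript
'use strict';
// Added example: which package.json dependency specs pick up a later release.
// Supports exact pins, "^", "~", ">=" and "*" only; pre-release tags are not handled.

// Parse "MAJOR.MINOR.PATCH" into an array of three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way compare of two parsed versions.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Would npm consider `candidate` a valid resolution for `spec`?
function specAccepts(spec, candidate) {
  const c = parseVersion(candidate);
  const s = spec.trim();
  if (s === '*' || s === 'latest') return true;
  if (s.startsWith('>=')) return compare(c, parseVersion(s.slice(2))) >= 0;
  if (s.startsWith('^')) {
    // Caret: same leftmost non-zero component, never below the base.
    // ^1.4.2 -> <2.0.0, ^0.3.1 -> <0.4.0, ^0.0.3 -> exactly 0.0.3.
    const base = parseVersion(s.slice(1));
    if (compare(c, base) < 0) return false;
    if (base[0] > 0) return c[0] === base[0];
    if (base[1] > 0) return c[0] === 0 && c[1] === base[1];
    return compare(c, base) === 0;
  }
  if (s.startsWith('~')) {
    // Tilde: patch-level updates only (~2.0.0 -> >=2.0.0 <2.1.0).
    const base = parseVersion(s.slice(1));
    if (compare(c, base) < 0) return false;
    return c[0] === base[0] && c[1] === base[1];
  }
  // Anything else is treated as an exact pin.
  return compare(c, parseVersion(s)) === 0;
}

// Names of dependencies whose spec is an exact pin (no range operator).
function listPins(deps) {
  return Object.keys(deps).filter((name) => /^\d+\.\d+\.\d+$/.test(deps[name].trim()));
}

// Would a fresh resolution of this manifest install `newVersion` of `name`
// without anyone editing the manifest?
function wouldPickUp(deps, name, newVersion) {
  return Object.prototype.hasOwnProperty.call(deps, name) && specAccepts(deps[name], newVersion);
}

// Constructed manifests: a pinned one, and the same dependencies with ranges.
// "multer" is the real package the issue discusses; the versions and
// "example-lib" are illustrative.
const pinnedDeps = { multer: '1.4.2', 'example-lib': '2.0.0' };
const rangedDeps = { multer: '^1.4.2', 'example-lib': '~2.0.0' };

// Hypothetical patch release of multer; only the ranged manifest picks it up.
console.log('pinned picks up multer 1.4.3:', wouldPickUp(pinnedDeps, 'multer', '1.4.3'));
console.log('ranged picks up multer 1.4.3:', wouldPickUp(rangedDeps, 'multer', '1.4.3'));
console.log('exact pins in pinned manifest:', listPins(pinnedDeps));
```

Two caveats a practitioner would add. First, a range only matters at resolution time: a committed `package-lock.json` or `yarn.lock` freezes the resolved version until `npm update` or a lockfile-free install, so consumers of this package still have to re-resolve to get the patch. Second, the version of dicer that actually lands is decided by busboy's and multer's own specs further down the tree, not by this package's spec for multer; `npm ls dicer` shows the chain that pulled it in, and `npm audit` reports whether the installed version is in a known-vulnerable range.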

@Sliverb (Collaborator) commented Jul 28, 2022

Hi @soulchild

Sorry I have been MIA. The dependencies were pinned to make sure usage is consistent across pulls. Just a personal preference.

I'm unable to make the change right away, but if you are able to, can you create a PR to update the deps and remove the pins? I'll get it merged right away.

If you would also like to be a maintainer, happy to add you :)

Thanks for raising this issue

Sliverb added the enhancement and dependencies labels on Jul 28, 2022
soulchild added a commit to soulchild/multer-azure-blob-storage that referenced this issue Jul 29, 2022