[BUG] CVE-2022-24434 high security vulnerability in platform-express > multer > busboy > dicer #1919
Comments
Hello @cyraid The version isn’t fixed. You can install the multer as your own dependencies.
I cannot change that without causing a breaking change. And this module is imported in the code. Maybe in v7 I’ll change that. See you
I'm using the newest multer in the dependencies but the warning still pops up.
🎉 This issue has been resolved in version 6.114.15 🎉 The release is available on:
Your semantic-release bot 📦🚀
Maybe you need to use npm dedup.
That was quick! Though I think 1.4.4 still is affected. The message says it was fixed in 1.4.4-lts.1, and there's also 1.4.5-lts.1 now. npm dedup didn't work for me. :(
Does npm audit not show that for you? Also, thanks for the quick replies! Man you're fast. haha
OK, I’ll update the dependencies to lts ;)
It’s strange, if dedup doesn’t work it means you haven’t duplicated multer. Look in node_modules/@tsed/platform-express/node_modules. Check if you have a multer package. You have npm 8?
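
The check suggested in the comment above (looking for a second multer under node_modules/@tsed/platform-express/node_modules), as an added example that is not part of the thread or of the project's code: a Node.js script that reads the `packages` map of a package-lock.json and lists every installed copy of multer, busboy and dicer. The function names and the sample lockfile are this example's own, and the sample's contents are constructed.

```javascript
// Added example: find every installed copy of the packages from the issue title
// in the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
const WATCHED = ["multer", "busboy", "dicer"];

// Split a key like "node_modules/@tsed/platform-express/node_modules/multer"
// into the package name and what it is nested under ("" = hoisted to the root).
function parseLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  if (idx === -1) return null; // root project or workspace folder entry
  const parentKey = key.slice(0, idx).replace(/\/$/, "");
  const pIdx = parentKey.lastIndexOf(marker);
  return {
    name: key.slice(idx + marker.length),
    parent: pIdx === -1 ? parentKey : parentKey.slice(pIdx + marker.length),
  };
}

// One record per installed copy, hoisted or nested.
function findCopies(lock, watched = WATCHED) {
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const parsed = parseLockKey(path);
    if (!parsed || !watched.includes(parsed.name)) continue;
    copies.push({ ...parsed, version: meta.version, path });
  }
  return copies;
}

// Names installed in more than one version: the copies dedupe could not merge.
function duplicated(copies) {
  const versions = {};
  for (const c of copies) versions[c.name] = (versions[c.name] || new Set()).add(c.version);
  return Object.keys(versions).filter((n) => versions[n].size > 1);
}

// Constructed sample (not from the issue): the app installs 1.4.5-lts.1 while
// a nested 1.4.4 remains under platform-express. Other versions are made up.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "app" },
    "node_modules/multer": { version: "1.4.5-lts.1" },
    "node_modules/@tsed/platform-express": { version: "0.0.0-sample" },
    "node_modules/@tsed/platform-express/node_modules/multer": { version: "1.4.4" },
    "node_modules/@tsed/platform-express/node_modules/dicer": { version: "0.0.0-sample" },
  },
};
for (const c of findCopies(SAMPLE_LOCK)) {
  console.log(`${c.name}@${c.version}  ${c.path}  (under: ${c.parent || "root"})`);
}
```

To run it on a real project, pass the parsed contents of package-lock.json to `findCopies` instead of `SAMPLE_LOCK`.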
I'm using
Yes, the PR isn't merged with the latest dependencies. I'll do that ASAP.
Thank you @Romakita!
🎉 This issue has been resolved in version 7.0.0-beta.13 🎉 The release is available on:
Your semantic-release bot 📦🚀
Information
There is a high security vulnerability found after doing npm audit, as when I installed it gave me an alert.
GHSA-wm7h-9275-46v2
If I'm not mistaken, for platform-express, shouldn't multer be a peer dependency?