
The package uses a vulnerable version of file-type

Open Christian-Toney opened this issue 2 years ago • 3 comments

#185 could fix it, but will that break anything?

Christian-Toney, Jul 25 '22 13:07

I'm having 2 moderate severity vulnerabilities because of this

orangeiris, Jul 26 '22 15:07

Same here

kitman20022002, Sep 16 '22 01:09

Upgrading file-type (e.g. through yarn resolutions) will not work: the API was changed to be async in 13.x, and since multer-s3 is heavily stream/callback-based, that's not a drop-in or trivial change.

That being said, I looked through the multer-s3 code. Default installations are not affected by the file-type vulnerability, unless your installation is opting into the AUTO_CONTENT_TYPE constant. That is the only place in the library where file-type is called.

jbinto, Sep 21 '22 15:09