Releases Backlog (2.1.0 and 3.0.0)
Next 2.1.0
The changes
Current changelog: https://github.com/expressjs/multer/compare/v2.0.0...v2:
Current changelog
* [x] add Arabic translation for README .. by @3imed-jaberi in https://github.com/expressjs/multer/pull/762
* [x] Update README.md to fix issue #1114 by @Mohamed-Abdelfattah in https://github.com/expressjs/multer/pull/1169
* [x] Improved documentation translation to Spanish by @juliomontenegro in https://github.com/expressjs/multer/pull/1174
* [x] Translated to french by @AlanLg in https://github.com/expressjs/multer/pull/1182
* [x] Improve the Brazilian Portuguese translation by @vitorRibeiro7 in https://github.com/expressjs/multer/pull/1204
* [x] doc: uzbek language by @eugene0928 in https://github.com/expressjs/multer/pull/1232
* [x] Fix a mistake with README-pt-br.md by @Igor-CA in https://github.com/expressjs/multer/pull/1251
* [x] Update in Readme-pt-br and fix in Readme-ko by @carlosstenzel in https://github.com/expressjs/multer/pull/1252
* [x] chore: add support for OSSF scorecard reporting by @inigomarquinez in https://github.com/expressjs/multer/pull/1260
* [x] ci: replace travis with github action by @inigomarquinez in https://github.com/expressjs/multer/pull/1259
* [x] docs: improve readability by @Sreejit-Sengupto in https://github.com/expressjs/multer/pull/1255
* [x] test: add test for out-of-band error event by @LinusU in https://github.com/expressjs/multer/pull/1294
* [x] chore: upgrade scorecard workflow pinned action versions by @carpasse in https://github.com/expressjs/multer/pull/1290
* [x] Documentation: remove unfortunate abbreviation from readme by @MaddyGuthridge in https://github.com/expressjs/multer/pull/1299
* [x] ci: use `ubuntu-latest` as default runner by @UlisesGascon in https://github.com/expressjs/multer/pull/1308
* [x] ci: add CodeQL (SAST) by @bjohansebas in https://github.com/expressjs/multer/pull/1289
* [x] Update readme badges by @bjohansebas in https://github.com/expressjs/multer/pull/1268
* [x] 📝 fix changelog information by @ctcpip in https://github.com/expressjs/multer/pull/1316
* [x] master -> v2 by @ctcpip in https://github.com/expressjs/multer/pull/1317
* [x] chore: fix typo by @saucecodee in https://github.com/expressjs/multer/pull/993
* [x] Remove --save from README by @username1001 in https://github.com/expressjs/multer/pull/929
* [x] feat - update link badge in docs by @carlosstenzel in https://github.com/expressjs/multer/pull/1273

Next steps
- [ ] triage all the PRs with the label `v2.x` and decide about them
- [ ] https://github.com/expressjs/multer/pull/1327
- [ ] Check the issues and decide if we need to add additional patches
- [ ] https://github.com/expressjs/multer/issues/1132
- [ ] https://github.com/expressjs/multer/issues/779
- [ ] https://github.com/expressjs/multer/issues/1111
- [ ] https://github.com/expressjs/multer/pull/429 (Maybe solution?)
3.0.0-alpha.1
Based on https://github.com/expressjs/multer/issues/1313#issuecomment-2901346950 we can just release 2.0.0-rc.4 as 3.0.0-alpha.1 to unblock the situation
Backlog
- [x] https://github.com/expressjs/multer/pull/1320
- [x] Release on npm (don't tag as latest) (@UlisesGascon)
- [x] deprecate on npm `2.0.0-*` versions (keep 2.0.0 as latest) (@UlisesGascon)
3.0.0
Releasing a new version and dropping support for older Node.js is now necessary for this module. Here's the list of remaining tasks to launch v3 (prev: v2.0.0-rc*), given that @LinusU has already done most of the work (https://github.com/expressjs/multer/pull/399):
- [ ] Cherry pick relevant stuff from v2 line like CI pipelines, docs...
- [ ] Move the package from ESM to CommonJS (https://github.com/expressjs/multer/pull/1304).
- [ ] Verify AsyncLocalStorage (https://github.com/expressjs/multer/issues/1111)
- [ ] Align Node.js support with Express v5 (https://github.com/expressjs/multer/pull/1303)
- [ ] Update dependencies:
- [ ] @fastify/busboy
- [ ] append-field v2 -> v1 (For CommonJS support)
This is a draft of what I’ve seen is missing to release v3. @LinusU, do you have anything else pending?
this needs to be multer v3, as v2 needs to go out with the v1 api due to a security issue that requires a breaking change
Well... This can be more tricky than it seems (ref):
So far it seems like we had broken semver compatibility in [email protected] due to a patch for CVE-2022-24434:

> Multer 1.x is affected by CVE-2022-24434. This is fixed in v1.4.4-lts.1 which drops support for versions of Node.js before 6. Please upgrade to at least Node.js 6 and version 1.4.4-lts.1 of Multer. If you need support for older versions of Node.js, we are open to accepting patches that would fix the CVE on the main 1.x release line, whilst maintaining compatibility with Node.js 0.10.

npm deprecation message
So... My suggestion on 1.x version line is the following:
- [ ] Publish [email protected] with the following changes
- [ ] Fix the engines in the pkg (based on the ADR is major, but actually I would like to consider this case as minor as an exception as we already break semver) https://github.com/expressjs/multer/pull/1306
- [ ] Solve the CI issues `Uncaught AssertionError [ERR_ASSERTION]: ifError got unwanted exception: write EPIPE` (ref)
- [ ] Potentially other PRs that can be ported from `v2`
- [ ] Deprecate the existing beta versions: `1.4.5-lts.2`, `1.4.5-lts.1` and `1.4.4-lts.1`
- [ ] Announce when we drop support for [email protected], so the users can migrate to [email protected] gradually.
Then... the next major will be multer@2 and not multer@3.... WDYT?