koa-body icon indicating copy to clipboard operation
koa-body copied to clipboard
verified publisher icon koajs

Upgrade formidable to ^3.2.4 to address CVE-2022-29622

Open ankit-github opened this issue 3 years ago • 4 comments

ankit-github avatar May 30 '22 04:05 ankit-github

Would really like to see this getting merged at some point @MarkHerhold :) Can we help somehow?

alexandrebodin avatar Aug 10 '22 07:08 alexandrebodin

Hi there, we only declare that we require "formidable": "^2.0.1" (meaning all version 2's) in package.json and this upgrades us to formidable version 3. The CVE mentioned in the title states that the affected version is 3.1.4.

Furthermore, tests are failing. It looks like this team had to deal with the same issue.

npm t

> [email protected] test
> mocha test/unit/

internal/modules/cjs/loader.js:1102
      throw new ERR_REQUIRE_ESM(filename, parentPath, packageJsonPath);
      ^

Error [ERR_REQUIRE_ESM]: Must use import to load ES Module: /Users/Mark/projects/koa-body/node_modules/formidable/src/index.js
require() of ES modules is not supported.

MarkHerhold avatar Aug 10 '22 13:08 MarkHerhold

Indeed, I was looking for koa-body to support the v2 for formidable but you have a release on npm just didn't see it in the changelogs and github releases. Thanks for the quick reply 👍

alexandrebodin avatar Aug 10 '22 16:08 alexandrebodin

Actually @MarkHerhold Do you have a changelog for the v5 lying around?

alexandrebodin avatar Aug 11 '22 07:08 alexandrebodin