
[Security risk] egg-multipart's underlying dependency dicer is vulnerable in every version; please release a new package to fix it #4977

Closed
PockeyMaster opened this issue Jul 15, 2022 · 5 comments · Fixed by #5023

@PockeyMaster

What happens?

As the title says.
The latest egg-multipart version is 2.13.1, and its dependency path is co-busboy: ^1.4.0 -> busboy: ^0.2.8 -> dicer: 0.2.5
Every version of the dicer dependency has a security risk; details: https://nvd.nist.gov/vuln/detail/CVE-2022-24434
Please release a new package to fix this.

Minimal reproducible repository

Please create one with npm init egg --type=simple bug and upload it to your GitHub repository

Reproduction steps, error logs and related configuration

Relevant environment information

  • Operating system
  • Node version
  • Egg version
@atian25
Member

atian25 commented Jul 15, 2022

@hyj1991 take a look at how to upgrade it

busboy requires 10.x, mscdex/busboy#266

@hyj1991
Member

hyj1991 commented Jul 15, 2022

If this package is upgraded, the overall minimum dependency of egg 2.x has to be raised too, which feels risky; but perhaps we could also wait for the people whose minimum Node version stops working because of the busboy upgrade to open an issue?

@atian25
Member

atian25 commented Jul 15, 2022

@hyj1991 it's the lesser of two evils; release a minor.

  • co-busboy: open a PR and release a major version, upgrading busboy to 1.x, minimum version requirement 10.x
  • egg-multipart: open a PR and release a minor version, upgrading co-busboy, minimum version requirement 10.x
  • egg: open a PR and release a minor version, minimum version requirement 10.x

@atian25
Member

atian25 commented Jul 15, 2022

@PockeyMaster PRs welcome~
