This issue does not affect multer since we are only consuming a stream from busboy which will always yield buffers, but it would be nice to have it not shown as vulnerable on nodesecurity...
It seems like the issue was fixed in concat-stream 1.5.2, yet nodesecurity still shows all versions as vulnerable...
I think that the first thing that needs to happen is that 1.5.2 and upwards gets marked as fixed. We should also bump our dependency to ^1.5.2, I'll open a PR for that now...
Today I got a message from https://nodesecurity.io:
142 - Buffer Overread
Vulnerable: All - Patched: None - Path: multer@1.3.0 > concat-stream@1.6.0
How to fix
Consider using the --zero-fill-buffers command line argument to zero out buffer before using them.
Avoid passing numeric values to the write function.
I also submitted that issue to concat-stream: max-mapper/concat-stream#57