From d6a26b80936ebb444a083bb3acdde8296ce408eb Mon Sep 17 00:00:00 2001 From: renovate <29139614+renovate@users.noreply.github.com> Date: Thu, 5 Jun 2025 07:39:03 +0000 Subject: [PATCH] chore: bump up multer version to v2.0.1 [SECURITY] (#12716) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [multer](https://redirect.github.com/expressjs/multer) | [`2.0.0` -> `2.0.1`](https://renovatebot.com/diffs/npm/multer/2.0.0/2.0.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/multer/2.0.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/multer/2.0.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/multer/2.0.0/2.0.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/multer/2.0.0/2.0.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-48997](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg) ### Impact A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. ### Patches Users should upgrade to `2.0.1` ### Workarounds None ### References https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9 [https://github.com/expressjs/multer/issues/1233](https://redirect.github.com/expressjs/multer/issues/1233) [https://github.com/expressjs/multer/pull/1256](https://redirect.github.com/expressjs/multer/pull/1256) --- ### Release Notes
expressjs/multer (multer) ### [`v2.0.1`](https://redirect.github.com/expressjs/multer/blob/HEAD/CHANGELOG.md#201) [Compare Source](https://redirect.github.com/expressjs/multer/compare/v2.0.0...v2.0.1) - Fix [CVE-2025-48997](https://www.cve.org/CVERecord?id=CVE-2025-48997) ([GHSA-g5hg-p3ph-g8qg](https://redirect.github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg))
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). --- yarn.lock | 37 ++++++++++++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 5 deletions(-) diff --git a/yarn.lock b/yarn.lock index 410485aea8..467dbd5a93 100644 --- a/yarn.lock +++ b/yarn.lock @@ -19148,6 +19148,18 @@ __metadata: languageName: node linkType: hard +"concat-stream@npm:^2.0.0": + version: 2.0.0 + resolution: "concat-stream@npm:2.0.0" + dependencies: + buffer-from: "npm:^1.0.0" + inherits: "npm:^2.0.3" + readable-stream: "npm:^3.0.2" + typedarray: "npm:^0.0.6" + checksum: 10/250e576d0617e7c58e1c4b2dd6fe69560f316d2c962a409f9f3aac794018499ddb31948b1e4296f217008e124cd5d526432097745157fe504b5d9f3dc469eadb + languageName: node + linkType: hard + "concordance@npm:^5.0.4": version: 5.0.4 resolution: "concordance@npm:5.0.4" @@ -27077,7 +27089,7 @@ __metadata: languageName: node linkType: hard -"mkdirp@npm:^0.5.1, mkdirp@npm:^0.5.4": +"mkdirp@npm:^0.5.1, mkdirp@npm:^0.5.4, mkdirp@npm:^0.5.6": version: 0.5.6 resolution: "mkdirp@npm:0.5.6" dependencies: @@ -27253,7 +27265,7 @@ __metadata: languageName: node linkType: hard -"multer@npm:2.0.0, multer@npm:^2.0.0": +"multer@npm:2.0.0": version: 2.0.0 resolution: "multer@npm:2.0.0" dependencies: @@ -27268,6 +27280,21 @@ __metadata: languageName: node linkType: hard +"multer@npm:^2.0.0": + version: 2.0.1 + resolution: "multer@npm:2.0.1" + dependencies: + append-field: "npm:^1.0.0" + busboy: "npm:^1.6.0" + concat-stream: "npm:^2.0.0" + mkdirp: "npm:^0.5.6" + object-assign: "npm:^4.1.1" + type-is: "npm:^1.6.18" + xtend: "npm:^4.0.2" + checksum: 10/cb0dda65ae37be40968fc1f9ea492bdb4c20bd189ce427e11e95d333837193544606b82ef6431f2acd3cd11156164f215bdeb46f47847d29b6bf3a36ac736a8f + languageName: node + linkType: hard + "multicast-dns@npm:^7.2.5": version: 7.2.5 resolution: "multicast-dns@npm:7.2.5" @@ -30208,7 +30235,7 @@ __metadata: languageName: node linkType: hard -"readable-stream@npm:3, readable-stream@npm:^3.0.6, readable-stream@npm:^3.4.0, readable-stream@npm:^3.6.2": +"readable-stream@npm:3, readable-stream@npm:^3.0.2, readable-stream@npm:^3.0.6, readable-stream@npm:^3.4.0, readable-stream@npm:^3.6.2": version: 3.6.2 resolution: "readable-stream@npm:3.6.2" dependencies: @@ -33358,7 +33385,7 @@ __metadata: languageName: node linkType: hard -"type-is@npm:^1.6.4, type-is@npm:~1.6.18": +"type-is@npm:^1.6.18, type-is@npm:^1.6.4, type-is@npm:~1.6.18": version: 1.6.18 resolution: "type-is@npm:1.6.18" dependencies: @@ -34902,7 +34929,7 @@ __metadata: languageName: node linkType: hard -"xtend@npm:^4.0.0": +"xtend@npm:^4.0.0, xtend@npm:^4.0.2": version: 4.0.2 resolution: "xtend@npm:4.0.2" checksum: 10/ac5dfa738b21f6e7f0dd6e65e1b3155036d68104e67e5d5d1bde74892e327d7e5636a076f625599dc394330a731861e87343ff184b0047fef1360a7ec0a5a36a