Security Issue in Dependency - CVE-2022-24434 #800

Open
mheironimus-rgare opened this issue Jul 5, 2022 · 4 comments

Comments

@mheironimus-rgare

NPM audit, and other security vulnerability scanning tools, are indicating the following issue in version 3.7.1 of s3rver:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Crash in HeaderParser in dicer                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dicer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ s3rver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ s3rver > busboy > dicer                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-wm7h-9275-46v2            │
└───────────────┴──────────────────────────────────────────────────────────────┘

My understanding is the issue (GHSA-wm7h-9275-46v2) was addressed in busboy v1.0.0 (mscdex/busboy#250 (comment)). Could a new version of s3rver be released that uses a newer version of busboy to address this issue?
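
The audit output above only shows one path (`s3rver > busboy > dicer`); in a larger tree the same package can be reached several ways, and a nested `node_modules` copy of busboy 1.x would not pull in dicer at all. The script below is an added example, not code from s3rver or from this issue: it walks a lockfile (v2/v3 `packages` map) using npm's nearest-ancestor `node_modules` resolution and reports every root-to-target path with versions. The lockfile contents, the package name `multipart-consumer`, and the version numbers are constructed for the example and are not copied from a real project.

```javascript
// Added example (not from s3rver or this issue): enumerate every dependency
// path to a package flagged by npm audit, e.g. "dicer", from a lockfile.
// LOCKFILE is constructed for this example; versions are illustrative only.
const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", devDependencies: { s3rver: "^3.7.1", "multipart-consumer": "^1.0.0" } },
    "node_modules/s3rver": { version: "3.7.1", dependencies: { busboy: "^0.3.1" } },
    "node_modules/busboy": { version: "0.3.1", dependencies: { dicer: "0.3.0" } },
    "node_modules/dicer": { version: "0.3.0", dependencies: { streamsearch: "0.1.2" } },
    "node_modules/streamsearch": { version: "0.1.2" },
    // Hypothetical package that already uses busboy 1.x; its busboy is nested
    // because the top-level copy (0.3.1) does not satisfy its range.
    "node_modules/multipart-consumer": { version: "1.0.0", dependencies: { busboy: "^1.0.0" } },
    "node_modules/multipart-consumer/node_modules/busboy": { version: "1.6.0", dependencies: { streamsearch: "^1.1.0" } },
    "node_modules/multipart-consumer/node_modules/streamsearch": { version: "1.1.0" },
  },
};

// Resolve dependency `name` required from the package at `fromKey` the way
// Node does: fromKey/node_modules/name, then each ancestor's node_modules,
// ending at the top-level node_modules/name. Returns the lockfile key or null.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Names of everything an entry depends on (root entries also carry devDependencies).
function depNames(entry) {
  return Object.keys({
    ...(entry.dependencies || {}),
    ...(entry.devDependencies || {}),
    ...(entry.optionalDependencies || {}),
  });
}

// All root-to-target paths, each rendered as "a@1.0.0 > b@2.0.0 > target@x.y.z".
function findPaths(lockfile, target) {
  const packages = lockfile.packages;
  const results = [];
  const walk = (key, trail, seen) => {
    for (const name of depNames(packages[key])) {
      const depKey = resolveDep(packages, key, name);
      if (depKey === null) continue; // not installed (e.g. skipped optional dep)
      const step = `${name}@${packages[depKey].version}`;
      if (name === target) results.push([...trail, step].join(" > "));
      if (seen.has(depKey)) continue; // guard against dependency cycles
      walk(depKey, [...trail, step], new Set([...seen, depKey]));
    }
  };
  walk("", [], new Set([""]));
  return results;
}

// Every installed version of `name`, wherever it sits in the tree.
function installedVersions(lockfile, name) {
  return Object.entries(lockfile.packages)
    .filter(([key]) => key === `node_modules/${name}` || key.endsWith(`/node_modules/${name}`))
    .map(([, entry]) => entry.version);
}

for (const target of ["dicer", "busboy"]) {
  console.log(`${target}: versions ${JSON.stringify(installedVersions(LOCKFILE, target))}`);
  for (const p of findPaths(LOCKFILE, target)) console.log(`  ${p}`);
}
```

Because the advisory in the audit table lists no patched dicer version, any path that ends in dicer is a finding; the interesting output is which parents pull it in, which is what you need to know before deciding whether an override or an upgrade of that parent is the right fix. Running it against a real `package-lock.json` only requires replacing `LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.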

@jpike88

jpike88 commented Oct 17, 2022

@jamhall this is quite a serious vulnerability. Are we able to have this resolved? If I make a PR will you merge it?

@parajbs

parajbs commented Dec 10, 2022

hi @jpike88 and @jamhall,

I also think this is a pretty serious vulnerability.

@jpike88, did you manage to solve it?
And can you make a PR? I think @jamhall will thank you and, if it works, take it over.

If not, then it would definitely be a help for all other developers.

I would also help, but I don't have enough time to find out for myself.

@jpike88

jpike88 commented Dec 11, 2022

I don't think the maintainer is very interested in maintaining this; look how many PRs are open and unaddressed. The best thing to do is just fork it.

@parajbs

parajbs commented Dec 11, 2022

hello @jpike88,

it was similar last year until "jamhall" released a new version.
I think he collects some PRs until it's worth releasing a new version.

Somewhere it was said that a version 4.0 should follow, but not when.

We can ask @leontastic if he is in contact with @jamhall and if it makes sense to open a PR here.

But if I were you, I would open a PR here, then all developers can help, and the result is useful for everyone.
With a fork it would not appear in the original of "jamhall", where it also has to be corrected.

But your decision. Let me know and I'll help.
Maybe @mheironimus-rgare can help too.
