This repository has been archived by the owner on Feb 12, 2021. It is now read-only.

s3 relies on outdated mime package with security issue #190

Open
naderm opened this issue Sep 29, 2017 · 6 comments · May be fixed by #191
Comments

naderm commented Sep 29, 2017

It looks like node-s3-client requires mime@~1.2.11, which is vulnerable to a regular expression denial of service exploit. This exploit is fixed in mime@^1.4.1 or mime@^2.0.3.
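
An added example, not part of the original issue or of node-s3-client: a lockfile audit that flags every installed copy of `mime` older than the fixed releases named above, including copies pulled in transitively as with `s3`. It assumes the npm lockfile layout of nested `dependencies` maps and that every release below the fix on its major line is affected; the sample lockfile is constructed, and `example-uploader` and `example-server` are hypothetical packages.

```javascript
// Fixed releases named in the issue: 1.4.1 on the 1.x line, 2.0.3 on 2.x.
// Assumption: every earlier release on the same line is affected.
const FIXED = { 1: [1, 4, 1], 2: [2, 0, 3] };

// Parse "1.2.11" into [1, 2, 11]; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when an installed mime version predates the fix for its major line.
function isVulnerableMime(version) {
  const v = parseVersion(version);
  if (v[0] < 1) return true; // 0.x predates 1.4.1 (assumed affected)
  const fixed = FIXED[v[0]];
  if (!fixed) return false; // majors after 2.x postdate both fixes
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false; // exactly the fixed release
}

// Walk the nested "dependencies" maps of an npm lockfile and report every
// vulnerable mime copy with the chain of packages that pulled it in.
function findVulnerableMime(node, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    if (name === "mime" && isVulnerableMime(dep.version)) {
      hits.push({ path: here.join(" > "), version: dep.version });
    }
    hits.push(...findVulnerableMime(dep, here));
  }
  return hits;
}

// Constructed sample: only s3's mime 1.2.11 comes from the issue; the other
// package names and all non-mime versions are placeholders.
const sampleLock = {
  dependencies: {
    mime: { version: "2.0.3" },
    s3: { version: "0.0.0", dependencies: { mime: { version: "1.2.11" } } },
    "example-uploader": { version: "0.0.0", dependencies: { mime: { version: "2.0.2" } } },
    "example-server": { version: "0.0.0", dependencies: { mime: { version: "1.4.1" } } },
  },
};

console.log(findVulnerableMime(sampleLock));
```

Because `~1.2.11` only admits 1.2.x releases, a plain reinstall cannot pick up the fix; the range in the depending package has to change, which is what the version bump in #191 is for.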

@carterbancroft

Yes, this is breaking our builds. I've submitted a PR to bump that version here #191

Can we merge this?

matrus2 commented Oct 5, 2017

+1

matrus2 commented Oct 25, 2017

This repository seems to be dead. I am going to either change it to something else or fork it. The last commit was on Jan 19, 2017.

matrus2 commented Oct 27, 2017

FYI: Fork with updated dependencies:

https://github.com/matrus2/node-s3-client

breathe commented Nov 7, 2017

Thank you @matrus2 -- your fork works for me (appears to resolve an unrelated bug I was hitting)!

Recommend -- are you planning to maintain the fork?

matrus2 commented Nov 7, 2017

@breathe Yes, this is a plan.
