chore: update busboy#1044

Closed
Achneoder wants to merge 1 commit into expressjs:master from Achneoder:master

Conversation

Achneoder (Author) wrote:

Updates busboy to latest version

Targets the DeprecationWarning for Buffer() and #1041

LinusU (Member) commented Nov 8, 2021

Since this is a breaking change we cannot release it in a 1.x version, and I believe that this has already been updated in the 2.x line (see #399).

Thanks for taking the time with the PR though ☺️

LinusU closed this Nov 8, 2021

Achneoder (Author) commented

I know that it's fixed in version 2, but since this is a potential security issue, I think it's worth considering releasing a new version fixing this.

You mentioned yourself that you don't know when v2.0 gets released (#1042 (comment)) and according to the commits, it looks like v2.0 is in development for ~ 5 years now.

Dropping support for really old and no longer maintained Node versions by creating a new minor version for multer doesn't look like a big deal to me in contrast to the potential (and also annoying) security issue of using new Buffer() - which has also already been deprecated since Node 6.
But to be honest, I don't have any usage statistics for different Node versions and it might be that Node versions between 0.10.0 and 4.5.0 are still heavily used.

LinusU (Member) commented Nov 9, 2021

> [...] the potential (and also annoying) security issue of using new Buffer() - which has also already been deprecated since Node 6.

Using new Buffer(...) isn't inherently unsafe; it's just when it's being used in some specific ways. If you believe that there is actually a security issue here, please report it in accordance with this guide:

https://github.com/expressjs/express/blob/master/Security.md

> Dropping support for really old and no longer maintained Node versions by creating a new minor version for multer doesn't look like a big deal to me [...]

I think that following semver is really important, especially for projects being used by so many. It's not fun to have your project break because a dependency wasn't following it...

> You mentioned yourself that you don't know when v2.0 gets released (#1042 (comment)) and according to the commits, it looks like v2.0 is in development for ~ 5 years now.

All the features for Multer 2.0 are done, and the release candidates should be stable. I can recommend using 2.x now, and report any feedback, good or bad, in that thread. Once I see that it's working for some people I would feel confident releasing it...
