[Snyk] Upgrade express-fileupload from 0.0.5 to 1.2.0

[snyk-bot]

Snyk has created this PR to upgrade express-fileupload from 0.0.5 to 1.2.0.

✨ Snyk has automatically assigned this pull request, set who gets assigned.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

Warning: This is a major version upgrade, and may be a breaking change.

• The recommended version is 35 versions ahead of your current version.
• The recommended version was released 3 months ago, on 2020-08-14.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Prototype Pollution SNYK-JS-EXPRESSFILEUPLOAD-595969	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Proof of Concept
	Denial of Service (DoS) SNYK-JS-EXPRESSFILEUPLOAD-473997	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: express-fileupload

• 1.2.0 - 2020-08-14
  

  Bug Fixes

  #241 Cleanup temporary files - @nusu

• 1.1.10 - 2020-08-06
  

  Updates:

  Additional prototype-pollution security fix when using processNested (#239)

• 1.1.9 - 2020-07-31
  

  Updates:

  Second prototype pollution security vulnerability fix when using processNested (#236)

• 1.1.8 - 2020-07-29
  

  Updates:

  Fixed prototype pollution security vulnerability when using processNested (#236)

• 1.1.7-alpha.4 - 2020-07-16
  

  Updates:

  • Updated README.md thanks to @tycrek , @eartharoid, @Code42Cate
  • Some code refactoring to make it lighter and more readable.
  • Updated dependencies.

  Fixes:

  • Fix empty file issue(#226)
  • Fix temp file write timing issue(#184). Thanks to @somewind
  • Add empty file name check for parseFileName, issue(#187).
  • Write Timing Crash #192
  • when file.on('data') event timeouts, the case isn't handled properly #202
  • Do not create empty temporary files for empty file fields #191
• 1.1.7-alpha.3 - 2020-04-08
  

  Update package.json

• 1.1.7-alpha.2 - 2020-04-06
  

  Add complete flag for upload handlers

• 1.1.7-alpha.1 - 2020-04-03
  

  fix: Add empty file name check for parseFileName.

• 1.1.6 - 2019-11-19
  

  Updates

  • Add debug option and debug logging output for upload process.
  • Invoke cleanup in case of abortOnLimit=true to delete temporary file when limit reached(#155 ).
  • if possible, module uses fs.rename instead of copying + deleting to move uploaded files(#158).
  • Add busboy unpipe when closing connection. Thanks to @shel.
  • uploadTimeout(default is 60000 msec) option.
  • Add timeout check for data handler, which triggers cleanup of the temp files in case of no data come during time configured in option uploadTimeout.
  • Fixing vulnerability: middleware checks filename and cut off it if length more then 255 characters.
• 1.1.6-alpha.6 - 2019-10-22
  

  Fixing vulnerability if file name length to big.

• 1.1.6-alpha.5 - 2019-09-19
• 1.1.6-alpha.4 - 2019-09-12
• 1.1.6-alpha.3 - 2019-09-11
• 1.1.6-alpha.2 - 2019-09-10
• 1.1.6-alpha.1 - 2019-09-10
• 1.1.5 - 2019-06-07
• 1.1.4 - 2019-04-02
• 1.1.3-alpha.2 - 2019-03-25
• 1.1.3-alpha.1 - 2019-03-12
• 1.1.2-alpha.1 - 2019-03-06
• 1.1.1-alpha.3 - 2019-02-18
• 1.1.1-alpha.2 - 2019-02-08
• 1.1.1-alpha.1 - 2018-12-28
• 1.0.0 - 2018-10-18
• 1.0.0-alpha.1 - 2018-09-22
• 0.4.0 - 2018-01-24
• 0.3.0 - 2017-10-07
• 0.2.0 - 2017-08-28
• 0.1.4 - 2017-06-30
• 0.1.3 - 2017-04-30
• 0.1.2 - 2017-03-09
• 0.1.1 - 2017-02-18
• 0.1.0 - 2017-02-18
• 0.0.7 - 2017-02-10
• 0.0.6 - 2017-01-14
• 0.0.5 - 2016-04-22

from express-fileupload GitHub release notes

Commit messages

Package name: express-fileupload

• 1216f4f minor version bump
• 6458793 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths #241 from nusu/remove-empty-files
• 8716fd6 log
• 8ae6868 space after if --with eslint --fix
• 67adcc8 space after if
• eb1a0d8 remove unrelevant code 🤔
• dfb9b1a remove empty file
• 4fa3bf9 Update README.md
• 9f22db7 version bump
• 9fca550 Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths #240 from AmazingMech2418/patch-1
• 1530cf5 Make Travis happy
• e43bfcf Fix typo
• 8bf7427 Update processNested.js
• fd40389 version bump
• 94c9cf9 prototype pollution fix add qs, just to see what it'll do #2
• 829f395 version bump
• db49535 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path #237 from richardgirges/fix-236-proto-pollution
• d81bee9 Upgrade latest packages; run npm audit fix; add logic to prevent prototype pollution in parseNested
• e9848fc Update package-lock.json
• d536cfb Update package.json
• c7a6b9c Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path #233 from RomanBurunkov/master
• a53b93f Update tests to support empty files
• d8c00c5 Add empty files support for tempFileHandler
• b24233d Comment extra condition in fileFactory(issue Test #1), add more logging

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

👩‍💻 Set who automatically gets assigned

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs