multer audit findings

[joebowbeer]

According to GitHub Security Advisory, this repo's dependency on multer@1.4.5-lts.1 should raise three high severity alerts that are resolved in multer@2.0.1:

https://github.com/expressjs/multer/security

However, if I clone backstage/demo and run yarn npm audit -R --severity high then I don't see these reported.

I wonder why this is?

In any event, I think these high severity alerts can be addressed by updating express-openapi-validator

yarn why multer
└─ express-openapi-validator@npm:5.1.1
   └─ multer@npm:1.4.5-lts.1 (via npm:^1.4.5-lts.1)

Their updated multer dependency was released in v5.5.3

cdimascio/express-openapi-validator#1069 (comment)

[awanlin]

HI @joebowbeer, thanks for the heads up we use both Renovate and Dependabot on this repo so we should get a PR to address this created by those tools. Currently I'm blocked from merging any of these PR due to some TypeScript errors from GitHub Octokit dependencies that I'm working to resolve.

[awanlin]

Oh, also, just to be safe this code base isn't intended to be the starting point for a new Backstage instance or for a POC. I highly recommend following the Getting Started guide: https://backstage.io/docs/getting-started/ 👍

[joebowbeer]

Thanks for the heads up re. create-app.

This issue is wearing a few hats.

In our own deployment, I noticed that yarn npm audit is not reporting this but it does show up in our Dependabot Security report, as I expect it does in yours.

I guess I should report this to the yarn devs.

[joebowbeer]

Reported to yarn devs.

I learned that npm audit may not flag pre-release versions such as multer@1.4.5-lts.1

I also learned how to get the environment filter to work:

yarn npm audit -AR --severity high --environment production

[awanlin]

Managed to get the Octokit issue sorted and I'm slowly merging in the various PRs that have been generated, once that clears I'll check in on this package specifically. I'll admit I don't use the audit command, I'll generally go straight to yarn why to better understand where something is being used and/or coming from.