New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update mime to a version without a security vulnarability #212
Comments
oh wow. questions:
|
I guess we can do the upgrade, major semver ourselves, and kick the can on how we can make mime truly pluggable since I don't think anyone has actually tackled that problem yet |
Yes there is breaking change. If I update and run
|
@jfhbrook heh I thought I fixed #66 in #143 one and a half year ago ;) |
There was an idea about using mime-magic. Is that module out? |
yeah I was thinking about that! I don't remember why I didn't like the idea at the time. Maybe I was worried about cross-platform support? That seems squared with them shipping the windows binary. We already have to do a major change, so that's not an issue either |
Do we need a coding date in January to refactor mime types, middleware and make ecstatic SPA friendly? |
ahaha oh man, yeah maybe |
hehe... I'll be up for a weekend hackathon or something like that if life doesn't get in the way. |
yeah, gotcha. I did some digging, looks like this mighta gotten patched in v1? https://github.com/broofa/node-mime/releases |
hell yeah he backported the fix I'll have a release for this out today! |
2eb212d and published in 3.1.1. Thanks for lookin' out! |
I stumble on this: https://david-dm.org/jfhbrook/node-ecstatic while looking at https://github.com/jfhbrook/node-ecstatic/blob/master/CONTRIBUTING.md#a-few-other-minor-guidelines
That seems pretty bad since it's not a dev dep and we have many hooks to set custom mime types, which someone might set from an entrusted source.
The text was updated successfully, but these errors were encountered: