🛡️ chore: multer v2.0.0 for CVE-2025-47935 and CVE-2025-47944 (#7454)

* chore: bump multer to v2.0.0 to resolve CVE-2025-47935 and CVE-2025-47944 * chore: temp. remove helmet dependency to appease unused NPM package workflow
2025-12-24 20:30:13 +01:00 · 2025-05-19 19:22:43 -04:00 · 2025-05-19 19:22:43 -04:00 · 739b0d3012
commit 739b0d3012
parent 9c9fe4e03a
2 changed files with 32 additions and 41 deletions
--- a/api/package.json
+++ b/api/package.json
@ -71,7 +71,6 @@
    "firebase": "^11.0.2",
    "googleapis": "^126.0.1",
    "handlebars": "^4.7.7",
-    "helmet": "^8.1.0",
    "https-proxy-agent": "^7.0.6",
    "ioredis": "^5.3.2",
    "js-yaml": "^4.1.0",
@ -87,7 +86,7 @@
    "mime": "^3.0.0",
    "module-alias": "^2.2.3",
    "mongoose": "^8.12.1",
-    "multer": "^1.4.5-lts.1",
+    "multer": "^2.0.0",
    "nanoid": "^3.3.7",
    "nodemailer": "^6.9.15",
    "ollama": "^0.5.0",
--- a/package-lock.json
+++ b/package-lock.json
@ -87,7 +87,6 @@
        "firebase": "^11.0.2",
        "googleapis": "^126.0.1",
        "handlebars": "^4.7.7",
-        "helmet": "^8.1.0",
        "https-proxy-agent": "^7.0.6",
        "ioredis": "^5.3.2",
        "js-yaml": "^4.1.0",
@ -103,7 +102,7 @@
        "mime": "^3.0.0",
        "module-alias": "^2.2.3",
        "mongoose": "^8.12.1",
-        "multer": "^1.4.5-lts.1",
+        "multer": "^2.0.0",
        "nanoid": "^3.3.7",
        "nodemailer": "^6.9.15",
        "ollama": "^0.5.0",
@ -830,6 +829,18 @@
      "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
      "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
    },
+    "api/node_modules/mkdirp": {
+      "version": "0.5.6",
+      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz",
+      "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==",
+      "license": "MIT",
+      "dependencies": {
+        "minimist": "^1.2.6"
+      },
+      "bin": {
+        "mkdirp": "bin/cmd.js"
+      }
+    },
    "api/node_modules/mongodb": {
      "version": "6.14.2",
      "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-6.14.2.tgz",
@ -975,6 +986,24 @@
        "url": "https://opencollective.com/mongoose"
      }
    },
+    "api/node_modules/multer": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/multer/-/multer-2.0.0.tgz",
+      "integrity": "sha512-bS8rPZurbAuHGAnApbM9d4h1wSoYqrOqkE+6a64KLMK9yWU7gJXBDDVklKQ3TPi9DRb85cRs6yXaC0+cjxRtRg==",
+      "license": "MIT",
+      "dependencies": {
+        "append-field": "^1.0.0",
+        "busboy": "^1.0.0",
+        "concat-stream": "^1.5.2",
+        "mkdirp": "^0.5.4",
+        "object-assign": "^4.1.1",
+        "type-is": "^1.6.4",
+        "xtend": "^4.0.0"
+      },
+      "engines": {
+        "node": ">= 10.16.0"
+      }
+    },
    "api/node_modules/node-fetch": {
      "version": "2.6.7",
      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
@ -31511,15 +31540,6 @@
        "url": "https://opencollective.com/unified"
      }
    },
-    "node_modules/helmet": {
-      "version": "8.1.0",
-      "resolved": "https://registry.npmjs.org/helmet/-/helmet-8.1.0.tgz",
-      "integrity": "sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=18.0.0"
-      }
-    },
    "node_modules/highlight.js": {
      "version": "11.8.0",
      "resolved": "https://registry.npmjs.org/highlight.js/-/highlight.js-11.8.0.tgz",
@ -36384,34 +36404,6 @@
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="
    },
-    "node_modules/multer": {
-      "version": "1.4.5-lts.1",
-      "resolved": "https://registry.npmjs.org/multer/-/multer-1.4.5-lts.1.tgz",
-      "integrity": "sha512-ywPWvcDMeH+z9gQq5qYHCCy+ethsk4goepZ45GLD63fOu0YcNecQxi64nDs3qluZB+murG3/D4dJ7+dGctcCQQ==",
-      "dependencies": {
-        "append-field": "^1.0.0",
-        "busboy": "^1.0.0",
-        "concat-stream": "^1.5.2",
-        "mkdirp": "^0.5.4",
-        "object-assign": "^4.1.1",
-        "type-is": "^1.6.4",
-        "xtend": "^4.0.0"
-      },
-      "engines": {
-        "node": ">= 6.0.0"
-      }
-    },
-    "node_modules/multer/node_modules/mkdirp": {
-      "version": "0.5.6",
-      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz",
-      "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==",
-      "dependencies": {
-        "minimist": "^1.2.6"
-      },
-      "bin": {
-        "mkdirp": "bin/cmd.js"
-      }
-    },
    "node_modules/mustache": {
      "version": "4.2.0",
      "resolved": "https://registry.npmjs.org/mustache/-/mustache-4.2.0.tgz",