From 5800837ed58793608bf5757ec5525de4b0d5b45a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 7 Mar 2026 13:36:45 +0000
Subject: [PATCH] Security: Upgrade multer from 1.4.5-lts.1 to 2.1.1 to fix DoS
 vulnerabilities

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
---
 back/services/notify.ts |  8 +++++---
 package.json            | 44 ++++++++++++++++++++---------------------
 2 files changed, 27 insertions(+), 25 deletions(-)

diff --git a/back/services/notify.ts b/back/services/notify.ts
index 33f3962e..81ecddcc 100644
--- a/back/services/notify.ts
+++ b/back/services/notify.ts
@@ -616,9 +616,11 @@ export default class NotificationService {
 
       if (emailHost) {
         transportConfig.host = emailHost;
-        transportConfig.port = emailPort
-          ? Math.max(1, Math.min(65535, parseInt(emailPort, 10) || 465))
-          : 465;
+        const parsedPort = emailPort ? parseInt(emailPort, 10) : NaN;
+        transportConfig.port =
+          !isNaN(parsedPort) && parsedPort >= 1 && parsedPort <= 65535
+            ? parsedPort
+            : 465;
         transportConfig.secure =
           emailSecure !== undefined && emailSecure !== ''
             ? emailSecure === 'true'
diff --git a/package.json b/package.json
index 038f8c1d..a63aa140 100644
--- a/package.json
+++ b/package.json
@@ -55,12 +55,15 @@
     }
   },
   "dependencies": {
+    "@bufbuild/protobuf": "^2.10.0",
     "@grpc/grpc-js": "^1.14.0",
     "@grpc/proto-loader": "^0.8.0",
+    "@keyv/sqlite": "^4.0.1",
     "@otplib/preset-default": "^12.0.1",
     "body-parser": "^1.20.3",
     "celebrate": "^15.0.3",
     "chokidar": "^4.0.1",
+    "compression": "^1.7.4",
     "cors": "^2.8.5",
     "cron-parser": "^5.4.0",
     "cross-spawn": "^7.0.6",
@@ -70,69 +73,66 @@
     "express-jwt": "^8.4.1",
     "express-rate-limit": "^7.4.1",
     "express-urlrewrite": "^2.0.3",
-    "undici": "^7.9.0",
+    "helmet": "^8.1.0",
     "hpagent": "^1.2.0",
     "http-proxy-middleware": "^3.0.3",
     "iconv-lite": "^0.6.3",
+    "ip2region": "2.3.0",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.2",
+    "keyv": "^5.2.3",
     "lodash": "^4.17.21",
-    "multer": "1.4.5-lts.1",
+    "multer": "^2.1.1",
     "node-schedule": "^2.1.0",
     "nodemailer": "^6.9.16",
     "p-queue-cjs": "7.3.4",
-    "@bufbuild/protobuf": "^2.10.0",
+    "proper-lockfile": "^4.1.2",
     "ps-tree": "^1.2.0",
     "reflect-metadata": "^0.2.2",
+    "request-ip": "3.3.0",
     "sequelize": "^6.37.5",
     "sockjs": "^0.3.24",
     "sqlite3": "git+https://github.com/whyour/node-sqlite3.git#v1.0.3",
     "toad-scheduler": "^3.0.1",
     "typedi": "^0.10.0",
+    "undici": "^7.9.0",
     "uuid": "^11.0.3",
     "winston": "^3.17.0",
-    "winston-daily-rotate-file": "^5.0.0",
-    "request-ip": "3.3.0",
-    "ip2region": "2.3.0",
-    "keyv": "^5.2.3",
-    "@keyv/sqlite": "^4.0.1",
-    "proper-lockfile": "^4.1.2",
-    "compression": "^1.7.4",
-    "helmet": "^8.1.0"
+    "winston-daily-rotate-file": "^5.0.0"
   },
   "devDependencies": {
-    "moment": "2.30.1",
     "@ant-design/icons": "^5.0.1",
     "@ant-design/pro-layout": "6.38.22",
-    "@codemirror/view": "^6.34.1",
     "@codemirror/state": "^6.4.1",
+    "@codemirror/view": "^6.34.1",
     "@monaco-editor/react": "4.2.1",
     "@react-hook/resize-observer": "^2.0.2",
-    "react-router-dom": "6.26.1",
     "@types/body-parser": "^1.19.2",
+    "@types/compression": "^1.7.2",
     "@types/cors": "^2.8.12",
     "@types/cross-spawn": "^6.0.2",
     "@types/express": "^4.17.13",
     "@types/express-jwt": "^6.0.4",
     "@types/file-saver": "2.0.2",
+    "@types/helmet": "^4.0.0",
     "@types/js-yaml": "^4.0.5",
     "@types/jsonwebtoken": "^8.5.8",
     "@types/lodash": "^4.14.185",
-    "@types/multer": "^1.4.7",
+    "@types/multer": "^2.1.0",
     "@types/node": "^17.0.21",
     "@types/node-schedule": "^1.3.2",
     "@types/nodemailer": "^6.4.4",
+    "@types/proper-lockfile": "^4.1.4",
+    "@types/ps-tree": "^1.1.6",
     "@types/qrcode.react": "^1.0.2",
     "@types/react": "^18.0.20",
     "@types/react-copy-to-clipboard": "^5.0.4",
     "@types/react-dom": "^18.0.6",
+    "@types/request-ip": "0.0.41",
     "@types/serve-handler": "^6.1.1",
     "@types/sockjs": "^0.3.33",
     "@types/sockjs-client": "^1.5.1",
     "@types/uuid": "^8.3.4",
-    "@types/request-ip": "0.0.41",
-    "@types/proper-lockfile": "^4.1.4",
-    "@types/ps-tree": "^1.1.6",
     "@uiw/codemirror-extensions-langs": "^4.21.9",
     "@uiw/react-codemirror": "^4.21.9",
     "@umijs/max": "^4.4.4",
@@ -144,9 +144,9 @@
     "axios": "^1.4.0",
     "compression-webpack-plugin": "9.2.0",
     "concurrently": "^7.0.0",
-    "react-hotkeys-hook": "^4.6.1",
     "file-saver": "2.0.2",
     "lint-staged": "^13.0.3",
+    "moment": "2.30.1",
     "monaco-editor": "0.33.0",
     "nodemon": "^3.0.1",
     "prettier": "^2.5.1",
@@ -162,7 +162,9 @@
     "react-dnd": "^16.0.1",
     "react-dnd-html5-backend": "^16.0.1",
     "react-dom": "18.3.1",
+    "react-hotkeys-hook": "^4.6.1",
     "react-intl-universal": "^2.12.0",
+    "react-router-dom": "6.26.1",
     "react-split-pane": "^0.1.92",
     "sockjs-client": "^1.6.0",
     "ts-node": "^10.9.2",
@@ -170,8 +172,6 @@
     "tslib": "^2.4.0",
     "typescript": "5.2.2",
     "vh-check": "^2.0.5",
-    "virtualizedtableforantd4": "1.3.0",
-    "@types/compression": "^1.7.2",
-    "@types/helmet": "^4.0.0"
+    "virtualizedtableforantd4": "1.3.0"
   }
 }