Security: Upgrade multer from 1.4.5-lts.1 to 2.1.1 to fix DoS vulnerabilities

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2026-03-13 06:55:37 +08:00 · 2026-03-07 13:36:45 +00:00 · 2026-03-07 13:36:45 +00:00 · 5800837ed5
commit 5800837ed5
parent aecdd7852b
2 changed files with 27 additions and 25 deletions
--- a/back/services/notify.ts
+++ b/back/services/notify.ts
@ -616,9 +616,11 @@ export default class NotificationService {
      if (emailHost) {
        transportConfig.host = emailHost;
-        transportConfig.port = emailPort
+        const parsedPort = emailPort ? parseInt(emailPort, 10) : NaN;
-          ? Math.max(1, Math.min(65535, parseInt(emailPort, 10) || 465))
+        transportConfig.port =
-          : 465;
+          !isNaN(parsedPort) && parsedPort >= 1 && parsedPort <= 65535
            ? parsedPort
            : 465;
        transportConfig.secure =
          emailSecure !== undefined && emailSecure !== ''
            ? emailSecure === 'true'
--- a/package.json
+++ b/package.json
@ -55,12 +55,15 @@
    }
  },
  "dependencies": {
    "@bufbuild/protobuf": "^2.10.0",
    "@grpc/grpc-js": "^1.14.0",
    "@grpc/proto-loader": "^0.8.0",
    "@keyv/sqlite": "^4.0.1",
    "@otplib/preset-default": "^12.0.1",
    "body-parser": "^1.20.3",
    "celebrate": "^15.0.3",
    "chokidar": "^4.0.1",
    "compression": "^1.7.4",
    "cors": "^2.8.5",
    "cron-parser": "^5.4.0",
    "cross-spawn": "^7.0.6",
@ -70,69 +73,66 @@
    "express-jwt": "^8.4.1",
    "express-rate-limit": "^7.4.1",
    "express-urlrewrite": "^2.0.3",
-    "undici": "^7.9.0",
+    "helmet": "^8.1.0",
    "hpagent": "^1.2.0",
    "http-proxy-middleware": "^3.0.3",
    "iconv-lite": "^0.6.3",
    "ip2region": "2.3.0",
    "js-yaml": "^4.1.0",
    "jsonwebtoken": "^9.0.2",
    "keyv": "^5.2.3",
    "lodash": "^4.17.21",
-    "multer": "1.4.5-lts.1",
+    "multer": "^2.1.1",
    "node-schedule": "^2.1.0",
    "nodemailer": "^6.9.16",
    "p-queue-cjs": "7.3.4",
-    "@bufbuild/protobuf": "^2.10.0",
+    "proper-lockfile": "^4.1.2",
    "ps-tree": "^1.2.0",
    "reflect-metadata": "^0.2.2",
    "request-ip": "3.3.0",
    "sequelize": "^6.37.5",
    "sockjs": "^0.3.24",
    "sqlite3": "git+https://github.com/whyour/node-sqlite3.git#v1.0.3",
    "toad-scheduler": "^3.0.1",
    "typedi": "^0.10.0",
    "undici": "^7.9.0",
    "uuid": "^11.0.3",
    "winston": "^3.17.0",
-    "winston-daily-rotate-file": "^5.0.0",
+    "winston-daily-rotate-file": "^5.0.0"
    "request-ip": "3.3.0",
    "ip2region": "2.3.0",
    "keyv": "^5.2.3",
    "@keyv/sqlite": "^4.0.1",
    "proper-lockfile": "^4.1.2",
    "compression": "^1.7.4",
    "helmet": "^8.1.0"
  },
  "devDependencies": {
    "moment": "2.30.1",
    "@ant-design/icons": "^5.0.1",
    "@ant-design/pro-layout": "6.38.22",
    "@codemirror/view": "^6.34.1",
    "@codemirror/state": "^6.4.1",
    "@codemirror/view": "^6.34.1",
    "@monaco-editor/react": "4.2.1",
    "@react-hook/resize-observer": "^2.0.2",
    "react-router-dom": "6.26.1",
    "@types/body-parser": "^1.19.2",
    "@types/compression": "^1.7.2",
    "@types/cors": "^2.8.12",
    "@types/cross-spawn": "^6.0.2",
    "@types/express": "^4.17.13",
    "@types/express-jwt": "^6.0.4",
    "@types/file-saver": "2.0.2",
    "@types/helmet": "^4.0.0",
    "@types/js-yaml": "^4.0.5",
    "@types/jsonwebtoken": "^8.5.8",
    "@types/lodash": "^4.14.185",
-    "@types/multer": "^1.4.7",
+    "@types/multer": "^2.1.0",
    "@types/node": "^17.0.21",
    "@types/node-schedule": "^1.3.2",
    "@types/nodemailer": "^6.4.4",
    "@types/proper-lockfile": "^4.1.4",
    "@types/ps-tree": "^1.1.6",
    "@types/qrcode.react": "^1.0.2",
    "@types/react": "^18.0.20",
    "@types/react-copy-to-clipboard": "^5.0.4",
    "@types/react-dom": "^18.0.6",
    "@types/request-ip": "0.0.41",
    "@types/serve-handler": "^6.1.1",
    "@types/sockjs": "^0.3.33",
    "@types/sockjs-client": "^1.5.1",
    "@types/uuid": "^8.3.4",
    "@types/request-ip": "0.0.41",
    "@types/proper-lockfile": "^4.1.4",
    "@types/ps-tree": "^1.1.6",
    "@uiw/codemirror-extensions-langs": "^4.21.9",
    "@uiw/react-codemirror": "^4.21.9",
    "@umijs/max": "^4.4.4",
@ -144,9 +144,9 @@
    "axios": "^1.4.0",
    "compression-webpack-plugin": "9.2.0",
    "concurrently": "^7.0.0",
    "react-hotkeys-hook": "^4.6.1",
    "file-saver": "2.0.2",
    "lint-staged": "^13.0.3",
    "moment": "2.30.1",
    "monaco-editor": "0.33.0",
    "nodemon": "^3.0.1",
    "prettier": "^2.5.1",
@ -162,7 +162,9 @@
    "react-dnd": "^16.0.1",
    "react-dnd-html5-backend": "^16.0.1",
    "react-dom": "18.3.1",
    "react-hotkeys-hook": "^4.6.1",
    "react-intl-universal": "^2.12.0",
    "react-router-dom": "6.26.1",
    "react-split-pane": "^0.1.92",
    "sockjs-client": "^1.6.0",
    "ts-node": "^10.9.2",
@ -170,8 +172,6 @@
    "tslib": "^2.4.0",
    "typescript": "5.2.2",
    "vh-check": "^2.0.5",
-    "virtualizedtableforantd4": "1.3.0",
+    "virtualizedtableforantd4": "1.3.0"
    "@types/compression": "^1.7.2",
    "@types/helmet": "^4.0.0"
  }
 }