Snyk vulnerability through formidable dependency

[s-huh]

Hi, Snyk is identifying an Arbitrary File Upload vulnerability in my project (deemed as Critical) introduced through: [email protected] > [email protected] > [email protected]. It seems to have been fixed in [email protected]. Are there any plans to update this dependency to eliminate this vulnerability?

[JamesIrish]

Likewise, same problem with our application too. npm audit shows the issue as critical and our attempts to use npm-force-resolutions and npm audit fix combinations haven't yielded great results. We can get around it with npm-force-resolutions but that introduces other issues! If this can be fixed in the sumo package that would be ideal. Thanks.

[JamesIrish]

Just linking to the open issue on superagent to update their dependency on formidable: ladjs/superagent#1725

[bpolanczyk]

I'll take a look and issue a patch release soon. Thanks for finding that out!

[scottdickerson]

@bpolanczyk any updates on this? it would be great to be able to upgrade without forcing a local resolution. Thank you!

[markhughes]

This is still flagging

[domcorso-nib]

Does anyone have a resolution for this?

We're getting this as a critical severity as of this morning:
GHSA-8cp3-66vr-3r4c

I've also raised an issue with SuperAgent:
ladjs/superagent#1799