Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 15 additions & 24 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@
"express-ws": "5.0.2",
"ipcheck": "0.1.0",
"minimist": "1.2.8",
"multiparty": "4.2.3",
"multiparty": "4.3.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for hardcoded multiparty version references across the codebase
rg -n 'multiparty@4\.2\.3' --type-add 'config:*.{json,js,ts,yml,yaml,toml,dockerfile,Dockerfile}' --type config

Repository: flamingo-stack/meshcentral

Length of output: 458


🏁 Script executed:

#!/bin/bash
# Verify multiparty 4.3.0 exists and check for security advisories
echo "=== Checking npm registry for multiparty 4.3.0 ==="
npm view multiparty@4.3.0 version 2>/dev/null || echo "Version 4.3.0 not found"

echo -e "\n=== Checking for security advisories ==="
npm audit --package-lock-only --json | jq '.vulnerabilities.multiparty // "No vulnerabilities found in npm audit"'

echo -e "\n=== Checking GitHub security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: NPM, package: "multiparty") {
    nodes {
      advisory {
        summary
        severity
        identifiers { type value }
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}'

Repository: flamingo-stack/meshcentral

Length of output: 1325


Critical: Fix hardcoded multiparty@4.2.3 in meshcentral.js
package.json bumps multiparty to 4.3.0 (line 51), but meshcentral.js still hardcodes multiparty@4.2.3 in the modules list (line 4466). The cited advisories (CVE-2026-8159/8161/8162) affect <= 4.2.3 and are first patched in 4.3.0, so this version skew can leave the vulnerable version installed at runtime—update the hardcoded entry to multiparty@4.3.0.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 51, The modules list in meshcentral.js contains a
hardcoded dependency string "multiparty@4.2.3" which is inconsistent with
package.json (multiparty 4.3.0) and leaves the older vulnerable version
installable; update the entry in the modules array from "multiparty@4.2.3" to
"multiparty@4.3.0" (search for the literal "multiparty@4.2.3" in meshcentral.js
and change it), and verify the change aligns with the package.json entry so
runtime installs the patched 4.3.0 release.

"node-forge": "1.3.2",
"otplib": "12.0.1",
"ua-client-hints-js": "0.1.2",
Expand Down
Loading