Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 15 additions & 24 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@
"express-ws": "5.0.2",
"ipcheck": "0.1.0",
"minimist": "1.2.8",
"multiparty": "4.2.3",
"multiparty": "4.3.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for hardcoded multiparty version references across the codebase
rg -n 'multiparty@4\.2\.3' --type-add 'config:*.{json,js,ts,yml,yaml,toml,dockerfile,Dockerfile}' --type config

Repository: flamingo-stack/meshcentral

Length of output: 458


🏁 Script executed:

#!/bin/bash
# Verify multiparty 4.3.0 exists and check for security advisories
echo "=== Checking npm registry for multiparty 4.3.0 ==="
npm view [email protected] version 2>/dev/null || echo "Version 4.3.0 not found"

echo -e "\n=== Checking for security advisories ==="
npm audit --package-lock-only --json | jq '.vulnerabilities.multiparty // "No vulnerabilities found in npm audit"'

echo -e "\n=== Checking GitHub security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: NPM, package: "multiparty") {
    nodes {
      advisory {
        summary
        severity
        identifiers { type value }
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}'

Repository: flamingo-stack/meshcentral

Length of output: 1325


Critical: Fix hardcoded [email protected] in meshcentral.js
package.json bumps multiparty to 4.3.0 (line 51), but meshcentral.js still hardcodes [email protected] in the modules list (line 4466). The cited advisories (CVE-2026-8159/8161/8162) affect <= 4.2.3 and are first patched in 4.3.0, so this version skew can leave the vulnerable version installed at runtime—update the hardcoded entry to [email protected].

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 51, The modules list in meshcentral.js contains a
hardcoded dependency string "[email protected]" which is inconsistent with
package.json (multiparty 4.3.0) and leaves the older vulnerable version
installable; update the entry in the modules array from "[email protected]" to
"[email protected]" (search for the literal "[email protected]" in meshcentral.js
and change it), and verify the change aligns with the package.json entry so
runtime installs the patched 4.3.0 release.

"node-forge": "1.3.2",
"otplib": "12.0.1",
"ua-client-hints-js": "0.1.2",
Expand Down
Loading