npm module formidable@2.0.1 marked as latest

[leonidio-com]

Support plan

• Which support plan is this issue covered by? (Community, Sponsor, Enterprise): Community
• Currently blocking your project/work? (yes/no): yes
• Affecting a production system? (yes/no): yes

Context

• Node.js version: 14
• Release Line of Formidable (Legacy, Current, Next): Next
• Formidable exact version: 2.0.1
• Environment (node, browser, native, OS): node
• Used with (popular names of modules): dependency of superagent

What are you trying to achieve or the steps to reproduce?

Our security scans find a vulnerability in formidable@2.0.1 (CVE-2022-29622).

const some = 'properly formatted code example';

What was the result you got?

formidable@2.0.1 is pulled in by superagent@7.1.6 in our product.
Even though superagent@7.1.6 is very new it still pulls formidable@2.0.1
Looking at that page here: https://www.npmjs.com/package/formidable
we can see that formidable@2.0.1 marked as latest - this might explain why superagent@7.1.6 pulls formidable@2.0.1 instead of formidable@3.2.4

What result did you expect?

We expect all the products to pull the latest and greatest formidable with all the CVE's fixed.

[tunnckoCore]

yes. that's how it works.

It's not marked as latest for a reason.

check #856, #862, and superagent's one ladjs/superagent#1725 (comment) and ladjs/superagent#1724.

The vulnerability is not as severe as everyone is making it out to be.

They are not that effected.