Advisory GHSA-4pg4-qvpc-4q3h lists incorrect fixed version

[MikeKoval]

I have noticed an issue with the details provided in the advisory GHSA-4pg4-qvpc-4q3h regarding the fixed version.

Look, this pr to fix vulnerability expressjs/multer#1177 is present in both v1.4.5-lts.2 and v2.0.0:

https://github.com/expressjs/multer/commits/v1.4.5-lts.2
https://github.com/expressjs/multer/commits/v2.0.0

So i think v1.4.5-lts.2 is not affected, also npm audit does not complain about it.

Could you please review and update the advisory to reflect the correct information? Thank you.

[JonathanLEvans]

Hi @MikeKoval,

Sorry for the slow response and thank you for the contribution!

It looks like v1.4.5-lts.2 only received a partial fix. v1.4.5-lts.2 received expressjs/multer@a4be1d5. However, it was later noticed that the fix missed some cases so 2.0.0 was released with the complete fix. This is likely why the maintainer says the fixed version is 2.0.0.

If you think it would be helpful, we could include a note in the description explaining that v1.4.5-lts.2 only contains a partial fix.