Supply-chain: Review or rewrite the busboy library. #6

Open
bogeeee opened this issue Apr 25, 2024 · 7 comments
Labels: help wanted (Extra attention is needed), 💰 Reward, security

Comments

bogeeee (Owner) commented Apr 25, 2024

Currently, it is very "leet" code that's hard to inspect. What we need is at least some guarantee that it's side-effect-free.

https://www.npmjs.com/package/busboy

https://github.com/mscdex/busboy



This repo is using Opire - what does it mean? 👇
💸Everyone can add rewards for this issue commenting /reward 100 (replace 100 with the amount)
💪 If someone starts working on this issue to earn the rewards, they can comment /try to let everyone know!
🙌 And when they open the PR, they can comment /claim #6 either in the PR description or in a PR's comment

👀 Also, everyone can tip any user commenting /tip 20 @bogeeee (replace 20 with the amount, and @bogeeee with the user to tip)

If you want to learn more, go to our documentation
bogeeee added the bug (Something isn't working) and help wanted (Extra attention is needed) labels Apr 25, 2024
bogeeee (Owner, Author) commented Apr 25, 2024

/reward 50

How to earn this $50.00 reward?
💪 Comment /try and start working on solving the issue!
🙌 And when you open the PR, comment /claim #6 either in the PR description or in a PR's comment

opirebot (bot) added the 💰 Reward label Apr 25, 2024
bogeeee added the security label and removed the bug (Something isn't working) label Apr 25, 2024
Muhammad-Owais-Warsi commented

Hey @bogeeee, I think it's already very modular, along with comments. Thanks :)

AbdellahGo commented Dec 14, 2024

/try

Check if you're the only one trying 👇
You're the first one to try to solve this issue, go for it! 😉

opirebot (bot) commented Dec 17, 2024

@bhardwajMehul created a $50.00 reward using Opire

How to earn this reward?
💪 Comment `/try` and start working on solving the issue! 🙌 Once your PR is open, comment `/claim #6` either in the PR description or within the comments.

sonpt-afk commented Dec 18, 2024

/try

Check if you're the only one trying 👇
There are already people trying to solve this issue. You're welcome to tackle it independently, but we encourage you to reach out to the contributors that are trying to solve the issue if you'd like to collaborate with them.

The other contributor is: @AbdellahGo.

Niharika0104 commented Dec 21, 2024

@bogeeee here are some vulnerabilities reported about busboy:
mscdex/busboy#250
tsedio/tsed#1919
However, when I ran npm audit in the project directory I got 0 vulnerabilities.
https://secure.software/npm/packages/busboy I also checked this website, which looks for vulnerabilities, and even this reported that it's safe to use.
Is this fine, or should we do a more in-depth analysis, or what's the next step?

bogeeee (Owner, Author) commented Dec 22, 2024

@Niharika0104 Thx for having a look. I checked them and these are solved in the meanwhile.
Next step would actually be a code analysis (manual review), as written in the title/description.

Also I drew back my Opire reward, because I think that it doesn't work the right way. I tried out Opire, but too many low-effort bounty hunters vs. I'm having much pressure in responsibility / answering questions / helping and giving fair rewards.
(Except I'm still standing by my reward for the 2 guys currently trying / but not for new people.)

No branches or pull requests

5 participants