2026-06-18 - Digest leads: distinguish a DOCUMENTED OPT-IN fix from a HIDDEN incomplete-fix
Date: 2026-06-18 Leads: Capsule (WALK), Gitea (WALK), Multer (residual-but-documented-opt-in).
Lesson (the Multer nuance): a patched version can still be vulnerable in its DEFAULT config WITHOUT being a
stageable incomplete-fix - if the maintainers DOCUMENTED the opt-in. Multer 2.2.0 added limits.fieldNestingDepth
but enforces it ONLY when the app sets it (make-middleware.js: if hasOwnProperty(limits,'fieldNestingDepth')),
no default cap. Default config still DoS-able. BUT the advisory explicitly says "upgrade AND configure
limits.fieldNestingDepth" -> it's a KNOWN documented limitation. That's the line: a HIDDEN incomplete-fix
(PyJWT ftp-redirect, Django dead-cap, form-data contentType) = the patched version is silently still broken in
a way the advisory does NOT cover -> stageable. A DOCUMENTED opt-in (multer, hono CORS user-config) = the
limitation is acknowledged -> at most a "ship a safe default" hardening request, usually wontfix. Don't
over-claim the latter. ALWAYS read the advisory's own mitigation text before deciding stage-vs-flag.
Lesson (the 2 K8s/Gitea walks): coordinated CVE fixes by mature projects tend to be CENTRALIZED sweeps.
- Capsule re-fixed the singular/plural typo by listing namespaces/finalize (plural) in the ONE webhook config,
fail-closed, no selector bypass, handler decodes the object uniformly -> the subresource-routing class closed.
- Gitea centralized the maintainer-edit check in CanMaintainerWriteToBranch and called it at EVERY write
boundary (git pre-receive hook, web file editor, PR update, context helpers); the old vulnerable pattern
survived only in a DISPLAY-data computation (issue_view.go), not an authz gate.
Set-difference tell that confirms a sweep: the fixed function is the SOLE gate at all enforcement points, and
any leftover old-pattern code is non-authoritative (display/UI only). Verify the leftover is display-only
before discarding it (it could have been the gap).
Method: fetch the FIX PR diff via the API (/repos/o/r/pulls/N/files) to see exactly what changed + whether
it's centralized vs per-handler - faster + more reliable than guessing from the patched tree. (Gitea #37479.)