possibility of a 5.0.3 release with less strict node-gyp version dependency #1493
Comments
There don't seem to be any breaking changes in
"resolutions": {
  "node-gyp": "^8"
}
Hello. This vulnerability of the
Looking forward to a fix for the tar dependency.
node-gyp the version is too low! This affects other packages, it's like a cancer
Please update
@564064202 @sharedrory it is updated already but only on master/main branch. There is no new tagged version released yet.
@teklakct Thank you. I looked at the commit history and since the current release there have been some bug fixes and the (pre)node-gyp update. While your suggestion works, I think something like a vulnerability fix requires its own emergency release.
Yes, it should, but I cannot wait, so we decided to specify a commit instead.
Oh sorry, I wasn't clear. Yes, people that want to have it fixed asap should use that method (or fork), but I meant it's the developers'/maintainers' responsibility to keep the dependencies up-to-date.
sqlite3 is fetched from GitHub because the maintainers haven't yet published a node-gyp update to npm: TryGhost/node-sqlite3#1493
please publish to npm
Will the fix be published soon?
Haven't tried it yet, but it seems vscode folks published a fork with security fixes https://www.npmjs.com/package/@vscode/sqlite3
@rickbergfalk thanks for the heads up, it works for me. I also learned about npm aliases which made it easier to switch: "sqlite3": "npm:@vscode/sqlite3@^5.0.7",
Tried this one and works perfectly fine for me.
…to security issues with package "sqlite3", ref: TryGhost/node-sqlite3#1493
please publish master to npm! 🙏
In particular this leads to using a reasonably recent `tar` package, fixing vulnerabilities in the old one it was using.

Upstream has already bumped this to node-gyp 7.x in their master branch, but hasn't posted a release to NPM: TryGhost/node-sqlite3#1493

Empirically node-gyp 8.x, the latest, works fine. That's also reported by someone on that issue thread: TryGhost/node-sqlite3#1493 (comment) May as well go for that, then. (There was no 8.x yet when the version specified in sqlite3 was bumped to 7.x.)

Some other people on that thread report using a fork made by the VS Code developers, which posted some releases in November. But that fork seems pretty clearly intended for VS Code's own internal use, with no promises for broader consumption: microsoft/vscode-node-sqlite3#14 (comment) so that doesn't seem like an improvement over upstream.
Any updates on when this pkg will be updated? Apparently the fix was in 3fb3715
Microsoft maintains a fork of the sqlite3 package at https://github.com/microsoft/vscode-node-sqlite3 Switching to that allows us to drop various very old dependencies, removing 5 high security alerts in the process. References: TryGhost/node-sqlite3#1493 (comment) Signed-off-by: David Mehren <git@herrmehren.de>
Hello, is there a reason why this vulnerability fix hasn't been released yet? It seems the problem was resolved in the code base? Thank you
refs #1493
refs nodejs/node-gyp#2474
- `node-gyp` 7.x has a minimum `tar` version of 6.0.2, which has a security vulnerability listed against it
- `node-gyp` 8.x updates the minimum to 6.1.2, which contains the fix
- `node-gyp` 8.x should still allow us to use Node 10, so we're good with Node compatibility
- it also seems to fix the `PYTHON` env variable being set, which helps fix the build for MacOS Monterey (coming in the next commit)
Thanks @daniellockyer!
Hi @kewde, there are two high severity vulnerabilities introduced by tar@2.2.2:
Issue Description
I noticed that a vulnerability is introduced in sqlite3@5.0.2:
Vulnerability CVE-2021-32804 and CVE-2021-32803 (high severity) affects package tar (versions:<3.2.2,>=4.0.0 <4.4.14,>=5.0.0 <5.0.6,>=6.0.0 <6.1.1): https://snyk.io/vuln/SNYK-JS-TAR-1536531 and https://snyk.io/vuln/SNYK-JS-TAR-1536528
The above vulnerable package is referenced by sqlite3@5.0.2 via:
sqlite3@5.0.2 ➔ node-gyp@3.8.0 ➔ tar@2.2.2
Since sqlite3@5.0.2 (214,273 downloads per week) is referenced by 8,775 downstream projects (e.g., websql 2.0.2 (latest version), @sap/cds-dk 4.4.1 (latest version), typeorm-model-generator 0.4.5 (latest version), ueberdb2 1.4.13 (latest version), indexeddbshim 8.0.0 (latest version)), the above vulnerabilities can be propagated into these downstream projects and expose security threats to them via the following package dependency paths:
(1)
@grouparoo/core@0.5.2 ➔ sqlite3@5.0.2 ➔ node-gyp@3.8.0 ➔ tar@2.2.2
(2)
@contrast/test-bench-utils@3.20.1-alpha.0 ➔ sqlite3@5.0.2 ➔ node-gyp@3.8.0 ➔ tar@2.2.2
......
If sqlite3@5.0.* removes the vulnerable package from the above version, then its fixed version can help downstream users decrease their pain.
Given the large number of downstream users, could you help update your package to remove the vulnerability from sqlite3@5.0.2 ?
Fixing suggestions
In sqlite3@5.0.3, maybe you can kindly try to perform the following upgrade:
node-gyp 3.x ➔ ^4.0.0
Note:
node-gyp@4.0.0 (>=4.0.0) directly depends on tar@4.4.19, which has fixed the vulnerabilities CVE-2021-32804 and CVE-2021-32803.
Thank you for your attention to this issue and welcome to share other ways to resolve the issue.
Best regards,
^_^
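The dependency-path check described in this report, written out as an added example (not code from the issue or from the sqlite3 project): it walks a constructed dependency graph shaped like the `sqlite3 ➔ node-gyp ➔ tar` chains above and flags any `tar` version inside the advisory ranges quoted for CVE-2021-32804 and CVE-2021-32803. The graph contents, the `example-app` root and its `node-gyp@8.0.0` entry are assumptions made for the example.

```javascript
// Vulnerable tar ranges quoted in the report: <3.2.2, >=4.0.0 <4.4.14,
// >=5.0.0 <5.0.6, >=6.0.0 <6.1.1 (null lower bound = no lower bound).
const VULNERABLE_TAR_RANGES = [
  [null, "3.2.2"], ["4.0.0", "4.4.14"], ["5.0.0", "5.0.6"], ["6.0.0", "6.1.1"],
];
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// Plain major.minor.patch comparison; pre-release tags are not needed here.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

function isVulnerableTar(version) {
  return VULNERABLE_TAR_RANGES.some(([lo, hi]) =>
    (lo === null || compareVersions(version, lo) >= 0) && compareVersions(version, hi) < 0);
}

// "name@version" -> [name, version]; scoped names carry a leading "@".
function splitSpec(spec) {
  const i = spec.lastIndexOf("@");
  return [spec.slice(0, i), spec.slice(i + 1)];
}
// Constructed graph: the reported chain plus a hypothetical app on node-gyp 8.x.
const GRAPH = {
  "@grouparoo/core@0.5.2": ["sqlite3@5.0.2"],
  "sqlite3@5.0.2": ["node-gyp@3.8.0"],
  "node-gyp@3.8.0": ["tar@2.2.2"],
  "tar@2.2.2": [],
  "example-app@1.0.0": ["node-gyp@8.0.0"],
  "node-gyp@8.0.0": ["tar@6.1.2"],
  "tar@6.1.2": [],
};

// Every path from `root` to a vulnerable tar, rendered like "a ➔ b ➔ c".
function findVulnerableTarPaths(graph, root) {
  const hits = [];
  const walk = (node, path) => {
    const [name, version] = splitSpec(node);
    if (name === "tar" && isVulnerableTar(version)) hits.push(path.join(" ➔ "));
    for (const dep of graph[node] || []) if (!path.includes(dep)) walk(dep, [...path, dep]);
  };
  walk(root, [root]);
  return hits;
}
```

Running `findVulnerableTarPaths(GRAPH, "@grouparoo/core@0.5.2")` reproduces the chain listed as path (1) above; the same walk over a lockfile-derived graph is how a downstream project can confirm whether its own `tar` is reachable through the old `node-gyp`.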