5.0.2 is throwing high severity security; audit fix wants to downgrade to 4.2.0 #1483
Comments
I've tested the master branch and this isn't a problem there; the master branch build is failing, but that looks to be a missing Python dependency in the CI env. The diff between master and 5.0.2 is minimal, so if the CI could be fixed it should be straightforward to cut a new release.

Is anyone working on this?

I am using sqlite3 v5.0.2, which defines node-gyp v3.x as a peer dependency. Unfortunately, node-gyp 3.x (3.8.0) is currently 302 commits behind the latest node-gyp and uses the vulnerable dependency tar v2.2.2: GHSA-3jfq-g458-7qm9. I can see that the "master" branch of "node-sqlite3" already uses node-gyp v7.x. @kewde Can you please create a release for it?

@kewde Is the failure in master a temporary network error? https://ci.appveyor.com/project/Mapbox/node-sqlite3/builds/38143237/job/mwmk1n45rrd3s8gi Can someone re-run the CI test suite to see if it was a temporary failure? What is preventing the tagging of a new release?
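The chain the comment above describes (sqlite3 pulling in node-gyp 3.x, which in turn pins tar 2.2.2) can be located in a project's own lockfile before deciding whether a pin or an override is needed. The following is an added example, not code from this thread or from node-sqlite3: it walks a constructed, trimmed `package-lock.json` (lockfileVersion 1 shape) and reports every nested path that reaches a package version below a caller-supplied fixed version. The `fixedIn` argument is an assumption to be taken from the advisory; the "3.0.0" used at the bottom is only a demonstration value.

```javascript
// Constructed, trimmed package-lock.json (lockfileVersion 1 shape) mirroring the
// chain discussed in the thread: sqlite3 -> node-gyp 3.8.0 -> tar 2.2.2.
// A second, hoisted tar copy is included to show that it is NOT reported.
const constructedLock = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    sqlite3: {
      version: "5.0.2",
      dependencies: {
        "node-gyp": { version: "3.8.0", dependencies: { tar: { version: "2.2.2" } } },
      },
    },
    tar: { version: "6.1.11" }, // constructed: newer hoisted copy, must not be reported
  },
};

// Compare two dotted numeric versions; returns true when a < b.
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Walk the nested dependency tree and return every path (root -> leaf) that ends
// in `pkg` at a version below `fixedIn`. Assumption: the caller supplies the first
// fixed version from the advisory; nothing here reads it from the network.
function findVulnerableChains(lock, pkg, fixedIn) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const chain = [...path, `${name}@${meta.version}`];
      if (name === pkg && versionLessThan(meta.version, fixedIn)) {
        hits.push(chain.join(" > "));
      }
      walk(meta.dependencies, chain); // recurse into non-hoisted children
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

console.log(findVulnerableChains(constructedLock, "tar", "3.0.0"));
```

Running it prints the single chain `sqlite3@5.0.2 > node-gyp@3.8.0 > tar@2.2.2`; the hoisted tar 6.1.11 is not reported.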
I published my fork on npm, which is using the latest source code of this repo.

```js
// Replace require('sqlite') in source code
require('@louislam/sqlite')
```

You can use this as a temporary fix. Switch back to mapbox/node-sqlite3 once it gets fixed.

Workaround:
Even better, tag the commit so that it can't change when someone merges a PR: npm install git+https://github.com/mapbox/node-sqlite3.git#593c9d

Hi, I will take a look at this ASAP.

Hi, I am also getting a high vulnerability issue in

Thanks

@kewde Any news on this?
- pinned sqlite3 version to solve security issue: TryGhost/node-sqlite3#1483
Almost 1 month later; I know things take time, but is there any news on this?

For the workaround, I got 'Not found' from npm on trying to install with:
Looks like there is a solution in #1493 (comment)

I believe this should be fixed in v5.0.3 🙂
5.0.2 is throwing high severity security. The underlying problem appears to be node-gyp. Audit fix wants to downgrade to 4.2.0.

Development machine is Windows 10 Pro running Git Bash.