
Address dependency on package with high severity security vulnerability #779

Closed
claasahl opened this issue Apr 20, 2022 · 8 comments

Comments

@claasahl

The latest version of db-migrate depends on a package with a high severity vulnerability (GHSA-fwr7-v2mv-hh25). It is my understanding that db-migrate does not directly use the affected package async, but rather indirectly imports it via prompt.

Please switch to an unaffected version of prompt or replace it altogether (e.g. #778).

@mriedem
Contributor

mriedem commented Apr 22, 2022

The latest beta tag series no longer requires prompt but I'm sure those of us using the 0.11.x series would like to see this resolved on that branch.

There is a new version of prompt with an updated async version, however, as noted in this commit, prompt still depends on an older version of winston which requires the old vulnerable async version:

flatiron/prompt@4736c82

So I think prompt needs to also update its winston dependency version and then db-migrate will be good (once updated of course).

mriedem added a commit to mriedem/prompt that referenced this issue Apr 22, 2022
@mriedem
Contributor

mriedem commented Apr 22, 2022

As seen here getting prompt updated for winston is going to be work: flatiron/prompt#226

The master branch of this project no longer uses prompt, so if someone wanted to do some git history diving and find out what change removed that dependency maybe the maintainer would be open to backporting that to the v0.11.x branch.

@mriedem
Contributor

mriedem commented Apr 22, 2022

> The master branch of this project no longer uses prompt, so if someone wanted to do some git history diving and find out what change removed that dependency maybe the maintainer would be open to backporting that to the v0.11.x branch.

Found it, a0432f1 - which is listed as a breaking change so probably not something that would be backported to the v0.11.x series.

@CvBlixen

> Found it, a0432f1 - which is listed as a breaking change so probably not something that would be backported to the v0.11.x series.

Thank you for examining this.

As a result of your research I tested 1.0.0-beta.18 on a couple of projects with a large number of Postgres migrations, and it worked.

Would it be crazy to switch ... ? 😬

@mriedem
Contributor

mriedem commented Apr 23, 2022

> > Found it, a0432f1 - which is listed as a breaking change so probably not something that would be backported to the v0.11.x series.
>
> Thank you for examining this.
>
> As a result of your research I tested 1.0.0-beta.18 on a couple of projects with a large number of Postgres migrations, and it worked.
>
> Would it be crazy to switch ... ? 😬

We upgraded to the latest beta version in one of our projects with no problem so it's not crazy. However, we tried doing the same in another project which is pretty similar and for some reason we now get hangs in our tests. I'm not sure if it's a bug in our project or not. But if the beta version works for you then that's probably the fastest and easiest way to resolve the CVE issue.

#627 also has some statements on the stability of the beta series.

@devarcher

> > > Found it, a0432f1 - which is listed as a breaking change so probably not something that would be backported to the v0.11.x series.
> >
> > Thank you for examining this.
> > As a result of your research I tested 1.0.0-beta.18 on a couple of projects with a large number of Postgres migrations, and it worked.
> > Would it be crazy to switch ... ? 😬
>
> We upgraded to the latest beta version in one of our projects with no problem so it's not crazy. However, we tried doing the same in another project which is pretty similar and for some reason we now get hangs in our tests. I'm not sure if it's a bug in our project or not. But if the beta version works for you then that's probably the fastest and easiest way to resolve the CVE issue.
>
> #627 also has some statements on the stability of the beta series.

Considering making the jump to 1.0.0-beta.18 from 0.11.x. Did you happen to overcome the issues you were having in the project that was hanging during tests?

@travivi

travivi commented May 1, 2022

Winston published a new version 2.4.6 which fixes the vulnerability. Prompt is now taking the fixed version of winston so it seems the vulnerability is fixed on [email protected]

`npm ls async`

(screenshot of the `npm ls async` output omitted)
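The thread turns on a detail that `npm ls async` makes visible but that a single `npm audit` line hides: prompt has its own `async` (already patched after flatiron/prompt@4736c82) and a second, nested one under winston, and only the nested one was still vulnerable until winston 2.4.6 shipped. The following is an added example, not code from db-migrate, prompt or winston. It walks the JSON that `npm ls async --json --all` prints and reports the full dependency path to every `async` copy still inside the affected range. The version ranges are an assumption taken from the advisory GHSA-fwr7-v2mv-hh25 (patched in async 2.6.4 and 3.2.2); the two sample trees and the exact prompt/winston/db-migrate version numbers in them are constructed for illustration, not copied from a real lockfile.

```javascript
// Added example, not code from db-migrate, prompt or winston. Walks the JSON
// printed by `npm ls async --json --all` and reports every dependency path that
// ends in an async version still affected by GHSA-fwr7-v2mv-hh25.
// Assumption: the advisory's patched versions are async 2.6.4 and 3.2.2, so
// anything below 2.6.4, or in [3.0.0, 3.2.2), is treated as vulnerable.

// "2.6.3" -> [2, 6, 3]; a pre-release suffix such as "-beta.1" is ignored.
function parseVersion(version) {
  return version.split('-')[0].split('.').map(Number);
}

// Comparator over major.minor.patch, returning -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

function asyncIsVulnerable(version) {
  if (compareVersions(version, '3.0.0') < 0) {
    return compareVersions(version, '2.6.4') < 0; // 0.x, 1.x, 2.x below 2.6.4
  }
  return compareVersions(version, '3.2.2') < 0;   // 3.0.0 <= v < 3.2.2
}

// Depth-first walk over the nested `dependencies` maps of `npm ls --json`.
// Each hit is recorded as the full path from the project root, which is what
// you need to decide which intermediate package has to move.
function findVulnerableAsync(tree, path = [], hits = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'async' && node.version && asyncIsVulnerable(node.version)) {
      hits.push(here.join(' > '));
    }
    findVulnerableAsync(node, here, hits);
  }
  return hits;
}

// Constructed sample trees (versions chosen for illustration) mirroring the
// chain discussed in this issue: db-migrate 0.11.x -> prompt -> winston -> async.
// prompt's own async is already patched; only winston's nested copy differs.
const beforeFix = {
  name: 'my-service', version: '1.0.0',
  dependencies: {
    'db-migrate': { version: '0.11.13', dependencies: {
      prompt: { version: '1.2.2', dependencies: {
        async: { version: '3.2.3' },            // prompt's async: patched
        winston: { version: '2.4.5', dependencies: {
          async: { version: '2.6.3' },          // winston's async: still vulnerable
        }},
      }},
    }},
  },
};

const afterFix = {
  name: 'my-service', version: '1.0.0',
  dependencies: {
    'db-migrate': { version: '0.11.13', dependencies: {
      prompt: { version: '1.2.2', dependencies: {
        async: { version: '3.2.3' },
        winston: { version: '2.4.6', dependencies: {
          async: { version: '2.6.4' },          // winston 2.4.6 pulls the patched async
        }},
      }},
    }},
  },
};

// Human-readable summary for one tree.
function report(label, tree) {
  const hits = findVulnerableAsync(tree);
  return hits.length
    ? `${label}: vulnerable async at\n  ${hits.join('\n  ')}`
    : `${label}: no vulnerable async found`;
}

console.log(report('before winston 2.4.6', beforeFix));
console.log(report('after winston 2.4.6', afterFix));
```

Against a real project, write the tree out with `npm ls async --json --all > tree.json` (on npm 6 the tree is complete without `--all`) and pass `JSON.parse(fs.readFileSync('tree.json'))` to `findVulnerableAsync`. If a path still ends in an old `async` after upgrading, the intermediate package named in that path is the one that has to publish a fix; forcing the leaf with an `overrides` entry in package.json (npm 8.3 and later) is a stopgap that should be removed once the upstream bump lands.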

@claasahl
Author

claasahl commented May 4, 2022

Thanks for the pointer @travivi This did the trick for me 👍

@claasahl claasahl closed this as completed May 4, 2022