Address dependency on package with high severity security vulnerability

The latest version of db-migrate depends on a package with a high severity vulnerability (https://github.com/advisories/GHSA-fwr7-v2mv-hh25). It is my understanding that db-migrate does not directly use the affected package async, but rather indirectly imports it via prompt.

Please switch to an unaffected version of prompt or replace it altogether (e.g. https://github.com/db-migrate/node-db-migrate/pull/778).

Issue Analytics

  • State: closed
  • Created: a year ago
  • Reactions: 8
  • Comments: 8

Top GitHub Comments

travivi commented, May 1, 2022 (1 reaction)

Winston published a new version 2.4.6 which fixes the vulnerability. Prompt is now taking the fixed version of winston so it seems the vulnerability is fixed on db-migrate@0.11.13

[image: output of npm ls async]
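The comment above relies on npm ls async to see which chain (db-migrate → prompt → winston → async) pulls the affected package in. As an added example, not code from db-migrate, prompt or the issue, the script below does the same walk over a lockfileVersion 2/3 package-lock.json "packages" map using Node's resolution order, and flags each copy against the affected ranges as I read them from the advisory linked in the issue. The lockfile fragment and its versions are constructed, and findInstalls, resolveDep and affectedByAdvisory are names of my own.

```javascript
// Minimal numeric version compare: "2.6.3" -> [2, 6, 3]; prerelease tags are dropped.
const parseVersion = v => v.split('-')[0].split('.').map(n => parseInt(n, 10) || 0);
const versionLessThan = (a, b) => {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  const i = [0, 1, 2].find(i => (pa[i] || 0) !== (pb[i] || 0));
  return i !== undefined && (pa[i] || 0) < (pb[i] || 0);
};
// Affected ranges as I read GHSA-fwr7-v2mv-hh25 (assumption: re-check the advisory
// before relying on them): async < 2.6.4, and 3.0.0 <= async < 3.2.2.
const affectedByAdvisory = v => {
  const major = parseVersion(v)[0];
  return major < 3 ? versionLessThan(v, '2.6.4') : major === 3 && versionLessThan(v, '3.2.2');
};
// Resolve `dep` the way Node does from the package at lockfile key `from`:
// from/node_modules/dep first, then each enclosing node_modules up to the root.
function resolveDep(packages, from, dep) {
  for (let base = from; ; base = base.slice(0, Math.max(base.lastIndexOf('/node_modules/'), 0))) {
    const key = `${base ? base + '/' : ''}node_modules/${dep}`;
    if (packages[key]) return key;
    if (!base) return null;
  }
}
// Depth-first walk from the root entry "" following "dependencies" only (dev, optional
// and peer deps are not followed); returns every logical chain that ends in `target`.
function findInstalls(lock, target) {
  const packages = lock.packages, found = [];
  const nameOf = key => (key ? key.slice(key.lastIndexOf('node_modules/') + 13) : '(root)');
  const visit = (key, trail) => {
    if (trail.includes(key)) return; // dependency cycle guard
    const entry = packages[key], path = [...trail, key];
    if (key && nameOf(key) === target) return void found.push({ path: path.map(nameOf), version: entry.version });
    for (const dep of Object.keys(entry.dependencies || {})) {
      const next = resolveDep(packages, key, dep);
      if (next) visit(next, path);
    }
  };
  visit('', []);
  return found.map(f => ({ ...f, affected: affectedByAdvisory(f.version) }));
}
// Constructed lockfile fragment mirroring the chain described in the issue; all
// versions are illustrative and not taken from real releases.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  '': { dependencies: { 'db-migrate': '*', 'other-lib': '*' } },
  'node_modules/db-migrate': { version: '0.11.12', dependencies: { prompt: '*' } },
  'node_modules/prompt': { version: '1.3.0', dependencies: { winston: '*' } },
  'node_modules/winston': { version: '2.4.5', dependencies: { async: '*' } },
  'node_modules/winston/node_modules/async': { version: '2.6.3' },
  'node_modules/other-lib': { version: '1.0.0', dependencies: { async: '*' } },
  'node_modules/async': { version: '3.2.4' },
} };
console.log(findInstalls(SAMPLE_LOCK, 'async'));
```

Note that the nested copy under winston/node_modules is the one that resolves for winston, so a hoisted top-level async on a safe version does not by itself clear the finding.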

mriedem commented, Apr 23, 2022 (1 reaction)

Found it, a0432f1 - which is listed as a breaking change so probably not something that would be backported to the v0.11.x series.

Thank you for examining this.

As a result of your research I tested 1.0.0-beta.18 on a couple of projects with a large number of Postgres migrations, and it worked.

Would it be crazy to switch … ? 😬

We upgraded to the latest beta version in one of our projects with no problem so it’s not crazy. However, we tried doing the same in another project which is pretty similar and for some reason we now get hangs in our tests. I’m not sure if it’s a bug in our project or not. But if the beta version works for you then that’s probably the fastest and easiest way to resolve the CVE issue.

#627 also has some statements on the stability of the beta series.
