Address dependency on package with high severity security vulnerability
The latest version of db-migrate depends on a package with a high severity vulnerability (https://github.com/advisories/GHSA-fwr7-v2mv-hh25). It is my understanding that db-migrate does not directly use the affected package async, but rather indirectly imports it via prompt.
Please switch to an unaffected version of prompt or replace it altogether (e.g. https://github.com/db-migrate/node-db-migrate/pull/778).
Top GitHub Comments
Winston published a new version 2.4.6 which fixes the vulnerability. Prompt is now taking the fixed version of winston so it seems the vulnerability is fixed on db-migrate@0.11.13
npm ls async
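The issue and the comment above both turn on the same question: which dependency chains reach async, and is the version at the end of each chain inside the advisory's affected range. `npm ls async --json` prints the tree; the following is an added example (not code from the db-migrate project or from anyone in this thread) that walks a tree in that JSON shape and flags every chain ending in a version inside a given range. The tree, the package versions in it, and the affected ranges in ASSUMED_ASYNC_RANGES are all constructed or assumed for illustration; take the real affected ranges from the GHSA page before relying on the output.

```javascript
// Added example: report every dependency chain that reaches a target package
// in an `npm ls --json` style tree and mark chains whose version falls inside
// an affected range. Assumes the `dependencies` / `version` layout npm emits.

// Parse "MAJOR.MINOR.PATCH" (any suffix such as "-beta.1" is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so "3.10.0" sorts after "3.9.9" (string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// ranges: array of [lowerInclusive, upperExclusive]; a version is affected if
// it satisfies lower <= version < upper for any pair.
function isAffected(version, ranges) {
  return ranges.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0
  );
}

// Depth-first walk; returns one record per occurrence of `target`, with the
// full chain of name@version entries leading to it.
function findChains(tree, target, ranges, path = []) {
  const results = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, `${name}@${node.version}`];
    if (name === target) {
      results.push({ chain, version: node.version, affected: isAffected(node.version, ranges) });
    }
    results.push(...findChains(node, target, ranges, chain));
  }
  return results;
}

// CONSTRUCTED tree mirroring the shape of `npm ls async --json`. The chain
// db-migrate -> prompt -> winston -> async follows the thread; the version
// numbers are illustrative placeholders, not taken from a real lockfile.
const constructedTree = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    'db-migrate': {
      version: '0.11.12',
      dependencies: {
        prompt: {
          version: '1.0.0',
          dependencies: {
            winston: {
              version: '2.4.5',
              dependencies: { async: { version: '2.6.3' } },
            },
          },
        },
      },
    },
    'some-other-lib': {
      version: '3.0.0',
      dependencies: { async: { version: '3.2.4' } },
    },
  },
};

// ASSUMPTION: affected ranges for the async advisory, to be confirmed against
// https://github.com/advisories/GHSA-fwr7-v2mv-hh25 before use.
const ASSUMED_ASYNC_RANGES = [
  ['0.0.0', '2.6.4'],
  ['3.0.0', '3.2.2'],
];

function report(tree = constructedTree, ranges = ASSUMED_ASYNC_RANGES) {
  return findChains(tree, 'async', ranges);
}

for (const r of report()) {
  console.log(`${r.affected ? 'VULNERABLE' : 'ok        '} ${r.chain.join(' > ')}`);
}
```

To run it against a real project, replace constructedTree with the parsed output of `npm ls async --json --all` (the `--all` flag is needed on npm 7+ to include transitive dependencies) and fill the ranges from the advisory; a chain that is reported as affected after upgrading db-migrate means the fix did not propagate through the lockfile.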
We upgraded to the latest beta version in one of our projects with no problem so it’s not crazy. However, we tried doing the same in another project which is pretty similar and for some reason we now get hangs in our tests. I’m not sure if it’s a bug in our project or not. But if the beta version works for you then that’s probably the fastest and easiest way to resolve the CVE issue.
#627 also has some statements on the stability of the beta series.