security Issue with bl #114
It depends on some stuff in an old version of level, which pulls in bl at an old version. I don't think it would actually be possible to exploit this vulnerability via level-sublevel, and doing the work to update (with tests passing) just to make a warning disappear isn't worth it (since I'm not writing new code that uses level-sublevel anymore), but if you care to make a PR I'd be happy to merge.
@dominictarr Just out of curiosity, what are you using these days for the same functionality without level-sublevel as a dependency? :)
Answering my own question from the previous comment: https://github.com/flumedb/
tl;dr is that flume is more flexible with respect to the index designs that can be used, and (also very important) it has much better support for upgrading indexes. For example, if you changed the encoding used in an index, you just bump the index version, and it automatically regenerates the index at startup.
@dominictarr thanks for the writeup! But we also got hit by this on vulnerability scans.
As I said, I'd be happy to merge a PR that fixes this, but fixing this myself isn't worth my time just to remove a false positive from some security scan thing.
Hi, the new version of npm tells me there is a security issue:
Moderate Memory Exposure
Package bl
Patched in >=0.9.5 <1.0.0 || >=1.0.1
Dependency of level-sublevel
Path level-sublevel > levelup > bl
More info https://nodesecurity.io/advisories/596
[!] 1 vulnerability found - Packages audited: 498 (0 dev, 0 optional)
Severity: 1 Moderate
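To triage a finding like the one above (which path pulls in bl, and whether that copy is inside the advisory's "Patched in" range or is a real hit), here is an added example; it is not code from level-sublevel, npm, or anyone in this thread. It assumes a package-lock style nested `dependencies` tree, implements only the comparator subset advisory ranges use, and the `SAMPLE_LOCK` tree and its version numbers are constructed.

```javascript
// Advisory range quoted in the audit output above.
const PATCHED = ">=0.9.5 <1.0.0 || >=1.0.1";

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// "||" separates alternatives; each is a list of comparators (">=1.0.1",
// "<1.0.0") that must all hold. No "^"/"~" or pre-release handling: enough
// for the "Patched in" ranges that advisories print.
function satisfies(version, range) {
  const v = parseVersion(version);
  const ops = { ">=": (c) => c >= 0, "<=": (c) => c <= 0, ">": (c) => c > 0,
                "<": (c) => c < 0, "=": (c) => c === 0 };
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
      return ops[m[1] || "="](compareVersions(v, parseVersion(m[2])));
    }));
}

// Walk a package-lock style tree (nested "dependencies" objects) and return
// every installed copy of `name` with its path in "a > b > c" form.
function findPackage(tree, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) out.push({ path: here.join(" > "), version: info.version });
    findPackage(info, name, here, out);
  }
  return out;
}

// Mark each copy as patched (scan noise) or not (a real finding to fix).
function triage(lockTree, name, patchedRange) {
  return findPackage(lockTree, name).map((hit) => ({
    ...hit, patched: satisfies(hit.version, patchedRange) }));
}
// Constructed tree mirroring the audit path; versions are made up for
// illustration, not copied from any real package-lock.
const SAMPLE_LOCK = { dependencies: {
  "level-sublevel": { version: "0.0.0-constructed", dependencies: {
    levelup: { version: "0.0.0-constructed", dependencies: {
      bl: { version: "0.8.2" } } } } },
  bl: { version: "1.2.1" } } };
```

Running `triage(SAMPLE_LOCK, "bl", PATCHED)` reports the nested copy as unpatched and the top-level one as patched, which is the distinction a scan summary like the one above does not make for you.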