[security] plans for replacement of unmaintained taffydb dependency
#2013
Comments
I'm working on a permanent solution for this issue, and I hope to have more information to share within the next week or two. Stay tuned! (In the meantime, for what it's worth, I think this "vulnerability" is pretty meaningless. The "vulnerability" provides a sneaky, unintended way to access specific records in a TaffyDB database. But TaffyDB doesn't pretend to have any sort of access control; you can always get all records in the database by calling
Okay, I wrote a drop-in replacement, If your JSDoc template doesn't work with JSDoc 4.0.0, follow the instructions in Use Salty in a JSDoc template. In most cases, this change is a one-line update to the template's Hope this meets your needs—please file a new issue if it doesn't!
@hegemonic, congrats on the release! That was a relatively speedy fix too; much appreciated.
The currently-depended-upon version of taffydb, which is the last version of this module since it has gone unmaintained, was issued a high-severity vulnerability: CVE-2019-10790. This issue is to ask what plans you have to replace it (or whether there are any yet). Unfortunately, this is a rather deep dependency in my package's dependency tree, so we will have to coordinate to get everyone updated before we make our subsequent security releases. I really appreciate any help you can provide.
Input code
n/a
JSDoc configuration
n/a
JSDoc debug output
n/a
Expected behavior
n/a
Current behavior
n/a
Your environment