Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

5.0.2 is throwing high severity security; audit fix wants to downgrade to 4.2.0 #1483

Closed
StoneCypher opened this issue Aug 3, 2021 · 16 comments
Closed

5.0.2 is throwing high severity security; audit fix wants to downgrade to 4.2.0 #1483

StoneCypher opened this issue Aug 3, 2021 · 16 comments
Assignees
@kewde

Comments

@StoneCypher
Copy link

StoneCypher commented Aug 3, 2021
edited

5.0.2 is throwing high severity security. The underlying problem appears to be node-gyp.

Audit fix wants to downgrade to 4.2.0

Development machine is Windows 10 Pro running Git Bash

$ npm audit
# npm audit report

tar  <=3.2.2 || 4.0.0 - 4.4.14 || 5.0.0 - 5.0.6 || 6.0.0 - 6.1.1
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://npmjs.com/advisories/1770
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://npmjs.com/advisories/1771
fix available via `npm audit fix --force`
Will install sqlite3@4.2.0, which is a breaking change
node_modules/tar
  node-gyp  <=3.8.0
  Depends on vulnerable versions of tar
  node_modules/node-gyp
    sqlite3  >=5.0.0
    Depends on vulnerable versions of node-gyp
    node_modules/sqlite3

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

image
@rwky
Copy link

rwky commented Aug 4, 2021

I've tested the master branch and this isn't a problem there, the master branch build is failing but that looks to be a missing python depencency in the CI env. The diff between master and 5.0.2 is minimal so if the CI could be fixed it should straight forward to cut a new release.

@dearzubi
Copy link

dearzubi commented Aug 7, 2021

Is anyone working on this?

@bennycode
Copy link

I am using sqlite3 v5.0.2 which defines node-gyp v3.x as peer dependency. Unfortunately, node-gyp 3.x (3.8.0) is currently 302 commits behind the latest node-gyp and uses the vulnerable dependency tar v2.2.2: GHSA-3jfq-g458-7qm9

I can see that the "master" branch of "node-sqlite3" already uses node-gyp v7.x. @kewde Can you please create a release for it?

@createthis
Copy link

@kewde Is the failure in master a temporary network error? https://ci.appveyor.com/project/Mapbox/node-sqlite3/builds/38143237/job/mwmk1n45rrd3s8gi

Can someone re-run the CI test suite to see if it was a temporary failure?

What is preventing the tagging of a new release?

@louislam
Copy link

louislam commented Aug 10, 2021
edited

I published my fork on npm which is using the latest source code of this repo.
https://github.com/louislam/node-sqlite3

npm install @louislam/sqlite3
npm remove sqlite3

// Replace require('sqlite') in source code
require('@louislam/sqlite')

You can use this as a temporary fix. Switch back to mapbox/node-sqlite3 once it got fixed.

@jan-swiecki
Copy link

Workaround:

npm install git@github.com:mapbox/node-sqlite3.git

@createthis
Copy link

createthis commented Aug 10, 2021
edited

Workaround:

npm install git@github.com:mapbox/node-sqlite3.git

Even better, tag the commit so that it can't change when someone merges a PR:

npm install git+https://github.com/mapbox/node-sqlite3.git#593c9d

@kewde kewde self-assigned this Aug 12, 2021
@kewde
Copy link
Collaborator

kewde commented Aug 12, 2021

Hi,

I will take a look at this ASAP.

@NehaNaithani
Copy link

Hi ,

I am also getting high vulnerability issue in 5.2.0 and npm audit fix downgrade the package to 4.2.0


│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite due to insufficient        │
│               │ absolute path sanitization                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.2.2 <4.0.0 || >=4.4.14  <5.0.0 || >=5.0.6 <6.0.0 ||      │
│               │ >=6.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sqlite3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sqlite3 > node-gyp > tar                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1770                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite via insufficient symlink   │
│               │ protection due to directory cache poisoning                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.2.3 <4.0.0 || >=4.4.15  <5.0.0 || >=5.0.7 <6.0.0 ||      │
│               │ >=6.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sqlite3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sqlite3 > node-gyp > tar                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1771                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Thanks

cokemine added a commit to cokemine/nodestatus that referenced this issue Aug 21, 2021
@cokemine
bump: bump dependences
fb7352e 
TryGhost/node-sqlite3#1483
@VonOx VonOx mentioned this issue Aug 22, 2021
Closed
8 tasks
@eatonphil eatonphil mentioned this issue Aug 23, 2021
Merged
@ijavid
Copy link

ijavid commented Aug 27, 2021

@kewde Any news on this?

brendannee added a commit to BlinkTagInc/node-gtfs that referenced this issue Sep 13, 2021
@brendannee
Dependency updates
50a5af1 
- pinned sqlite3 version to solve security issue: TryGhost/node-sqlite3#1483
@franok franok mentioned this issue Sep 14, 2021
Merged
robinWongM added a commit to robinWongM-archives/fast-ddns-server that referenced this issue Sep 23, 2021
@robinWongM
fix(deps): upgrade sqlite3 to specific commit
85a6852 
see TryGhost/node-sqlite3#1483
@sharedrory
Copy link

Almost 1 month later, I know things take time, is there any news on this?

@josep11
Copy link

josep11 commented Sep 28, 2021
edited

I published my fork on npm which is using the latest source code of this repo. https://github.com/louislam/node-sqlite3

npm install @louislam/sqlite3
npm remove sqlite3

// Replace require('sqlite') in source code
require('@louislam/sqlite')

You can use this as a temporary fix. Switch back to mapbox/node-sqlite3 once it got fixed.

For the workaround, I got 'Not found' from npm on trying to install with: npm i @louislam/sqlite

@louislam louislam mentioned this issue Oct 6, 2021
Closed
bastisk added a commit to karmakurier/tuckman-backend that referenced this issue Oct 6, 2021
@bastisk
bumps versions, tar vuln for sqlite3 still unfixed, see TryGhost/node…
5be13f1 
…-sqlite3#1483
@puja-saraswat
Copy link

Hi Team,
Is there any update for this issue? We are waiting for the solution to resolve the CVE-2021-32804 vulnerability

@bbrk24 bbrk24 mentioned this issue Nov 20, 2021
Closed
@platrofa
Copy link

Hi,
is there any new release planned to solve the node-gyp vulnerability?

@grenik
Copy link

grenik commented Nov 29, 2021

Looks like there is a solution in #1493 (comment)

This was referenced Dec 15, 2021
Closed
Closed
Closed
@demiankatz demiankatz mentioned this issue Jan 14, 2022
Closed
@daniellockyer
Copy link
Member

I believe this should be fixed in v5.0.3 🙂

~/code/node-sqlite3 λ git describe --tags
v5.0.3
~/code/node-sqlite3 λ yarn audit
yarn audit v1.22.15
0 vulnerabilities found - Packages audited: 335
✨  Done in 0.49s.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kewde kewde

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests