-
Notifications
You must be signed in to change notification settings - Fork 466
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update Tedious to 18.2.1 to resolve Azure Identity vulnerabilities #1662
Comments
I'll take a look at what's needed to get the upgrade working. |
Though it doesn't seem the version constraints prevent the patched versions being used with the current version, unless I'm misreading the constraints? |
Looking at package.json I see: That would allow for updating to anything within the 16.x.x series, but not 18.x.x |
It's the transient dependencies, specifically @azure/identity dep, that are relevant here, those are transient dependencies, which are the problematic ones. |
Fixed in v11.0.0 |
Older versions of Azure Identity are affected by CVE-2024-35255:
GHSA-m5vv-6r4h-3vj9
Current versions of mssql depend on tedious 16.
Tedious < 18.2.1 relies on the affected versions of Azure Identity:
tediousjs/tedious#1633
I see there was a dependabot task to update to 18.2.0 with a few failed tests, so it may not be a drop-in replacement:
#1639
The text was updated successfully, but these errors were encountered: