Update Tedious to 18.2.1 to resolve Azure Identity vulnerabilities #1662
Comments
|
I'll take a look at what's needed to get the upgrade working. |
|
Though it doesn't seem the version constraints prevent the patched versions being used with the current version, unless I'm misreading the constraints? |
|
Looking at package.json I see: That would allow for updating to anything within the 16.x.x series, but not 18.x.x |
|
It's the transient dependencies, specifically @azure/identity dep, that are relevant here, those are transient dependencies, which are the problematic ones. |
|
Fixed in v11.0.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Older versions of Azure Identity are affected by CVE-2024-35255:
GHSA-m5vv-6r4h-3vj9
Current versions of mssql depend on tedious 16.
Tedious < 18.2.1 relies on the affected versions of Azure Identity:
tediousjs/tedious#1633
I see there was a dependabot task to update to 18.2.0 with a few failed tests, so it may not be a drop-in replacement:
#1639
The text was updated successfully, but these errors were encountered: