
Depending on vulnerable Prisma version

Open sizuf opened this issue 11 months ago • 1 comment

Apparently, the project depends on a vulnerable version of prisma/internals (5.3.1). This vulnerability is related to a Regular Expression Denial of Service (ReDoS) in cross-spawn.

I suggest updating to Prisma 6.0. However, my concern is whether the breaking changes in this upgrade will have any impact on this library.

sizuf avatar Dec 04 '24 17:12 sizuf

The minimum change necessary is to upgrade both @prisma/generator-helper and @prisma/internals to 5.7.0, which may be less risky.

This can be worked around with overrides. e.g. for npm:

  "overrides": {
    "@prisma/generator-helper": "5.7.0",
    "@prisma/internals": "5.7.0"
  }

Also, this is a duplicate of #96

kfranqueiro avatar Dec 06 '24 06:12 kfranqueiro
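An added example, not from this issue thread or the prisma-kysely project: after adding `overrides` as suggested above, the check a practitioner actually wants is that no stale nested copy of the affected package survives in `package-lock.json` (the equivalent of reading `npm ls cross-spawn` output, but scriptable for CI). The script below walks the `packages` map of a lockfileVersion 2/3 lock and lists every installed copy of a package older than a given version. The sample lockfile is constructed for the demonstration, and the cross-spawn cutoff version used here is an assumption to be replaced with the version named in the advisory.

```javascript
// Added example (not from the prisma-kysely issue or project): verify that
// an npm "overrides" entry actually removed every old copy of a package from
// package-lock.json, including copies nested under another package's
// node_modules directory.
'use strict';

// Parse "1.2.3" (a leading "v" and any prerelease/build suffix are ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Package name from a lockfile "packages" key: everything after the last
// "node_modules/" segment, which keeps scoped names like @prisma/internals.
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Walk a lockfileVersion 2/3 package-lock object and return every installed
// copy of `name` whose version is older than `minFixed`. Nested copies are
// exactly what an override is meant to collapse into one hoisted version.
function findVulnerableInstalls(lock, name, minFixed) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (packageNameFromKey(key) !== name || !entry || !entry.version) continue;
    if (compareSemver(entry.version, minFixed) < 0) {
      hits.push({ path: key, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real prisma-kysely lockfile): a patched
// hoisted cross-spawn plus a stale nested copy under @prisma/internals,
// which is what an un-overridden transitive dependency looks like.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/cross-spawn': { version: '7.0.6' },
    'node_modules/@prisma/internals': { version: '5.3.1' },
    'node_modules/@prisma/internals/node_modules/cross-spawn': { version: '7.0.3' },
  },
};

// Assumed cutoff for this example; use the fixed version from the advisory.
const CROSS_SPAWN_FIXED = '7.0.5';
// Minimum @prisma/internals version proposed in the thread above.
const PRISMA_INTERNALS_MIN = '5.7.0';

// Demo run over the constructed lockfile; each line is one copy that the
// override should have removed.
for (const [name, min] of [['cross-spawn', CROSS_SPAWN_FIXED], ['@prisma/internals', PRISMA_INTERNALS_MIN]]) {
  for (const h of findVulnerableInstalls(SAMPLE_LOCK, name, min)) {
    console.log(`${h.path}: ${h.version} is older than ${min}`);
  }
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the CI job when `findVulnerableInstalls` returns a non-empty list; an override that pins `@prisma/internals` but is never re-installed (`npm install` after editing `package.json`) leaves the nested copy in place, and this check catches that.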