
Mongodb Denial of Service

Open rfossella opened this issue 4 years ago • 6 comments

Hello, Running npm audit for mongodb-migrations v0.85 throws the following warning. Is there/will there be a package update? Or best way to address this? Thanks!

node v12.13.0 [email protected]

npm audit

High            Denial of Service
  Package         mongodb
  Patched in      >=3.1.13
  Dependency of   mongodb-migrations
  Path            mongodb-migrations > mongodb
  More info       https://npmjs.com/advisories/1203

Package.json dependencies

"dependencies": {
    "bluebird": "^3.4.1",
    "lodash": "^4.13.0",
    "mkdirp": "^0.5.1",
    "mongodb": "^2.2.1",
    "nomnom": "^1.6.2"
  },

rfossella avatar Feb 25 '21 06:02 rfossella

This package is unmaintained. You can fork it and update the dependency


emirotin avatar Feb 25 '21 08:02 emirotin

thank you

rfossella avatar Feb 26 '21 00:02 rfossella

Hello. Not sure if what I did was what you recommended - i.e. forked, updated, created pull request? If not, then can you explain? Thanks.

rfossella avatar Feb 27 '21 08:02 rfossella

I'll try to find time to check it out. What I actually meant is you can use your fork; it can be set as a dependency directly from GitHub.

Did you run the tests?


emirotin avatar Feb 27 '21 09:02 emirotin
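The "set as a dependency directly from GitHub" suggestion above, as an added example (not from the mongodb-migrations project or either participant). The GitHub user name and the commit hash are placeholders; the point is the shape of the specifier:

```json
{
  "dependencies": {
    "mongodb-migrations": "github:example-user/mongodb-migrations#0123456789abcdef0123456789abcdef01234567"
  }
}
```

Pin the fork to a full commit hash rather than a branch name such as `#master`: a branch can move after you audit it, whereas a commit hash fixes exactly which code `npm install` fetches, and npm records the resolved commit in package-lock.json so later installs get the same tree. Run the package's own test suite against the fork before depending on it, as asked below.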

Hmm. My very preliminary tests looked ok. A more robust test is throwing errors

Unhandled rejection TypeError: this._db.collection is not a function
    at Migrator._coll (C:\Development\wamp64\www\MyApp\src\server\node_modules\mongodb-migrations\lib\mongodb-migrations.js:58:23)
    at C:\Development\wamp64\www\MyApp\src\server\node_modules\mongodb-migrations\lib\mongodb-migrations.js:69:24
    at tryCatcher (C:\Development\wamp64\www\MyApp\src\server\node_modules\bluebird\js\release\util.js:16:23)
    at Promise._settlePromiseFromHandler (C:\Development\wamp64\www\MyApp\src\server\node_modules\bluebird\js\release\promise.js:547:31)
 
When I roll back to the published version (with mongodb 2.2.4) it works.

FYI: the remainder of my application uses 3.6.4

Maybe another conflicting package :\

I'll continue to check; if you have any ideas please let me know.  And thank you for extending yourself to me.  Appreciated!

rfossella avatar Feb 27 '21 10:02 rfossella

I would assume a change of API given it's a major version update. There's a test suite in the package.


emirotin avatar Feb 27 '21 10:02 emirotin
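The API change behind the `this._db.collection is not a function` trace above, as an added example that is not code from the mongodb-migrations project. In the mongodb driver 2.x, `MongoClient.connect()` resolves to a `Db`; in 3.x it resolves to a `MongoClient`, and the `Db` comes from `client.db(name)`. Code that stores the resolved value as `this._db` and later calls `this._db.collection(...)` therefore works on 2.x and throws on 3.x. No real database is used: the two driver return shapes are constructed stubs, and `resolveDb` is a hypothetical helper showing how a fork could accept either shape:

```javascript
'use strict';

// Constructed stub of what driver 2.x resolves to: a Db object.
function makeDbV2(name) {
  return {
    databaseName: name,
    collection(collName) { return { namespace: `${name}.${collName}` }; },
  };
}

// Constructed stub of what driver 3.x resolves to: a MongoClient object.
// The Db is only reachable through client.db(name).
function makeClientV3() {
  return {
    db(name) { return makeDbV2(name); },
  };
}

// The migrator's original assumption, as in the failing trace: the
// connected object is a Db, so it has .collection().
function legacyColl(db, collName) {
  return db.collection(collName);
}

// Hypothetical driver-tolerant resolution for a fork: accept either a Db
// (2.x) or a MongoClient (3.x) and always return a Db. `dbName` is only
// needed on the 3.x path; a 2.x Db already knows its own name.
function resolveDb(connected, dbName) {
  if (connected && typeof connected.collection === 'function') {
    return connected; // 2.x: already a Db
  }
  if (connected && typeof connected.db === 'function') {
    if (!dbName) {
      throw new Error('mongodb 3.x driver: a database name is required');
    }
    return connected.db(dbName); // 3.x: MongoClient -> Db
  }
  throw new TypeError('connect() returned neither a Db nor a MongoClient');
}

// Reproduce the reported failure and show the fix on both driver shapes.
function demo() {
  const v2 = makeDbV2('migrations_test');
  const v3 = makeClientV3();

  // 2.x: the legacy assumption holds.
  const ok = legacyColl(v2, '_migrations').namespace;

  // 3.x: the legacy assumption throws the same TypeError as in the trace.
  let failure = null;
  try { legacyColl(v3, '_migrations'); } catch (e) { failure = e; }

  // Tolerant resolver: both shapes yield a usable Db.
  const fixedV2 = resolveDb(v2, 'migrations_test').collection('_migrations').namespace;
  const fixedV3 = resolveDb(v3, 'migrations_test').collection('_migrations').namespace;

  return {
    ok,
    failureIsTypeError: failure instanceof TypeError,
    failureMessage: failure ? failure.message : null,
    fixedV2,
    fixedV3,
  };
}

console.log(demo());
```

The detection is deliberately duck-typed on the methods the migrator actually needs rather than on a driver version string, so it keeps working when the driver is deduplicated or pinned differently by the surrounding application (here, 3.6.4 elsewhere in the app and 2.2.x inside the migrator).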