loopback-next
chore: update dependency sqlite3 to v5.1.5 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| sqlite3 | 5.1.4 -> 5.1.5 | | | | |
GitHub Vulnerability Alerts
CVE-2022-43441
Impact
Due to the underlying implementation of .ToString(), it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object.
Users of sqlite3 v5.0.0 - v5.1.4 are affected by this.
Patches
Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.
Workarounds
- Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.
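The workaround above asks the parent application to validate what it passes as binding parameters. The following is an added example of such a boundary check, written for this page and not taken from loopback-next or node-sqlite3: an allow-list validator that accepts only the value kinds a SQLite driver binds directly (null, primitives, Buffer, Date) and rejects any other object before it can reach the driver's native coercion. The function names, the `safeRun` wrapper and the `fakeDb` stand-in are assumptions made for the example.

```javascript
// Added example (not part of loopback-next or node-sqlite3): allow-list
// validation for SQLite bind parameters, applied before db.run()/db.all().
// Plain objects, arrays used as single values and class instances with a
// custom toString() are rejected, so an arbitrary Object never reaches the
// driver's native ToString() coercion described in CVE-2022-43441.

const ALLOWED_PRIMITIVES = new Set(["string", "number", "bigint", "boolean", "undefined"]);

// Returns true only for null, the primitives above, Buffer and valid Date.
// Everything else is treated as unsafe and refused.
function isSafeBindValue(value) {
  if (value === null) return true;
  const t = typeof value;
  if (ALLOWED_PRIMITIVES.has(t)) {
    // NaN/Infinity are not meaningful SQL values; refuse them too.
    return t !== "number" || Number.isFinite(value);
  }
  if (Buffer.isBuffer(value)) return true;
  if (value instanceof Date) return !Number.isNaN(value.getTime());
  return false;
}

// Short human-readable description used in error messages.
function describeBindValue(value) {
  if (value === null) return "null";
  if (Array.isArray(value)) return "array";
  if (typeof value === "object") {
    const ctor = value.constructor && value.constructor.name;
    return "object (" + (ctor || "anonymous") + ")";
  }
  return typeof value;
}

// Validates positional (array) or named (object) bind parameters.
// Throws a TypeError naming the offending parameter, so the caller fails
// closed instead of handing the value to the driver. Returns params on success.
function assertSafeBindParams(params) {
  if (params === undefined) return params;
  const entries = Array.isArray(params)
    ? params.map((v, i) => ["$" + (i + 1), v])
    : Object.entries(params);
  for (const [name, value] of entries) {
    if (!isSafeBindValue(value)) {
      throw new TypeError(
        "unsafe bind parameter " + name +
        ": expected primitive, Buffer or Date, got " + describeBindValue(value)
      );
    }
  }
  return params;
}

// Wrapper for a node-sqlite3 style run(sql, params, cb). `db` is assumed to
// be a sqlite3.Database; validation happens before the driver is called.
function safeRun(db, sql, params, callback) {
  assertSafeBindParams(params);
  return db.run(sql, params, callback);
}

// Constructed stand-in for sqlite3.Database so the example runs without the
// native module; it only records what it would have executed.
const fakeDb = {
  run(sql, params) {
    return { sql, params };
  },
};

// Usage: a normal insert passes, a crafted Object parameter is refused.
const ok = safeRun(fakeDb, "INSERT INTO users(name, age) VALUES (?, ?)", ["alice", 42]);
console.log("bound:", ok.params);
try {
  // Constructed invalid value: a plain object with its own toString().
  safeRun(fakeDb, "SELECT * FROM users WHERE name = $name", { $name: { toString: () => "alice" } });
} catch (err) {
  console.log("refused:", err.message);
}
```

The check is deliberately an allow-list rather than a deny-list: new object kinds are refused by default, and the error names the parameter so the rejection is easy to log and triage.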
References
- Commit: https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Credits: Dave McDaniel of Cisco Talos
Release Notes
TryGhost/node-sqlite3 (sqlite3)
v5.1.5
What's Changed
- 🔒 Fixed code execution vulnerability due to Object coercion by @daniellockyer
- Updated bundled SQLite to v3.41.1 by @daniellockyer
- Fixed rpath linker option when using a custom sqlite by @jeromew in https://github.com/TryGhost/node-sqlite3/pull/1654
Full Changelog: https://github.com/TryGhost/node-sqlite3/compare/v5.1.4...v5.1.5
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
Merging this would lead to breaking tests as reported here: https://github.com/TryGhost/node-sqlite3/issues/1694
Waiting for an explanation from the node-sqlite3 maintainers about this; I'll make the necessary modifications in the tests after that.
Pull Request Test Coverage Report for Build 9924477213
Details
- 0 of 0 changed or added relevant lines in 0 files are covered.
- No unchanged relevant lines lost coverage.
- Overall coverage remained the same at 54.772%
| Totals | |
|---|---|
| Change from base Build 9924456989: | 0.0% |
| Covered Lines: | 9566 |
| Relevant Lines: | 12465 |