CoursePark / KnexNest

A wrapper for Knex.js that can output a list of objects hydrated from a select

will update dependencies #13

Open BrenoMazieiro opened 3 years ago

BrenoMazieiro commented 3 years ago

Some dependencies have security problems and should be updated.

CVE-2019-10757 (high severity)

Vulnerable versions: < 0.19.5

Patched version: 0.19.5

knex.js versions before 0.19.5 are vulnerable to SQL Injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB.

ev-rvs commented 2 years ago

Is there an ETA on merging this patched fix? There is a severe vulnerability that requires dependent package versions to be updated within this package - thanks @BrenoMazieiro for submitting this pull request.
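A check for the condition the advisory in this thread describes, as an added example that is not part of the pull request or of KnexNest: it walks a parsed `package-lock.json` and flags every installed copy of knex below 0.19.5, including copies nested under other packages. The function names, the sample lockfile and the package `some-lib` are constructed for illustration.

```javascript
// Added example, not KnexNest code. Threshold 0.19.5 comes from the advisory above.
const PATCHED = [0, 19, 5];

// true = affected (< 0.19.5), false = patched, null = not a plain version string
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version));
  if (!m) return null; // git URL, tag or range: needs manual review
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== PATCHED[i]) return parts[i] < PATCHED[i];
  }
  return Boolean(m[4]); // 0.19.5-rc.1 sorts before 0.19.5 in semver
}

// Collect every installed copy of knex from a parsed package-lock.json
function findKnex(lock) {
  const hits = [];
  if (lock.packages) {
    // npm 7+ layout: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/knex$/.test(path)) hits.push({ path, version: meta.version });
    }
    return hits;
  }
  // npm 5/6 layout: nested "dependencies" tree
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === 'knex') hits.push({ path: path.join(' > '), version: meta.version });
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

function auditKnex(lock) {
  return findKnex(lock).map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample lockfile (npm 6 layout); "some-lib" is a made-up package
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    knex: { version: '0.19.5' },
    'some-lib': { version: '1.0.0', dependencies: { knex: { version: '0.16.3' } } },
  },
};

console.log(auditKnex(sampleLock));
```

A `vulnerable: null` result means the lockfile entry is not a plain version (for example a git reference) and has to be checked by hand.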