lighthouse-ci
Upgrade sequelize package to >= 6.19.2 due to SQL Injection vulnerability
Hi everyone,

Back in May 2022, the people maintaining the sequelize package [1] released versions 6.19.1 and 6.19.2, which address an SQL Injection vulnerability [2]. Any chance that Lighthouse CI will upgrade to one of the latest sequelize versions in order to mitigate this issue? Lighthouse CI is currently using versions matching "^4.44.3" (lighthouse-ci/packages/server/package.json). I haven't found any information that this quite old version is not affected.
Thanks, Benjamin
[1] https://github.com/sequelize/sequelize [2] https://github.com/sequelize/sequelize/issues/14519
Hello, all.
Our vulnerability scanner is flagging the docker image patrickhulce/lhci-server:latest, which I believe is release 0.12.0, as containing multiple critical vulnerabilities in sequelize 4.4.4.
- CVE-2023-25813 - fixed in >=6.19.1 - I believe this is the one @bbbenjie is referring to?
- CVE-2023-22578 - fixed in >=6.29.0 [1][2]
I'm not sure if that is useful information, but I thought it prudent to mention in case we can jump straight to a sequelize version >=6.29.0 - avoiding the need to update twice? 🤷♂️
Cheers, Luke M.
[1] https://github.com/sequelize/sequelize/releases/tag/v6.29.0 [2] https://github.com/advisories/GHSA-f598-mfpv-gmfx
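A small lockfile check that turns the two "fixed in" versions quoted above into something a CI job can fail on. This is an added example, not Lighthouse CI code; the lockfile fragment is constructed, and the resolved version in it is a sample value chosen to fall inside the "^4.44.3" range.

```python
"""Report which of the advisories named in this thread still apply to the
sequelize version resolved in a package-lock.json (added example)."""
import re

# Advisory -> first fixed version, as stated in the thread above.
FIXED_IN = {
    "CVE-2023-25813": "6.19.1",
    "CVE-2023-22578": "6.29.0",
}

def parse_version(v):
    """'6.29.0' -> (6, 29, 0); tolerates a leading 'v' and a pre-release suffix."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"not a semver version: {v!r}")
    return tuple(int(x) for x in m.groups())

def resolved_version(lockfile, package):
    """Resolved version of a top-level dependency from a package-lock.json
    dict (lockfileVersion 1, 2 or 3), or None if it is not present."""
    pkgs = lockfile.get("packages")
    if pkgs is not None:                      # lockfile v2/v3 layout
        entry = pkgs.get(f"node_modules/{package}")
        if entry:
            return entry["version"]
    entry = lockfile.get("dependencies", {}).get(package)  # lockfile v1 layout
    return entry["version"] if entry else None

def open_advisories(version):
    """Advisories whose first fixed version is newer than the installed one."""
    installed = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if installed < parse_version(fixed))

def audit(lockfile, package="sequelize"):
    """Return (resolved_version, [still-open advisories])."""
    version = resolved_version(lockfile, package)
    if version is None:
        return None, []
    return version, open_advisories(version)

# Constructed lockfile fragment; the version is a sample inside "^4.44.3".
SAMPLE_LOCK = {
    "lockfileVersion": 2,
    "packages": {"node_modules/sequelize": {"version": "4.44.4"}},
}

if __name__ == "__main__":
    ver, cves = audit(SAMPLE_LOCK)
    print(f"sequelize {ver}: " + (", ".join(cves) if cves else "no listed advisories"))
```

Point `audit()` at `json.load(open("package-lock.json"))` and exit non-zero when the list is non-empty to gate a build on it.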
Hi @lukemaslany-next,

Indeed, CVE-2023-25813 is about the issue I raised. It definitely makes sense to upgrade directly to sequelize >= 6.29.0 because of the 2nd CVE.
Meanwhile, has anyone tried upgrading to Sequelize 6 on their own? The umzug.up() call in sql.js just crashes the application with no error message.
Edit: found https://github.com/GoogleChrome/lighthouse-ci/pull/878