Closed MuwuM closed 2 years ago
I didn't know async had the CVE, I removed it from @seald-io/nedb because it was old and unmaintained, but glad that I did!
Normally, the old callback-based API is retrocompatible in @seald-io/nedb v3 (I made it that way), bumping the version should just work.
Any time you'd call nedb-promises, you'd call a promisified & callbackified version of the promise-based API, which is ugly, but at least it would solve the security issue.
For this I also opened PR #60 :)
Hi, sorry for the long wait, I didn't really have time to do anything lately. I updated the codebase, however, to use the async API instead of callbacks with @seald-io/nedb@3.
I released the changes with 6.1.0 on NPM.
The current version of nedb-promises is affected by CVE-2021-43138.
The dependency on async was removed in version 3.0.0 of @seald-io/nedb.
Also, @seald-io/nedb has a Promise-based API beginning from 3.0.0. Unfortunately this new API is not compatible with the implementation of nedb-promises, as it adds the Async suffix to all the method names. From my point of view, a lot of code of this repository could be refactored to internally use the Async methods. But more important would be to get rid of the security issue.
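An added example (not from this thread or from either project) of checking an npm lockfile for the point raised above: once the upgrade is in, no copy of async should remain installed and nothing should still declare it. The function names and both lockfile fragments are constructed for illustration, and version strings marked "constructed" are placeholders, not real releases.

```javascript
// Added example. Works on the "packages" map of an npm lockfile
// (lockfileVersion 2 or 3). For a real project, pass in
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")).

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Returns every installed copy of `target` and every package that declares it.
function findDependents(lock, target) {
  const installed = [];
  const requiredBy = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path === "" ? "(root)" : packageNameFromPath(path);
    if (name === target) installed.push({ path, version: meta.version });
    const deps = {
      ...meta.dependencies,
      ...meta.optionalDependencies,
      ...(path === "" ? meta.devDependencies : undefined),
    };
    if (Object.prototype.hasOwnProperty.call(deps, target)) {
      requiredBy.push({ name, range: deps[target] });
    }
  }
  return { installed, requiredBy };
}

// Constructed fragments: a tree that still pulls in async, and one that does not.
const beforeLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { "nedb-promises": "0.0.0-constructed" } },
  "node_modules/nedb-promises": { version: "0.0.0-constructed",
    dependencies: { "@seald-io/nedb": "0.0.0-constructed" } },
  "node_modules/@seald-io/nedb": { version: "0.0.0-constructed",
    dependencies: { async: "0.0.0-constructed" } },
  "node_modules/async": { version: "0.0.0-constructed" },
} };
const afterLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { "nedb-promises": "^6.1.0" } },
  "node_modules/nedb-promises": { version: "6.1.0",
    dependencies: { "@seald-io/nedb": "^3.0.0" } }, // range is constructed
  "node_modules/@seald-io/nedb": { version: "3.0.0" },
} };

console.log(findDependents(beforeLock, "async")); // one copy, required by @seald-io/nedb
console.log(findDependents(afterLock, "async"));  // nothing installed, nothing requiring it
```

A non-empty `requiredBy` names the package to upgrade or replace; a non-empty `installed` with an empty `requiredBy` usually means the lockfile is stale and needs regenerating.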