chill117 / express-mysql-session

A MySQL session store for the express framework in node
MIT License
313 stars, 106 forks

Update mysql2 Version to Address High Severity Vulnerability #152

Status: Open. Kareszrk opened this pull request 1 month ago

Kareszrk commented 1 month ago

Description

This pull request updates the mysql2 module version in package.json and package-lock.json to address a high severity vulnerability. The modifications ensure that the application no longer depends on a vulnerable version of mysql2 used by the express-mysql-session module.

Changes Made

  1. Updated package.json:
    • Changed the version of the mysql2 module to a version higher than 3.9.8 to address the security vulnerability.
  2. Updated package-lock.json:
    • Corresponding changes in package-lock.json to reflect the updated mysql2 module version.

Reason for Changes

The express-mysql-session module was using a version of mysql2 that is vulnerable to prototype pollution, as identified by the following advisory:

The npm audit report indicated the following issues:

By updating the mysql2 module version, this pull request resolves these high severity vulnerabilities and enhances the security of the application.

Audit Report Summary

# npm audit report

mysql2  <3.9.8
Severity: high
mysql2 vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-pmh2-wpjm-fj45
fix available via `npm audit fix --force`
Will install express-mysql-session@2.1.8, which is a breaking change
node_modules/express-mysql-session/node_modules/mysql2
  express-mysql-session  >=3.0.0
  Depends on vulnerable versions of mysql2
  node_modules/express-mysql-session

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Additional Notes

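Added example, not part of this pull request or of the express-mysql-session project: a small Node.js script that scans a package-lock.json for every installed copy of mysql2 below 3.9.8 (the first patched version named in the audit output above), including the nested copy under node_modules/express-mysql-session/node_modules/mysql2 that npm audit flags. It shows why raising the application's own mysql2 is not sufficient while express-mysql-session still requires a vulnerable range: the nested copy remains until the dependant's requirement is raised and npm can dedupe onto the fixed version. The sample lockfile contents, the version numbers other than the 3.9.8 threshold, and the function names are constructed for illustration.

```javascript
// Added example (not from the PR or the express-mysql-session project):
// scan a package-lock.json (lockfileVersion 2/3 "packages" map) for every
// installed copy of mysql2 below the patched version, including nested copies
// such as node_modules/express-mysql-session/node_modules/mysql2, which a bump
// of the application's top-level mysql2 alone does not replace.

// First patched version according to the npm audit output (GHSA-pmh2-wpjm-fj45).
const FIXED_MYSQL2 = "3.9.8";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts. Build
// metadata is ignored; a pre-release tag is kept for ordering.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Comparator returning -1, 0 or 1; a pre-release sorts below its final release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Walk the lockfile "packages" map. The key is the install path, so the
// package name is whatever follows the last "node_modules/" segment; nested
// copies therefore show up under their parent's path.
function findVulnerableMysql2(lock, fixedVersion = FIXED_MYSQL2) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (name !== "mysql2" || !meta.version) continue;
    if (compareVersions(meta.version, fixedVersion) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile mirroring the audit output in the PR: the app
// already pins a fixed mysql2 at top level, but express-mysql-session still
// carries its own nested, older copy. Versions other than the 3.9.8 threshold
// are illustrative, not taken from any real lockfile.
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/mysql2": { version: "3.9.8" },
    "node_modules/express-mysql-session": { version: "3.0.0", dependencies: { mysql2: "3.9.7" } },
    "node_modules/express-mysql-session/node_modules/mysql2": { version: "3.9.7" },
  },
};

// The same lockfile after express-mysql-session's own mysql2 requirement has
// been raised: npm dedupes onto the single fixed top-level copy and the nested
// entry disappears (constructed, as above).
const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/mysql2": { version: "3.9.8" },
    "node_modules/express-mysql-session": { version: "3.0.0", dependencies: { mysql2: "^3.9.8" } },
  },
};

// Report every vulnerable copy for a lockfile object; returns the hit count.
function report(label, lock) {
  const hits = findVulnerableMysql2(lock);
  console.log(`${label}: ${hits.length} vulnerable mysql2 cop${hits.length === 1 ? "y" : "ies"}`);
  for (const h of hits) console.log(`  ${h.path}: mysql2@${h.version} < ${FIXED_MYSQL2}`);
  return hits.length;
}

if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  report("before", SAMPLE_LOCK_BEFORE);
  report("after", SAMPLE_LOCK_AFTER);
}
```

To run it against a real checkout, replace the sample object with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a non-empty result for a path under node_modules/express-mysql-session/ means the dependant's own requirement, not the application's, still has to move.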
stuarthimmer-loop commented 1 week ago

What is blocking this from being merged?

Kareszrk commented 1 week ago

That is a good question

stuarthimmer-loop commented 2 days ago

@chill117 Anything preventing this from being approved and merged?