db-migrate / mongodb

mongodb driver for db-migrate
Other
25 stars 58 forks source link

mongodb: use driver 4.7.0 #50

Open rodmatos opened 2 years ago

rodmatos commented 2 years ago

Since this project is running on a old mongodb driver version, we should update it. Will address issue #51

EricThompson-PeopleReign commented 2 years ago

It would be great to get this merged in. There are Vulnerabilities in this package that can be remediated by this.

rodmatos commented 2 years ago

@EricThompson-PeopleReign: I haven't been able to get an answer from the maintainer, so I wouldn't be too hopeful.

wzrdtales commented 2 years ago

this merge request doesn't attempt to upgrade the version. also we will need to add gitlab actions to the repo now that travis non free. I also don't have an environment with MongoDB right now to do manual testing in case

rodmatos commented 2 years ago

@wzrdtales: I am aware of that. I am happy to contribute with the upgrade but the whole CI needs a revamp since it is using an outdated toolchain.

wzrdtales commented 2 years ago

which toolchain you talk about, if you mean vows, not really worth the effort in time, but feel free to replace it with what the other projects already use, hapi lab.

EricThompson-PeopleReign commented 2 years ago

I think moving away from vows would be a good idea. It also brings in some vulnerability issues unless it can be upgraded to 0.8.3, but apparently tests break if we do.

wzrdtales commented 2 years ago

vulnerabilities in dev dependencies don't matter much usually, they don't end up in the end product. Also you will need to learn to distinguish vulnerabilities. As a piece of advice, don't make everything an elephant.

We're talking about CVE of type ReDoS vulnerability, there couldn't be anything less relevant, in a dev dependency. If it is a RCE ok, that is also dangerous over there, even though not actually relevant in most case, since there has to be an actor to exploit which is very unlikely unless you're very specifically targeted by hackers.