db-migrate / node-db-migrate

Database migration framework for node

Security vulnerability CVE-2020-26301 in ssh2 via dependency tunnel-ssh #755

Closed GlieseRay closed 2 years ago

GlieseRay commented 2 years ago

Current behavior

The ssh2 version is fixed in tunnel-ssh, which is one of the dependencies of db-migrate. That version of ssh2 (0.5.4) has a security vulnerability reported in https://nvd.nist.gov/vuln/detail/CVE-2020-26301 and also in tunnel-ssh https://github.com/agebrock/tunnel-ssh/issues/88.

It seems tunnel-ssh has not been active for a long time, so I'm just wondering if there is a plan to replace tunnel-ssh or something else. Thanks

└─┬ db-migrate@0.11.12
  └─┬ tunnel-ssh@4.1.4
    └── ssh2@0.5.4 


GlieseRay commented 2 years ago

Good news, tunnel-ssh has just updated its dependency ssh2 to 1.4.0, can we also have an update here? Thanks!

https://github.com/agebrock/tunnel-ssh/commit/39a4f21a66745aa92d42a065a923e9ced567f7e9

GlieseRay commented 2 years ago

"tunnel-ssh": "^4.0.0" will bring the latest tunnel-ssh in and could fix this issue. So closing this one.
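The thread turns on a question every consumer of db-migrate had to answer for themselves: which ssh2 actually gets resolved through tunnel-ssh, and is it at or above the 1.4.0 floor the tunnel-ssh update established? The following is an added example, not code from db-migrate or tunnel-ssh, that walks a lockfileVersion 1 style package-lock.json (nested "dependencies" maps) and reports every copy of a package whose resolved version is below the first fixed release, printing the path in the same shape as the `npm ls` tree quoted in the issue. The two lockfile objects are constructed samples: the vulnerable one mirrors the tree in the issue, while in the patched one the tunnel-ssh version string "4.1.x" is a placeholder (the thread does not name the release), and the only fact taken from the thread is that ssh2 moved to 1.4.0.

```javascript
// Added example, not part of db-migrate or tunnel-ssh.
// Audits a package-lock.json (lockfileVersion 1 layout: nested "dependencies")
// for copies of a package below the first fixed release.

// Floor taken from the thread: tunnel-ssh updated ssh2 to 1.4.0.
const FIXED_VERSION = "1.4.0";

// Minimal semver comparison on MAJOR.MINOR.PATCH; pre-release ("-rc.1") and
// build ("+abc") suffixes are stripped rather than ordered. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const parse = (v) => v.split("+")[0].split("-")[0].split(".").map(Number);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A resolved version is affected when it sorts below the fixed release.
function isVulnerable(version, fixed = FIXED_VERSION) {
  return compareVersions(version, fixed) < 0;
}

// Recursively walk the nested "dependencies" maps and collect every occurrence
// of `target`, recording the path from the root (like the `npm ls` output).
function findPackage(lock, target) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (name === target) {
        hits.push({ path: here.join(" > "), version: info.version });
      }
      walk(info.dependencies, here); // nested (non-hoisted) copies live here
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Return only the copies of `target` that are still below the fixed version.
function auditLock(lock, target = "ssh2", fixed = FIXED_VERSION) {
  return findPackage(lock, target).filter((h) => isVulnerable(h.version, fixed));
}

// Constructed sample mirroring the tree quoted in the issue.
const vulnerableLock = {
  lockfileVersion: 1,
  dependencies: {
    "db-migrate": {
      version: "0.11.12",
      requires: { "tunnel-ssh": "4.1.4" },
      dependencies: {
        "tunnel-ssh": {
          version: "4.1.4",
          requires: { ssh2: "0.5.4" },
          dependencies: { ssh2: { version: "0.5.4" } },
        },
      },
    },
  },
};

// Constructed sample for the state after widening the range to ^4.0.0:
// "4.1.x" is a placeholder (the thread does not name the tunnel-ssh release),
// and ssh2 is shown hoisted to the top level, which the walker also visits.
const patchedLock = {
  lockfileVersion: 1,
  dependencies: {
    "db-migrate": {
      version: "0.11.12",
      requires: { "tunnel-ssh": "^4.0.0" },
      dependencies: {
        "tunnel-ssh": { version: "4.1.x", requires: { ssh2: "^1.4.0" } },
      },
    },
    ssh2: { version: "1.4.0" },
  },
};

function report(label, lock) {
  const hits = auditLock(lock);
  console.log(`${label}: ${hits.length} vulnerable copies of ssh2`);
  for (const h of hits) console.log(`  ${h.path}`);
  return hits;
}

report("before", vulnerableLock);
report("after", patchedLock);
```

To run this against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. lockfileVersion 2 files still carry the legacy "dependencies" section that this walker reads; lockfileVersion 3 drops it in favour of a flat "packages" map keyed by `node_modules/...` paths, so the walk would have to be rewritten over that map instead. Note that a widened range such as "^4.0.0" only helps once the lockfile is regenerated: an existing lock that still pins tunnel-ssh@4.1.4 keeps resolving ssh2@0.5.4, which is exactly what this check is meant to catch.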