Closed claasahl closed 2 years ago
The latest beta tag series no longer requires prompt, but I'm sure those of us using the 0.11.x series would like to see this resolved on that branch.
There is a new version of prompt with an updated async version; however, as noted in this commit, prompt still depends on an older version of winston which requires the old vulnerable async version: https://github.com/flatiron/prompt/commit/4736c828879af1b35acb83928e12db3d02754a59
So I think prompt needs to also update its winston dependency version, and then db-migrate will be good (once updated, of course).
As seen here, getting prompt updated for winston is going to be work: https://github.com/flatiron/prompt/pull/226
The master branch of this project no longer uses prompt, so if someone wanted to do some git history diving and find out what change removed that dependency, maybe the maintainer would be open to backporting that to the v0.11.x branch.
Found it, a0432f1a6648cdc060e2d427fd1a5c8314c52c8d, which is listed as a breaking change, so probably not something that would be backported to the v0.11.x series.
Thank you for examining this. As a result of your research I tested 1.0.0-beta.18 on a couple of projects with a large number of Postgres migrations, and it worked. Would it be crazy to switch ... ? 😬
We upgraded to the latest beta version in one of our projects with no problem so it's not crazy. However, we tried doing the same in another project which is pretty similar and for some reason we now get hangs in our tests. I'm not sure if it's a bug in our project or not. But if the beta version works for you then that's probably the fastest and easiest way to resolve the CVE issue.
#627 also has some statements on the stability of the beta series.
Considering making the jump to 1.0.0-beta.18 from 0.11.x. Did you happen to overcome the issues you were having in the project that was hanging during tests?
Winston published a new version, 2.4.6, which fixes the vulnerability. Prompt is now taking the fixed version of winston, so it seems the vulnerability is fixed on db-migrate@0.11.13. You can confirm which async versions are in your tree with:
npm ls async
Thanks for the pointer @travivi This did the trick for me 👍
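The same check as the "npm ls async" suggestion above, but over the JSON form of the tree, as an added example that is not code from this thread or from db-migrate. It walks a constructed "npm ls --json" tree and lists each dependency path that ends in an async version inside an affected range; the ranges used are an assumption recalled from GHSA-fwr7-v2mv-hh25, not something the thread states.

```javascript
// Added example, not from the issue thread: find every path in an `npm ls --json`
// tree that ends in an affected async version (the db-migrate > prompt > winston >
// async chain discussed above). ASSUMPTION: affected ranges recalled from
// GHSA-fwr7-v2mv-hh25 (async < 2.6.4 and 3.0.0 <= async < 3.2.2); verify first.
const AFFECTED_RANGES = [
  { min: "0.0.0", maxExclusive: "2.6.4" },
  { min: "3.0.0", maxExclusive: "3.2.2" },
];

// Constructed sample tree mirroring the thread's chain, plus one fixed copy of async.
const SAMPLE_TREE = {
  name: "my-app", version: "1.0.0",
  dependencies: {
    "db-migrate": { version: "0.11.12", dependencies: {
      prompt: { version: "1.0.0", dependencies: {
        winston: { version: "2.1.1", dependencies: { async: { version: "1.0.0" } } },
      } },
    } },
    async: { version: "3.2.4" },
  },
};

// Numeric compare of dotted versions; a prerelease suffix such as "-beta.18" is ignored.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when version falls inside any [min, maxExclusive) range.
function isAffected(version, ranges = AFFECTED_RANGES) {
  return ranges.some((r) =>
    compareVersions(version, r.min) >= 0 && compareVersions(version, r.maxExclusive) < 0);
}

// Depth-first walk; returns strings like "db-migrate@0.11.12 > prompt@1.0.0 > ...".
function findAffectedPaths(tree, pkg = "async", ranges = AFFECTED_RANGES) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = [...path, `${name}@${child.version}`];
      if (name === pkg && isAffected(child.version, ranges)) hits.push(next.join(" > "));
      walk(child, next);
    }
  };
  walk(tree, []);
  return hits;
}
```

On a real project, replace SAMPLE_TREE with the parsed output of "npm ls --json --all" and the result is the list of chains that still need a dependency bump.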
The latest version of db-migrate depends on a package with a high severity vulnerability (https://github.com/advisories/GHSA-fwr7-v2mv-hh25). It is my understanding that db-migrate does not directly use the affected package async, but rather indirectly imports it via prompt. Please switch to an unaffected version of prompt or replace it altogether (e.g. https://github.com/db-migrate/node-db-migrate/pull/778).