db-migrate / node-db-migrate

Database migration framework for node

Update `tunnel-ssh` dependency for vulnerability CVE-2023-48795 #830

Open coruscating opened 9 months ago

coruscating commented 9 months ago

I'm submitting a...

Current behavior

The vulnerability CVE-2023-48795 requires ssh2 1.15 and above to fix: https://github.com/mscdex/ssh2/issues/1354

The tunnel-ssh 4.x series, which is a dependency of db-migrate, only supports ssh2 up to 1.4.0: https://github.com/db-migrate/node-db-migrate/issues/755. This CVE can be resolved for db-migrate if the tunnel-ssh dependency is upgraded to 5.x (or if tunnel-ssh updates its 4.x dependencies, but it's been a year since 5.x was released).

Expected behavior

The security vulnerability should be addressed.

MarkR87 commented 7 months ago

Any update on this?

mriedem commented 6 months ago

For anyone else looking at this, we're not using the tunnel config with db-migrate so we're just overriding the transitive dependency in our package.json:

"overrides": {
  "db-migrate": {
    "tunnel-ssh": "^5.1.2"
  }
}