Open coruscating opened 9 months ago
Any update on this?
For anyone else looking at this, we're not using the tunnel config with db-migrate so we're just overriding the transitive dependency in our package.json:

```json
"overrides": {
  "db-migrate": {
    "tunnel-ssh": "^5.1.2"
  }
}
```
I'm submitting a...

Current behavior

The vulnerability CVE-2023-48795 requires `ssh2` 1.15 and above to fix: https://github.com/mscdex/ssh2/issues/1354

The `tunnel-ssh` 4.x series, which is a dependency of `db-migrate`, only supports `ssh2` up to 1.4.0: https://github.com/db-migrate/node-db-migrate/issues/755. This CVE can be resolved for `db-migrate` if the `tunnel-ssh` dependency is upgraded to 5.x (or if `tunnel-ssh` updates its 4.x dependencies, but it's been a year since 5.x was released).

Expected behavior

The security vulnerability should be addressed.