db-migrate / node-db-migrate

Database migration framework for node

Resolves CVE-2023-48795 vulnerability upgrading ssh2 to 1.15 #831

Open avilches opened 5 months ago

avilches commented 5 months ago

Vulnerability: CVE-2023-48795

The vulnerability is solved by upgrading ssh2 to 1.15. This is a transitive dependency from tunnel-ssh. Upgrading tunnel-ssh to version 5 already upgrades ssh2 to 1.15.

wzrdtales commented 5 months ago

Have you tested and confirmed that this is not breaking any functionality? Please list the breaking changes, since your suggested version patch is a major version.

mriedem commented 4 months ago

Please list the breaking changes, since your suggested version patch is a major version.

Unfortunately it doesn't look like tunnel-ssh has detailed release notes or a changelog. The 5.0.0 release commit has this single entry in the README: https://github.com/agebrock/tunnel-ssh/blob/ee4086d6147f8c216570a2a3b1614e16882d7104/README.md#breaking-change-in-500

Please note that release 5.0.0 uses a completely different approach for configuration and is not compatible with prior versions.

That doesn't help much. Maybe the rest of the README helps in identifying what's changed in tunnel-ssh 5.x and how it's used in this repo (db-migrate). Not being a maintainer of this repo, I can't say how it's being used. I mean, I can see this code:

https://github.com/db-migrate/node-db-migrate/blob/6acaf40e116463275f77419e69f2dbcdc80a3c61/lib/driver/index.js#L115-L159

Which makes it look like tunnel-ssh is an optional dependency for this project, is that correct?

I don't see anything about that tunnel config in the db-migrate docs, so is it safe to assume that if you're using db-migrate but not using the tunnel config then tunnel-ssh and thus ssh2 and the vulnerability do not apply? @wzrdtales
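The question above, whether the vulnerable ssh2 reaches a given install only via tunnel-ssh, can be answered from the lockfile. The following is an added example, not code from this PR or from db-migrate: it scans a package-lock.json `packages` map (lockfile v2/v3) for every installed copy of ssh2, reports the nesting path that pulled it in, and flags copies below the 1.15.0 fix version for CVE-2023-48795. The lockfile contents and version numbers are constructed sample data.

```javascript
// Added example (not code from the PR or the db-migrate project): scan a
// package-lock.json (lockfile v2/v3 "packages" map) for installed copies of
// ssh2 and report any below the fixed version 1.15.0 for CVE-2023-48795,
// together with the dependency path that pulled each copy in.
const FIXED_SSH2 = "1.15.0";

// Compare two dotted versions numerically; returns <0, 0, >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Walk the "packages" map: keys look like "node_modules/tunnel-ssh/node_modules/ssh2".
// Splitting on "node_modules/" yields the chain of packages that nest this copy.
function findVulnerableSsh2(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !path.endsWith("node_modules/ssh2")) continue;
    const chain = path.split("node_modules/").filter(Boolean).map((s) => s.replace(/\/$/, ""));
    results.push({
      path,
      version: meta.version,
      via: chain.join(" > "),
      vulnerable: compareVersions(meta.version, FIXED_SSH2) < 0,
    });
  }
  return results;
}

// Constructed sample lockfile: one ssh2 copy nested under an older tunnel-ssh
// (below the fix), and a top-level ssh2 already at the fixed version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/tunnel-ssh": { version: "4.1.6", dependencies: { ssh2: "^1.11.0" } },
    "node_modules/tunnel-ssh/node_modules/ssh2": { version: "1.11.0" },
    "node_modules/ssh2": { version: "1.15.0" },
  },
};

for (const r of findVulnerableSsh2(SAMPLE_LOCK)) {
  console.log(`${r.vulnerable ? "VULNERABLE" : "ok"} ssh2@${r.version} via ${r.via}`);
}
```

Point `SAMPLE_LOCK` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real install; a result list with no `tunnel-ssh` in any `via` chain means tunnel-ssh is not the path bringing ssh2 in.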