Open avilches opened 5 months ago
have you tested and confirmed that this is not breaking any functionality? please list the breaking changes since your suggested version patch is a major version.
please list the breaking changes since your suggested version patch is major version.
Unfortunately it doesn't look like tunnel-ssh has detailed release notes or a changelog. The 5.0.0 release commit has this single entry in the README: https://github.com/agebrock/tunnel-ssh/blob/ee4086d6147f8c216570a2a3b1614e16882d7104/README.md#breaking-change-in-500
Please note that release 5.0.0 uses a completely different approach for configuration and is not compatible with prior versions.
That doesn't help much. Maybe the rest of the README helps in identifying what's changed in tunnel-ssh 5.x and how it's used in this repo (db-migrate). Not being a maintainer of this repo, I can't say how it's being used. I mean, I can see this code:
Which makes it look like tunnel-ssh is an optional dependency for this project, is that correct?
I don't see anything about that tunnel config in the db-migrate docs, so is it safe to assume that if you're using db-migrate but not using the tunnel config then tunnel-ssh, and thus ssh2 and the vulnerability, do not apply? @wzrdtales
Vulnerability: CVE-2023-48795
The vulnerability is solved by upgrading ssh to 1.15. This is a transitive dependency of tunnel-ssh. Upgrading tunnel-ssh to version 5 already upgrades ssh to 1.15.
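As an added example (not part of this thread, and not db-migrate or tunnel-ssh code), the check a downstream user would run to settle the two questions above: which resolved ssh2 versions in a package-lock.json are below the 1.15 fix, which packages declare the ssh2 dependency, and whether those packages are flagged optional. The lockfile contents and version numbers in the sample are constructed for the demo; the dependent list is based on declared dependencies in the lockfile, not on exact nested resolution.

```javascript
// Lowest ssh2 release the thread identifies as fixed for CVE-2023-48795.
const FIXED_SSH2 = "1.15.0";

// "1.14.0" -> [1, 14, 0]; a pre-release suffix after "-" is ignored.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// true when semver a is strictly lower than semver b (major.minor.patch only)
function versionLess(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Scan a lockfileVersion 2/3 "packages" map. Returns one finding per ssh2
// entry below FIXED_SSH2, listing every package that declares an ssh2
// dependency and whether npm marked that package optional.
function findVulnerableSsh2(lock) {
  const pkgs = lock.packages || {};
  const dependents = Object.entries(pkgs)
    .filter(([, m]) => m.dependencies && "ssh2" in m.dependencies)
    .map(([p, m]) => ({
      name: p.split("node_modules/").pop() || "(root)",
      optional: Boolean(m.optional),
    }));
  const findings = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    if (!path.endsWith("node_modules/ssh2") || !meta.version) continue;
    if (!versionLess(meta.version, FIXED_SSH2)) continue;
    findings.push({ path, version: meta.version, dependents });
  }
  return findings;
}

// CONSTRUCTED sample lockfiles: a pre-upgrade tree pulling in an old ssh2
// through an optional tunnel-ssh, and the same tree after the upgrade.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "tunnel-ssh": "^4.0.0" } },
    "node_modules/tunnel-ssh": { version: "4.0.0", optional: true, dependencies: { ssh2: "^1.4.0" } },
    "node_modules/ssh2": { version: "1.14.0" },
  },
};
const SAMPLE_LOCK_FIXED = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "tunnel-ssh": "^5.0.0" } },
    "node_modules/tunnel-ssh": { version: "5.0.0", optional: true, dependencies: { ssh2: "^1.15.0" } },
    "node_modules/ssh2": { version: "1.15.0" },
  },
};

console.log(JSON.stringify(findVulnerableSsh2(SAMPLE_LOCK), null, 2));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result after the upgrade, as with SAMPLE_LOCK_FIXED, means no in-range ssh2 remains in the tree.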