emirotin / mongodb-migrations

A Node.js migration framework for MongoDB
MIT License

Mongodb Denial of Service #66

Open rfossella opened 3 years ago

rfossella commented 3 years ago

Hello. Running npm audit for mongodb-migrations v0.85 throws the following warning. Is there/will there be a package update? Or best way to address this? Thanks!

node v12.13.0 npm@6.14.11

npm audit

High            Denial of Service
Package         mongodb
Patched in      >=3.1.13
Dependency of   mongodb-migrations
Path            mongodb-migrations > mongodb
More info       https://npmjs.com/advisories/1203

Package.json dependencies

    "dependencies": {
        "bluebird": "^3.4.1",
        "lodash": "^4.13.0",
        "mkdirp": "^0.5.1",
        "mongodb": "^2.2.1",
        "nomnom": "^1.6.2"
    },

emirotin commented 3 years ago

This package is unmaintained. You can fork it and update the dependency.

On Thu, Feb 25, 2021, 09:19 Robert Fossella notifications@github.com wrote:

rfossella commented 3 years ago

Thank you.

rfossella commented 3 years ago

Hello. Not sure if what I did was what you recommended - i.e. forked, updated, created pull request? If not, then can you explain? Thanks.

emirotin commented 3 years ago

I'll try to find time to check it out. What I actually meant is you can use your fork; it can be set as a dependency directly from GitHub.

Did you run the tests?

On Sat, Feb 27, 2021, 11:44 Robert Fossella notifications@github.com wrote:

rfossella commented 3 years ago

Hmm. My very preliminary tests looked ok. A more robust test is throwing errors:

Unhandled rejection TypeError: this._db.collection is not a function
    at Migrator._coll (C:\Development\wamp64\www\MyApp\src\server\node_modules\mongodb-migrations\lib\mongodb-migrations.js:58:23)
    at C:\Development\wamp64\www\MyApp\src\server\node_modules\mongodb-migrations\lib\mongodb-migrations.js:69:24
    at tryCatcher (C:\Development\wamp64\www\MyApp\src\server\node_modules\bluebird\js\release\util.js:16:23)
    at Promise._settlePromiseFromHandler (C:\Development\wamp64\www\MyApp\src\server\node_modules\bluebird\js\release\promise.js:547:31)

When I roll back to the published version (with mongodb 2.2.4) it works.

FYI: the remainder of my application uses 3.6.4

Maybe another conflicting package :\

I'll continue to check; if you have any ideas please let me know. And thank you for extending yourself to me. Appreciated!

emirotin commented 3 years ago

I would assume a change of API given it's a major version update. There's a test suite in the package.

On Sat, Feb 27, 2021, 13:24 Robert Fossella notifications@github.com wrote:
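Added example (not code from the mongodb-migrations project or either participant) showing the API change behind the `this._db.collection is not a function` error above: in driver 2.x, `MongoClient.connect()` resolves to a `Db`, while in 3.x it resolves to a `MongoClient`, and the `Db` has to be obtained with `client.db(name)`. The `Db` and `MongoClient` objects below are constructed stand-ins so the example runs offline, and `resolveDb`/`coll` are hypothetical helper names.

```javascript
// Constructed stand-in for a driver Db object: only the method the
// migrator actually calls (.collection) is modelled.
function makeDbStub(name) {
  return { databaseName: name, collection: (c) => ({ name: c }) };
}

// What MongoClient.connect() resolves to under mongodb 2.x: the Db itself.
const legacyConnectResult = makeDbStub('migrations_test');

// What MongoClient.connect() resolves to under mongodb 3.x: a client that
// hands out Db objects via client.db(name).
const modernConnectResult = {
  db: (name) => makeDbStub(name || 'migrations_test'),
};

// Mirrors the failing line in the migrator: call .collection() on whatever
// connect() returned. Works on 2.x; on 3.x it throws the TypeError seen
// in the stack trace because a MongoClient has no .collection method.
function legacyColl(connectResult, collName) {
  return connectResult.collection(collName);
}

// Adapter for a fork that pins mongodb >=3.1.13 to clear the audit finding:
// resolve a Db from either driver shape instead of assuming 2.x.
function resolveDb(connectResult, dbName) {
  if (typeof connectResult.collection === 'function') {
    return connectResult; // 2.x: already a Db
  }
  if (typeof connectResult.db === 'function') {
    return connectResult.db(dbName); // 3.x: MongoClient -> Db
  }
  throw new TypeError('connect() returned neither a Db nor a MongoClient');
}

function coll(connectResult, dbName, collName) {
  return resolveDb(connectResult, dbName).collection(collName);
}
```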