feathersjs-ecosystem / feathers-sync

Synchronize service events between Feathers application instances
MIT License

mubsub nested dependency security issue #134

Closed HKDataGeek closed 4 years ago

HKDataGeek commented 4 years ago

Issue

feathers-sync uses mubsub to work with MongoDB. mubsub:^1.4.0 itself requires mongodb: ^2.0.35, for which npm audit now reports a high-risk security vulnerability. mubsub itself has been archived.

Question: Are there any plans on the feathers.js side to provide a feathers-sync version that works with MongoDB and that does not throw the security warning?

I have tried to force mubsub to use mongodb: 3.1.13 via npm-force-resolutions but that results in error messages because of breaking changes between mongodb versions 2 and 3.

System configuration

Operating System: macOS High Sierra
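To see why the nested copy is the one npm audit flags, and why forcing the top-level mongodb to 3.1.13 does not satisfy mubsub's own range, here is an added example (not code from feathers-sync or mubsub) that walks a lockfile in the v1 nested `dependencies` layout and checks a caret range the way npm resolves it. The lockfile below is constructed; only the ranges `^1.4.0` and `^2.0.35` and the version 3.1.13 come from the issue.

```javascript
// Constructed package-lock.json fragment (v1 nested layout), not a real one.
const lock = {
  name: "example-app", // constructed
  dependencies: {
    "feathers-sync": {
      version: "1.0.0", // constructed
      requires: { mubsub: "^1.4.0" },
      dependencies: {
        mubsub: {
          version: "1.4.0", // constructed
          requires: { mongodb: "^2.0.35" },
          dependencies: { mongodb: { version: "2.0.35" } } // constructed
        }
      }
    },
    mongodb: { version: "3.1.13" } // the version the reporter tried to force
  }
};

// Recursively collect every installed copy of `name` with its node_modules path.
function findInstalls(tree, name, path = []) {
  const found = [];
  for (const [dep, meta] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) {
      found.push({ path: here.join("/node_modules/"), version: meta.version });
    }
    found.push(...findInstalls(meta, name, here));
  }
  return found;
}

function parse(v) { return v.split(".").map(Number); }

// Caret ranges only: "^a.b.c" allows >= a.b.c within the same major (a > 0).
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error("caret ranges only");
  const [a, b, c] = parse(range.slice(1));
  const [x, y, z] = parse(version);
  if (x !== a) return false;
  return y > b || (y === b && z >= c);
}

// Copies of `name` at a given major, e.g. the mongodb 2.x copy audit reports.
function installsAtMajor(tree, name, major) {
  return findInstalls(tree, name).filter(i => parse(i.version)[0] === major);
}

console.log(installsAtMajor(lock, "mongodb", 2));      // only the nested mubsub copy
console.log(satisfiesCaret("^2.0.35", "3.1.13"));      // false: a forced 3.x is outside mubsub's range
```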

daffl commented 4 years ago

Since Mubsub appears to be no longer maintained the only way forward is probably to remove MongoDB support for now.

HKDataGeek commented 4 years ago

Thanks for the quick reply. Sorry to hear that MongoDB support would have to be removed.

Just as a quick side note / question: Monkey-patching mubsub to at least temporarily fix the issue seems to require only minor changes. I assume feathers wouldn't be interested in forking and maintaining mubsub under the feathers umbrella?

kc-dot-io commented 4 years ago

Thanks for reporting this!

daffl commented 4 years ago

I created a follow-up issue in #136. There appear to be several forks of mubsub but it was not easy to determine if they are maintained.

If someone wants to contribute a MongoDB adapter I'd gladly add it back, but as mentioned in the other issue I am not using MongoDB at the moment and do not plan on addressing it at the moment.