kappa-db / kappa-core

Minimal peer-to-peer database, based on kappa architecture.

Update memdb examples #26

Open baal-lgln opened 1 month ago

baal-lgln commented 1 month ago

The memdb project repo states that it is superseded by level-mem which itself will soon be deprecated because it is superseded by memory-level.

Is there any way to update kappa-core (and the examples) to use memory-level? Or is this project dead and can anybody lead me to a good alternative?

hackergrrl commented 1 month ago

Hi @baal-lgln. Do you have some reason to want to move away from memdb?

memdb continues to work fine, and there aren't any open security vulnerabilities. I don't see a reason to use a new module just for the sake of "it is newer".

baal-lgln commented 1 month ago

I can't confirm that there are no open security vulnerabilities. npm audit shows this for me:

semver  <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/levelup/node_modules/semver
node_modules/semver
  levelup  0.9.0 - 1.3.9
  Depends on vulnerable versions of semver
  node_modules/levelup
    memdb  *
    Depends on vulnerable versions of levelup
    node_modules/memdb

memdb itself depends on levelup which itself has also been deprecated because it is superseded by abstract-level and has therefore not seen an update in three years. We can't use dependencies that are failing our security pipelines and packages that depend on deprecated software (which depend on even more deprecated packages) will sooner or later become a security risk.

hackergrrl commented 1 month ago

Is there any way to update kappa-core (and the examples) to use memory-level?

Yes, I'm sure it's possible, but I haven't looked into it specifically.

Or is this project dead and can anybody lead me to a good alternative?

I can't speak to "dead" (since I'm here responding!) but I would not say that this stack is being actively maintained.

telamon commented 1 month ago

@baal-lgln I'd probably dismiss the output of npm-audit, it's mostly designed to keep servers alive. I only hacked briefly with kappa, but abstract-level has quite a small/simple API, so I don't think it would take much to edit the calls. Can you see which module depends on mem-db?
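A small dependency-tree walker that answers the "which module depends on memdb" question and reconstructs the kind of chain npm audit prints above (memdb > levelup > semver), added here as an example and not part of this thread or of kappa-core. The lock tree is constructed and simplified (nested package-lock v1 shape, no hoisting), and the version comparison handles only plain x.y.z strings:

```javascript
// Constructed, simplified lock tree in package-lock v1 style (not the real kappa-core lockfile).
// Versions are illustrative; the shape mirrors the audit output: memdb -> levelup -> semver.
const lock = {
  name: 'kappa-core-example',
  dependencies: {
    memdb: {
      version: '1.3.1',
      dependencies: {
        levelup: {
          version: '1.3.9',
          dependencies: { semver: { version: '5.1.1' } },
        },
      },
    },
    semver: { version: '7.5.4' }, // a fixed, top-level copy that must not be reported
  },
};

// Compare plain x.y.z versions numerically (no prerelease or build tags handled).
function lessThan(a, b) {
  const x = a.split('.').map(Number);
  const y = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Depth-first walk over the nested tree, yielding every package with its chain from the root.
function* walk(node, path = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const chain = [...path, `${name}@${dep.version}`];
    yield { name, version: dep.version, chain };
    yield* walk(dep, chain);
  }
}

// Every chain that ends in `pkg` at a version below `fixedVersion`, rendered like "a@1 > b@2".
function findVulnerableChains(tree, pkg, fixedVersion) {
  const hits = [];
  for (const { name, version, chain } of walk(tree)) {
    if (name === pkg && lessThan(version, fixedVersion)) hits.push(chain.join(' > '));
  }
  return hits;
}

// Direct dependents of `pkg` anywhere in the tree (top-level copies have no dependent).
function dependentsOf(tree, pkg) {
  const out = new Set();
  for (const { name, chain } of walk(tree)) {
    if (name === pkg && chain.length > 1) out.add(chain[chain.length - 2].split('@')[0]);
  }
  return [...out];
}
```

Running `findVulnerableChains(lock, 'semver', '5.7.2')` on a real `package-lock.json` (after converting hoisted entries into this nested shape) gives the same chains the audit lists, and `dependentsOf(lock, 'memdb')` shows which of your own modules pull it in.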