louischatriot / nedb

The JavaScript Database, for Node.js, nw.js, electron and the browser
MIT License
13.46k stars 1.03k forks

NPM found 2 high severity vulnerabilities in NeDB, require manual review #675

Closed alexbruno closed 3 years ago

alexbruno commented 3 years ago
npm audit

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary Code Execution                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ underscore                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.12.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nedb                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nedb > binary-search-tree > underscore                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1674                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary Code Execution                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ underscore                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.12.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nedb                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nedb > underscore                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1674                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 high severity vulnerabilities in 604 scanned packages
  2 vulnerabilities require manual review. See the full report for details.
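The two "Path" rows above are what makes this finding awkward: the vulnerable `underscore` is never something the application asked for, it arrives once directly through `nedb` and once through `binary-search-tree`. The script below, an added example that is not part of the thread or of nedb, reproduces that path-finding from a package-lock.json v1 style tree: it resolves each `requires` entry the way Node does (nearest nested `node_modules` first, then ancestors, then the top level) and reports every route that ends at an installed version below the patched one. The lock file content and all version numbers are constructed for the demo.

```javascript
// Added example (not from the thread): reproduce the "Path" lines of an npm audit
// report from a package-lock.json v1 style tree. The lock file content below is
// constructed for the demo; the versions are illustrative, not nedb's real lock file.

// Compare two "major.minor.patch" strings; returns true when a < b.
// Pre-release suffixes are stripped, which is enough for "patched in >=X.Y.Z" checks.
function semverLess(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Lockfile v1 layout: every installed package has a "version", an optional "requires"
// map (what it asks for) and an optional nested "dependencies" map (what was installed
// underneath it because the hoisted copy did not satisfy its range).
const sampleLock = {
  name: 'my-app',
  dependencies: {
    'nedb': {
      version: '1.8.0',
      requires: { 'binary-search-tree': '0.2.5', 'underscore': '~1.4.4' },
    },
    'binary-search-tree': {
      version: '0.2.5',
      requires: { 'underscore': '~1.4.4' },
    },
    'underscore': { version: '1.4.4' },          // hoisted copy, below the patched version
    'other-lib': {
      version: '2.0.0',
      requires: { 'underscore': '^1.13.0' },
      dependencies: {
        'underscore': { version: '1.13.1' },     // nested copy, already patched
      },
    },
  },
};

// Resolve a required name the way Node does: nearest nested node_modules first,
// then each ancestor's, then the top level.
function resolveDep(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) return scopes[i][name];
  }
  return null;
}

// Walk from each direct dependency (the names in package.json) and collect every
// path that ends at `pkgName` with an installed version below `patchedIn`.
function findVulnerablePaths(lock, directDeps, pkgName, patchedIn) {
  const hits = [];
  const root = lock.dependencies || {};

  function walk(node, name, scopes, path, seen) {
    const key = name + '@' + node.version;
    if (seen.has(key)) return;                 // guard against dependency cycles
    const nextSeen = new Set(seen).add(key);
    const nextPath = path.concat(name);
    if (name === pkgName && semverLess(node.version, patchedIn)) {
      hits.push({ path: nextPath.join(' > '), version: node.version, dependencyOf: nextPath[0] });
    }
    const nextScopes = scopes.concat([node.dependencies || {}]);
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolveDep(dep, nextScopes);
      if (child) walk(child, dep, nextScopes, nextPath, nextSeen);
    }
  }

  for (const name of directDeps) {
    const node = root[name];
    if (node) walk(node, name, [root], [], new Set());
  }
  return hits;
}

// Run the check against the constructed lock file for the advisory's "patched in >=1.12.1".
function auditSample() {
  return findVulnerablePaths(sampleLock, ['nedb', 'other-lib'], 'underscore', '1.12.1');
}

for (const hit of auditSample()) {
  console.log(`underscore@${hit.version} via ${hit.path} (dependency of ${hit.dependencyOf})`);
}
```

Running it prints the same two routes the audit report shows, and nothing for `other-lib`, whose nested `underscore` copy already satisfies the patched range. That last case is the one worth understanding: a single hoisted copy can be vulnerable while another copy elsewhere in the tree is fine, so a fix has to reach the copy a given path actually loads.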
yetzt commented 3 years ago

sadly, this project is dead.

michaelkornblum commented 3 years ago

So I guess we have to use Node's fs module now?

alexbruno commented 3 years ago

So sad... Looking for alternatives, I'm now trying Level/level (leveljs.org), a simple Node.js wrapper for LevelDB. It is not the same... In fact it is totally another paradigm, but I think it can be a good replacement.

yetzt commented 3 years ago

I made a drop-in replacement for myself: https://www.npmjs.com/package/@yetzt/nedb

michaelkornblum commented 3 years ago

@yetzt, thank you so very much for patching this.

alexbruno commented 3 years ago

Ok guys, what about this?

I'm coding a Koa server web app running on Microsoft Azure cloud, with a lot of CSV data imported to a local embedded NoSQL DB at build time, using data to populate server-side dynamic HTML and respond to API search requests.

It was developed with NeDB. Some users reported slow responses and I really noticed it with some tests.

But now I just dropped NeDB and replaced it by a LevelDB wrapper and now the application is blazing fast.

I really feel the difference and testing with Lighthouse I can see a performance boost.

Maybe it is because LevelDB is a C++ lib (like SQLite is a C lib), running operations at low level, wrapped into an NPM module.

I strongly recommend LevelDB, it works in other "level".

victorsouzaleal commented 3 years ago

> Ok guys, what about this?
>
> I'm coding a Koa server web app running on Microsoft Azure cloud, with a lot of CSV data imported to a local embedded NoSQL DB at build time, using data to populate server-side dynamic HTML and respond to API search requests.
>
> It was developed with NeDB. Some users reported slow responses and I really noticed it with some tests.
>
> But now I just dropped NeDB and replaced it by a LevelDB wrapper and now the application is blazing fast.
>
> I really feel the difference and testing with Lighthouse I can see a performance boost.
>
> Maybe it is because LevelDB is a C++ lib (like SQLite is a C lib), running operations at low level, wrapped into an NPM module.
>
> I strongly recommend LevelDB, it works in other "level".

Thanks, I was looking for an alternative since this project seems to have been abandoned

yetzt commented 3 years ago

I just checked out linvodb3, which was forked from nedb and uses level for data storage. Looks pretty much like a drop-in replacement to me.

rulrok commented 3 years ago

@louischatriot Could you please look into this one? It is causing headaches for a project which depends on npm audits to pass.
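For a project that needs `npm audit` to pass without switching libraries or forks, npm's `overrides` field forces a newer version of a transitive dependency onto the whole tree, including the copies reached through `nedb` and `binary-search-tree`. The package.json below is an added example and not from the thread or from nedb; `my-app` and the `^1.8.0` range are constructed, and `overrides` needs npm 8.3 or later (Yarn has the equivalent `resolutions` field).

```json
{
  "name": "my-app",
  "dependencies": {
    "nedb": "^1.8.0"
  },
  "overrides": {
    "underscore": "^1.12.1"
  }
}
```

After `npm install`, `npm ls underscore` should show the overridden version under both paths and the audit finding for advisory 1674 disappears. The caveat is that this actually changes the code nedb loads at runtime, from the `~1.4.4` range it declares to a release eight minor versions newer, so run the application's own tests against the overridden install rather than treating the clean audit as the whole story.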

rmanibus commented 3 years ago

Hello, I released a new version of nedb on my own fork to address this issue: https://github.com/rmanibus/nedb

release 1.9.0 can be found here: https://www.npmjs.com/package/@rmanibus/nedb

It also supports composite indexes:

    // `model` is a Datastore instance from the fork, e.g.:
    //   const Datastore = require("@rmanibus/nedb");
    //   const model = new Datastore({ filename: "data.db", autoload: true });
    // `debug` is whatever logging function the application uses.
    model.ensureIndex({ fieldName: ["field", "field2"], unique: true }, function (err) {
        if (err) {
            debug("DB error: " + err);
        }
    });