maptiler / tileserver-gl

Vector and raster maps with GL styles. Server side rendering by MapLibre GL Native. Map tile server for MapLibre GL JS, Android, iOS, Leaflet, OpenLayers, GIS via WMTS, etc.
https://tileserver.readthedocs.io/en/latest/

Update to use latest mbtiles for sqlite3 vulnerability #591

Closed ayohrling closed 2 years ago

ayohrling commented 2 years ago

There is a NIST bulletin for a vulnerability in the nodejs-sqlite3 module that is used. https://nvd.nist.gov/vuln/detail/CVE-2022-21227

This is resolved in version >=5.0.2; however, the current release (3.1.1) of tileserver-gl uses @mapbox/mbtiles version 0.11.0, which is coded to a 4.x module dependency for sqlite3. There was even a later release of mbtiles almost 2 years ago, 0.12.1, that utilizes ^5.0.0, which allows for easy update of the sqlite3 module to a fixed version.
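The check described in the comment above, as an added example that is not part of the original issue or the project's code: it walks an npm lockfile (v2/v3 `packages` layout, an assumption), reports every installed `sqlite3` copy below the fixed version quoted in the issue, and names the parent whose declared range holds it there. The sample lockfile is constructed, and the helper names `auditLock`, `isBelow` and `parseVersion` are hypothetical.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" layout) for sqlite3.
// FIXED is the threshold quoted in the issue (">=5.0.2"); it is taken from
// the page, not independently verified here.
const FIXED = [5, 0, 2];

// Constructed sample lockfile mirroring the situation the issue describes.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "tileserver-gl", version: "3.1.1",
          dependencies: { "@mapbox/mbtiles": "0.11.0" } },
    "node_modules/@mapbox/mbtiles": { version: "0.11.0",
          dependencies: { sqlite3: "4.x" } },
    "node_modules/sqlite3": { version: "4.2.0" },
  },
};

// Parse "major.minor.patch", ignoring prerelease/build suffixes.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function isBelow(version, floor) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== floor[i]) return a[i] < floor[i];
  }
  return false; // equal to the floor counts as fixed
}

// Return every installed copy of `name` below `floor`, together with all
// packages in the lockfile that declare a range for it (the pins to review).
function auditLock(lock, name, floor) {
  const pkgs = lock.packages || {};
  const requiredBy = Object.entries(pkgs)
    .filter(([, e]) => e.dependencies && name in e.dependencies)
    .map(([path, e]) => ({
      parent: path.split("node_modules/").pop() || "(root)",
      parentVersion: e.version,
      range: e.dependencies[name],
    }));
  return Object.entries(pkgs)
    .filter(([path]) => path.endsWith(`node_modules/${name}`))
    .filter(([, e]) => isBelow(e.version, floor))
    .map(([path, e]) => ({ path, version: e.version, requiredBy }));
}

console.log(JSON.stringify(auditLock(sampleLock, "sqlite3", FIXED), null, 2));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.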

acalcutt commented 2 years ago

Fixed by https://github.com/maptiler/tileserver-gl/pull/602, which was just merged and contains @mapbox/mbtiles 0.12.1