Do you have plans to upgrade the SQLite vulnerabilities

[jzonehu]

This package has been identified with the following CVEs:

CVE-2022-21227 CVE-2022-46908 CVE-2023-7104

It appears that the underlying libsqlc-ndk-native-driver.so needs to be upgraded from SQLite 3.40.0 to version 3.43.0 or higher. Do you have plans to perform this upgrade?

[MikeDimmickMnetics]

The opinion of the SQLite developers towards CVEs can be found here: https://www.sqlite.org/cves.html.

The three CVEs you have listed are listed there:

1. CVE-2022-21227 relates to the sqlite3 npm package, not this plugin, and not to the core SQLite engine.
2. CVE-2022-46908 relates to the command line sqlite3 program and the possibility that its --safe switch allows some unsafe syntax. This plugin doesn't include the CLI.
3. CVE-2023-7104 relates to the session extension, which is disabled by default. It has to be enabled at compile time. The distributed libsqlc-ndk-native-driver.so doesn't include it. The vulnerability is in a C-language API that this plugin doesn't use and doesn't expose.

[mirko77]

No updates for two years, so I would consider this repo archived at this point.