tediousjs / node-mssql

Microsoft SQL Server client for Node.js
https://tediousjs.github.io/node-mssql
MIT License
2.23k stars 465 forks

Vulnerable semver dependency flagged by snyk #1496

Closed theseedubya closed 1 year ago

theseedubya commented 1 year ago

Snyk flags the semver ver 7.5.0 as vulnerable to ReDoS. This can be addressed by updating to version 7.5.2

Expected behaviour:

Snyk test to pass with no vulnerabilities

Actual behaviour:

Issues with no direct upgrade or patch:
✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795] in semver@7.5.0
introduced by mssql@9.1.1 > tedious@15.1.3 > @azure/identity@2.1.0 > @azure/msal-node@1.17.2 > jsonwebtoken@9.0.0 > semver@7.5.0
This issue was fixed in versions: 7.5.2

Configuration:

N/A

Software versions

dhensby commented 1 year ago

As per responses to other issues raised due to automated audits:

  1. This is the wrong repo to bring this up in; it is not a dependency of this library.
  2. Have you reviewed the vulnerability to see if it actually applies / is used in a way that the vulnerability can be exploited when used in conjunction with this library?
  3. "Expected behavior is that there are no vulnerabilities after installing mssql." - I disagree with this expected behaviour, there is no such expectation within this library.

Additional reading for those that are interested - https://overreacted.io/npm-audit-broken-by-design/

The crux of it is that there is no requirement for audits to come back with 0 results, the aim would be for there to be no exploitable security issues. If you believe there is an exploitable security issue, please raise that in the relevant library.
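Point 2 above asks whether the flagged package is actually reachable through this library, and the "introduced by" chain in the original report is exactly what such a check traces. As an added example (not node-mssql's code), the script below walks an `npm ls --json`-style tree that is constructed inline to mirror the quoted chain, lists every path to the flagged package, and compares each installed version against the advisory's fixed version; the tree, the extra direct `semver@7.5.4` entry and the simplified version comparison are all assumptions made for the example.

```javascript
// Constructed sample tree in the shape of `npm ls --json`; it mirrors the
// dependency chain quoted in the issue plus one already-patched direct dep.
const SAMPLE_TREE = {
  name: 'app', version: '1.0.0',
  dependencies: {
    mssql: { version: '9.1.1', dependencies: {
      tedious: { version: '15.1.3', dependencies: {
        '@azure/identity': { version: '2.1.0', dependencies: {
          '@azure/msal-node': { version: '1.17.2', dependencies: {
            jsonwebtoken: { version: '9.0.0', dependencies: {
              semver: { version: '7.5.0' } } } } } } } } } } },
    semver: { version: '7.5.4' } // direct dependency, already past the fix
  }
};

// Simplified x.y.z comparison (no prerelease/build handling); returns true
// when `installed` is at or above `fixed`.
function atLeast(installed, fixed) {
  const a = installed.split('.').map(Number);
  const b = fixed.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Depth-first walk: every path from the root to a package named `pkg`,
// with the installed version and whether it already meets `fixedIn`.
function findPaths(tree, pkg, fixedIn) {
  const hits = [];
  const walk = (node, trail) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = trail.concat(`${name}@${dep.version}`);
      if (name === pkg) {
        hits.push({ chain: here.join(' > '), version: dep.version, fixed: atLeast(dep.version, fixedIn) });
      }
      walk(dep, here);
    }
  };
  walk(tree, []);
  return hits;
}

// Advisory values as quoted in the issue: semver, fixed in 7.5.2.
const report = findPaths(SAMPLE_TREE, 'semver', '7.5.2');
for (const h of report) console.log(`${h.fixed ? 'ok  ' : 'VULN'} ${h.chain}`);
```

A path in the tree only shows the package is installed; it does not show that the affected function is ever called with untrusted input, which is the review point 2 actually asks for.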