tediousjs / node-mssql

Microsoft SQL Server client for Node.js
https://tediousjs.github.io/node-mssql
MIT License

Update Tedious to 18.2.1 to resolve Azure Identity vulnerabilities #1662

Closed timtucker-dte closed 2 weeks ago

timtucker-dte commented 2 weeks ago

Older versions of Azure Identity are affected by CVE-2024-35255: https://github.com/advisories/GHSA-m5vv-6r4h-3vj9

Current versions of mssql depend on tedious 16.

Tedious < 18.2.1 relies on the affected versions of Azure Identity: https://github.com/tediousjs/tedious/issues/1633

I see there was a dependabot task to update to 18.2.0 with a few failed tests, so it may not be a drop-in replacement: https://github.com/tediousjs/node-mssql/pull/1639

dhensby commented 2 weeks ago

I'll take a look at what's needed to get the upgrade working.

dhensby commented 2 weeks ago

Though it doesn't seem the version constraints prevent the patched versions being used with the current version, unless I'm misreading the constraints?

timtucker-dte commented 2 weeks ago

Looking at package.json I see: "tedious": "^16.4.0"

That would allow for updating to anything within the 16.x.x series, but not 18.x.x

dhensby commented 2 weeks ago

It's the transient dependencies, specifically the @azure/identity dep, that are relevant here; those transient dependencies are the problematic ones.
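
The two points made above, that `"tedious": "^16.4.0"` admits any 16.x but never 18.x, and that the vulnerable package is a transitive dependency rather than a direct one, can be checked mechanically. The following is an added example written for this page, not code from node-mssql or tedious: it implements caret-range matching for majors >= 1 by hand (so no `semver` install is needed), then walks a constructed, package-lock-shaped tree to list every path through which `@azure/identity` is resolved. The tree, its version numbers, and the patched version passed to `vulnerableTransitive` are assumptions for illustration; take the real fixed version from the advisory linked in the issue.

```javascript
// Added example, not node-mssql's own code. Versions in the constructed tree
// below are illustrative and make no claim about actual tedious releases.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// -1 if a < b, 0 if equal, 1 if a > b (plain major.minor.patch only)
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for major >= 1: ^X.Y.Z allows [X.Y.Z, (X+1).0.0).
// 0.x caret ranges have different rules and are rejected here on purpose.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges handled here');
  const lower = range.slice(1);
  const [major] = parseVersion(lower);
  if (major === 0) throw new Error('0.x caret ranges not handled here');
  return compareVersions(version, lower) >= 0 && parseVersion(version)[0] === major;
}

// Constructed, package-lock-shaped tree (assumption: shape and versions are made up).
const lockTree = {
  name: 'mssql',
  version: '10.0.1',
  dependencies: {
    tedious: {
      version: '16.7.1',
      dependencies: { '@azure/identity': { version: '4.2.0', dependencies: {} } },
    },
    'some-other-dep': {
      version: '1.0.0',
      dependencies: { '@azure/identity': { version: '4.2.1', dependencies: {} } },
    },
  },
};

// Every path through which `target` is resolved, with the version at that path.
function findTransitive(node, target, path = []) {
  const hits = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    if (name === target) hits.push({ path: here.join(' > '), version: child.version });
    hits.push(...findTransitive(child, target, here));
  }
  return hits;
}

// Resolutions of `target` older than `fixedVersion` (the first patched release).
function vulnerableTransitive(tree, target, fixedVersion) {
  return findTransitive(tree, target).filter(h => compareVersions(h.version, fixedVersion) < 0);
}

// Usage: the direct constraint cannot reach 18.x, so the fix has to come via
// whatever version of @azure/identity the resolved tedious pulls in.
console.log('^16.4.0 admits 16.7.1:', satisfiesCaret('^16.4.0', '16.7.1'));
console.log('^16.4.0 admits 18.2.1:', satisfiesCaret('^16.4.0', '18.2.1'));
// '4.2.1' is an assumed patched version for the example, not taken from this page.
console.log(vulnerableTransitive(lockTree, '@azure/identity', '4.2.1'));
```

Run the real check against your own lockfile with `npm ls @azure/identity` (or `npm audit`), which prints the same path-plus-version view; the point of the walk above is that a top-level constraint on `tedious` says nothing about which `@azure/identity` ends up installed until the tree is resolved.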

dhensby commented 2 weeks ago

Fixed in v11.0.0