Closed timtucker-dte closed 2 weeks ago
I'll take a look at what's needed to get the upgrade working.
Though it doesn't seem the version constraints prevent the patched versions being used with the current version, unless I'm misreading the constraints?
Looking at package.json I see: "tedious": "^16.4.0"
That would allow for updating to anything within the 16.x.x series, but not 18.x.x
It's the transient dependencies, specifically @azure/identity dep, that are relevant here, those are transient dependencies, which are the problematic ones.
Fixed in v11.0.0
Older versions of Azure Identity are affected by CVE-2024-35255: https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
Current versions of mssql depend on tedious 16.
Tedious < 18.2.1 relies on the affected versions of Azure Identity: https://github.com/tediousjs/tedious/issues/1633
I see there was a dependabot task to update to 18.2.0 with a few failed tests, so it may not be a drop-in replacement: https://github.com/tediousjs/node-mssql/pull/1639