typeorm / typeorm

ORM for TypeScript and JavaScript. Supports MySQL, PostgreSQL, MariaDB, SQLite, MS SQL Server, Oracle, SAP Hana, WebSQL databases. Works in NodeJS, Browser, Ionic, Cordova and Electron platforms.
http://typeorm.io
MIT License

TypeOrm mssql peer dependency issue related to CVE-2024-35255 #10946

Open MissaouiChedy opened 1 week ago

MissaouiChedy commented 1 week ago

Issue description

I am using TypeOrm 0.3.20 in a project with SQL Server.

npm audit is surfacing the following vulnerability related to @azure/identity:

# npm audit report 
@azure/identity  <4.2.1
Severity: moderate
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
fix available via `npm audit fix --force`
Will install mssql@11.0.0, which is a breaking change
node_modules/@azure/identity
  tedious  11.0.9 - 18.2.0
  Depends on vulnerable versions of @azure/identity
  node_modules/tedious
    mssql  7.2.1 - 10.0.4
    Depends on vulnerable versions of tedious
    node_modules/mssql
      typeorm  0.3.6-dev.0418ebc - 0.3.6-dev.ef025bd || >=0.3.7-dev.1b5aa62
      Depends on vulnerable versions of mssql
      node_modules/typeorm
4 moderate severity vulnerabilities

It is possible to mitigate the issue by upgrading mssql to 11.0.x, however this causes a peer dependency conflict with typeorm 0.3.20.

What would be the ramifications of allowing mssql 11 as a peer dependency in typeorm? I am open to contributing.

Expected Behavior

No peer dependency conflict with mssql 11.0.0

Actual Behavior

Peer dependency conflict with mssql 11.0.0

Steps to reproduce

In a sample project:

  1. Reference typeorm 0.3.20
  2. Reference mssql 11.0.0
  3. Run npm install

My Environment

| Dependency         | Version        |
|--------------------|----------------|
| Operating System   | Linux (Ubuntu) |
| Node.js version    | 22.2           |
| Typescript version | ^5.1.3         |
| TypeORM version    | 0.3.20         |

Additional Context

Unfortunately, I was not able to follow the typeorm security policy as the support@typeorm.io e-mail is unreachable.

Relevant Database Driver(s)

Are you willing to resolve this issue by submitting a Pull Request?

Yes, I have the time, but I don't know how to start. I would need guidance.
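The audit chain in the report above ("typeorm depends on mssql, which depends on tedious, which depends on a vulnerable @azure/identity") and the peer-dependency conflict in the reproduction steps can both be checked mechanically from a lock file. The following is an added example written for this thread, not code from the TypeORM project or the issue author. It walks a constructed package-lock.json v3 `packages` map, reports every dependency chain that leads from the advisory's package to the project root, and tests a candidate mssql version against the peer range typeorm declares. The lock-file excerpt, the tedious version and the peer range `^9.1.1 || ^10.0.1` are sample values, not read from the real packages; only `^`, `<`, `<=`, `>`, `>=`, exact and `||` ranges are understood.

```javascript
// Added example, not TypeORM code. Minimal analogue of what `npm audit` and
// the peer-dependency resolver do, over a constructed lock-file excerpt.

// Constructed lock-file excerpt mirroring the chain in the audit report.
// All versions and the peer range are sample values (assumption), not real data.
const lock = {
  packages: {
    "": { dependencies: { typeorm: "0.3.20", mssql: "10.0.4" } },
    "node_modules/typeorm": {
      version: "0.3.20",
      peerDependencies: { mssql: "^9.1.1 || ^10.0.1" },
    },
    "node_modules/mssql": { version: "10.0.4", dependencies: { tedious: "^16.0.0" } },
    "node_modules/tedious": { version: "16.7.1", dependencies: { "@azure/identity": "^4.0.0" } },
    "node_modules/@azure/identity": { version: "4.0.1" },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// One comparator: "^x.y.z" (caret), or a bounded/exact comparison.
function satisfiesComparator(ver, comp) {
  if (comp.startsWith("^")) {
    const lo = parseVersion(comp.slice(1));
    // Caret: same major if major > 0, same minor if major is 0, exact if 0.0.z.
    const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : lo[1] > 0 ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
    return compare(ver, lo) >= 0 && compare(ver, hi) < 0;
  }
  const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comp);
  const c = compare(ver, parseVersion(m[2]));
  switch (m[1] || "=") {
    case ">=": return c >= 0;
    case "<=": return c <= 0;
    case ">":  return c > 0;
    case "<":  return c < 0;
    default:   return c === 0;
  }
}

// A range is "||"-separated alternatives, each a space-separated AND of comparators.
function satisfies(version, range) {
  const ver = parseVersion(version);
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((comp) => satisfiesComparator(ver, comp)));
}

// Package name installed at a lock path such as "node_modules/@azure/identity".
function nameOf(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Every lock path that declares `name` as a dependency or peer dependency
// (npm 7+ installs peer dependencies, so they form part of the chain).
function dependents(lock, name) {
  return Object.entries(lock.packages)
    .filter(([, meta]) => (meta.dependencies && name in meta.dependencies) ||
                          (meta.peerDependencies && name in meta.peerDependencies))
    .map(([path]) => path);
}

// All chains from `name` up to the project root "", as arrays of package names.
// Assumes a flat node_modules layout (no nested duplicates), as in the excerpt.
function chainsToRoot(lock, name, seen = new Set()) {
  const chains = [];
  for (const path of dependents(lock, name)) {
    if (path === "") { chains.push([name]); continue; }
    const parent = nameOf(path);
    if (seen.has(parent)) continue; // cycle guard
    for (const rest of chainsToRoot(lock, parent, new Set([...seen, parent]))) {
      chains.push([name, ...rest]);
    }
  }
  return chains;
}

// Is the installed version inside the advisory's vulnerable range, and through
// which chains does it reach the root? The advisory range is taken from the report.
function audit(lock, advisory) {
  const installed = lock.packages[`node_modules/${advisory.name}`];
  if (!installed) return { vulnerable: false, installed: null, chains: [] };
  const vulnerable = satisfies(installed.version, advisory.range);
  return { vulnerable, installed: installed.version,
           chains: vulnerable ? chainsToRoot(lock, advisory.name) : [] };
}

// Would installing `candidate` of `peer` violate `pkg`'s declared peer range?
function peerConflict(lock, pkg, peer, candidate) {
  const range = lock.packages[`node_modules/${pkg}`].peerDependencies[peer];
  return { range, ok: satisfies(candidate, range) };
}

// Stand-alone demo: reproduce the audit chain and the mssql 11 peer conflict.
console.log(JSON.stringify(audit(lock, { name: "@azure/identity", range: "<4.2.1" }), null, 2));
console.log(JSON.stringify(peerConflict(lock, "typeorm", "mssql", "11.0.0")));
```

Running it prints two chains ending at typeorm and at the root's own mssql dependency, and reports `ok: false` for mssql 11.0.0 against the constructed peer range, which is the conflict the reproduction steps describe. Widening the peer range in typeorm's package.json is what would make the second check pass; whether mssql 11 is API-compatible with the driver is a separate question the maintainers have to answer.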

Fatmoogle commented 1 week ago

Were you able to resolve the vulnerabilities on your end and still update mssql to v11.0.0?

MissaouiChedy commented 1 week ago

> Were you able to resolve the vulnerabilities on your end and still update mssql to v11.0.0?

@Fatmoogle I am not sure I understand you correctly, but yes, I tried `npm audit fix` + upgrade to mssql 11.0.0, but I get a dependency conflict.

Should I try to ignore the dependency conflict and test anyway?