Address dependency on package with high severity security vulnerability

[claasahl]

The latest version of db-migrate depends on a package with a high severity vulnerability (GHSA-fwr7-v2mv-hh25). It is my understanding that db-migrate does not directly use the affected package async, but rather indirectly imports it via prompt.

Please switch to an unaffected version of prompt or replace it altogether (e.g. #778).

[mriedem]

The latest beta tag series no longer requires prompt but I'm sure those of us using the 0.11.x series would like to see this resolved on that branch.

There is a new version of prompt with an updated async version, however, as noted in this commit, prompt still depends on an older version of winston which requires the old vulnerable async version:

flatiron/prompt@4736c82

So I think prompt needs to also update it's winston dependency version and then db-migrate will be good (once updated of course).

[mriedem]

As seen here getting prompt updated for winston is going to be work: flatiron/prompt#226

The master branch of this project no longer uses prompt, so if someone wanted to do some git history diving and find out what change removed that dependency maybe the maintainer would be open to backporting that to the v0.11.x branch.

[mriedem]

The master branch of this project no longer uses prompt, so if someone wanted to do some git history diving and find out what change removed that dependency maybe the maintainer would be open to backporting that to the v0.11.x branch.

Found it, a0432f1 - which is listed as a breaking change so probably not something that would be backported to the v0.11.x series.

[CvBlixen]

Found it, a0432f1 - which is listed as a breaking change so probably not something that would be backported to the v0.11.x series.

Thank you for examining this.

As a result of your research I tested 1.0.0-beta.18 on a couple of projects a large number of Postgres migrations, and it worked.

Would it be crazy to switch ... ? 😬

[mriedem]

Found it, a0432f1 - which is listed as a breaking change so probably not something that would be backported to the v0.11.x series.

Thank you for examining this.

As a result of your research I tested 1.0.0-beta.18 on a couple of projects a large number of Postgres migrations, and it worked.

Would it be crazy to switch ... ? 😬

We upgraded to the latest beta version in one of our projects with no problem so it's not crazy. However, we tried doing the same in another project which is pretty similar and for some reason we now get hangs in our tests. I'm not sure if it's a bug in our project or not. But if the beta version works for you then that's probably the fastest and easiest way to resolve the CVE issue.

#627 also has some statements on the stability of the beta series.

[devarcher]

Found it, a0432f1 - which is listed as a breaking change so probably not something that would be backported to the v0.11.x series.

Thank you for examining this.
As a result of your research I tested 1.0.0-beta.18 on a couple of projects a large number of Postgres migrations, and it worked.
Would it be crazy to switch ... ? grimacing

We upgraded to the latest beta version in one of our projects with no problem so it's not crazy. However, we tried doing the same in another project which is pretty similar and for some reason we now get hangs in our tests. I'm not sure if it's a bug in our project or not. But if the beta version works for you then that's probably the fastest and easiest way to resolve the CVE issue.

#627 also has some statements on the stability of the beta series.

Considering making the jump to 1.0.0-beta.18 from 0.11.x. Did you happen to overcome the issues you were having in the project that was hanging during tests?

[travivi]

Winston published a new version 2.4.6 which fixes the vulnerability. Prompt is now taking the fixed version of winston so it seems the vulenerability is fixed on db-migrate@0.11.13

npm ls async

[claasahl]

Thanks for the pointer @travivi This did the trick for me 👍