Update dependency sqlite3 to v5.1.5 [SECURITY] #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-sqlite3-vulnerability

renovate bot commented Jun 23, 2022 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
sqlite3	`5.0.0` -> `5.1.5`

GitHub Vulnerability Alerts

CVE-2022-21227

Affected versions of sqlite3 will experience a fatal error when supplying a specific object in the parameter array. This error causes the application to crash and could not be caught. Users of sqlite3 v5.0.0, v5.0.1 and v5.0.2 are affected by this. This issue is fixed in v5.0.3. All users are recommended to upgrade to v5.0.3 or later. Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters as a workaround.

CVE-2022-43441

Impact

Due to the underlying implementation of .ToString(), it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object.

Users of sqlite3 v5.0.0 - v5.1.4 are affected by this.

Patches

Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.

Workarounds

Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.

References

Commit: TryGhost/node-sqlite3@edb1934

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]

Credits: Dave McDaniel of Cisco Talos

Release Notes

TryGhost/node-sqlite3 (sqlite3)

`v5.1.5`

What's Changed

🔒 Fixed code execution vulnerability due to Object coercion by @daniellockyer
Updated bundled SQLite to v3.41.1 by @daniellockyer
Fixed rpath linker option when using a custom sqlite by @jeromew in #1654

Full Changelog: TryGhost/node-sqlite3@v5.1.4...v5.1.5

`v5.1.4`

What's Changed

Fixed glibc compatibility by downgrading CI to Ubuntu 20 by @daniellockyer in #1664

Full Changelog: TryGhost/node-sqlite3@v5.1.3...v5.1.4

`v5.1.3`

What's Changed

Updated bundled SQLite to v3.40.0 by @daniellockyer

Full Changelog: TryGhost/node-sqlite3@v5.1.2...v5.1.3

`v5.1.2`

What's Changed

Updated bundled SQLite to v3.39.4 by @daniellockyer

Full Changelog: TryGhost/node-sqlite3@v5.1.1...v5.1.2

`v5.1.1`

What's Changed

Added Darwin ARM64 binaries by @daniellockyer in #1594

A huge thanks to MacStadium for providing an M1 Mac Mini so we can offer ARM64 binaries.

Full Changelog: TryGhost/node-sqlite3@v5.1.0...v5.1.1

`v5.1.0`

✨ We're very excited to announce node-sqlite3's first minor release of v5, packed with features and improvements.

If you encounter any problems, please open a detailed issue using the templates.

What's Changed

Updated bundled SQLite to v3.39.3 by @daniellockyer
Added ability to receive updates from sqlite3_update_hook by @soukand in #1267
Added support for setting SQLite limits by @paulfitz in #1548
Added library types file by @bpasero in #1527
Added package-lock.json to .gitignore by @JoelEinbinder in #1628
Fixed remaining method declarations by @alexanderfloh in #1633
Fixed importing sqlite3#verbose using destructuring syntax by @mahdi-farnia in #1632

New Contributors

@JoelEinbinder made their first contribution in #1628
@mahdi-farnia made their first contribution in #1632
@soukand made their first contribution in #1267

Full Changelog: TryGhost/node-sqlite3@v5.0.11...v5.1.0

`v5.0.11`

What's Changed

Restored compatibility for Alpine 3.15 by @daniellockyer in #1626

Full Changelog: TryGhost/node-sqlite3@v5.0.10...v5.0.11

`v5.0.10`

What's Changed

Updated bundled SQLite to v3.39.2 by @daniellockyer
Addressed CodeQL warnings by @bpasero in #1614

New Contributors

@bpasero made their first contribution in #1614

Full Changelog: TryGhost/node-sqlite3@v5.0.9...v5.0.10

`v5.0.9`

What's Changed

Updated bundled SQLite to v3.39.1 by @daniellockyer
Fixed method declarations to conform with napi default for methods by @alexanderfloh in #1510
Fixed propagation of async hook ids through callbacks by @alexanderfloh in #1511
Updated sqlcipher homebrew CPPFLAGS location by @frovere in #1613

New Contributors

@alexanderfloh made their first contribution in #1510
@frovere made their first contribution in #1613

Full Changelog: TryGhost/node-sqlite3@v5.0.8...v5.0.9

`v5.0.8`

What's Changed

Reverted 5063367, which was causing a segfault with certain queries (#1605 and #1606)

Full Changelog: TryGhost/node-sqlite3@v5.0.7...v5.0.8

`v5.0.7`

What's Changed

Updated bundled SQLite to v3.38.4 by @daniellockyer in #1604
Improved performance by fetching column names once by @daniellockyer

Full Changelog: TryGhost/node-sqlite3@v5.0.6...v5.0.7

`v5.0.6`

What's Changed

Updated bundled SQLite to v3.38.3 by @daniellockyer in #1593. This fixes an upstream bug in SQLite that was reported here: #1589
Added Node 18 to CI by @daniellockyer in #1587

Full Changelog: TryGhost/node-sqlite3@v5.0.5...v5.0.6

`v5.0.5`

What's Changed

Fixed building on certain systems (#1584) by @daniellockyer
General repository maintenance by @daniellockyer

Thank you to everyone reporting issues with building sqlite3 or the prebuilt binaries 🙂 If you encounter an problem, please search open and closed issues for existing reports or open a new issue with as much system information as possible.

Full Changelog: TryGhost/node-sqlite3@v5.0.4...v5.0.5

`v5.0.4`

What's Changed

Added prebuilt Linux musl binaries - @daniellockyer
Added prebuilt Linux ARM64 binaries - @daniellockyer
Fixed older glibc compatibility - @daniellockyer

Full Changelog: TryGhost/node-sqlite3@v5.0.3...v5.0.4

`v5.0.3`

What's Changed

Updated bundled SQLite to v3.38.2 - @daniellockyer
Enabled math functions in compiler options - @kewde
Updated node-gyp to v8.x - @daniellockyer
Re-enabled Node-API v6 builds - @daniellockyer
Fixed segfault of invalid toString() object by @kewde in #1450
Fixed building on MacOS Monterey 12.3 - @daniellockyer
Replaced Python extraction script with JS by @xPaw in #1570
Switched prebuilt binary hosting to GitHub Releases - @daniellockyer

Known Problems

#1578 - the minimum glibc version for prebuilt binaries was bumped to 2.29. We hope to bring this back down within the next few releases but you will need to compile from source if your system ships with a lower version.
Prebuilt binaries for Linux do not work on musl systems. This should be fixed with 8b2cdd9 but you will need to compile from source to use v5.0.3.

Full Changelog: TryGhost/node-sqlite3@v5.0.2...v5.0.3

`v5.0.2`

disable N-API v6

`v5.0.1`

dep: node-addon-api to ^3.0.0 #1367
bug: bad comparison of c string #1347
build: Install files to be deployed #1352
sqlite3: upgrade to 3.32.3 #1351
bug: worker threads crash #1367
bug: segfaults #1368
typo: broken link to MapBox site #1369

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot changed the title ~~Update dependency sqlite3 to 5.0.3 [SECURITY]~~ Update dependency sqlite3 to 5.1.5 [SECURITY]

renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 6c98622 to 003a474 Compare

March 17, 2023 16:09

renovate bot changed the title ~~Update dependency sqlite3 to 5.1.5 [SECURITY]~~ Update dependency sqlite3 to v5.1.5 [SECURITY]

renovate bot changed the title ~~Update dependency sqlite3 to v5.1.5 [SECURITY]~~ Update dependency sqlite3 to v5.1.5 [SECURITY] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-sqlite3-vulnerability branch

February 24, 2024 02:18

renovate bot changed the title ~~Update dependency sqlite3 to v5.1.5 [SECURITY] - autoclosed~~ Update dependency sqlite3 to v5.1.5 [SECURITY]

renovate bot reopened this

renovate bot restored the renovate/npm-sqlite3-vulnerability branch

February 24, 2024 05:08

renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 003a474 to bf93a34 Compare

February 24, 2024 05:09

renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch 2 times, most recently from 4eb4219 to 1ca2184 Compare

January 30, 2025 18:15

renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 1ca2184 to a438461 Compare

February 9, 2025 14:32

renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from a438461 to 750512b Compare

March 3, 2025 18:09

renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 750512b to 4738ba9 Compare

April 24, 2025 06:53

renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 4738ba9 to 6facf77 Compare

May 19, 2025 17:43

renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 6facf77 to 2a6719f Compare

June 22, 2025 12:30

renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch 2 times, most recently from 26e9bd3 to 7b27c36 Compare

August 13, 2025 14:14


          Update dependency sqlite3 to v5.1.5 [SECURITY]

ea40b91

renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 7b27c36 to ea40b91 Compare

September 25, 2025 15:02

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet