Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: update dependency sqlite3 to v5.1.5 [security] #9349

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore: update dependency sqlite3 to v5.1.5 [security] #9349

wants to merge 1 commit into from
+38 −12

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 22, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
sqlite3 5.1.4 -> 5.1.5 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-43441

Impact

Due to the underlying implementation of .ToString(), it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object.

Users of sqlite3 v5.0.0 - v5.1.4 are affected by this.

Patches

Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.

Workarounds

  • Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.

References

For more information

If you have any questions or comments about this advisory:

Credits: Dave McDaniel of Cisco Talos

Release Notes

TryGhost/node-sqlite3 (sqlite3)

v5.1.5

Compare Source

What's Changed

Full Changelog: TryGhost/node-sqlite3@v5.1.4...v5.1.5

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from samarpanB as a code owner March 22, 2023 17:53
@renovate renovate bot added dependencies Pull requests that update a dependency file SECURITY labels Mar 22, 2023
@renovate renovate bot requested a review from a team March 22, 2023 17:53
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 12031d6 to 9bbb278 Compare March 22, 2023 18:05
@renovate renovate bot changed the title chore: update dependency sqlite3 [security] chore: update dependency sqlite3 to v5.1.5 [security] Mar 22, 2023
@renovate renovate bot changed the title chore: update dependency sqlite3 to v5.1.5 [security] chore: update dependency sqlite3 to 5.1.5 [security] Mar 22, 2023
@renovate renovate bot changed the title chore: update dependency sqlite3 to 5.1.5 [security] chore: update dependency sqlite3 to v5.1.5 [security] Mar 22, 2023
@renovate renovate bot changed the title chore: update dependency sqlite3 to v5.1.5 [security] chore: update dependency sqlite3 to 5.1.5 [security] Mar 23, 2023
@renovate renovate bot changed the title chore: update dependency sqlite3 to 5.1.5 [security] chore: update dependency sqlite3 to v5.1.5 [security] Mar 23, 2023
@renovate renovate bot changed the title chore: update dependency sqlite3 to v5.1.5 [security] chore: update dependency sqlite3 to 5.1.5 [security] Mar 23, 2023
@renovate renovate bot changed the title chore: update dependency sqlite3 to 5.1.5 [security] chore: update dependency sqlite3 to ^5.1.6 [security] Mar 23, 2023
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 9bbb278 to fc90a3a Compare March 23, 2023 04:05
@shubhamp-sf
Copy link
Contributor

shubhamp-sf commented Mar 23, 2023
edited
Loading

Merging this would lead to breaking tests as reported here: TryGhost/node-sqlite3#1694

Waiting for explanation from node-sqlite3 maintainers about this, I'll make necessary modification in the tests after that.

@renovate renovate bot changed the title chore: update dependency sqlite3 to ^5.1.6 [security] chore: update dependency sqlite3 to ^5.1.5 [security] Mar 23, 2023
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from fc90a3a to f0feefe Compare March 23, 2023 07:09
@renovate renovate bot changed the title chore: update dependency sqlite3 to ^5.1.5 [security] chore: update dependency sqlite3 to 5.1.5 [security] Mar 23, 2023
@renovate renovate bot changed the title chore: update dependency sqlite3 to 5.1.5 [security] chore: update dependency sqlite3 to ^5.1.6 [security] Mar 23, 2023
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch 2 times, most recently from 65f2138 to 7b46fe7 Compare March 23, 2023 08:45
@renovate renovate bot changed the title chore: update dependency sqlite3 to ^5.1.6 [security] chore: update dependency sqlite3 to ^5.1.5 [security] Mar 23, 2023
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 7b46fe7 to 8d264e8 Compare March 23, 2023 10:20
@renovate renovate bot changed the title chore: update dependency sqlite3 to ^5.1.5 [security] chore: update dependency sqlite3 to 5.1.5 [security] Mar 23, 2023
@renovate renovate bot changed the title chore: update dependency sqlite3 to 5.1.5 [security] chore: update dependency sqlite3 to ^5.1.6 [security] Mar 23, 2023
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 8d264e8 to d2edf8d Compare March 23, 2023 12:17
@renovate renovate bot changed the title chore: update dependency sqlite3 to ^5.1.6 [security] chore: update dependency sqlite3 to 5.1.5 [security] Mar 23, 2023
@renovate renovate bot changed the title chore: update dependency sqlite3 to 5.1.5 [security] chore: update dependency sqlite3 to ^5.1.6 [security] Mar 23, 2023
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from d2edf8d to 03523bc Compare March 23, 2023 14:27
@renovate renovate bot changed the title chore: update dependency sqlite3 to ^5.1.6 [security] chore: update dependency sqlite3 to ^5.1.5 [security] Mar 23, 2023
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 03523bc to 028fe27 Compare March 23, 2023 16:30
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch 4 times, most recently from 50f4985 to 2dc0746 Compare July 14, 2024 01:54
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from 2dc0746 to 3aa5959 Compare July 25, 2024 01:28
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch 4 times, most recently from 031e76f to ea8245e Compare August 19, 2024 19:14
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch 5 times, most recently from 7e7b8ef to 1d02227 Compare September 5, 2024 14:09
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch 11 times, most recently from 9229483 to 634453e Compare September 16, 2024 13:55
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch 2 times, most recently from cb15ba2 to cc3649f Compare September 24, 2024 14:03
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from cc3649f to b278a84 Compare October 3, 2024 14:55
@renovate
chore: update dependency sqlite3 to v5.1.5 [security]
1856a52 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-sqlite3-vulnerability branch from b278a84 to 1856a52 Compare October 3, 2024 15:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@samarpanB samarpanB Awaiting requested review from samarpanB samarpanB is a code owner

@raymondfeng raymondfeng Awaiting requested review from raymondfeng raymondfeng is a code owner

@achrinza achrinza Awaiting requested review from achrinza

@dhmlau dhmlau Awaiting requested review from dhmlau

@nflaig nflaig Awaiting requested review from nflaig

@nabdelgadir nabdelgadir Awaiting requested review from nabdelgadir

@marioestradarosa marioestradarosa Awaiting requested review from marioestradarosa

@mschnee mschnee Awaiting requested review from mschnee

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file SECURITY
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@shubhamp-sf @coveralls