Node-sqlite3: SQLite binaries should be upgraded to latest patched sqlite 3.32.1, due to critical and high vulnerabilities

Created on 2 Jun 2020 · 4 Comments · Source: mapbox/node-sqlite3

Hi Mapbox team,

Recently our company internal docker image scanner reported a bunch of critical and high vulnerabilities related to the sqlite binaries version 3.31.1 which is used by the sqlite3 npm package version 4.2.0.

The list of vulnerabilities is:

Is there any planned activity to upgrade to the latest sqlite distribution, version 3.32.1 from 2020-05-25?

Looking forward to your feedback soon.

Thank you in advance.

All 4 comments

Hey, I also have the same issue, as I really need to get rid of these vulnerabilities. Is there any plan when to upgrade the sqlite version to some newer and less vulnerable one?

Ah, just saw https://github.com/mapbox/node-sqlite3/pull/1341 and the comment that it will be released soon, thx :-)

One more PR #1353 that points to the latest sqlite distribution 3.32.3

Updating to the latest 3.32 versions would also mean that by default the variable limit increases from 999 to 32766 which would be amazing.

https://www.sqlite.org/releaselog/3_32_0.html
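A way to confirm that the upgrade actually landed in a deployment, as an added example that is not from the issue thread or the node-sqlite3 project: it reads `sqlite_version()` through the installed binding and probes the bound-variable limit mentioned above by binding 1000 parameters. It assumes the `sqlite3` npm package is installed; the threshold 3.32.1 is the version the issue requests, and the helper names are the example's own.

```javascript
// Added example (not from the issue or the project): verify which SQLite the
// installed node-sqlite3 binding links against, and probe the variable limit
// that SQLite 3.32.0 raised from 999 to 32766.

const MIN_PATCHED = '3.32.1'; // version requested in the issue

// Compare dotted version strings numerically ("3.32.3" > "3.4.0").
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the linked SQLite is at or above the requested patched release.
function isPatched(version, minimum = MIN_PATCHED) {
  return compareVersions(version, minimum) >= 0;
}

// Build "SELECT ?,?,...,?" with n placeholders to probe SQLITE_MAX_VARIABLE_NUMBER.
function placeholderQuery(n) {
  return 'SELECT ' + new Array(n).fill('?').join(',');
}

// Open an in-memory database with the installed binding and report the linked
// sqlite_version() plus whether a statement with 1000 bound parameters is
// accepted (it fails with "too many SQL variables" under the old 999 default).
function checkInstalledSqlite() {
  const sqlite3 = require('sqlite3'); // loaded lazily so the helpers above need no dependency
  return new Promise((resolve, reject) => {
    const db = new sqlite3.Database(':memory:');
    db.get('SELECT sqlite_version() AS v', (err, row) => {
      if (err) return reject(err);
      const version = row.v;
      const params = new Array(1000).fill(1);
      db.get(placeholderQuery(1000), params, (limitErr) => {
        db.close();
        resolve({ version, patched: isPatched(version), allows1000Params: !limitErr });
      });
    });
  });
}

module.exports = { compareVersions, isPatched, placeholderQuery, checkInstalledSqlite };
```

Run `checkInstalledSqlite().then(console.log)` in the project's `node_modules` context; a result with `patched: false` or `allows1000Params: false` means the deployed binary is still the pre-3.32 build.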

Hi @ErisDS ,
The PR https://github.com/mapbox/node-sqlite3/pull/1351 was already merged. It contains the upgrade to SQLite 3.32.3.

The only missing part is to make the release 5.0.1. Hope that will not last ages.
