
Update Knex to v2.4.2 & Run npm audit #2125

Status: Open. Wants to merge 8 commits into base: master.

Conversation

kellnerd

@kellnerd kellnerd commented Apr 11, 2023

Introduction

Update to the latest, non-vulnerable version of the Knex query builder.

Motivation

GHSA-4jv9-3563-23j3

Proposed solution

I performed this update in two steps: First I tested the existing commits for the update to v1 from #2120, then I updated to v2 and ran the test suite again, which required me to exchange the sqlite3 package again (see 5ece77d).
Finally I performed an npm audit to update a few other dependencies with security issues.

Current PR Issues

The only remaining security issues are related to dependencies of the website, i.e.
bookshelf-jsdoc-theme, which are not relevant for my (or other downstream users') use case.

t1eb4n and others added 8 commits February 15, 2022 01:56

Removing Node 10 as Knex requires at least 12, and 16 is the most recent LTS

While the fork got rid of a few unneeded dependencies, the latest knex
version needs the official package in order to run the SQLite tests.
Partially reverts 2baafea

The only remaining security issues are dependencies of the website, i.e.
bookshelf-jsdoc-theme, which are not relevant for us.

3 participants