open-duelyst/duelyst

[P1] Upgrade knex to 0.95.0+

Open

#54 opened on Sep 25, 2022

Labels: backend, help wanted, security


Description

Knex.js, our SQL query builder, has a few minor vulnerabilities in the current 0.19.5 version:

  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0
    introduced by:
    knex@0.19.5 > liftoff@3.1.0 > findup-sync@3.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0
    knex@0.19.5 > liftoff@3.1.0 > findup-sync@3.0.0 > micromatch@3.1.10 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0
    knex@0.19.5 > liftoff@3.1.0 > findup-sync@3.0.0 > micromatch@3.1.10 > extglob@2.0.4 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0
    knex@0.19.5 > liftoff@3.1.0 > findup-sync@3.0.0 > micromatch@3.1.10 > nanomatch@1.2.13 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0
    knex@0.19.5 > liftoff@3.1.0 > findup-sync@3.0.0 > micromatch@3.1.10 > extglob@2.0.4 > expand-brackets@2.1.4 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0

We should upgrade to 0.95.0 by following this guide: https://github.com/knex/knex/blob/master/UPGRADING.md#upgrading-to-version-0950

This may require changes to code in the cli, scripts, server, test, and worker directories.
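The advisory the issue cites is a prototype-pollution bug in a dotted-path helper. The following is an added example, not code from open-duelyst and not the implementation of unset-value: a toy path-based "unset" written to show the pattern such advisories describe (a caller-controlled path that walks through `__proto__` reaches state shared by every object that inherits from that prototype) beside a hardened version that refuses those paths and only touches own properties. The names unsafeUnset, safeUnset, demoUnset and demoOwnPath, and the session/defaults scenario, are constructed for this example.

```javascript
'use strict';

// Vulnerable pattern: follow every path segment the caller supplies. On a plain
// object, obj["__proto__"] is Object.prototype, so a path such as "__proto__.x"
// deletes x from the prototype shared by every object in the process.
// (Hypothetical helper written for this example, not unset-value's code.)
function unsafeUnset(obj, path) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur === null || typeof cur !== 'object') return false;
    cur = cur[parts[i]];
  }
  if (cur === null || typeof cur !== 'object') return false;
  delete cur[parts[parts.length - 1]];
  return true;
}

// Hardened version: reject the segments that reach a prototype, and only step
// through (and delete) own properties, so inherited state is never touched.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeUnset(obj, path) {
  const parts = path.split('.');
  if (parts.some((p) => PROTOTYPE_KEYS.has(p))) return false;
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur === null || typeof cur !== 'object' || !hasOwn(cur, parts[i])) return false;
    cur = cur[parts[i]];
  }
  const last = parts[parts.length - 1];
  if (cur === null || typeof cur !== 'object' || !hasOwn(cur, last)) return false;
  delete cur[last];
  return true;
}

// Constructed scenario: session objects inherit their defaults from one shared
// prototype (standing in for Object.prototype so the demo does not damage the
// running process). The path is attacker-controlled input, e.g. a JSON body
// naming which setting to clear on the caller's own session.
function demoUnset(unset) {
  const defaults = { role: 'user', mfaRequired: true };
  const attacker = Object.create(defaults);
  const victim = Object.create(defaults);
  const changed = unset(attacker, '__proto__.mfaRequired');
  return {
    changed,                                   // did the helper perform a delete?
    victimMfa: victim.mfaRequired,             // true only if the shared default survived
    sharedDefaultsIntact: hasOwn(defaults, 'mfaRequired'),
  };
}

// A legitimate own-property path still works with the hardened helper.
function demoOwnPath() {
  const session = { prefs: { theme: 'dark' } };
  const ok = safeUnset(session, 'prefs.theme');
  return { ok, themeGone: !hasOwn(session.prefs, 'theme') };
}

console.log('unsafeUnset:', demoUnset(unsafeUnset));
console.log('safeUnset:  ', demoUnset(safeUnset));
console.log('own path:   ', demoOwnPath());
```

With the vulnerable helper the delete lands on the shared prototype and the victim session loses its `mfaRequired` default; with the hardened helper the call is refused and ordinary paths such as `prefs.theme` still work. Against a real Object.prototype the same walk would affect every object in the Node process, which is why such findings are rated high even when the helper is many levels deep in the dependency tree.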
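The "introduced by" chains above are paths from the application's dependency tree to the vulnerable package. The following is an added example, not code from open-duelyst or from Snyk: a small path finder that reproduces those chains from an adjacency list and can be re-run after the upgrade to confirm that no path to unset-value remains. DEP_GRAPH is constructed by hand from the chains the issue lists; UPGRADED_GRAPH is a placeholder standing for the tree after the upgrade, and does not describe knex 0.95.0's real dependencies. On a real project the graph would be built from `npm ls --all --json` or the lockfile. findPaths and pathsToPackage are hypothetical names.

```javascript
'use strict';

// Adjacency list "name@version" -> direct dependencies. Constructed for this
// example from the chains in the issue; the root has no version.
const DEP_GRAPH = {
  'duelyst-app': ['knex@0.19.5'],
  'knex@0.19.5': ['liftoff@3.1.0'],
  'liftoff@3.1.0': ['findup-sync@3.0.0'],
  'findup-sync@3.0.0': ['micromatch@3.1.10'],
  'micromatch@3.1.10': ['snapdragon@0.8.2', 'braces@2.3.2', 'extglob@2.0.4', 'nanomatch@1.2.13'],
  'braces@2.3.2': ['snapdragon@0.8.2'],
  'extglob@2.0.4': ['snapdragon@0.8.2', 'expand-brackets@2.1.4'],
  'expand-brackets@2.1.4': ['snapdragon@0.8.2'],
  'nanomatch@1.2.13': ['snapdragon@0.8.2'],
  'snapdragon@0.8.2': ['base@0.11.2'],
  'base@0.11.2': ['cache-base@1.0.1'],
  'cache-base@1.0.1': ['unset-value@1.0.0'],
  'unset-value@1.0.0': [],
};

// Placeholder for the post-upgrade tree (assumption for this example only; the
// real dependencies of knex@0.95.0 are not modelled here).
const UPGRADED_GRAPH = {
  'duelyst-app': ['knex@0.95.0'],
  'knex@0.95.0': [],
};

// "a@1.0.0" -> "a", "@scope/b@2.0.0" -> "@scope/b", "root" -> "root".
function nameOf(node) {
  const i = node.lastIndexOf('@');
  return i > 0 ? node.slice(0, i) : node;
}

// Depth-first search returning every simple path from root to a node whose
// package name is target. Nodes on the current stack are skipped so cycles,
// which real dependency graphs can contain, cannot loop forever.
function findPaths(graph, root, target) {
  const results = [];
  const stack = [];
  const onStack = new Set();

  function visit(node) {
    if (onStack.has(node)) return;
    stack.push(node);
    onStack.add(node);
    if (nameOf(node) === target) {
      results.push(stack.slice(1)); // drop the root, matching the advisory output
    } else {
      for (const dep of graph[node] || []) visit(dep);
    }
    stack.pop();
    onStack.delete(node);
  }

  visit(root);
  // Shortest chains first, as in the issue; Array.prototype.sort is stable.
  return results.sort((a, b) => a.length - b.length);
}

// Render chains in the "a@1 > b@2 > ..." form used in the issue.
function pathsToPackage(graph, root, target) {
  return findPaths(graph, root, target).map((p) => p.join(' > '));
}

const before = pathsToPackage(DEP_GRAPH, 'duelyst-app', 'unset-value');
console.log(`${before.length} path(s) to unset-value before upgrade:`);
for (const chain of before) console.log('  ' + chain);
const after = pathsToPackage(UPGRADED_GRAPH, 'duelyst-app', 'unset-value');
console.log(`${after.length} path(s) to unset-value after upgrade`);
```

The five chains printed for DEP_GRAPH are exactly the ones in the issue, in the same order. The useful check after the upgrade is that the same query returns zero chains; if it does not, the remaining chain tells you which other dependency still pulls in the old micromatch@3 line and needs its own upgrade or override.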
