sqlite3 dependency introduces high-severity security vulnerability (GHSA-8qq5-rm4j-mr97) #536

@moritzlang

Description

The current SQLite persistent storage relies on the sqlite3 package which is unmaintained. This introduces a high-severity vulnerability via its dependency on tar (<=7.5.2):

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ node-tar is Vulnerable to Arbitrary File Overwrite and │
│                     │ Symlink Poisoning via Insufficient Path Sanitization   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ tar                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ flexsearch > sqlite3 > tar                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-8qq5-rm4j-mr97      │
└─────────────────────┴────────────────────────────────────────────────────────┘

Since sqlite3 is unmaintained this vulnerability is unlikely to be patched upstream.

Proposal:
Replace sqlite3 with better-sqlite3
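
Added example, not code from the issue, from flexsearch, or from sqlite3: a small lockfile walker that reproduces the "Paths" row of the advisory table by resolving dependencies the way npm does (nearest `node_modules/<name>` walking up from the dependent) and flagging every chain that ends in a `tar` below the first patched release, 7.5.3. The embedded lockfile is constructed for illustration; the package versions in it are assumptions, not the versions flexsearch or sqlite3 actually pin. It deliberately includes a patched top-level `tar` next to a vulnerable nested copy under `sqlite3`, because that is the shape that makes `npm ls tar` and a naive "is tar in the lockfile" check disagree.

```javascript
// Added example (assumption-based, not the project's own code): find every
// dependency path in an npm lockfile (v3 "packages" map) that reaches a
// vulnerable `tar`, as reported in GHSA-8qq5-rm4j-mr97.

const PATCHED_TAR = "7.5.3"; // first patched version per the advisory

// Constructed lockfile. Versions are assumed for illustration only.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { flexsearch: "^0.8.0", tar: "^7.5.3" } },
    "node_modules/flexsearch": { version: "0.8.0", dependencies: { sqlite3: "^5.1.0" } },
    "node_modules/sqlite3": { version: "5.1.7", dependencies: { tar: "^6.1.0" } },
    // nested copy: sqlite3's range cannot be satisfied by the top-level tar
    "node_modules/sqlite3/node_modules/tar": { version: "6.2.1" },
    "node_modules/tar": { version: "7.5.3" },
  },
};

// Parse "major.minor.patch"; prerelease/build suffixes are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Resolve dependency `name` for the package installed at `fromPath`:
// nearest `node_modules/<name>` walking up toward the project root ("").
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; every chain whose last hop is
// `target` with a version below `patched` is reported as "a > b > target".
function findVulnerablePaths(lock, target, patched) {
  const packages = lock.packages;
  const hits = [];
  const walk = (pkgPath, chain, seen) => {
    const entry = packages[pkgPath];
    if (!entry || seen.has(pkgPath)) return; // guard against cycles
    const nextSeen = new Set(seen).add(pkgPath);
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const depPath = resolveDep(packages, pkgPath, name);
      if (!depPath) continue; // not installed (e.g. skipped optional dep)
      const depEntry = packages[depPath];
      const nextChain = [...chain, name];
      if (name === target && compareSemver(depEntry.version, patched) < 0) {
        hits.push({ path: nextChain.join(" > "), version: depEntry.version });
      }
      walk(depPath, nextChain, nextSeen);
    }
  };
  walk("", [], new Set());
  return hits;
}

for (const hit of findVulnerablePaths(SAMPLE_LOCK, "tar", PATCHED_TAR)) {
  console.log(`${hit.path} (tar@${hit.version}, patched >=${PATCHED_TAR})`);
}
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the walker only understands lockfile v3 `packages` entries, not the older nested `dependencies` tree. The path it prints for the constructed input is exactly the one in the advisory table, `flexsearch > sqlite3 > tar`, while the patched top-level `tar` is not reported, which is why a fix that bumps your own `tar` dependency does nothing for the nested copy that `sqlite3` pulls in.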

Metadata

Assignees

Labels

No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests