open-duelyst/duelyst

[P1] Upgrade knex to 0.95.0+

Open

#54 opened on Sep 25, 2022

View on GitHub
 (3 comments) (0 reactions) (0 assignees)JavaScript (3,443 stars) (526 forks)batch import
backendhelp wantedsecurity

Description

Knex.js, our SQL query builder, has a few minor vulnerabilities in the current 0.19.5 version:

  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0
    introduced by:
    knex@0.19.5 > liftoff@3.1.0 > findup-sync@3.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0
    knex@0.19.5 > liftoff@3.1.0 > findup-sync@3.0.0 > micromatch@3.1.10 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0
    knex@0.19.5 > liftoff@3.1.0 > findup-sync@3.0.0 > micromatch@3.1.10 > extglob@2.0.4 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0
    knex@0.19.5 > liftoff@3.1.0 > findup-sync@3.0.0 > micromatch@3.1.10 > nanomatch@1.2.13 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0
    knex@0.19.5 > liftoff@3.1.0 > findup-sync@3.0.0 > micromatch@3.1.10 > extglob@2.0.4 > expand-brackets@2.1.4 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0

We should upgrade to 0.95.0 by following this guide: https://github.com/knex/knex/blob/master/UPGRADING.md#upgrading-to-version-0950

This may require changes to code in the cli, scripts, server, test, and worker directories.

Contributor guide

Tech stack
javascriptnodejssql
Domain
backenddatabasesecurity
Issue type
security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
knex.jsJavaScript
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
65
Research direction
The issue requires upgrading knex from 0.19.5 to 0.95.0+ following the official upgrade guide. The changes need to be made in the cli, scripts, server, test, and worker directories. It is advisable to first check the upgrade guide at https://github.com/knex/knex/blob/master/UPGRADING.md#upgrading to version 0950 and then update package.json and adapt code accordingly.