Skip to content

[Security] Bump sqlite3 from 5.1.4 to 5.1.5

Dependabot requested to merge dependabot-npm_and_yarn-sqlite3-5.1.5 into master

Bumps sqlite3 from 5.1.4 to 5.1.5. This update includes a security fix.

Vulnerabilities fixed

sqlite vulnerable to code execution due to Object coercion

Impact

Due to the underlying implementation of .ToString(), it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object.

Users of sqlite3 v5.0.0 - v5.1.4 are affected by this.

Patches

Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.

Workarounds

  • Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.

References

For more information

... (truncated)

Patched versions: 5.1.5 Affected versions: >= 5.0.0, < 5.1.5

Release notes

Sourced from sqlite3's releases.

v5.1.5

What's Changed

Full Changelog: https://github.com/TryGhost/node-sqlite3/compare/v5.1.4...v5.1.5

Commits
  • 6a806f8 v5.1.5
  • edb1934 Fixed code execution vulnerability due to Object coercion
  • 3a48888 Updated bundled SQLite to v3.41.1
  • c1440bd Fixed rpath linker option when using a custom sqlite (#1654)
  • 93affa4 Update microsoft/setup-msbuild action to v1.3
  • See full diff in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading