Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mongodb Denial of Service #66

Open
rfossella opened this issue Feb 25, 2021 · 6 comments
Open

Mongodb Denial of Service #66

rfossella opened this issue Feb 25, 2021 · 6 comments

Comments

@rfossella
Copy link

Hello,
Running npm audit for mongodb-migrations v0.85 throws the following warning. Is there/will there be a package update? Or best way to address this? Thanks!

node v12.13.0
npm@6.14.11

npm audit

High            Denial of Service
  Package         mongodb
  Patched in      >=3.1.13
  Dependency of   mongodb-migrations
  Path            mongodb-migrations > mongodb
  More info       https://npmjs.com/advisories/1203

Package.json dependencies

"dependencies": {
    "bluebird": "^3.4.1",
    "lodash": "^4.13.0",
    "mkdirp": "^0.5.1",
    "mongodb": "^2.2.1",
    "nomnom": "^1.6.2"
  },
@emirotin
Copy link
Owner

emirotin commented Feb 25, 2021 via email

@rfossella
Copy link
Author

thank you

@rfossella
Copy link
Author

Hello. Not sure if what I did was what you recommended - i.e. forked, updated, created pull request? If not, then can you explain?
Thanks.

@emirotin
Copy link
Owner

emirotin commented Feb 27, 2021 via email

@rfossella
Copy link
Author

Hmm. My very preliminary tests looked ok. A more robust test is throwing errors

Unhandled rejection TypeError: this._db.collection is not a function
    at Migrator._coll (C:\Development\wamp64\www\MyApp\src\server\node_modules\mongodb-migrations\lib\mongodb-migrations.js:58:23)
    at C:\Development\wamp64\www\MyApp\src\server\node_modules\mongodb-migrations\lib\mongodb-migrations.js:69:24
    at tryCatcher (C:\Development\wamp64\www\MyApp\src\server\node_modules\bluebird\js\release\util.js:16:23)
    at Promise._settlePromiseFromHandler (C:\Development\wamp64\www\MyApp\src\server\node_modules\bluebird\js\release\promise.js:547:31)
 
When I roll back to the published version (with mongodb 2.2.4) it works.

FYI: the remainder of my application uses 3.6.4

Maybe another conflicting package :\

I'll continue to check; if you have any ideas please let me know.  And thank you for extending yourself to me.  Appreciated!

@emirotin
Copy link
Owner

emirotin commented Feb 27, 2021 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants