deprecated node-pre-gyp@0.11.0 - 5 high severity vulnerabilities #1536

Closed
ehamery opened this issue Dec 28, 2021 · 4 comments

Comments

@ehamery

ehamery commented Dec 28, 2021

Any idea how I can fix this?
Why am I getting node-pre-gyp@0.11.0 and not mapbox/node-pre-gyp?

% npm i sqlite3       
npm WARN deprecated node-pre-gyp@0.11.0: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated tar@2.2.2: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported

> sqlite3@5.0.2 install /tmp/test/node_modules/sqlite3
> node-pre-gyp install --fallback-to-build

node-pre-gyp WARN Using request for node-pre-gyp https download 
[sqlite3] Success: "/tmp/test/node_modules/sqlite3/lib/binding/napi-v3-darwin-x64/node_sqlite3.node" is installed via remote
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN test@1.0.0 No description
npm WARN test@1.0.0 No repository field.

+ sqlite3@5.0.2
added 122 packages from 171 contributors and audited 122 packages in 6.202s

3 packages are looking for funding
  run `npm fund` for details

found 5 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details
% npm list --depth=1   
test@1.0.0 /tmp/test
└─┬ sqlite3@5.0.2
  ├── node-addon-api@3.2.1
  ├── node-gyp@3.8.0
  └── node-pre-gyp@0.11.0
% npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite on Windows via             │
│               │ insufficient relative path sanitization                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.18                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sqlite3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sqlite3 > node-gyp > tar                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-5955-9wpr-37jh            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite via insufficient symlink   │
│               │ protection due to directory cache poisoning using symbolic   │
│               │ links                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.18                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sqlite3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sqlite3 > node-gyp > tar                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-qq89-hq3f-393p            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite via insufficient symlink   │
│               │ protection due to directory cache poisoning using symbolic   │
│               │ links                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.16                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sqlite3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sqlite3 > node-gyp > tar                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-9r2w-394v-53qc            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite due to insufficient        │
│               │ absolute path sanitization                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sqlite3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sqlite3 > node-gyp > tar                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-3jfq-g458-7qm9            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite via insufficient symlink   │
│               │ protection due to directory cache poisoning                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sqlite3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sqlite3 > node-gyp > tar                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-r628-mhmh-qjhw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 5 high severity vulnerabilities in 123 scanned packages
  5 vulnerabilities require manual review. See the full report for details.
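One way to check a transitive finding like this one, as an added example that is not part of the issue or of the sqlite3 project: the script walks an `npm ls --json`-style dependency tree, lists every path that reaches tar (the way the audit table prints `sqlite3 > node-gyp > tar`) and tests each installed version against the advisory's "Patched in" range. The tree is constructed to mirror the `npm list --depth=1` output above, with one extra constructed, already-patched tar under node-pre-gyp for contrast; the range checker goes beyond the single `>=4.4.18` shown here and accepts node-semver's plain comparator ranges joined with `||`.

```javascript
// Added example, not the sqlite3 project's code. Range syntax is node-semver's
// plain comparators: parts joined by "||", comparators (>=, >, <=, <) ANDed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);           // prerelease/build tags ignored
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
const OPS = { ">=": c => c >= 0, ">": c => c > 0, "<=": c => c <= 0, "<": c => c < 0 };
// true if `version` satisfies e.g. ">=4.4.18" or ">=3.2.3 <4.0.0 || >=4.4.18".
function satisfies(version, range) {
  return range.split("||").some(part => {
    const cmps = [...part.matchAll(/(>=|<=|>|<)\s*(\d+\.\d+\.\d+)/g)];
    if (cmps.length === 0) throw new Error(`unsupported range part: "${part.trim()}"`);
    return cmps.every(([, op, v]) => OPS[op](compareVersions(version, v)));
  });
}

// Depth-first walk over the nested `dependencies` objects that `npm ls --json` emits;
// returns one {path, version} per occurrence of `name`, path formatted like npm audit.
function findPackage(node, name, path = []) {
  const hits = [];
  for (const [dep, child] of Object.entries(node.dependencies || {})) {
    const p = [...path, dep];
    if (dep === name) hits.push({ path: p.join(" > "), version: child.version });
    hits.push(...findPackage(child, name, p));
  }
  return hits;
}
// Each occurrence paired with whether its installed version is inside the patched range.
function auditPackage(tree, name, patchedRange) {
  return findPackage(tree, name).map(h => ({ ...h, patched: satisfies(h.version, patchedRange) }));
}

// Constructed tree mirroring the issue's `npm list --depth=1` output. tar@2.2.2 under
// node-gyp is the version npm warned about; tar@4.4.19 under node-pre-gyp is a
// constructed, already-patched sibling added for contrast (not shown in the issue).
const TREE = { name: "test", version: "1.0.0", dependencies: { sqlite3: { version: "5.0.2",
  dependencies: {
    "node-gyp": { version: "3.8.0", dependencies: { tar: { version: "2.2.2" } } },
    "node-pre-gyp": { version: "0.11.0", dependencies: { tar: { version: "4.4.19" } } },
  } } } };

const TAR_PATCHED = ">=4.4.18";   // "Patched in" for GHSA-5955-9wpr-37jh in the audit table
console.log(auditPackage(TREE, "tar", TAR_PATCHED));
```

On a real project, feed it `JSON.parse` of `npm ls --all --json` instead of `TREE`; a row with `patched: false` is a path that still needs an upstream dependency bump.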
@LegendOfGIT

Same here.
Please update your sub-dependency as soon as possible.

Luckily it currently only affects our development.
We do not use sqlite for production.

@Steve-Mcl

Hi sqlite3 devs.

When installing sqlite3 from NPM I get V5.0.2 (which matches the version number in the current package.json); however, I note you have updated the repo package.json deps on Oct 8, 2021.

When do you see a version bump and npm publish happening please?

Thanks, Steve.

@shakedo

shakedo commented Feb 15, 2022

Same here, when will a new version be published?

@daniellockyer
Member

I'm working on fixing up the repo after recently taking over. I will ship a new version soon 🙂

Given this is fixed in main, I'm going to close this for now
