chownr has a TOCTOU vulnerability that apparently can't be fixed without an addition to Node.js itself.
It's introduced to better-sqlite3 through tar.
As far as I can see it, tar is only used here to extract sqlite3 itself that's bundled here.
Do you see any way to get rid of tar and therefore the vulnerability (maybe not bundling it into a tarball but a different format – if there is any that can be used in Node.js without requiring a different library that depends on chownr, that is)?
Edit: To clarify, I realize the vulnerability probably couldn't be exploited in this use case anyway, but if there was an easy way to get rid of it, I would prefer that. If only so that projects depending on better-sqlite3 don't have the vulnerability showing up on Snyk or other platforms and don't have to manually ignore them for builds to succeed.