node-red-node-sqlite 1.0.1 reports 5 high severity vulnerabilities #848

@pierredewilde

Description

Node-RED v2.0.6

$ node -v
v14.18.1

$ npm -v
6.14.15

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
found 0 vulnerabilities
 in 178 scanned packages

$ npm install node-red-node-sqlite
npm WARN deprecated tar@2.2.2: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported

> sqlite3@5.0.2 install /Users/Pierre/.node-red/node_modules/sqlite3
> node-pre-gyp install --fallback-to-build

node-pre-gyp WARN Using request for node-pre-gyp https download 
[sqlite3] Success: "/Users/Pierre/.node-red/node_modules/sqlite3/lib/binding/napi-v3-darwin-x64/node_sqlite3.node" is installed via remote
+ node-red-node-sqlite@1.0.1
added 82 packages from 161 contributors and audited 260 packages in 10.746s

5 packages are looking for funding
  run `npm fund` for details

found 5 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite on Windows via             │
│               │ insufficient relative path sanitization                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.18                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red-node-sqlite                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red-node-sqlite > sqlite3 > node-gyp > tar              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-5955-9wpr-37jh            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite via insufficient symlink   │
│               │ protection due to directory cache poisoning using symbolic   │
│               │ links                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.18                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red-node-sqlite                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red-node-sqlite > sqlite3 > node-gyp > tar              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-qq89-hq3f-393p            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite via insufficient symlink   │
│               │ protection due to directory cache poisoning using symbolic   │
│               │ links                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.16                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red-node-sqlite                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red-node-sqlite > sqlite3 > node-gyp > tar              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-9r2w-394v-53qc            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite due to insufficient        │
│               │ absolute path sanitization                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red-node-sqlite                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red-node-sqlite > sqlite3 > node-gyp > tar              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-3jfq-g458-7qm9            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Creation/Overwrite via insufficient symlink   │
│               │ protection due to directory cache poisoning                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red-node-sqlite                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red-node-sqlite > sqlite3 > node-gyp > tar              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-r628-mhmh-qjhw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 5 high severity vulnerabilities in 260 scanned packages
  5 vulnerabilities require manual review. See the full report for details.

Environment:

  • Node-RED 2.0.6
  • node-red-node-sqlite 1.0.1
  • node.js 14.18.1
  • npm 6.14.15
  • macOS 10.15.7
  • Chrome 95.0.4638.54