louischatriot / nedb

The JavaScript Database, for Node.js, nw.js, electron and the browser

NPM found 2 high severity vulnerabilities in NeDB, require manual review

alexbruno opened this issue · comments

npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary Code Execution                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ underscore                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.12.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nedb                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nedb > binary-search-tree > underscore                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1674                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary Code Execution                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ underscore                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.12.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nedb                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nedb > underscore                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1674                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 high severity vulnerabilities in 604 scanned packages
  2 vulnerabilities require manual review. See the full report for details.
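
The two "Path" rows in the report above can be reproduced offline from a lockfile. Added example, not code from the nedb project or from anyone in this thread: it walks a package-lock.json v1 `dependencies` tree and lists every route to a copy of `underscore` older than the patched 1.12.1. The lock tree it uses is constructed for illustration and its version numbers are assumed; only the package names and the patched version come from the audit output.

```javascript
// Walk a package-lock.json v1 "dependencies" tree and list every route to a
// package whose version is below the patched one, reproducing the "Path" rows
// of the npm audit report. The lock tree further down is constructed for
// illustration (versions assumed); package names and PATCHED are from the audit.
const PATCHED = '1.12.1';

// Compare dotted numeric versions (no prerelease tags): negative if a < b, 0 if equal.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk over nested "dependencies" objects; returns "a > b > c (version)"
// strings for every occurrence of pkgName that is older than `patched`.
function findVulnerablePaths(lockTree, pkgName, patched, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(lockTree.dependencies || {})) {
    const path = trail.concat(name);
    if (name === pkgName && compareVersions(node.version, patched) < 0) {
      hits.push(path.join(' > ') + ' (' + node.version + ')');
    }
    hits.push(...findVulnerablePaths(node, pkgName, patched, path));
  }
  return hits;
}

// Constructed lock tree shaped like the audit report: two routes to an old underscore.
const SAMPLE_LOCK = {
  dependencies: {
    nedb: {
      version: '1.8.0',
      dependencies: {
        underscore: { version: '1.4.4' },
        'binary-search-tree': {
          version: '0.2.5',
          dependencies: { underscore: { version: '1.4.4' } },
        },
      },
    },
    lodash: { version: '4.17.21' },
  },
};

console.log(findVulnerablePaths(SAMPLE_LOCK, 'underscore', PATCHED));
```

For a real project, read the lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of SAMPLE_LOCK. Once the routes are known, npm's `overrides` field (npm 8.3 and later) can force the transitive `underscore` to the patched version until the upstream dependency is fixed; re-run the project's own tests afterwards, since the forced version is newer than what nedb declared.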

sadly, this project is dead.

So I guess we have to use Node's fs module now?

So sad...
Looking for alternatives, I'm now trying Level/level (leveljs.org), a simple Node.js wrapper for LevelDB.
It is not the same... In fact it is a totally different paradigm, but I think it can be a good replacement.

I made a drop-in replacement for myself: https://www.npmjs.com/package/@yetzt/nedb

@yetzt, thank you so very much for patching this.

Ok guys, what about this?

I'm coding a Koa server web app running on Microsoft Azure cloud, with a lot of CSV data imported to a local embedded NoSQL DB at build time, using the data to populate server-side dynamic HTML and respond to API search requests.

It was developed with NeDB. Some users reported slow responses and I really noticed it with some tests.

But now I just dropped NeDB and replaced it with a LevelDB wrapper, and now the application is blazing fast.

I really feel the difference and testing with Lighthouse I can see a performance boost.

Maybe it is because LevelDB is a C++ lib (like SQLite is a C lib), running operations at a low level, wrapped into an NPM module.

I strongly recommend LevelDB, it works in other "level".

Thanks, I was looking for an alternative since this project seems to have been abandoned

I just checked out linvodb3, which was forked from nedb and uses level for data storage. Looks pretty much like a drop-in replacement to me.

@louischatriot Could you please look into this one? It is causing headaches for a project which depends on npm audits to pass.

Hello, I released a new version of nedb on my own fork to address this issue:
https://github.com/rmanibus/nedb

release 1.9.0 can be found here:
https://www.npmjs.com/package/@rmanibus/nedb

It also supports composite indexes:

    // Load the fork and open a datastore (file name is an illustrative placeholder).
    const Datastore = require('@rmanibus/nedb');
    const model = new Datastore({ filename: 'data.db', autoload: true });

    // Composite index over both fields; the pair of values must be unique.
    model.ensureIndex({ fieldName: ["field", "field2"], unique: true }, function (err) {
        if (err) {
            console.error("DB error: " + err);
        }
    });