@mikro-orm/postgresql@4.5.10 has a security issue
Mykyta-Chernenko opened this issue
Describe the bug
Our snyk test has found a vulnerability in version 2.6.13
Issues with no direct upgrade or patch:
✗ SQL Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-KNEX-3175610] in knex@0.21.19
introduced by pg-mem@2.6.13 > @mikro-orm/postgresql@4.5.10 > @mikro-orm/knex@4.5.10 > knex@0.21.19
This issue was fixed in versions: 2.4.0
✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0
introduced by pg-mem@2.6.13 > @mikro-orm/postgresql@4.5.10 > @mikro-orm/knex@4.5.10 > knex@0.21.19 > liftoff@3.1.0 > findup-sync@3.0.0 > micromatch@3.1.10 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0
This issue was fixed in versions: 2.0.1
To Reproduce
Install pg-mem version 2.6.13
pg-mem version
2.6.13
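The report above is the output of a dependency scanner: it matches each package in the installed tree against an advisory (name plus the version the fix landed in) and prints the chain of dependencies that introduces the match. The following is an added example, not code from the reporter, from pg-mem or from Snyk, that reproduces that logic over a constructed, simplified dependency graph modelled on the two chains quoted in the issue. The graph, the advisory table and the function names (parseSpec, compareVersions, findPaths, audit) are assumptions made for the illustration; a real tool would read package-lock.json and a live advisory database instead.

```javascript
// Constructed dependency graph: "name@version" -> direct dependencies.
// Mirrors the chains quoted in the report; not a real lockfile.
const graph = {
  "pg-mem@2.6.13": ["@mikro-orm/postgresql@4.5.10"],
  "@mikro-orm/postgresql@4.5.10": ["@mikro-orm/knex@4.5.10"],
  "@mikro-orm/knex@4.5.10": ["knex@0.21.19"],
  "knex@0.21.19": ["liftoff@3.1.0"],
  "liftoff@3.1.0": ["findup-sync@3.0.0"],
  "findup-sync@3.0.0": ["micromatch@3.1.10"],
  "micromatch@3.1.10": ["braces@2.3.2"],
  "braces@2.3.2": ["snapdragon@0.8.2"],
  "snapdragon@0.8.2": ["base@0.11.2"],
  "base@0.11.2": ["cache-base@1.0.1"],
  "cache-base@1.0.1": ["unset-value@1.0.0"],
  "unset-value@1.0.0": [],
};

// Constructed advisory table: the two entries from the report, keyed by
// package name, with the version in which the issue was fixed.
const advisories = {
  knex: { id: "SNYK-JS-KNEX-3175610", title: "SQL Injection", fixedIn: "2.4.0" },
  "unset-value": { id: "SNYK-JS-UNSETVALUE-2400660", title: "Prototype Pollution", fixedIn: "2.0.1" },
};

// Split "name@version"; scoped names contain a leading "@", so split on the last one.
function parseSpec(spec) {
  const at = spec.lastIndexOf("@");
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Numeric dotted-version comparison: -1, 0 or 1 (assumption: no pre-release tags).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk from root collecting every path that ends at a node
// satisfying isTarget. The trail check guards against dependency cycles.
function findPaths(graph, root, isTarget) {
  const paths = [];
  const walk = (node, trail) => {
    if (trail.includes(node)) return;
    const next = trail.concat(node);
    if (isTarget(node)) {
      paths.push(next);
      return;
    }
    for (const dep of graph[node] || []) walk(dep, next);
  };
  walk(root, []);
  return paths;
}

// For each advisory, flag every installed version below the fixed version
// and report the introducing chain in the same "a > b > c" form the scanner uses.
function audit(graph, root, advisories) {
  const findings = [];
  for (const [name, adv] of Object.entries(advisories)) {
    const affected = (spec) => {
      const p = parseSpec(spec);
      return p.name === name && compareVersions(p.version, adv.fixedIn) < 0;
    };
    for (const path of findPaths(graph, root, affected)) {
      findings.push({
        id: adv.id,
        title: adv.title,
        package: path[path.length - 1],
        path: path.join(" > "),
      });
    }
  }
  return findings;
}

for (const f of audit(graph, "pg-mem@2.6.13", advisories)) {
  console.log(`${f.title} [${f.id}] in ${f.package}\n  introduced by ${f.path}`);
}
```

Because the match is on the resolved version rather than on the package name alone, the same walk reports nothing once the chain resolves knex to 2.4.0 or later (and unset-value to 2.0.1 or later), which is the check to re-run after the dependency is bumped.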