fix(deps): update dependency sqlite3 to v5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
sqlite3	4.2.0 → 5.1.5

---

Denial-of-Service when binding invalid parameters in sqlite3

CVE-2022-21227 / GHSA-9qrh-qjmc-5w2p

More information

Details

Affected versions of sqlite3 will experience a fatal error when supplying a specific object in the parameter array. This error causes the application to crash and could not be caught. Users of sqlite3 v5.0.0, v5.0.1 and v5.0.2 are affected by this. This issue is fixed in v5.0.3. All users are recommended to upgrade to v5.0.3 or later. Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters as a workaround.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-9qrh-qjmc-5w2p
• https://github.com/TryGhost/node-sqlite3/issues/1440
• https://github.com/TryGhost/node-sqlite3/issues/1449
• https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a
• https://security.snyk.io/vuln/SNYK-JS-SQLITE3-2388645
• https://nvd.nist.gov/vuln/detail/CVE-2022-21227
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470
• https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645
• https://github.com/advisories/GHSA-9qrh-qjmc-5w2p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

sqlite vulnerable to code execution due to Object coercion

CVE-2022-43441 / GHSA-jqv5-7xpx-qj74

More information

Details

Impact

Due to the underlying implementation of .ToString(), it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object.

Users of sqlite3 v5.0.0 - v5.1.4 are affected by this.

Patches

Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.

Workarounds

• Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.

References

• Commit: TryGhost/node-sqlite3@edb1934

For more information

If you have any questions or comments about this advisory:

• Email us at security@ghost.org

Credits: Dave McDaniel of Cisco Talos

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-jqv5-7xpx-qj74
• https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781
• https://nvd.nist.gov/vuln/detail/CVE-2022-43441
• https://talosintelligence.com/vulnerability_reports/TALOS-2022-1645
• https://github.com/advisories/GHSA-jqv5-7xpx-qj74

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

TryGhost/node-sqlite3 (sqlite3)

v5.1.5

Compare Source

What's Changed

• 🔒 Fixed code execution vulnerability due to Object coercion by @​daniellockyer
• Updated bundled SQLite to v3.41.1 by @​daniellockyer
• Fixed rpath linker option when using a custom sqlite by @​jeromew in #​1654

Full Changelog: TryGhost/node-sqlite3@v5.1.4...v5.1.5

v5.1.4

Compare Source

What's Changed

• Fixed glibc compatibility by downgrading CI to Ubuntu 20 by @​daniellockyer in #​1664

Full Changelog: TryGhost/node-sqlite3@v5.1.3...v5.1.4

v5.1.3

Compare Source

What's Changed

• Updated bundled SQLite to v3.40.0 by @​daniellockyer

Full Changelog: TryGhost/node-sqlite3@v5.1.2...v5.1.3

v5.1.2

Compare Source

What's Changed

• Updated bundled SQLite to v3.39.4 by @​daniellockyer

Full Changelog: TryGhost/node-sqlite3@v5.1.1...v5.1.2

v5.1.1

Compare Source

What's Changed

• Added Darwin ARM64 binaries by @​daniellockyer in #​1594

A huge thanks to MacStadium for providing an M1 Mac Mini so we can offer ARM64 binaries.

Full Changelog: TryGhost/node-sqlite3@v5.1.0...v5.1.1

v5.1.0

Compare Source

✨ We're very excited to announce node-sqlite3's first minor release of v5, packed with features and improvements.

If you encounter any problems, please open a detailed issue using the templates.

What's Changed

• Updated bundled SQLite to v3.39.3 by @​daniellockyer
• Added ability to receive updates from sqlite3_update_hook by @​soukand in #​1267
• Added support for setting SQLite limits by @​paulfitz in #​1548
• Added library types file by @​bpasero in #​1527
• Added package-lock.json to .gitignore by @​JoelEinbinder in #​1628
• Fixed remaining method declarations by @​alexanderfloh in #​1633
• Fixed importing sqlite3#verbose using destructuring syntax by @​mahdi-farnia in #​1632

New Contributors

• @​JoelEinbinder made their first contribution in #​1628
• @​mahdi-farnia made their first contribution in #​1632
• @​soukand made their first contribution in #​1267

Full Changelog: TryGhost/node-sqlite3@v5.0.11...v5.1.0

v5.0.11

Compare Source

What's Changed

• Restored compatibility for Alpine 3.15 by @​daniellockyer in #​1626

Full Changelog: TryGhost/node-sqlite3@v5.0.10...v5.0.11

v5.0.10

Compare Source

What's Changed

• Updated bundled SQLite to v3.39.2 by @​daniellockyer
• Addressed CodeQL warnings by @​bpasero in #​1614

New Contributors

• @​bpasero made their first contribution in #​1614

Full Changelog: TryGhost/node-sqlite3@v5.0.9...v5.0.10

v5.0.9

Compare Source

What's Changed

• Updated bundled SQLite to v3.39.1 by @​daniellockyer
• Fixed method declarations to conform with napi default for methods by @​alexanderfloh in #​1510
• Fixed propagation of async hook ids through callbacks by @​alexanderfloh in #​1511
• Updated sqlcipher homebrew CPPFLAGS location by @​frovere in #​1613

New Contributors

• @​alexanderfloh made their first contribution in #​1510
• @​frovere made their first contribution in #​1613

Full Changelog: TryGhost/node-sqlite3@v5.0.8...v5.0.9

v5.0.8

Compare Source

What's Changed

• Reverted 5063367, which was causing a segfault with certain queries (#​1605 and #​1606)

Full Changelog: TryGhost/node-sqlite3@v5.0.7...v5.0.8

v5.0.7

Compare Source

What's Changed

• Updated bundled SQLite to v3.38.4 by @​daniellockyer in #​1604
• Improved performance by fetching column names once by @​daniellockyer

Full Changelog: TryGhost/node-sqlite3@v5.0.6...v5.0.7

v5.0.6

Compare Source

What's Changed

• Updated bundled SQLite to v3.38.3 by @​daniellockyer in #​1593. This fixes an upstream bug in SQLite that was reported here: #​1589
• Added Node 18 to CI by @​daniellockyer in #​1587

Full Changelog: TryGhost/node-sqlite3@v5.0.5...v5.0.6

v5.0.5

Compare Source

What's Changed

• Fixed building on certain systems (#​1584) by @​daniellockyer
• General repository maintenance by @​daniellockyer

Thank you to everyone reporting issues with building sqlite3 or the prebuilt binaries 🙂 If you encounter an problem, please search open and closed issues for existing reports or open a new issue with as much system information as possible.

Full Changelog: TryGhost/node-sqlite3@v5.0.4...v5.0.5

v5.0.4

Compare Source

What's Changed

• Added prebuilt Linux musl binaries - @​daniellockyer
• Added prebuilt Linux ARM64 binaries - @​daniellockyer
• Fixed older glibc compatibility - @​daniellockyer

Full Changelog: TryGhost/node-sqlite3@v5.0.3...v5.0.4

v5.0.3

Compare Source

What's Changed

• Updated bundled SQLite to v3.38.2 - @​daniellockyer
• Enabled math functions in compiler options - @​kewde
• Updated node-gyp to v8.x - @​daniellockyer
• Re-enabled Node-API v6 builds - @​daniellockyer
• Fixed segfault of invalid toString() object by @​kewde in #​1450
• Fixed building on MacOS Monterey 12.3 - @​daniellockyer
• Replaced Python extraction script with JS by @​xPaw in #​1570
• Switched prebuilt binary hosting to GitHub Releases - @​daniellockyer

Known Problems

• #​1578 - the minimum glibc version for prebuilt binaries was bumped to 2.29. We hope to bring this back down within the next few releases but you will need to compile from source if your system ships with a lower version.
• Prebuilt binaries for Linux do not work on musl systems. This should be fixed with 8b2cdd9 but you will need to compile from source to use v5.0.3.

Full Changelog: TryGhost/node-sqlite3@v5.0.2...v5.0.3

v5.0.2

Compare Source

• disable N-API v6

v5.0.1

Compare Source

• dep: node-addon-api to ^3.0.0 #​1367
• bug: bad comparison of c string #​1347
• build: Install files to be deployed #​1352
• sqlite3: upgrade to 3.32.3 #​1351
• bug: worker threads crash #​1367
• bug: segfaults #​1368
• typo: broken link to MapBox site #​1369

v5.0.0

Compare Source

• prebuilt: Node 14 support, dropped support for all version of Node < 10 #​1304
• prebuilt: add electron 7.2 #​1324
• napi: refactor codebase to use N-API instead of NAN (+ various improvements) #​1304
• trace: don't require throw to add trace info for verbose #​1317
• ci: remove permission setting #​1319

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.