591 - SQLite3 Vulnerability #593
Conversation
This updates the `@mapbox/mbtiles` version in package.json to utilize `0.12.1` released about 2 years ago. This, in turn, utilizes `sqlite3` version `5.x` which has patched vulnerabilities. Closes maptiler#591
| "@mapbox/mbtiles": "0.11.0", | ||
| "@mapbox/mbtiles": "0.12.1", |
There was a problem hiding this comment.
This causes breaking issue as v0.12.x has dropped support for Node 10.
https://github.com/mapbox/node-mbtiles/blob/master/CHANGELOG.md#0120
There was a problem hiding this comment.
I mean, Node10 security support ended over a year ago, we really shouldn't be basing changes and updates (especially to vulnerability-related items) on past EOL Node versions...
There was a problem hiding this comment.
This should be tested on 14,16,18 based on current support lifecycle.
|
This should be fixed by #602 , which was just merged and contains @mapbox/mbtiles 0.12.1 As for the node 10 support, when I tested it it seemed to work, but with the move to maplibre-native we should probably suggest newer version of node anyway, like at least node 14 with 16 recommended. The new maplibre-native binaries are built for 14,16,18 (and 10 for legacy purposes to support migration) |
|
Fixed by #602 |
This updates the
@mapbox/mbtilesversion in package.json to utilize0.12.1released about 2 years ago. This, in turn, utilizessqlite3version
5.xwhich has patched vulnerabilities.Closes #591