Update dependency pg-native to v3 [SECURITY]#62
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
from
March 25, 2023 03:07
c53f6f3 to
87ae231
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
2 times, most recently
from
April 3, 2023 11:37
ac72053 to
e1eff43
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
2 times, most recently
from
April 17, 2023 16:16
fb74184 to
383f176
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
3 times, most recently
from
June 4, 2023 08:16
5edf111 to
270a4fa
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
from
June 4, 2023 15:26
270a4fa to
82f2088
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
6 times, most recently
from
June 19, 2023 11:34
1fc5de5 to
5cd4ab5
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
2 times, most recently
from
June 29, 2023 13:40
36c8969 to
40eb432
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
4 times, most recently
from
July 9, 2023 12:21
93828f5 to
3c1c515
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
4 times, most recently
from
July 19, 2023 17:33
8f0b554 to
9739b42
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
4 times, most recently
from
August 1, 2023 18:13
d66f986 to
efd1875
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
from
August 9, 2023 14:56
efd1875 to
15d47b4
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
4 times, most recently
from
October 15, 2023 17:25
8742a66 to
49009ca
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
2 times, most recently
from
October 23, 2023 16:18
4d1fd10 to
26f1e8f
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
2 times, most recently
from
November 6, 2023 11:07
0e74f65 to
a4e2bde
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
2 times, most recently
from
November 16, 2023 14:15
a044a66 to
fe39a8e
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
2 times, most recently
from
December 3, 2023 14:20
045329a to
42b7d87
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
2 times, most recently
from
December 12, 2023 12:14
7ef3f6f to
114d1dc
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
4 times, most recently
from
January 4, 2024 17:17
65c8e38 to
7096fad
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
2 times, most recently
from
January 9, 2024 16:09
a0385ea to
0445b54
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
2 times, most recently
from
January 16, 2024 16:15
7c92ddd to
1761523
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
2 times, most recently
from
January 28, 2024 15:58
d6f5314 to
6e70066
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
2 times, most recently
from
February 4, 2024 12:12
0bddfea to
8f28149
Compare
renovate
Bot
force-pushed
the
renovate/npm-pg-native-vulnerability
branch
3 times, most recently
from
February 29, 2024 11:36
96cabfa to
7dea183
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^1.10.0→^3.0.1pg-native and libpq vulnerable to uncontrolled resource consumption
CVE-2022-25852 / GHSA-j32j-2hxv-rqf7
More information
Details
pg-native before 3.0.1 and libpq before 1.8.10 are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. Note: pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
brianc/node-postgres (pg-native)
v3.0.1Compare Source
v3.0.0Compare Source
stream.closetostream.destroywhich is the official way to terminate a readable stream. This is a breaking change if you rely on thestream.closemethod on pg-query-stream...though should be just a find/replace type operation to upgrade as the semantics remain very similar (not exactly the same, since internals are rewritten, but more in line with how streams are "supposed" to behave).config.batchSizeandconfig.highWaterMarkto both do the same thing: control how many rows are buffered in memory. TheReadableStreamwill manage exactly how many rows are requested from the cursor at a time. This should give better out of the box performance and help with efficient async iteration.v2.2.0Compare Source
v2.0.1Compare Source
v2.0.0Compare Source
For more information see #353
If you are unhappy with these changes you can always override the built in type parsing fairly easily.
v1.10.1Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.