Skip to content

[Snyk] Fix for 2 vulnerabilities#12971

Open
sestinj wants to merge 1 commit into
mainfrom
snyk-fix-10be838f3564d7166883625b2fb9ef81
Open

[Snyk] Fix for 2 vulnerabilities#12971
sestinj wants to merge 1 commit into
mainfrom
snyk-fix-10be838f3564d7166883625b2fb9ef81

Conversation

@sestinj

@sestinj sestinj commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

snyk-top-banner

Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • core/package.json

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Infinite loop
SNYK-JS-TAR-17909068
  828  
high severity Allocation of Resources Without Limits or Throttling
SNYK-JS-TAR-17909152
  828  

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

@sestinj sestinj requested a review from a team as a code owner July 10, 2026 08:17
@sestinj

sestinj commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

Merge Risk: High

This update involves a major version upgrade for sqlite3 and a patch update for tar.

sqlite3 5.1.76.0.1

Risk: HIGH

This is a major version upgrade, but the most critical change is that the sqlite3 package is now officially unmaintained. While the v6.0.0 release itself does not introduce direct API breaking changes, it primarily consists of dependency updates.

Key Changes:

  • Unmaintained Status: The repository has been marked as unmaintained, meaning there will be no further updates, security patches, or support.
  • Dependencies: All dependencies have been bumped to their latest versions.

Recommendation:
Given that sqlite3 is no longer maintained, it is highly recommended to plan a migration to a different, actively maintained SQLite library. Some alternatives mentioned by the community include better-sqlite3. Continuing to use an unmaintained package for database operations poses a significant long-term security and operational risk.

Source: GitHub Release Notes, npm Package Page

tar 7.5.167.5.19

Risk: LOW

This is a patch version upgrade. According to semantic versioning, it should not contain any breaking changes, only bug fixes or minor enhancements. No breaking changes were noted in the package documentation for this range.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:XS This PR changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants