
chore(deps): replace sqlite3 with better-sqlite3 #14744

Merged
pranavosu merged 1 commit into main from fix/190
Mar 6, 2026

Conversation

@pranavosu (Contributor)

Summary

Resolves Dependabot alert #190 — high severity path traversal vulnerability in tar (CVE-2026-29786).

Root Cause

tar was a transitive dependency pulled in by sqlite3, which was only used as a devDependency in @aws-amplify/datastore-storage-adapter for running tests in Node.js. The latest sqlite3 still pins tar@^6, and the CVE fix only exists in tar@7.5.10 with no backport to 6.x.

Fix

Rather than keeping a tar resolution override long-term, this PR replaces sqlite3 with better-sqlite3 in the test helper:

  • better-sqlite3 does not depend on tar at all
  • sqlite3 was only used in __tests__/helpers.ts to provide an in-memory SQLite database for tests (the actual runtime adapter uses react-native-sqlite-storage / expo-sqlite)
  • The InnerSQLiteDatabase test helper has been rewritten to use better-sqlite3's synchronous API with param sanitization for strict type binding

Changes

  • packages/datastore-storage-adapter/package.json: Replace sqlite3 with better-sqlite3 + @types/better-sqlite3
  • packages/datastore-storage-adapter/__tests__/helpers.ts: Rewrite InnerSQLiteDatabase class
  • package.json: Remove tar resolution (no longer needed)
  • yarn.lock: Updated

Testing

All 110 tests pass across all 4 test suites in datastore-storage-adapter.

- Replace sqlite3 (devDependency) with better-sqlite3 in datastore-storage-adapter
- Rewrite InnerSQLiteDatabase test helper to use better-sqlite3 synchronous API
- Add param sanitization for better-sqlite3 strict type binding
- Remove tar resolution from root package.json (no longer needed)
- Resolves Dependabot alert #190 (high severity path traversal in tar)
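As an added illustration of the "param sanitization for strict type binding" the description refers to (this is not the `__tests__/helpers.ts` code from the PR, and the function names `sanitizeParam`, `sanitizeParams` and `findUnbindable` are hypothetical): better-sqlite3 will only bind numbers, strings, bigints, Buffers and `null`, and throws a `TypeError` for any other value, so a test helper that forwards arbitrary model fields (booleans, `undefined`, Dates, nested objects) needs a conversion step before `stmt.run()` / `stmt.all()`. The conversions chosen here (booleans to 0/1, `undefined` to NULL, Dates to ISO-8601 text, objects to JSON text) are conventional choices made for the example, not those of the Amplify helper; the block runs without the native module installed.

```javascript
// Added example: sanitizing bind parameters for a driver with strict type
// binding (better-sqlite3 style). Not code from the amplify-js repository.

// The value types better-sqlite3 accepts as bind parameters.
function isBindable(value) {
  return (
    value === null ||
    typeof value === "number" ||
    typeof value === "string" ||
    typeof value === "bigint" ||
    Buffer.isBuffer(value)
  );
}

// Return the indices of parameters the driver would reject with a TypeError.
// Useful as a diagnostic when a rewritten helper suddenly fails on a query
// that the old, more permissive driver accepted.
function findUnbindable(params) {
  const bad = [];
  params.forEach((value, i) => {
    if (!isBindable(value)) bad.push(i);
  });
  return bad;
}

// Convert one JavaScript value into something the strict driver can bind.
// Mapping choices here are the example's own conventions (assumption).
function sanitizeParam(value) {
  if (value === undefined || value === null) return null; // missing -> NULL
  if (typeof value === "boolean") return value ? 1 : 0; // SQLite has no boolean type
  if (isBindable(value)) return value; // number / string / bigint / Buffer pass through
  if (value instanceof Date) return value.toISOString(); // store timestamps as ISO text
  if (typeof value === "object") return JSON.stringify(value); // arrays/objects as JSON text
  // Symbols, functions, etc. are a programming error, not data: fail loudly.
  throw new TypeError(`Cannot bind parameter of type ${typeof value}`);
}

// Sanitize a whole parameter list so that every element is bindable.
function sanitizeParams(params) {
  return params.map(sanitizeParam);
}

// Usage in a helper would look like (db is a hypothetical better-sqlite3 Database):
//   db.prepare(sql).all(...sanitizeParams(params));
// Constructed sample parameters, the kind a test might pass for a model row:
const sampleParams = ["id-1", true, undefined, new Date(0), { tags: ["a"] }, 3n];
console.log(findUnbindable(sampleParams)); // indices the driver would reject
console.log(sanitizeParams(sampleParams)); // all bindable after sanitization

module.exports = { isBindable, findUnbindable, sanitizeParam, sanitizeParams };
```

The `findUnbindable` check is the detection half of the problem: run it on the raw parameter list before binding and the indices it returns are exactly the values the old driver silently coerced and the new one refuses.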
@pranavosu pranavosu requested a review from a team as a code owner March 5, 2026 23:33
@changeset-bot

changeset-bot bot commented Mar 5, 2026

⚠️ No Changeset found

Latest commit: b7504cd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@pranavosu pranavosu changed the title fix: replace sqlite3 with better-sqlite3 to resolve CVE-2026-29786 chore(deps): replace sqlite3 with better-sqlite3 Mar 5, 2026
@pranavosu pranavosu merged commit 24c0a0b into main Mar 6, 2026
42 checks passed
@pranavosu pranavosu deleted the fix/190 branch March 6, 2026 16:10