I'm submitting a...
Current behavior
The vulnerability CVE-2023-48795 requires ssh2 1.15 and above to fix: mscdex/ssh2#1354
The tunnel-ssh 4.x series, which is a dependency of db-migrate, only supports ssh2 up to 1.4.0: #755. This CVE can be resolved for db-migrate if the tunnel-ssh dependency is upgraded to 5.x (or if tunnel-ssh updates its 4.x dependencies, but it's been a year since 5.x was released).
Expected behavior
The security vulnerability should be addressed.
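A way to confirm whether a project still resolves an ssh2 copy older than 1.15, such as one nested under tunnel-ssh (an added example, not part of the original report or of db-migrate's code). It assumes an npm lockfile that uses the `packages` map (lockfileVersion 2 or 3); the sample lockfile and the names `findOldSsh2`, `parseVersion` and `isBelow` are constructed for illustration.

```javascript
// Added example: flag installed ssh2 copies older than the release the issue names as fixed.
// Assumes an npm lockfile with the "packages" map (lockfileVersion 2 or 3).
const MIN_FIXED = [1, 15, 0]; // from the issue: "ssh2 1.15 and above"

// Constructed sample lockfile; the db-migrate and tunnel-ssh versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/db-migrate": { version: "0.0.0-placeholder" },
    "node_modules/tunnel-ssh": { version: "4.0.0-placeholder" },
    "node_modules/tunnel-ssh/node_modules/ssh2": { version: "1.4.0" },
    "node_modules/ssh2": { version: "1.15.0" },
  },
};

// Returns [major, minor, patch], or null when the version string is unusable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple v sorts strictly before min.
function isBelow(v, min) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] < min[i];
  }
  return false;
}

// Lists every installed ssh2 copy below MIN_FIXED and the packages it is nested under.
function findOldSsh2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/b" -> ["a", "b"]
    const chain = path.split("node_modules/").filter(Boolean).map((s) => s.replace(/\/$/, ""));
    if (chain[chain.length - 1] !== "ssh2") continue;
    const v = parseVersion(meta.version);
    // An unparseable version is reported too, so the check fails closed.
    if (v === null || isBelow(v, MIN_FIXED)) {
      findings.push({ path, version: meta.version || null, nestedUnder: chain.slice(0, -1) });
    }
  }
  return findings;
}

for (const f of findOldSsh2(sampleLock)) {
  console.log(`${f.path}: ssh2 ${f.version} < 1.15.0 (under: ${f.nestedUnder.join(" > ") || "top level"})`);
}
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findOldSsh2` in place of `sampleLock`.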