The current SQLite persistent storage relies on the sqlite3 package, which is unmaintained. This introduces a high-severity vulnerability via its dependency on tar (<=7.5.2):
```
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ node-tar is Vulnerable to Arbitrary File Overwrite and │
│                     │ Symlink Poisoning via Insufficient Path Sanitization   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ tar                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ flexsearch > sqlite3 > tar                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-8qq5-rm4j-mr97      │
└─────────────────────┴────────────────────────────────────────────────────────┘
```
Since sqlite3 is unmaintained, this vulnerability is unlikely to be patched upstream.
Proposal:
Replace sqlite3 with better-sqlite3
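As an added check (example code, not part of this issue or the flexsearch project), the following walks an npm lockfile's `packages` map and reports every dependency chain that reaches `tar` below the patched 7.5.3, so the `flexsearch > sqlite3 > tar` path above can be confirmed before and after the swap to better-sqlite3. The lockfile is a constructed sample; the sqlite3 version in it is a placeholder.

```javascript
// Added example, not from the flexsearch project. Walks a lockfile v2/v3
// "packages" map (install path -> {version, dependencies}) and flags every
// chain reaching "tar" below PATCHED_TAR (7.5.3 from the advisory above).
const PATCHED_TAR = "7.5.3";

// Compare dotted numeric versions: -1, 0 or 1 (prerelease tags not handled).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// npm resolution: look in the parent's own node_modules, then in each
// ancestor's node_modules up to the project root (key "").
function resolveDep(pkgs, parentKey, depName) {
  let base = parentKey;
  for (;;) {
    const key = (base ? base + "/" : "") + "node_modules/" + depName;
    if (pkgs[key]) return key;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

function findVulnerableTarPaths(lock, patched = PATCHED_TAR) {
  const pkgs = lock.packages, hits = [];
  function walk(key, keys, names) {
    if (keys.includes(key)) return;            // cycle guard
    const entry = pkgs[key];
    const name = key === "" ? (entry.name || "(root)")
                            : key.slice(key.lastIndexOf("node_modules/") + 13);
    const path = names.concat(name);
    if (name === "tar" && cmpVersion(entry.version, patched) < 0) {
      hits.push({ path: path.join(" > "), version: entry.version });
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const k = resolveDep(pkgs, key, dep);
      if (k) walk(k, keys.concat(key), path);
    }
  }
  walk("", [], []);
  return hits;
}

// CONSTRUCTED lockfile fragment: flexsearch is the root project, as in the
// audit path above; the sqlite3 version is a placeholder.
const SAMPLE_LOCK = { packages: {
  "": { name: "flexsearch", dependencies: { sqlite3: "*" } },
  "node_modules/sqlite3": { version: "0.0.0-placeholder", dependencies: { tar: "*" } },
  "node_modules/tar": { version: "7.5.2" },
} };
console.log(findVulnerableTarPaths(SAMPLE_LOCK));
```

An empty result after replacing sqlite3 means no remaining chain pulls in a vulnerable tar; the script reads only the lockfile, so it runs offline in CI.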