
Could you help remove the high severity vulnerabilities introduced in your package? #10484


Closed
paimon0715 opened this issue Jul 23, 2021 · 2 comments

Comments

@paimon0715

Hi @vkarpov15, @AbdelrahmanHafez, I’d like to report two vulnerabilities introduced in mongoose:

Issue Description

Two vulnerabilities (high severity) CVE-2019-2391 and CVE-2020-7610 are detected in package bson(>=1.0.0 <1.1.4) and [email protected] is directly referenced by [email protected]. We noticed that the vulnerabilities have been removed since [email protected].

However, mongoose's popular previous version [email protected] (25,347 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 3,324 downstream projects, e.g., @app-masters/node-lib 2.2.1, omniboard 2.14.0, e-commerce-platform 0.0.1, capstonejs 4.2.23-b, @shoutem/express-stack 0.2.36, etc.).
As such, issue CVE-2019-2391 and CVE-2020-7610 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily upgrade mongoose from version 8.13.0 to (>=9.2.0). For instance, [email protected] is introduced into the above projects via the following package dependency paths:
(1)@app-masters/[email protected] ➔ @app-masters/[email protected][email protected][email protected]
......

The projects such as @app-masters/mongoose-it, which introduced [email protected], are not maintained anymore. These unmaintained packages can neither upgrade mongoose nor be easily migrated by the large amount of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerabilities from package [email protected]?

Suggested Solution

Since these inactive projects set a version constraint 4.13.* for mongoose on the above vulnerable dependency paths, if mongoose removes the vulnerability from 4.13.21 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the 3,324 affected downstream projects.

In [email protected], you can kindly try to perform the following upgrade:
bson ~1.0.4 ➔ ~1.1.4;
Note:
[email protected](>=1.1.4) has fixed the vulnerabilities (CVE-2019-2391 and CVE-2020-7610)

Thank you for your contributions.

Yours sincerely,
Paimon

@paimon0715
Author

@AbdelrahmanHafez @IslandRhythms Thanks for your understanding and help.

@vkarpov15
Collaborator

Copying my comment from #10489 here for visibility for @paimon0715 :

I took a closer look at this and this change won't help. That's because Mongoose 4.x relies on MongoDB driver 2.x, which relies on [email protected], which relies on bson@~1.0.4. So this PR won't help unless we get mongodb-js/mongodb-core#464 merged.

TL;DR: Mongoose can't do anything about this without the MongoDB driver team's help. Is there anything we can do to help you upgrade to Mongoose 5?
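The dependency-path argument above (a pinned `bson ~1.0.4` reached through `mongoose@4.13.*` via the driver, so the fix has to land in the package that pins bson) can be checked mechanically. The following is an added example, not code from Mongoose, the driver, or either commenter; the tree is constructed to follow the path quoted in the issue, and the versions of `@app-masters/mongoose-it`, `mongodb` and `mongodb-core` are placeholders.

```javascript
// Added example (not Mongoose's or the issue author's code): walk an npm-style
// dependency tree, list every path that reaches an affected bson, and name the
// package that pins it, i.e. where a fix must land. bson range from the issue.
const VULN = { min: [1, 0, 0], maxExcl: [1, 1, 4] }; // bson >=1.0.0 <1.1.4
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// True when a bson version falls inside the affected range.
function isVulnerableBson(version) {
  const v = parse(version);
  return cmp(v, VULN.min) >= 0 && cmp(v, VULN.maxExcl) < 0;
}

// Minimal matcher for the two range forms quoted in the issue: "~1.0.4"
// (>=1.0.4 <1.1.0) and "4.13.*" (>=4.13.0 <4.14.0); exact versions otherwise.
function satisfies(version, range) {
  const v = parse(version);
  if (range.startsWith('~')) {
    const b = parse(range.slice(1));
    return v[0] === b[0] && v[1] === b[1] && v[2] >= b[2];
  }
  if (range.endsWith('.*')) {
    const b = parse(range.slice(0, -2) + '.0');
    return v[0] === b[0] && v[1] === b[1];
  }
  return cmp(v, parse(range)) === 0;
}

// Depth-first walk over {version, dependencies} nodes (the shape of
// `npm ls --json`). Each hit records the full path and the direct parent of
// bson, which is the package whose own range has to move to ~1.1.4.
function findVulnerablePaths(node, name, path = []) {
  const here = [...path, `${name}@${node.version}`];
  const hits = [];
  if (name === 'bson' && isVulnerableBson(node.version)) {
    hits.push({ path: here.join(' > '), pinnedBy: path[path.length - 1] });
  }
  for (const [dep, child] of Object.entries(node.dependencies || {})) {
    hits.push(...findVulnerablePaths(child, dep, here));
  }
  return hits;
}

// Constructed tree following the path quoted in the issue. Versions for
// @app-masters/mongoose-it, mongodb and mongodb-core are placeholders.
const dep = (version, dependencies) => ({ version, dependencies });
const tree = dep('2.2.1', { '@app-masters/mongoose-it': dep('0.0.0-placeholder', {
  mongoose: dep('4.13.21', { mongodb: dep('2.0.0-placeholder', {
    'mongodb-core': dep('2.0.0-placeholder', { bson: dep('1.0.4') }) }) }) }) });
const results = findVulnerablePaths(tree, '@app-masters/node-lib');
```

`satisfies('4.13.22', '4.13.*')` is true while `satisfies('1.1.4', '~1.0.4')` is false, which is the whole problem: a patched mongoose would flow down the `4.13.*` constraint automatically, but bson 1.1.4 cannot flow up through a `~1.0.4` pin, so `pinnedBy` is where the range must change.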

@vkarpov15 vkarpov15 removed this from the 4.13.22 milestone Aug 9, 2021
@vkarpov15 vkarpov15 removed their assignment Aug 9, 2021
@Automattic Automattic deleted a comment from levpachmanov Oct 3, 2023
@Automattic Automattic locked as resolved and limited conversation to collaborators Oct 3, 2023