The `sqlite3` dependency (shopify-app-js/packages/apps/session-storage/shopify-app-session-storage-sqlite/package.json, line 48 in f39d1bc) is pinned to an old version of the package that itself depends on a vulnerable version of node-tar.

Advisory: GHSA-34x7-hfp2-rc4v

While I don't think that SQLite is used in a way that can trigger this (I'm not sure, though), it fills up `yarn audit`/`npm audit`. It would be really nice to not have this spamming audits.

Also, the SQLite bindings package in use is deprecated and unmaintained anyway! So it probably would be better to switch to other SQLite3 bindings. Node.js itself includes sync bindings to SQLite3, but sync wouldn't fly, I guess. There are multiple other SQLite3 bindings on npmjs.com; I'm not sure which would be the best to choose. Maybe Microsoft is trustworthy enough to use their bindings? https://www.npmjs.com/package/@vscode/sqlite3

Edit: I just noticed that the `sqlite3` package has transitive (dev) dependencies on two more packages that have low- and moderate-severity issues:

GHSA-vpq2-c234-7xj6
GHSA-v2v4-37r5-5v8g
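To judge whether an audit finding like the one above is reachable or just noise, the first thing a maintainer needs is the exact dependency chain that pulls the flagged package in and the version that ends up installed. `npm ls tar` and `yarn why tar` answer that from the command line; the script below is an added example (not part of this issue or of the shopify-app-js project) that does the same thing against the `packages` map of a lockfileVersion 2/3 `package-lock.json`, so it can run in CI or be adapted to a lockfile that the CLI tools won't read. The lockfile contents, the `example-app`/`some-lib` names, and the sample versions are constructed for the demo; the fixed-in version `6.2.1` used for the node-tar advisory is an assumption and must be checked against GHSA-34x7-hfp2-rc4v before relying on it.

```javascript
"use strict";

// Constructed sample of the `packages` map from a lockfileVersion 3 package-lock.json.
// Package names other than sqlite3/tar, and all versions, are invented for illustration.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { sqlite3: "^5.0.0", "some-lib": "^1.0.0" } },
    "node_modules/sqlite3": { version: "5.0.2", dependencies: { tar: "^6.0.0", "node-addon-api": "^3.0.0" } },
    "node_modules/tar": { version: "6.1.11" },
    "node_modules/node-addon-api": { version: "3.2.1" },
    "node_modules/some-lib": { version: "1.0.0", dependencies: { tar: "^6.2.1" } },
    // Nested copy: some-lib gets its own, newer tar because the hoisted one does not satisfy its range.
    "node_modules/some-lib/node_modules/tar": { version: "6.2.1" },
  },
};

// Package name encoded in a lockfile path, e.g. "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameOf(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Node's resolution order: a dependency is looked up in the nearest enclosing
// node_modules directory first, then each outer one, ending at the project root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (candidate in packages) return candidate;
    if (base === "") return null; // declared but not installed (e.g. optional dep)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

function label(packages, path) {
  if (path === "") return packages[""].name || "(root)";
  return `${nameOf(path)}@${packages[path].version}`;
}

// Depth-first walk from the root; returns every chain root -> ... -> target,
// one per installed copy of the target that is actually reachable.
function findDependencyPaths(lock, target) {
  const packages = lock.packages;
  const results = [];
  function walk(path, chain, onStack) {
    const here = [...chain, label(packages, path)];
    if (path !== "" && nameOf(path) === target) { results.push(here); return; }
    const pkg = packages[path];
    const deps = { ...(pkg.dependencies || {}), ...(path === "" ? pkg.devDependencies || {} : {}) };
    for (const depName of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, depName);
      if (resolved === null || onStack.has(resolved)) continue; // skip missing and cyclic edges
      onStack.add(resolved);
      walk(resolved, here, onStack);
      onStack.delete(resolved);
    }
  }
  walk("", [], new Set([""]));
  return results;
}

// Minimal major.minor.patch comparison (pre-release tags are ignored on purpose).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function versionLessThan(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// For each reachable copy of `target`, report the chain and whether its version
// predates `fixedIn` (the first patched release named in the advisory).
function auditPackage(lock, target, fixedIn) {
  return findDependencyPaths(lock, target).map((chain) => {
    const version = chain[chain.length - 1].split("@").pop();
    return { chain: chain.join(" > "), version, vulnerable: versionLessThan(version, fixedIn) };
  });
}

// Assumed fixed-in version for GHSA-34x7-hfp2-rc4v; verify against the advisory.
for (const finding of auditPackage(SAMPLE_LOCK, "tar", "6.2.1")) {
  console.log(`${finding.vulnerable ? "VULNERABLE" : "ok        "} ${finding.chain}`);
}
```

Run with `node audit-paths.js` after replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`. The point of walking the tree instead of trusting the audit summary is visible in the sample: the same lockfile contains both a vulnerable hoisted `tar` (reached only through `sqlite3`) and a patched nested copy, so the fix is to bump or replace `sqlite3`, not to add a root-level `tar` override that would leave the hoisted copy in place.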