TypeOrm mssql peer dependency issue related to CVE-2024-35255

[MissaouiChedy]

Issue description

I am using TypeOrm 0.3.20 in a project with SQL Server.

npm audit is surfacing the following vulnerability related to @azure/identity:

# npm audit report 
@azure/identity  <4.2.1
Severity: moderate
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
fix available via `npm audit fix --force`
Will install mssql@11.0.0, which is a breaking change
node_modules/@azure/identity
  tedious  11.0.9 - 18.2.0
  Depends on vulnerable versions of @azure/identity
  node_modules/tedious
    mssql  7.2.1 - 10.0.4
    Depends on vulnerable versions of tedious
    node_modules/mssql
      typeorm  0.3.6-dev.0418ebc - 0.3.6-dev.ef025bd || >=0.3.7-dev.1b5aa62
      Depends on vulnerable versions of mssql
      node_modules/typeorm
4 moderate severity vulnerabilities

It is possible to mitigate the issue by upgrading mssql to 11.0.x, however this causes a peer dependency conflict with typeorm 0.3.20.

What would be the ramifications of allowing mssql 11 as peer dependency in typeorm ? I am open to contribute.

Expected Behavior

No peer dependency conflict with mssql 11.0.0

Actual Behavior

Peer dependency conflict with mssql 11.0.0

Steps to reproduce

In a sample project:

1. Reference typeorm 0.3.20
2. Reference mssql 11.0.0
3. run npm install

My Environment

Dependency	Version
Operating System	Linux (Ubuntu)
Node.js version	22.2
Typescript version	^5.1.3
TypeORM version	0.3.20

Additional Context

Unfortunately, I was not able to follow the typeorm security policy as the support@typeorm.io e-mail is unreachable.

Relevant Database Driver(s)

• aurora-mysql
• aurora-postgres
• better-sqlite3
• cockroachdb
• cordova
• expo
• mongodb
• mysql
• nativescript
• oracle
• postgres
• react-native
• sap
• spanner
• sqlite
• sqlite-abstract
• sqljs
• sqlserver

Are you willing to resolve this issue by submitting a Pull Request?

Yes, I have the time, but I don't know how to start. I would need guidance.

[Fatmoogle]

Were you able to resolve the vulnerabilities on your end and still update mssql to v11.0.0?

[MissaouiChedy]

Were you able to resolve the vulnerabilities on your end and still update mssql to v11.0.0?

@Fatmoogle I am not sure I understand you correctly but yes I tried to npm audit fix + upgrade to mssql 11.0.0 but I get a dependency conflict.

Should I try to ignore the dependency conflict and test anyway ?

[mboiman]

Dependency Conflict: mssql 11.x.x and typeorm 0.3.20

Issue Description

There is currently a dependency conflict between typeorm version 0.3.20 and mssql version 11.x.x. This conflict arises from the need to address a security vulnerability (CVE-2024-35255) in mssql, which requires upgrading to version 11.x.x.

Current Situation

• typeorm 0.3.20 specifies optional peer dependencies for mssql versions ^9.1.1 || ^10.0.1.
• Security vulnerability CVE-2024-35255 requires upgrading mssql to version 11.x.x.
• mssql 11.x.x falls outside the range specified by typeorm 0.3.20.

Problems

1. Security Compliance: Projects must upgrade to mssql 11.x.x to address the vulnerability, but this conflicts with typeorm 0.3.20's peer dependency constraints.
2. npm Version Resolution: npm version 7 and above treat peer dependency conflicts as errors, blocking installations and complicating dependency management.

Request

We kindly request that the typeorm team consider updating the peer dependency constraints to include mssql 11.x.x in an upcoming release. This update would resolve the conflict and allow developers to maintain both security compliance and compatibility with the latest typeorm features.

Proposed Solution

1. Update the peer dependencies for mssql in typeorm to support version 11.x.x.
2. Ensure that the updated typeorm release is compatible with mssql 11.x.x to facilitate smooth installations and adherence to security standards.

Benefits

This change would greatly help developers by:

• Eliminating the need for workarounds
• Ensuring a more seamless and secure development experience
• Allowing projects to maintain security compliance without sacrificing typeorm compatibility

Thank you for your attention to this matter.

[pkuczynski]

Adding in package.json:

"overrides": {
    "mssql": "$mssql"
}

and upgrading mssql to 11.x is a viable workaround for fixed peer dependencies until #10933 is merged and released.