Description
Hi @vkarpov15, @AbdelrahmanHafez, I’d like to report two vulnerabilities introduced in mongoose:
Issue Description
Two vulnerabilities (high severity), CVE-2019-2391 and CVE-2020-7610, are detected in package bson (>=1.0.0 <1.1.4), and bson@1.0.9 is directly referenced by mongoose@4.13.21. We noticed that the vulnerabilities have been removed since mongoose@5.3.9.
However, mongoose's popular previous version mongoose@4.13.21 (25,347 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 3,324 downstream projects, e.g., @app-masters/node-lib 2.2.1, omniboard 2.14.0, e-commerce-platform 0.0.1, capstonejs 4.2.23-b, @shoutem/express-stack 0.2.36, etc.).
As such, CVE-2019-2391 and CVE-2020-7610 can be propagated into these downstream projects and expose them to security threats.
These projects cannot easily upgrade mongoose from version 8.13.0 to (>=9.2.0). For instance, mongoose@4.13.21 is introduced into the above projects via the following package dependency paths:
(1)@app-masters/node-lib@2.2.1 ➔ @app-masters/mongoose-it@1.0.13 ➔ mongoose@4.13.21 ➔ bson@1.0.9
......
The projects such as @app-masters/mongoose-it, which introduced mongoose@4.13.21, are not maintained anymore. These unmaintained packages can neither upgrade mongoose nor be easily migrated by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerabilities from package mongoose@4.13.21?
Suggested Solution
Since these inactive projects set a version constraint 4.13.* for mongoose on the above vulnerable dependency paths, if mongoose removes the vulnerability from 4.13.21 and releases a new patched version mongoose@4.13.22, such a vulnerability patch can be automatically propagated into the 3,324 affected downstream projects.
In mongoose@4.13.22, you can kindly try to perform the following upgrade:
bson ~1.0.4 ➔ ~1.1.4
Note:
bson@1.1.4 (>=1.1.4) has fixed the vulnerabilities (CVE-2019-2391 and CVE-2020-7610).
Thank you for your contributions.
Yours sincerely,
Paimon
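The report above rests on two mechanics: a transitive dependency path that ends in a bson version inside the vulnerable range, and the version constraints that decide whether a patched release would actually reach the downstream tree. The following is an added example (not part of the issue, and not mongoose's or bson's own code) that walks a constructed package-lock v1 style dependency tree modelled on path (1), lists every path ending in a vulnerable bson, and checks the two range shapes the report mentions: the `~1.0.4` constraint that keeps mongoose@4.13.21 from picking up bson@1.1.4 on its own, and the `4.13.*` constraint that would let a hypothetical mongoose@4.13.22 propagate. The lockfile fragment, the package name `downstream-app` and the sibling `other-lib` are constructed for illustration; the version matcher handles only tilde, `x.y.*` and exact pins, not the full npm semver grammar.

```javascript
// Added example: report dependency paths to a vulnerable bson and test which
// version constraints would pick up a fix. Not code from the issue or mongoose.

// Constructed lockfile fragment (package-lock v1 shape) modelled on path (1).
const LOCK = {
  name: "downstream-app", // hypothetical root package
  dependencies: {
    "@app-masters/node-lib": {
      version: "2.2.1",
      dependencies: {
        "@app-masters/mongoose-it": {
          version: "1.0.13",
          dependencies: {
            mongoose: {
              version: "4.13.21",
              dependencies: { bson: { version: "1.0.9" } },
            },
          },
        },
      },
    },
    // Hypothetical sibling already on the fixed bson line, for contrast.
    "other-lib": { version: "1.0.0", dependencies: { bson: { version: "1.1.4" } } },
  },
};

// "major.minor.patch" -> [major, minor, patch]; pre-release tags not handled.
function parseVersion(v) {
  return v.split(".").map(Number);
}

// Numeric three-part comparison: negative if a < b, 0 if equal, positive if a > b.
function cmp(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Vulnerable range cited in the report: >=1.0.0 <1.1.4.
function bsonIsVulnerable(version) {
  return cmp(version, "1.0.0") >= 0 && cmp(version, "1.1.4") < 0;
}

// Depth-first walk over nested "dependencies"; returns every path (as
// "name@version" arrays) that ends at `pkg` with a version matching `predicate`.
function findPaths(tree, pkg, predicate, prefix = []) {
  const out = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, `${name}@${node.version}`];
    if (name === pkg && predicate(node.version)) out.push(path);
    out.push(...findPaths(node, pkg, predicate, path));
  }
  return out;
}

// Minimal matcher for the range shapes the report mentions:
// "~1.0.4" means >=1.0.4 <1.1.0; "4.13.*" means any 4.13.x; otherwise exact pin.
function satisfies(range, version) {
  const v = parseVersion(version);
  if (range.startsWith("~")) {
    const base = range.slice(1).trim();
    const r = parseVersion(base);
    return cmp(version, base) >= 0 && v[0] === r[0] && v[1] === r[1];
  }
  if (range.endsWith(".*")) {
    const r = range.slice(0, -2).split(".").map(Number);
    return v[0] === r[0] && v[1] === r[1];
  }
  return version === range;
}

function report() {
  const paths = findPaths(LOCK, "bson", bsonIsVulnerable);
  return {
    vulnerablePaths: paths.map((p) => p.join(" -> ")),
    // mongoose@4.13.21 declares ~1.0.4, which excludes 1.1.4: no fix without a republish.
    tildeOldPicksUpFix: satisfies("~1.0.4", "1.1.4"),
    // The suggested ~1.1.4 constraint does include the fixed version.
    tildeNewPicksUpFix: satisfies("~1.1.4", "1.1.4"),
    // Downstream pins 4.13.*, so a hypothetical 4.13.22 would be picked up.
    wildcardPicksUpPatch: satisfies("4.13.*", "4.13.22"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(report(), null, 2));
}
```

Run with `node` to print the single vulnerable path and the three constraint checks; the same walk can be pointed at a real `package-lock.json` by replacing `LOCK` with the parsed file, which is a quick way for a downstream maintainer to confirm whether their tree is on one of the paths the report describes.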