node-red-node-sqlite dependency sqlite3 is DEPRECATED and has upstream high severity vuln #1121

@Steve-Mcl

Description

The sqlite3 package (npm, github) is marked on GH as DEPRECATED and has not been updated for over 2 years

NPM reports an issue with a child dependency tar:

tar  <=7.5.3
Severity: high
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - https://github.com/advisories/GHSA-8qq5-rm4j-mr97
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - https://github.com/advisories/GHSA-r6q2-hw4h-h46w

npm audit:

└─┬ [email protected]
  └─┬ [email protected]
    ├─┬ [email protected]
    │ ├─┬ [email protected]
    │ │ └─┬ [email protected]
    │ │   └── [email protected] deduped
    │ └── [email protected] deduped
    └── [email protected]

It seems many packages are moving to better-sqlite3 (it has twice as many downloads as sqlite3 and is updated frequently) - perhaps it is time to consider a move?
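As an added example (not from this issue, node-red or the sqlite3 project), the script below walks a lockfileVersion 2/3 package-lock.json and lists every dependency chain from the project root to a copy of a named package at or below a given version, the same question npm audit answers for tar <=7.5.3 above. The lockfile embedded in it is constructed: apart from node-red-node-sqlite, sqlite3 and tar, the package names (build-tool, fetcher, cache) and all version numbers are placeholders shaped like the audit tree in the issue, not the real dependency graph.

```javascript
"use strict";

// Constructed lockfile (placeholder names/versions), shaped like the npm audit
// tree in the issue: one hoisted vulnerable tar reached by two chains, and one
// nested, already-patched tar that must not be reported.
const EXAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "node-red-node-sqlite": "^1.0.0" } },
    "node_modules/node-red-node-sqlite": { version: "1.0.0", dependencies: { sqlite3: "^5.0.0" } },
    "node_modules/sqlite3": { version: "5.0.0", dependencies: { tar: "^6.0.0" },
                              optionalDependencies: { "build-tool": "^1.0.0" } },
    "node_modules/build-tool": { version: "1.0.0", dependencies: { fetcher: "^1.0.0", tar: "^6.0.0" } },
    "node_modules/fetcher": { version: "1.0.0", dependencies: { cache: "^1.0.0" } },
    "node_modules/cache": { version: "1.0.0", dependencies: { tar: "^7.6.0" } },
    "node_modules/cache/node_modules/tar": { version: "7.6.0" }, // patched, nested copy
    "node_modules/tar": { version: "6.1.0" },                     // vulnerable, hoisted copy
  },
};

// Numeric compare of "major.minor.patch"; prerelease/build tags are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameOf(pkgPath) {
  const i = pkgPath.lastIndexOf("node_modules/");
  return i === -1 ? pkgPath : pkgPath.slice(i + "node_modules/".length);
}

// npm's lookup rule: a dependency resolves to the nearest enclosing
// node_modules directory that contains it, walking up towards the root.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Every chain from the root project to a copy of `target` with version <= maxVersion,
// as strings like "root > a@1.0.0 > tar@6.1.0". Requires lockfileVersion 2 or 3
// (the "packages" map); a v1 lockfile has no such map and yields no results.
function vulnerablePaths(lock, target, maxVersion) {
  const packages = lock.packages || {};
  const hits = [];
  const stack = new Set(); // packages on the current DFS path (cycle guard)

  function visit(pkgPath, chain) {
    const pkg = packages[pkgPath];
    if (!pkg || stack.has(pkgPath)) return;
    if (pkgPath !== "" && nameOf(pkgPath) === target &&
        compareVersions(pkg.version, maxVersion) <= 0) {
      hits.push(chain.join(" > "));
      return; // what the vulnerable package itself depends on is irrelevant here
    }
    stack.add(pkgPath);
    // Regular and optional deps both matter; an optional dep that npm skipped
    // simply has no entry and is ignored by resolveDep.
    const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      const next = resolveDep(packages, pkgPath, dep);
      if (next === null) continue;
      visit(next, chain.concat(`${dep}@${packages[next].version}`));
    }
    stack.delete(pkgPath);
  }

  visit("", ["root"]);
  return hits;
}

// Usage: node find-vuln-dep.js [package-lock.json]; without an argument the
// constructed lockfile above is checked against the tar <=7.5.3 range.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : EXAMPLE_LOCK;
  for (const p of vulnerablePaths(lock, "tar", "7.5.3")) console.log(p);
}
```

On the constructed lockfile the hoisted tar 6.1.0 is reported on both chains that reach it (directly from sqlite3 and via build-tool), while the nested 7.6.0 copy under cache is left out. Re-running the check after a fix such as an npm `overrides` entry confirms that no chain still resolves to the affected range, which is the verification step an audit tree alone does not give you.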

Labels: dependencies