Summary
@databricks/sql currently pins thrift at a version that's flagged by GHSA-r67j-r569-jrwp (Apache Thrift Node.js bindings vulnerable to uncontrolled recursion). Downstream consumers running npm audit --audit-level=high in CI are now seeing this fail with "No fix available" because the lockfile-resolved thrift version falls inside the advisory's affected range.
Can be reproduced in any project that depends on @databricks/sql@^1.13.0.
Requested change
Bump the thrift peer/runtime dependency in @databricks/sql to a version outside the advisory range (the next patched release on or after 0.23.0).
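The lockfile situation the issue describes, as an added example that is not part of the issue or of the @databricks/sql project: walk a package-lock.json, find every installed copy of a transitive dependency (here thrift), compare it against the version the advisory is fixed in, and list which direct dependencies pin it. This is the same resolution npm audit performs before reporting "No fix available". The lockfile below is constructed for illustration in the lockfile v3 layout; the version numbers in it are placeholders, the 0.23.0 threshold is the issue's stated target rather than a boundary verified against GHSA-r67j-r569-jrwp, and the helper names are the example's own.

```javascript
// Added example, not code from the issue or from @databricks/sql.
// Constructed lockfile (npm lockfileVersion 3 layout). Versions are placeholders.
const LOCKFILE = {
  name: 'downstream-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@databricks/sql': '^1.13.0' } },
    'node_modules/@databricks/sql': {
      version: '1.13.0',
      dependencies: { thrift: '0.20.0' }, // placeholder pin, not the real one
    },
    'node_modules/thrift': { version: '0.20.0' },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers. The prerelease tag is
// dropped, which is the conservative choice for an "is it below the fix" test.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`: the top-level "node_modules/<name>" entry
// and any nested "node_modules/<x>/node_modules/<name>" entries.
function resolvedVersions(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([key]) => key === suffix || key.endsWith(`/${suffix}`))
    .map(([key, entry]) => ({ path: key, version: entry.version }));
}

// Packages whose own `dependencies` map pins `name`; the root project is "".
function dependents(lock, name) {
  return Object.entries(lock.packages)
    .filter(([, entry]) => entry.dependencies && name in entry.dependencies)
    .map(([key, entry]) => ({
      package: key === '' ? '(root)' : key.replace(/^.*node_modules\//, ''),
      range: entry.dependencies[name],
    }));
}

// Report every installed copy of `name` below `fixedIn`, and who pins it.
// An empty `affected` list means the advisory range is not present in the tree.
function auditTransitive(lock, name, fixedIn) {
  const affected = resolvedVersions(lock, name)
    .filter(({ version }) => compareVersions(version, fixedIn) < 0);
  return {
    name,
    fixedIn,
    affected,
    pinnedBy: affected.length ? dependents(lock, name) : [],
  };
}
```

To run this against a real project, replace LOCKFILE with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and call `auditTransitive(lock, 'thrift', '<fixed version from the advisory>')`; the `pinnedBy` list tells you which direct dependency has to be bumped before `npm audit --audit-level=high` will pass again.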