Quoting Nicolas Mora (2020-09-03 15:49:32)
> Hello,
>
> Concerning embedded modules, this raises another question for me.
>
> On 2020-09-03 at 08:54, Xavier wrote:
>
> > serialize-javascript:
> > - node-compression-webpack-plugin (1.9.1)
> > - node-copy-webpack-plugin (1.4.0)
> > - node-uglifyjs-webpack-plugin (1.7.0)
>
> A CVE was recently published for serialize-javascript [1]; to fix the
> issue, it must be upgraded to 3.1.0.
>
> Would it be possible to broadcast this kind of issue to all packages
> embedding vulnerable modules?
A first step would be to identify all embedded code - thanks a lot to Xavier for working on that!

A second step would be to report all embedded code to the security team - see https://wiki.debian.org/EmbeddedCopies

A third step would be to ask the security team how we might better help them handle this¹ issue (because I highly doubt that reporting in the current form is enough for the security team to reliably track issues: they seem not efficiently machine-readable).

- Jonas

¹ ...where "this issue" is the fact that some embedded code copies are required. Obviously code copies *not* required should be *dropped* rather than reported, and obviously we should not whine about ftp-masters wrongly forcing us to embed stuff, because that's (not true, and) irrelevant for the security team.

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
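The first two steps above (inventory embedded copies, report them in a form the security team can track by machine) can be automated for the case the thread raises. The following is an added example, not code from the thread or from any Debian tool: it walks a source tree for every package.json named serialize-javascript, wherever it is vendored, and flags copies below the 3.1.0 fix version named in the thread. The sample tree, its directory names and versions are constructed for the demonstration.

```python
import json
import os
import tempfile


def parse_version(ver):
    """'3.1.0' or 'v3.1.0-beta' -> (3, 1, 0); non-numeric parts count as 0."""
    core = ver.lstrip("v").split("-", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def find_embedded_copies(root, module, fixed):
    """Sorted (relative dir, version, vulnerable) for each package.json named module."""
    fixed_v = parse_version(fixed)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        if meta.get("name") != module:
            continue
        version = str(meta.get("version", "0"))
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        hits.append((rel, version, parse_version(version) < fixed_v))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (assumed versions, not real package contents)."""
    root = tempfile.mkdtemp()
    manifests = [  # (directory, package name, version)
        ("a-plugin", "a-plugin", "1.0.0"),
        ("a-plugin/node_modules/serialize-javascript", "serialize-javascript", "2.1.1"),
        ("b-plugin/vendor/serialize-javascript", "serialize-javascript", "3.1.0"),
        ("c-tool/node_modules/serialize-javascript", "serialize-javascript", "1.9.1"),
    ]
    for rel, name, ver in manifests:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, "package.json"), "w") as fh:
            json.dump({"name": name, "version": ver}, fh)
    return root


if __name__ == "__main__":
    for rel, ver, vuln in find_embedded_copies(build_sample_tree(), "serialize-javascript", "3.1.0"):
        print("VULNERABLE" if vuln else "ok", ver, rel, sep="\t")
```

Pointing find_embedded_copies at an unpacked Debian source tree gives the per-package list a security tracker can consume, which is the machine-readable form the reply asks for.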