On 03/09/2020 at 16:28, Jonas Smedegaard wrote:
> Quoting Nicolas Mora (2020-09-03 15:49:32)
>> Hello,
>>
>> Concerning embedded modules, this raises another question for me.
>>
>> On 2020-09-03 at 08:54, Xavier wrote:
>>
>>> serialize-javascript:
>>> - node-compression-webpack-plugin (1.9.1)
>>> - node-copy-webpack-plugin (1.4.0)
>>> - node-uglifyjs-webpack-plugin (1.7.0)
>>
>> A CVE was recently published for serialize-javascript [1]; to fix the
>> issue, it must be upgraded to 3.1.0.
>>
>> Would it be possible to broadcast this kind of issue to all packages
>> embedding vulnerable modules?
>
> A first step would be to identify all embedded code - thanks a lot to
> Xavier for working on that!
>
> A second step would be to report all embedded code to the security team
> - see https://wiki.debian.org/EmbeddedCopies
Partially done

> A third step would be to ask the security team how we might better help
> them handle this¹ issue (because I highly doubt that reporting in the
> current form is enough for the security team to reliably track issues:
> they seem not efficiently machine-readable).

I'll try to automate some things around this future tool and `npm audit`.

I also need to update lintian to get `nodejs-module` results for non-JS Team packages.

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
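The thread asks for two things: a way to find every embedded copy of a module inside a source package, and a report format the security team can actually consume by machine. The script below is an added example written for this page; it is not code from the thread, from lintian, from `npm audit` or from any Debian tool. It assumes that embedded modules can be located by their `package.json` files (vendored minified bundles without one are not found this way), that the advisory table is a plain "name: first fixed version" mapping (here only the serialize-javascript entry from the thread, with no CVE identifier since none is quoted), and it builds a constructed sample tree under a temporary directory so it runs offline.

```python
import json
import tempfile
from pathlib import Path

# Constructed advisory table (hypothetical format): module name -> first fixed version.
# The thread only states that serialize-javascript must be upgraded to 3.1.0,
# so that is the single entry; anything below 3.1.0 is treated as affected.
KNOWN_VULNERABLE = {
    "serialize-javascript": "3.1.0",
}


def parse_version(v):
    """Turn '2.1.2', 'v2.1.2' or '2.1.2-beta.1' into a 3-tuple of ints.

    Pre-release and build suffixes are dropped; missing components are padded
    with 0 so that '3.1' compares equal to '3.1.0' instead of below it.
    """
    core = v.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(name, version):
    """True if `name` is in the advisory table and `version` is below the fix."""
    fixed = KNOWN_VULNERABLE.get(name)
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def find_embedded_modules(root):
    """Yield (relative_dir, name, version) for every package.json below root.

    The top-level package.json is the packaged module itself, not an embedded
    copy, so it is skipped. Unreadable or malformed files are ignored.
    """
    root = Path(root)
    for pkg_json in sorted(root.rglob("package.json")):
        rel = pkg_json.relative_to(root)
        if rel == Path("package.json"):
            continue
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue
        name, version = data.get("name"), data.get("version")
        if isinstance(name, str) and isinstance(version, str):
            yield rel.parent.as_posix(), name, version


def audit_tree(root):
    """Return one dict per embedded copy that matches the advisory table."""
    findings = []
    for path, name, version in find_embedded_modules(root):
        if is_affected(name, version):
            findings.append({
                "path": path,
                "name": name,
                "version": version,
                "fixed_in": KNOWN_VULNERABLE[name],
            })
    return findings


def to_report(source_package, findings):
    """Machine-readable report: one JSON object per line, keyed by source package."""
    return "\n".join(
        json.dumps({"source": source_package, **f}, sort_keys=True) for f in findings
    )


def build_sample_tree():
    """Constructed sample source tree (not a real package): two embedded copies of
    serialize-javascript, one below the fixed version and one at it, plus an
    unrelated module that must not be reported."""
    root = Path(tempfile.mkdtemp(prefix="embedded-copies-"))
    files = {
        "package.json": {"name": "example-webpack-plugin", "version": "1.0.0"},
        "node_modules/serialize-javascript/package.json":
            {"name": "serialize-javascript", "version": "2.1.2"},
        "node_modules/example-dep/node_modules/serialize-javascript/package.json":
            {"name": "serialize-javascript", "version": "3.1.0"},
        "node_modules/example-dep/package.json":
            {"name": "example-dep", "version": "0.1.0"},
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(json.dumps(content), encoding="utf-8")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(to_report("example-webpack-plugin", audit_tree(sample_root)))
```

Run against a real unpacked source package the scan would be `audit_tree("/path/to/node-foo-1.2.3")`; the JSON-lines output is the part that answers the "not machine-readable" complaint in the thread, since each line carries the source package, the embedded path, the found version and the fixed version and can be grepped or ingested without parsing prose. The version comparison deliberately ignores pre-release tags, so a vendored `3.1.0-rc1` would be reported as fixed; tighten `parse_version` if that matters for a given advisory.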