Quoting Xavier (2020-09-03 16:33:10)
> On 03/09/2020 at 16:28, Jonas Smedegaard wrote:
> > Quoting Nicolas Mora (2020-09-03 15:49:32)
> >> Hello,
> >>
> >> Concerning embedded modules, this raises another question for me.
> >>
> >> On 2020-09-03 at 08:54, Xavier wrote:
> >>
> >>> serialize-javascript:
> >>> - node-compression-webpack-plugin (1.9.1)
> >>> - node-copy-webpack-plugin (1.4.0)
> >>> - node-uglifyjs-webpack-plugin (1.7.0)
> >>
> >> A CVE was recently published for serialize-javascript [1]; to fix the issue, it must be upgraded to 3.1.0.
> >>
> >> Would it be possible to broadcast this kind of issue to all packages embedding vulnerable modules?
> >
> > A first step would be to identify all embedded code - thanks a lot to Xavier for working on that!
> >
> > A second step would be to report all embedded code to the security team - see https://wiki.debian.org/EmbeddedCopies
>
> Partially done
>
> > A third step would be to ask the security team how we might better help them handle this¹ issue (because I highly doubt that reporting in the current form is enough for the security team to reliably track issues: they seem not efficiently machine-readable).
>
> I'll try to automate some things around this future tool and `npm audit`. I also need to update lintian to get `nodejs-module` results for non JS Team packages.
Thanks a lot for your work on this!

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
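The tracking problem discussed in the thread (once upstream publishes a fixed version, which source packages still embed a vulnerable copy?) as an added example in JavaScript. This is not code from the thread, from lintian or from any Debian tool. The embedded-copies data is constructed from Xavier's list, with the parenthesised numbers taken as the version of the embedded serialize-javascript copy (an assumption); the two `node-hypothetical-*` packages are invented to show a fixed copy and an unparseable version field; the fixed version 3.1.0 is the one Nicolas quoted. No CVE number is used.

```javascript
// Added example, not code from the thread or from any Debian tool: cross-check
// a machine-readable list of embedded node module copies against the version
// in which upstream fixed an issue, and emit a per-package report.

// Constructed input. Entries follow the shape of Xavier's list
// ("module: - package (version)"), with the parenthesised numbers taken as the
// version of the embedded module (an assumption). The two node-hypothetical-*
// packages are invented to show a fixed copy and an unparseable version.
const EMBEDDED_COPIES = {
  "node-compression-webpack-plugin": { "serialize-javascript": "1.9.1" },
  "node-copy-webpack-plugin":        { "serialize-javascript": "1.4.0" },
  "node-uglifyjs-webpack-plugin":    { "serialize-javascript": "1.7.0" },
  "node-hypothetical-plugin":        { "serialize-javascript": "3.1.0" },
  "node-hypothetical-old-plugin":    { "serialize-javascript": "unknown" },
};

// One advisory per module, keyed by the version that fixes the issue. The
// thread only says serialize-javascript must be upgraded to 3.1.0, so no CVE
// number is recorded here; "ref" is a free-text pointer for the report.
const ADVISORIES = [
  { module: "serialize-javascript", fixedIn: "3.1.0", ref: "upgrade to 3.1.0" },
];

// Parse a strict MAJOR.MINOR.PATCH string. Pre-release/build suffixes and
// anything non-numeric are rejected, so they land in the report as
// "unparseable" for a human to look at instead of being silently compared.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison per component, so "1.10.0" sorts after "1.9.1"
// (a plain string comparison would get that wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk every (package, embedded module) pair and classify it against the
// advisories that mention that module.
function findAffected(embedded, advisories) {
  const report = [];
  for (const [pkg, modules] of Object.entries(embedded)) {
    for (const adv of advisories) {
      const version = modules[adv.module];
      if (version === undefined) continue;
      let status;
      try {
        status = compareVersions(version, adv.fixedIn) < 0 ? "vulnerable" : "fixed";
      } catch (e) {
        status = "unparseable";
      }
      report.push({ package: pkg, module: adv.module, embedded: version,
                    fixedIn: adv.fixedIn, ref: adv.ref, status });
    }
  }
  // Deterministic order so a diff between two runs is meaningful.
  report.sort((x, y) => x.package.localeCompare(y.package));
  return report;
}

// Only the entries that still need action (vulnerable or needing a manual look).
function actionable(embedded, advisories) {
  return findAffected(embedded, advisories).filter((e) => e.status !== "fixed");
}

console.log(JSON.stringify(actionable(EMBEDDED_COPIES, ADVISORIES), null, 2));
```

Run with `node`; the output is a JSON array with one entry per package that still needs action. Two deliberate choices: the version parser refuses anything that is not plain `MAJOR.MINOR.PATCH` (Debian-side strings with `+dfsg`, `~` or pre-release suffixes end up in the `unparseable` bucket rather than being guessed at), and the whole report is sorted so that two runs can be diffed.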
-- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel