On Fri, 24 Sept 2021 at 08:16, Jonas Smedegaard <jo...@jones.dk> wrote:
>
> Hi Bastien,
>
> Quoting Bastien Roucariès (2021-09-24 09:49:37)
> > Package: node-define-property
> > Severity: serious
> > Tags: security upstream fixed-upstream
> > Justification: security bug
> > Forwarded: https://github.com/jonschlinkert/define-property/pull/6
> > X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
> >
> > Dear Maintainer,
> >
> > According to
> > https://www.npmjs.com/advisories/1490
> > node-define-property is vulnerable
> >
> >
> > Because it embeds small modules that are vulnerable.
>
> Sorry, I don't see the advisory mentioning define-property anywhere, and
> don't see our actual code calling "constructor" anywhere, as seems to be
> what the security in the advisory is about.
>
> Your reference to a PR 6 seems to be tied to an older version of
> define-property than in Debian.
>
> Please elaborate how this vulnerability affects code in Debian.
>
> > Embedding is bad and we have here another proof
>
> I was puzzled at first, but think I now understand your point:
>
> Embedding in general is not necessarily bad but is complex to do right -
> embedding without proper tracking is bad.

Yes, it is a lack of README.Sources, lack of a lintian tag.

> What confused me is that at first I thought you were ranting about
> Debian practice of embedding, but it seems you are ranting about lack of
> tracking of (either upstream or Debian-introduced) embedding. Do I
> understand that correctly?

Yes it is. Fixed nevertheless.

> Thanks for reporting, regardless,
>
> - Jonas
>
> --
> * Jonas Smedegaard - idealist & Internet-arkitekt
> * Tlf.: +45 40843136 Website: http://dr.jones.dk/
>
> [x] quote me freely [ ] ask before reusing [ ] keep private

--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel