[Pkg-javascript-devel] Embedded modules more than once
Jonas Smedegaard
jonas at jones.dk
Thu Sep 3 15:28:07 BST 2020
Quoting Nicolas Mora (2020-09-03 15:49:32)
> Hello,
>
> Concerning embedded modules, this raises me another question.
>
> On 20-09-03 at 08:54, Xavier wrote:
>
> > serialize-javascript:
> > - node-compression-webpack-plugin (1.9.1)
> > - node-copy-webpack-plugin (1.4.0)
> > - node-uglifyjs-webpack-plugin (1.7.0)
>
> A CVE was recently published for serialize-javascript [1], to fix the
> issue, it must be upgraded to 3.1.0.
>
> Can it be possible to broadcast this kind of issue to all packages
> embedding vulnerable modules?
A first step would be to identify all embedded code - thanks a lot to
Xavier for working on that!
A second step would be to report all embedded code to the security team
- see https://wiki.debian.org/EmbeddedCopies
A third step would be to ask the security team how we might better help
them handle this¹ issue (because I highly doubt that reporting in the
current form is enough for the security team to reliably track issues:
they seem not efficiently machine-readable).
- Jonas
¹ ...where "this issue" is the fact that some embedded code copies are
required. Obviously code copies *not* required should be *dropped*
rather than reported, and obviously we should not whine about
ftp-masters wrongly forcing us to embed stuff because that's (not true,
and) irrelevant for the security team.
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
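As an added illustration of the "machine-readable" point raised above (example code, not part of the original thread or of any Debian tooling), the following script parses an embedded-copies listing in the format Xavier posted and flags which packages still embed a version below the fixed one. It assumes the parenthesised number is the version of the embedded module, and uses a simplified numeric version comparison rather than full dpkg rules.

```python
import json
import re

# Constructed sample in the format quoted in the thread: the embedded
# module, then each Debian package embedding it with the embedded version.
EMBEDDED_LIST = """\
serialize-javascript:
- node-compression-webpack-plugin (1.9.1)
- node-copy-webpack-plugin (1.4.0)
- node-uglifyjs-webpack-plugin (1.7.0)
"""

# Module -> first fixed upstream version (3.1.0 is the figure from the mail).
FIXED_IN = {"serialize-javascript": "3.1.0"}

ENTRY_RE = re.compile(r"^- (?P<pkg>\S+) \((?P<version>[^)]+)\)$")


def version_key(version):
    """Simplified comparison key: numeric components only (assumption:
    plain dotted upstream versions, not full dpkg/epoch/tilde semantics)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_embedded(text):
    """Return {module: [(embedding_package, embedded_version), ...]}."""
    result, module = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # header line: "module:"
            module = line[:-1]
            result.setdefault(module, [])
            continue
        match = ENTRY_RE.match(line)       # entry line: "- package (version)"
        if match is None or module is None:
            raise ValueError(f"unparseable line: {line!r}")
        result[module].append((match["pkg"], match["version"]))
    return result


def affected(embedded, fixed_in):
    """Entries whose embedded version is older than the fixed version."""
    hits = []
    for module, entries in embedded.items():
        fixed = fixed_in.get(module)
        if fixed is None:
            continue
        for pkg, ver in entries:
            if version_key(ver) < version_key(fixed):
                hits.append({"module": module, "package": pkg,
                             "embedded": ver, "fixed_in": fixed})
    return hits


if __name__ == "__main__":
    print(json.dumps(affected(parse_embedded(EMBEDDED_LIST), FIXED_IN), indent=1))
```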