[Pkg-javascript-devel] Embedded modules more than once

Xavier yadd at debian.org
Thu Sep 3 15:33:10 BST 2020


Le 03/09/2020 à 16:28, Jonas Smedegaard a écrit :
> Quoting Nicolas Mora (2020-09-03 15:49:32)
>> Hello,
>>
>> Concerning embedded modules, this raises me another question.
>>
>> Le 20-09-03 à 08 h 54, Xavier a écrit :
>>
>>> serialize-javascript:
>>>       - node-compression-webpack-plugin (1.9.1)
>>>       - node-copy-webpack-plugin (1.4.0)
>>>       - node-uglifyjs-webpack-plugin (1.7.0)
>>
>> A CVE was recently published for serialize-javascript [1], to fix the
>> issue, it must be upgraded to 3.1.0.
>>
>> Can it be possible to broadcast this kind of issue to all packages
>> embedding vulnerable modules?
> 
> A first step would be to identify all embedded code - thanks a lot to 
> Xavier for working on that!
> 
> A second step would be to report all embedded code to the security team 
> - see https://wiki.debian.org/EmbeddedCopies

Partially done

> A third step would be to ask the security team how we might better help 
> them handle this¹ issue (because I highly doubt that reporting in the 
> current form is enough for the security team to reliably track issues: 
> they seem not efficiently machine-readable).

I'll try to automate some things around this future tool and `npm
audit`. I also need to update lintian to get `nodejs-module` results for
non JS Team packages.
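The kind of check the thread is asking for, in an added example that is not code from the Debian JavaScript Team, from lintian, or from `npm audit`: walk a source tree, collect every embedded `package.json`, and emit a machine-readable list of copies that sit below a known fix version. The advisory table holds only what the thread states (serialize-javascript is fixed in 3.1.0); the CVE identifier is a placeholder because the message gives no number, and the sample package entries in `SAMPLE_PACKAGES` are constructed for illustration.

```python
import json
import os
import re
from typing import Dict, List, Tuple

# Advisory table: module name -> (first fixed version, advisory id).
# Only the fix version comes from the thread; the id is a placeholder.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "serialize-javascript": ("3.1.0", "CVE-PLACEHOLDER"),
}

def parse_version(v: str) -> Tuple[int, int, int]:
    """Reduce '3.1.0', 'v3.1', or '3.1.0-beta.1' to a (major, minor, patch) tuple.
    Pre-release suffixes are dropped and missing components padded with zeros,
    so a pre-release of the fix version compares equal to the fix (not reported)."""
    m = re.match(r"v?(\d+(?:\.\d+){0,2})", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]

def is_vulnerable(name: str, version: str, advisories=ADVISORIES) -> bool:
    """True when the embedded copy is older than the first fixed version."""
    if name not in advisories:
        return False
    fixed, _ = advisories[name]
    return parse_version(version) < parse_version(fixed)

def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Find every package.json under root and return (path, name, version).
    Files that are unreadable or lack name/version strings are skipped."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue
        name, version = meta.get("name"), meta.get("version")
        if isinstance(name, str) and isinstance(version, str):
            found.append((path, name, version))
    return found

def report(packages, advisories=ADVISORIES) -> List[dict]:
    """One JSON-serialisable record per vulnerable embedded copy."""
    out = []
    for path, name, version in packages:
        if is_vulnerable(name, version, advisories):
            fixed, ident = advisories[name]
            out.append({"path": path, "module": name, "embedded": version,
                        "fixed_in": fixed, "advisory": ident})
    return out

# Constructed sample: what scan_tree() might return for two source packages.
SAMPLE_PACKAGES = [
    ("node-copy-webpack-plugin/node_modules/serialize-javascript/package.json",
     "serialize-javascript", "2.1.2"),
    ("node-other/node_modules/serialize-javascript/package.json",
     "serialize-javascript", "3.1.0"),
    ("node-other/node_modules/lodash/package.json", "lodash", "4.17.20"),
]

if __name__ == "__main__":
    import sys
    pkgs = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PACKAGES
    print(json.dumps(report(pkgs), indent=2))
```

Run with a directory argument to scan a real unpacked source package, or with no argument to see the output for the constructed sample; the JSON records are the machine-readable form the thread says the security team would need.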