[Pkg-javascript-devel] Embedded modules more than once
Xavier
yadd at debian.org
Thu Sep 3 15:33:10 BST 2020
Le 03/09/2020 à 16:28, Jonas Smedegaard a écrit :
> Quoting Nicolas Mora (2020-09-03 15:49:32)
>> Hello,
>>
>> Concerning embedded modules, this raises me another question.
>>
>> Le 20-09-03 à 08 h 54, Xavier a écrit :
>>
>>> serialize-javascript:
>>> - node-compression-webpack-plugin (1.9.1)
>>> - node-copy-webpack-plugin (1.4.0)
>>> - node-uglifyjs-webpack-plugin (1.7.0)
>>
>> A CVE was recently published for serialize-javascript [1], to fix the
>> issue, it must be upgraded to 3.1.0.
>>
>> Can it be possible to broadcast this kind of issue to all packages
>> embedding vulnerable modules?
>
> A first step would be to identify all embedded code - thanks a lot to
> Xavier for working on that!
>
> A second step would be to report all embedded code to the security team
> - see https://wiki.debian.org/EmbeddedCopies
Partially done
> A third step would be to ask the security team how we might better help
> them handle this¹ issue (because I highly doubt that reporting in the
> current form is enough for the security team to reliably track issues:
> the seem not efficiently machine-readable).
I'll try to automate some things around this future tool and `npm
audit`. I need also to update lintian to get `nodejs-module` results for
non JS Team packages.
More information about the Pkg-javascript-devel
mailing list