[Pkg-javascript-devel] Embedded modules more than once
Jonas Smedegaard
jonas at jones.dk
Thu Sep 3 16:17:01 BST 2020
Quoting Xavier (2020-09-03 16:33:10)
> On 03/09/2020 at 16:28, Jonas Smedegaard wrote:
> > Quoting Nicolas Mora (2020-09-03 15:49:32)
> >> Hello,
> >>
> >> Concerning embedded modules, this raises me another question.
> >>
> >> On 20-09-03 at 08 h 54, Xavier wrote:
> >>
> >>> serialize-javascript:
> >>> - node-compression-webpack-plugin (1.9.1)
> >>> - node-copy-webpack-plugin (1.4.0)
> >>> - node-uglifyjs-webpack-plugin (1.7.0)
> >>
> >> A CVE was recently published for serialize-javascript [1]; to fix the
> >> issue, it must be upgraded to 3.1.0.
> >>
> >> Would it be possible to broadcast this kind of issue to all packages
> >> embedding vulnerable modules?
> >
> > A first step would be to identify all embedded code - thanks a lot to
> > Xavier for working on that!
> >
> > A second step would be to report all embedded code to the security team
> > - see https://wiki.debian.org/EmbeddedCopies
>
> Partially done
>
> > A third step would be to ask the security team how we might better help
> > them handle this¹ issue (because I highly doubt that reporting in the
> > current form is enough for the security team to reliably track issues:
> > they seem not efficiently machine-readable).
>
> I'll try to automate some things around this future tool and `npm
> audit`. I also need to update lintian to get `nodejs-module` results for
> non JS Team packages.
Thanks a lot for your work on this!
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
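The workflow the thread is circling (find every embedded copy of a module across unpacked source packages, compare each copy against the version that fixes the issue, and report the result in a machine-readable form) as an added example; this is not code from the thread, from lintian or from Debian's tooling. The three package names come from the thread; the embedded serialize-javascript versions and the directory layout are constructed for the demonstration.

```python
"""Flag embedded copies of an npm module that are below the fixing version."""
import json
import tempfile
from pathlib import Path


def parse_version(v):
    """'3.1.0' -> (3, 1, 0); pre-release and build suffixes are ignored."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_embedded_copies(root, module):
    """Yield (path relative to root, version) for every embedded copy of module."""
    for pkg in Path(root).rglob(f"node_modules/{module}/package.json"):
        data = json.loads(pkg.read_text())
        if data.get("name") == module:      # skip unrelated dirs that happen to match
            yield str(pkg.parent.relative_to(root)), data["version"]


def audit_embedded(root, module, fixed_version):
    """Return one JSON-serialisable finding per embedded copy, sorted by path."""
    fixed = parse_version(fixed_version)
    return [
        {"module": module, "path": path, "version": ver,
         "fixed_in": fixed_version, "vulnerable": parse_version(ver) < fixed}
        for path, ver in sorted(find_embedded_copies(root, module))
    ]


def build_sample_tree(root):
    """Constructed sample: three source packages each embedding serialize-javascript.

    The embedded versions are made up; they are not the versions the thread lists.
    """
    embedded = {"node-compression-webpack-plugin": "2.1.2",
                "node-copy-webpack-plugin": "3.0.0",
                "node-uglifyjs-webpack-plugin": "3.1.0"}
    for pkg, ver in embedded.items():
        d = Path(root, pkg, "node_modules", "serialize-javascript")
        d.mkdir(parents=True)
        (d / "package.json").write_text(
            json.dumps({"name": "serialize-javascript", "version": ver}))


def run_sample():
    """Build the constructed tree in a temp dir and audit it against 3.1.0."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_embedded(tmp, "serialize-javascript", "3.1.0")


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

The JSON output is the machine-readable piece the thread asks for; the same `audit_embedded` call works on any unpacked source tree once the fixing version is known from the advisory.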