[FP]: vulnerability in date-and-time (NPM) dependencies being flagged in kotlinx-datetime dependencies #6864
Package URL
pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime*
CPE
cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*
CVE
CVE-2020-26289
ODC Integration
{"label"=>"Gradle Plugin"}
ODC Version
10.0.3
Description
This NPM-specific CPE is apparently being erroneously applied to multiple Kotlin dependencies:
Since kotlinx-datetime is a Kotlin Multiplatform (KMP) library, the JS-specific dependencies of that library, such as kotlinx-datetime-js, could at least in theory be affected by this vulnerability if they depend on affected versions of the date-and-time NPM dependency, but it doesn't look like that's the reason why this vulnerability is getting flagged. (Even if it did, it should only flag it on the applicable -js dependencies of the library.)
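
Until the CPE match is corrected upstream, a suppression entry scoped to the flagged package URL removes this finding without hiding other results. This is an added example, not part of the original issue or the project's own configuration; it assumes the standard Dependency-Check suppression file format (schema 1.3) and reuses the package URL and CPE reported above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: the NPM date-and-time CPE (source of CVE-2020-26289)
        is being matched against the Maven kotlinx-datetime artifacts.
        ]]></notes>
        <!-- Limit the rule to the kotlinx-datetime Maven coordinates only -->
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlinx/kotlinx-datetime.*$</packageUrl>
        <!-- Drop only the mismatched CPE; any other identifier on these artifacts is still reported -->
        <cpe>cpe:/a:date-and-time_project:date-and-time</cpe>
    </suppress>
</suppressions>
```

With the Gradle plugin, the file is referenced through the `suppressionFile` setting of the `dependencyCheck` extension.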