Incorrect security advisory on npmjs.com #383
Comments
@mvangeest thanks for confirmation this is fixed 👍 @FreekVR let me know if you continue to bump into any issues.
@bcoe just wanted to verify, this fix was backported to 5.0.1 in commit 1c417bd, 5.0.1 is safe from vulnerability CVE-2020-7608
v5.0.1 is patched:
Thank you for the verification, I have submitted to NVD and they have corrected the entry, still waiting on the CVE from Mitre and the OSS INDEX from Sonatype to update per the requests as well.
OSS INDEX has been updated and reflects no issues as well. The last one is the CVE which will take a while, with these two changes, security scans should not show it as an issue as these dbs are normally prioritized over the root cve finding. Thank you again
Hi,
I sent this issue to npm support but they referred me back here :)
In a recent advisory on npmjs a vulnerability was disclosed: https://www.npmjs.com/advisories/1500/versions
It doesn't report `5.0.1` as unaffected while it DOES include `5.0.0-security.0` as unaffected -- and this is additionally inconsistent with the Snyk report here: https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381

Is it possible to get this remedied? Sorry if this is the wrong place to ask, but NPM support wasn't getting me anywhere so far :)