-
The pre-9.3.2 CVE is published with information about the vulnerability: It's also in the GitHub Advisory Database: This sounds like a bug in npm if they're not correctly surfacing this in their audits.
-
If we look at https://github.com/vercel/next.js/releases/tag/v9.3.2, we can see that a CVE related to this exists. However, the NPM audit reference isn't the CVE - it just goes to version history.
If we don't document what the CVE is, how are developers supposed to know whether they are affected or decide on a fix? I looked here, but none seem relevant:
https://www.cvedetails.com/vulnerability-list/vendor_id-17577/product_id-43198/Zeit-Next.js.html