-
-
Notifications
You must be signed in to change notification settings - Fork 93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please backport CVE-2020-8116 security fix to 4.x. #63
Comments
+1 Please consider reopening #61 . The v4 release line may be old but it's still used by many packages and is installed millions of times each week. As a CVSS-high-severity vulnerability, we have had no option but to manually resolve to v5, introducing breaking changes to dozens of projects. |
I was trying to open a pull request for v4.2.0...Trott:sec-fix and came across this. I know it's an annoyance and that Node.js 6 and 8 are end-of-life, but that means users of upstream dependencies like I totally get the argument for not patching old release lines generally, and you certainly don't owe it to anyone, but if you can be persuaded to release a 4.2.1 in this particular instance, I think it would be a good thing. And if not, hey, thanks for reading anyway. |
we're going to have to patch this for npm@6 so I'm proposing the idea of maintaining a legacy fork in order to be able to fix vulns warnings such as this for legacy release lines, it might be an ephemeral fork though it should stay around (in terms of receiving active maintenance) for as long as npm@6 is still around 😊 To get it:
@sindresorhus I'd much prefer consolidating maintenance so let me know if you're open to have folks publish these versions over here in |
Thank you @ruyadorno for creating the legacy fork! It seems to already be very popular (52,171 downloads in less than 2 days). |
Sure. I didn't anticipate how many problems this would cause. I've published https://github.com/sindresorhus/dot-prop/tree/v4 as 4.2.1 (on the |
That's awesome! ❤️ Thanks Sindre! |
@sindresorhus I noticed the tag hasn't been pushed to the repo, maybe you want to push that in the future, just in case |
Awesome!!! Big Thank You! |
Done: https://github.com/sindresorhus/dot-prop/releases/tag/v4.2.1 |
Based on the severity of CVE-2020-8116 and the fact that 4.x is still very commonly used as a dependency, I would like to kindly request for the fix to be backported to 4.x and released as (presumably) v4.2.1.
Would this be possible? Many thanks in advance.
The text was updated successfully, but these errors were encountered: