wch 4 days ago

When I run `npm audit`, it points me to a security advisory at GitHub. For example, for debug, it is https://github.com/advisories/GHSA-8mgj-vmr8-frr6 .

That page says that the affected versions are ">=0". Does that seem right? That page also says:

> Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Is this information accurate?

andrewmcwatters 4 days ago

No. A now unavailable version, `debug@4.4.2` was unpublished by npm, which is the only vulnerable version in question.

Edit: However, I think the reason the security advisory marks the entire package at the moment, is because there is no mechanism in npm to notify users a version with an exploit is currently installed. `npm audit` looks at the versions configured, not installed.

The security advisory triggering this warning forces everyone to reinstall packages today, in case 4.4.2 was installed.

herpdyderp 4 days ago

I also see:

- https://github.com/advisories/GHSA-hfm8-9jrf-7g9w

- https://github.com/advisories/GHSA-5g7q-qh7p-jjvm

- https://github.com/advisories/GHSA-8mgj-vmr8-frr6

- https://github.com/advisories/GHSA-m99c-cfww-cxqx

I wonder if they're all from the same thing, they all popped up at the same time.

edit: they do appear to all be the same thing, and the advisory version wildcard is wrong: https://github.com/github/advisory-database/issues/6099
