benoau 4 days ago

There are probably already hundreds of thousands of Jira tickets to fix it with no sprint assigned...

brazzy 3 days ago | parent | next [-]

I feel attacked.

And very, very happy that we're proxying all access to npm through Artifactory, which allowed us to block the affected versions and verify that they were in fact never pulled by any of our builds.
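
A lockfile-side version of the check described above (confirming that no build ever pulled an affected version), as an added example that is not part of the thread and is not Artifactory's own tooling: it walks an npm package-lock.json and reports any entry matching a blocklist of exact package versions. The package names and versions in the blocklist and the sample lockfiles are constructed placeholders, not real affected releases.

```python
"""Check an npm package-lock.json against a blocklist of known-bad versions.

Added example, not code from the thread. The blocklist and sample lockfiles
below are constructed placeholders, not real affected releases.
"""
import json
import sys

# Constructed blocklist: exact (name, version) pairs that must never be installed.
BLOCKED_VERSIONS = {
    ("example-left-pad", "1.3.1"),
    ("example-colors", "2.0.0"),
}


def affected_entries(lockfile_text):
    """Return sorted (name, version, lockfile_path) triples that hit the blocklist.

    Handles lockfileVersion 2/3 (flat "packages" map keyed by node_modules path)
    and the legacy lockfileVersion 1 nested "dependencies" tree.
    """
    lock = json.loads(lockfile_text)
    hits = set()

    # lockfileVersion 2/3: keys look like "node_modules/a/node_modules/b";
    # the root project itself is the empty key and is skipped.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        # Aliased packages carry an explicit "name"; otherwise the last
        # node_modules segment is the name (works for @scope/pkg too).
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if (name, version) in BLOCKED_VERSIONS:
            hits.add((name, version, path))

    # lockfileVersion 1: recurse through nested "dependencies" objects.
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            version = meta.get("version")
            if (name, version) in BLOCKED_VERSIONS:
                hits.add((name, version, path))
            walk(meta.get("dependencies", {}), path + "/")

    # v2 lockfiles carry both maps; only fall back to the tree when "packages" is absent.
    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")

    return sorted(hits)


# Constructed sample: v3 lockfile with one blocked version nested under a dependency
# and a near-miss (1.3.0 is not on the blocklist, only 1.3.1 is).
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-left-pad": {"version": "1.3.0"},
        "node_modules/some-lib": {"version": "4.2.0"},
        "node_modules/some-lib/node_modules/example-colors": {"version": "2.0.0"},
    },
})

# Constructed sample: legacy v1 lockfile with two blocked versions.
SAMPLE_LOCKFILE_V1 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 1,
    "dependencies": {
        "some-lib": {
            "version": "4.2.0",
            "dependencies": {"example-colors": {"version": "2.0.0"}},
        },
        "example-left-pad": {"version": "1.3.1"},
    },
})


if __name__ == "__main__":
    # Usage as a CI gate: pass a lockfile path, exit non-zero on any hit.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE_V3
    found = affected_entries(text)
    for name, version, path in found:
        print(f"BLOCKED {name}@{version} at {path}")
    sys.exit(1 if found else 0)
```

Exact-version matching is deliberate: the point of such a check is to confirm that specific published versions were never resolved, so a semver-range match would only widen the result and hide that distinction.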

Aeolun 3 days ago | parent | next [-]

Only problem is the Artifactory instance is on the other side of the world instead of behind the convenient npmjs CDN, so installing packages takes 5x longer.

pixl97 3 days ago | parent | prev [-]

About to say, if you're in a company of any size and you're not doing it this way, you're doing it wrong.

hylaride 3 days ago | parent | prev [-]

Ugh, have some respect. Some of us have PTSD from dealing with security issues where the powers that be prevented us from dealing with them by deprioritizing them during backlog grooming. My last company literally refused to do any security work except CVE turndowns, because that was contractually promised via a customer contract.