
[GHSA-25mp-g6fv-mqxx] Unexpected server crash in Next.js. #179

Conversation

@medikoo medikoo commented Apr 5, 2022

The problem is that the security vulnerability is incorrectly applied to the v0.4 version of next, when it was a totally different product, and that affects some of my packages which still depend on next@0.4.

Updates

  • Affected products
  • Description

github commented Apr 5, 2022

Hi there @timneutkens! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to medikoo/advisory-improvement-179 April 5, 2022 08:23
darakian commented Apr 5, 2022

Hey there @medikoo, any chance you have some references discussing the rewrite/restart of the project after 0.4?

medikoo commented Apr 6, 2022

@darakian I was the package owner of next until v0.4. You can confirm that by installing next@0.4 (see on npm: https://www.npmjs.com/package/next/v/0.4.1; it reflects https://github.com/medikoo/node-ext, and you can confirm I'm the author by inspecting the author field of package.json).

Back then I marked it as deprecated, and then the current owners of next contacted me asking whether I'd be fine with giving away the package name, and I agreed to that. Starting from then it became a totally different product, with its first release at v0.9.9.

medikoo commented Apr 6, 2022

Discussion of giving away the package name happened in emails (it's not public on GitHub), but I believe the information I provided above should be sufficient to validate that next v0.4 and v0.9+ are, from scratch, absolutely different projects.

darakian commented Apr 6, 2022

Discussion of giving away a package name was happening in emails (it's not public on GitHub)

Is there any public reference to this? So far the best I can tell is that the git history of the current maintainer of next starts around version 1.0.0.

medikoo commented Apr 7, 2022

Is there any public reference to this?

It was a regular email exchange that, due to its technical nature, was not public, and at the time there was no need to make any public announcement of it.

Still, you can see a trace of that here: medikoo/node-ext#2 (it's an issue where another developer expressed interest in the next name, and I've answered that I've already passed ownership of this module to the current owner of next).

the best I can tell is that the git history of the current maintainer of next starts around version 1.0.0.

I'm referring strictly to the npm package that's part of the npm registry (as those are the ones you're currently issuing invalid security reports for).

And by inspecting the npm registry you can easily confirm what I'm stating by following these steps:

  1. Install the v0.4 version via npm as follows:
     npm install next@0.4
  2. Inspect the source installed at node_modules/next - you can easily confirm that it shares the content of this repository: https://github.com/medikoo/node-ext
  3. In another folder install the v0.9 version via npm:
     npm install next@0.9
  4. Compare the content of the installed v0.4 and v0.9 - it confirms both are totally different products
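
The check laid out in the steps above, automated as an added example (this script is not from the advisory thread and not code from either next project). It reads the identifying package.json fields of two unpacked installs and counts how many files are byte-identical between the two trees; a count near zero is the "totally different products" signal. The two sample trees are constructed inside the script so it runs offline; they stand in for the real `node_modules/next` directories produced by `npm install next@0.4` and `npm install next@0.9`, and the author and repository values for the "new" tree are placeholders, not the real project's metadata.

```shell
#!/bin/sh
# Added example: compare two unpacked npm package versions to decide
# whether they are the same code base. Not part of the advisory thread.
export LC_ALL=C   # make sort(1) and comm(1) agree on ordering

# Print one top-level string field from <dir>/package.json.
# Assumes the string shorthand ("repository": "<url>") and one field per
# line, as in the constructed samples below. Against the real registry,
# `npm view next@0.4.1 repository author` is the authoritative source.
pkg_field() {
  # $1 = package directory, $2 = field name
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
    "$1/package.json" | head -n 1
}

# Emit "<crc> <relative path>" for every regular file under a tree,
# sorted so that comm(1) can intersect two listings.
tree_digest() {
  ( cd "$1" && find . -type f | while IFS= read -r f; do
      printf '%s %s\n' "$(cksum < "$f" | cut -d' ' -f1)" "$f"
    done | sort )
}

# Count files that are identical (same relative path and same content)
# in both trees.
shared_files() {
  a=$(mktemp -t pkgcmp.XXXXXX); b=$(mktemp -t pkgcmp.XXXXXX)
  tree_digest "$1" > "$a"
  tree_digest "$2" > "$b"
  comm -12 "$a" "$b" | wc -l | tr -d ' '
  rm -f "$a" "$b"
}

# Constructed sample installs (stand-ins, not the published tarballs).
# "old" imitates next@0.4.x, whose package.json points at
# https://github.com/medikoo/node-ext; "new" imitates a later from-scratch
# release. Only README.md is deliberately identical in both trees.
make_samples() {
  SAMPLES=$(mktemp -d -t pkgcmp.XXXXXX)
  mkdir -p "$SAMPLES/old/lib" "$SAMPLES/new/dist"
  cat > "$SAMPLES/old/package.json" <<'EOF'
{
  "name": "next",
  "version": "0.4.1",
  "author": "medikoo",
  "repository": "https://github.com/medikoo/node-ext"
}
EOF
  printf 'module.exports = require("./lib/index");\n' > "$SAMPLES/old/index.js"
  printf 'exports.ext = function () { return "node-ext"; };\n' > "$SAMPLES/old/lib/index.js"
  printf '# next\n' > "$SAMPLES/old/README.md"
  cat > "$SAMPLES/new/package.json" <<'EOF'
{
  "name": "next",
  "version": "0.9.9",
  "author": "placeholder-author",
  "repository": "https://example.invalid/placeholder/next"
}
EOF
  printf 'module.exports = require("./dist/server");\n' > "$SAMPLES/new/index.js"
  printf 'exports.start = function () { return "server"; };\n' > "$SAMPLES/new/dist/server.js"
  printf '# next\n' > "$SAMPLES/new/README.md"
}

# Side-by-side summary of what identifies each install, plus the overlap.
report() {
  for d in "$1" "$2"; do
    printf '%s: name=%s version=%s author=%s repository=%s\n' "$d" \
      "$(pkg_field "$d" name)" "$(pkg_field "$d" version)" \
      "$(pkg_field "$d" author)" "$(pkg_field "$d" repository)"
  done
  printf 'files identical in both trees: %s\n' "$(shared_files "$1" "$2")"
}

make_samples
report "$SAMPLES/old" "$SAMPLES/new"
rm -rf "$SAMPLES"
```

To run it against real installs, replace the `make_samples` call with the two `npm install` commands from the steps above and point `report` at the two `node_modules/next` directories; the repository and author fields are the quick tell, and the shared-file count is the evidence that the trees have no code in common.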

darakian commented Apr 7, 2022

I've reached out to the current next devs and they've confirmed that this is the case. I'll go ahead and process this update. Thanks.

@advisory-database advisory-database bot merged commit 44196b1 into medikoo/advisory-improvement-179 Apr 7, 2022
@advisory-database advisory-database bot deleted the medikoo-GHSA-25mp-g6fv-mqxx branch April 7, 2022 16:06
@advisory-database

Hi @medikoo! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

medikoo commented Apr 7, 2022

I've reached out to the current next devs and they've confirmed that this is the case. I'll go ahead and process this update. Thanks.

Actually, whether the package changed ownership was irrelevant to this case.

The main point is that v0.4 is a very different project and it should not be marked with the vulnerability of v0.9+ and that can be easily confirmed just by inspecting published versions :)

darakian commented Apr 7, 2022

If I were more familiar with the library, sure, but as an outsider to the project it's hard to say that a vulnerability isn't shared between two artifacts just because they have significant differences. It's much easier to make that assessment after getting confirmation that the project started from scratch at 0.9.9.
