Is v6 vulnerable?/Can the fix be backported? #576
Comments
Yes, v6 is affected. The issue is in the range constructor itself; the advisory is incomplete. Please see the discussion in #564. It is not currently planned, given the age and state of the CI and testing, and the lack of a release process in those old versions.
@wraithgar I'm very interested in having the backport (since I'm permanently stuck on v6 on most projects due to the dropped Node versions). I'd be more than happy to pull all the CI stuff onto a branch off of v6 and make a PR, if that's something you'd be willing to merge?
You can try, but IIRC the CI "stuff" isn't currently set up to handle back-ported publishes. It's not something we've tackled yet, nor put any priority into.
Thanks for the link to the discussion about this. I missed that PR. Re others backporting: on the linked PR, it looks like Microsoft has already backported the fix to v5 and offered to backport it to v6 because those versions are used within VSCode: #564 (comment)
Is there an existing issue for this?
Current Behavior
GitHub is flagging https://nvd.nist.gov/vuln/detail/CVE-2022-25883 on libraries such as babel that use semver v6.
These libraries cannot upgrade to v7 (see babel/babel#15720 (comment)), and as best I can tell semver v6 does not have the `new Range` function in question.
Expected Behavior
If v6 is vulnerable, could the fix be backported?
If not, can v6 be excluded from the security advisory? (Many of us work at companies where leadership expects there to be no open security advisories on our dependencies, so it's nicer if we can close them vs. having to explain that we don't use user input in that case and it's not a problem.)
Steps To Reproduce
Use babel, check github security advisories
Environment
No response
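The issue body notes that the advisory only matters where untrusted input reaches semver's range constructor. For callers who cannot move off v6, the usual defence-in-depth is to gate such input before it ever reaches the library. The following is an added example written for this page, not node-semver's own code and not a fix for the library: the length and comparator limits are assumptions chosen for illustration, and the range constructor is passed in as a callback (`construct`, a hypothetical parameter) so the guard runs and can be tested without semver installed.

```javascript
// Added example (not node-semver's code): gate untrusted version-range strings
// before they reach a range constructor such as semver's `new Range(...)`.
// The numeric limits are assumptions for illustration, not values from the advisory.
const MAX_RANGE_LENGTH = 256;   // assumption: far longer than any realistic range spec
const MAX_COMPARATORS = 16;     // assumption: cap on space/"||"-separated comparator tokens

// Characters a semver range can legitimately contain: digits, letters (prerelease
// tags, the "x"/"X" wildcard), ".", "-", "+", "~", "^", comparison operators,
// "|", "*", and spaces. The anchored single character class is linear-time.
const ALLOWED = /^[0-9A-Za-z.\-+~^<>=|* ]*$/;

// Returns { ok, reason } so callers can log why an input was rejected.
function checkRangeInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_RANGE_LENGTH) return { ok: false, reason: 'too long' };
  if (!ALLOWED.test(input)) return { ok: false, reason: 'disallowed characters' };

  // Count comparator tokens: split on "||" (alternation) and then on whitespace.
  const tokens = input
    .split('||')
    .flatMap((part) => part.trim().split(/\s+/))
    .filter(Boolean);
  if (tokens.length > MAX_COMPARATORS) return { ok: false, reason: 'too many comparators' };

  return { ok: true, reason: '' };
}

// Wraps a range constructor with the guard above. `construct` is hypothetical:
// in real code it would be something like (s) => new semver.Range(s).
function safeRange(input, construct) {
  const verdict = checkRangeInput(input);
  if (!verdict.ok) {
    throw new RangeError(`rejected range input: ${verdict.reason}`);
  }
  return construct(input);
}

// Constructed sample inputs (not from the issue): a normal range, an oversized
// one, one with shell-style characters, and one with too many comparators.
const samples = [
  '>=1.2.3 <2.0.0 || ^3.0.0',
  'x'.repeat(300),
  '1.0.0; rm -rf /',
  Array(20).fill('>=1.0.0').join(' '),
];
for (const s of samples) {
  const v = checkRangeInput(s);
  console.log(JSON.stringify(s.slice(0, 40)), v.ok ? 'accepted' : `rejected (${v.reason})`);
}
```

The guard does not make v6 safe in itself; it only ensures that the strings reaching the constructor are bounded in size and shape, which is the condition the issue author describes ("we don't use user input in that case") made explicit and checkable at the call site.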