On Sunday, 20 July 2025, 14:51:06 Central European Summer Time, Paul Gevers wrote:
> Control: tags -1 moreinfo
>
> Hi,
>
> On Sun, 20 Jul 2025 11:21:45 +0200 Bastien Roucaries <ro...@debian.org>
> wrote:
>
> > [ Reason ]
> > Affected by a ReDoS (outside upstream security support) but this blocks
> > autopkgtest for angular.js, which is affected by about 10 CVEs
>
> Can you please explain why upstream declined your patch and why we
> should carry it?

They explicitly said that ReDoS is not a security problem.

> Are reverse dependencies using this package for use
> cases it wasn't intended for (and not supported upstream)?

We use node-jsdom for testing angular.js and thus hit a ReDoS in node-jsdom before hitting the ReDoS in angular.js. jsdom is the gold standard for automated testing of JS. I have reported it to jsdom security support and we are trying to get the patch merged as an improvement, not as security support.

> Please assume
> I know nearly nothing about the node ecosystem.
>
> Paul