Hi Bastien,

Quoting Bastien Roucariès (2021-09-24 09:49:37)
> Package: node-define-property
> Severity: serious
> Tags: security upstream fixed-upstream
> Justification: security bug
> Forwarded: https://github.com/jonschlinkert/define-property/pull/6
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> Dear Maintainer,
>
> According to
> https://www.npmjs.com/advisories/1490
> node-define-property is vulnerable
>
>
> Because it embeds small modules that are vulnerable.
Sorry, I don't see the advisory mentioning define-property anywhere, and don't see our actual code calling "constructor" anywhere, as seems to be what the security in the advisory is about.

Your reference to a PR 6 seems to be tied to an older version of define-property than in Debian.

Please elaborate how this vulnerability affects code in Debian.

> Embedding is bad and we have here another proof

I was puzzled at first, but think I now understand your point: Embedding in general is not necessarily bad but is complex to do right - embedding without proper tracking is bad.

What confused me is that at first I thought you were ranting about Debian practice of embedding, but it seems you are ranting about lack of tracking of (either upstream or Debian-introduced) embedding.

Do I understand that correctly?

Thanks for reporting, regardless,

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private