Ensure all tags linked to CVE-2022-23812 are removed

MidSpike / node-ipc

Inter Process Communication Module for node supporting Unix sockets, TCP, TLS, and UDP. Giving lightning speed on Linux, Mac, and Windows.

MIT License

19 stars 3 forks source link

Ensure all tags linked to CVE-2022-23812 are removed #3

Closed MidSpike closed 2 years ago

MidSpike commented 2 years ago

This issue will be closed once I've analyzed all commits attached to a tag in this repository. Any tags containing CVE-2022-23812 or peacenotwar will be removed from this repository.

MidSpike commented 2 years ago

All tags that contained CVE-2022-23812 have been removed from this repository on GitHub.

MidSpike commented 2 years ago

However, looking at the package.json has led me to the following findings:

`package.json`, dependency versions are vulnerable to supply-chain attacks:
- barely-patched in 8.1.1, semi-patched in 10.1.3
- however 10.1.3 still contains `strong-type: ^1.0.1` along with unfixed devDependencies
- additionally node-cmd, js-queue, js-message, event-pubsub, strong-type are all owned by riaevangelist

A new issue will be opened to track these findings.