Closed MidSpike closed 2 years ago
All tags that contained CVE-2022-23812 have been removed from this repository on GitHub.
However, looking at the package.json has led me to the following findings:
`package.json`, dependency versions are vulnerable to supply-chain attacks:
- barely-patched in 8.1.1, semi-patched in 10.1.3
- however 10.1.3 still contains `strong-type: ^1.0.1` along with unfixed devDependencies
- additionally node-cmd, js-queue, js-message, event-pubsub, strong-type are all owned by riaevangelist
A new issue will be opened to track these findings.
This issue will be closed once I've analyzed all commits attached to a tag in this repository. Any tags containing CVE-2022-23812 or peacenotwar will be removed from this repository.