browserify / watchify

watch mode for browserify builds

Vulnerabilities in dependencies? #364

Closed dmitriz closed 5 years ago

dmitriz commented 5 years ago

Just reporting some potential vulnerabilities in this package's dependencies, found by running Sonatype DepShield against my repository:

https://github.com/dmitriz/un/issues/16

goto-bus-stop commented 5 years ago

Thanks for the heads up! According to the linked advisory, that was fixed in 2.6.9: https://www.npmjs.com/advisories/534

I think sonatype's database is out of date!

dmitriz commented 5 years ago

You are welcome, looks exactly so, and thank you for the clarification! I have now removed sonatype from all my repos.

goto-bus-stop commented 5 years ago

It's still worth having some vulnerability checking, whether sonatype or something else, but I guess you might need to click through the report to see if it's still up to date.

Since it's resolved, i'll close the issue. thanks!
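One way to do that check yourself rather than trusting the scanner's verdict, as an added example that is not part of this thread or the watchify project: take the "patched in" version from the advisory and walk the project's package-lock.json for every installed copy of the affected package, including nested copies that `npm ls` would show under another dependency. The lockfile contents and the package name `some-dep` below are constructed for illustration; the patched version 2.6.9 is the one quoted in the comment above, and the package name behind advisory 534 is not assumed here.

```javascript
// Added example: compare the versions actually installed (per a lockfile)
// against an advisory's "patched in" version, so a stale scanner database
// can be checked rather than believed. LOCKFILE and "some-dep" are
// constructed samples in the shape of a lockfileVersion 1 package-lock.json.

const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "some-dep": { version: "2.6.9" },          // top-level copy, already patched
    "watchify": {
      version: "3.11.1",
      dependencies: {
        "some-dep": { version: "2.6.3" }       // nested older copy, still affected
      }
    },
    "other-lib": { version: "1.0.0" }
  }
};

// Advisory record as a scanner would report it (constructed sample).
const ADVISORY = { package: "some-dep", patchedIn: "2.6.9" };

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release and build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: negative if a < b, 0 if equal, positive if a > b.
// This avoids the string-comparison trap where "2.6.10" sorts before "2.6.9".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Recursively collect every installed copy of `name` in the lockfile tree,
// recording the dependency path it was found under.
function findInstalled(lock, name, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [dep, info] of Object.entries(deps)) {
    const here = [...path, dep];
    if (dep === name) out.push({ path: here.join(" > "), version: info.version });
    if (info.dependencies) findInstalled(info, name, here, out);
  }
  return out;
}

// For each installed copy, decide whether it is older than the patched version.
function checkAdvisory(lock, advisory) {
  return findInstalled(lock, advisory.package).map(({ path, version }) => ({
    path,
    version,
    vulnerable: compareVersions(version, advisory.patchedIn) < 0
  }));
}

for (const r of checkAdvisory(LOCKFILE, ADVISORY)) {
  console.log(`${r.path}@${r.version}: ${r.vulnerable ? "VULNERABLE (below " + ADVISORY.patchedIn + ")" : "ok"}`);
}
```

Run against a real lockfile by replacing `LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the nested-copy case is the one worth keeping, since a top-level dependency being current says nothing about older copies hoisted under other packages.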

dmitriz commented 5 years ago

> It's still worth having some vulnerability checking, whether sonatype or something else, but I guess you might need to click through the report to see if it's still up to date.

Indeed, and I have found https://snyk.io/ that seems to be more reliable.

On some closer inspection, sonatype doesn't seem to be widely used, and such massive inaccuracy seems like a cause for concern.

Even more worrying is that I discovered they make a list of all repositories they found "vulnerable" publicly accessible, where they are currently listing many of my repositories, easily findable by hackers.

I am going to stay away from them in the future.