Closed dmitriz closed 5 years ago
Thanks for the heads up! According to the linked advisory, that was fixed in 2.6.9: https://www.npmjs.com/advisories/534
I think sonatype's database is out of date!
You are welcome, looks exactly so, and thank you for the clarification! I have now removed sonatype from all my repos.
It's still worth having some vulnerability checking, whether sonatype or something else, but I guess you might need to click through the report to see if it's still up to date.
Since it's resolved, I'll close the issue. Thanks!
> It's still worth having some vulnerability checking, whether sonatype or something else, but I guess you might need to click through the report to see if it's still up to date.
Indeed, and I have found https://snyk.io/ that seems to be more reliable.
On some closer inspection, sonatype isn't seemingly widely used and such massive inaccuracy seems like a cause for concern.
Even more worrying is that I discovered they make a list of all repositories they found "vulnerable" publicly accessible, where they are currently listing many of my repositories, easily findable for hackers.
I am going to stay away from them in the future.
Just reporting some potential vulnerabilities in this package's dependencies found by running sonatype-depshield against my repository:
https://github.com/dmitriz/un/issues/16