phusion / passenger

A fast and robust web server and application server for Ruby, Python and Node.js
https://www.phusionpassenger.com/
MIT License

Packaging of unmaintained dependency: http-parser #2536

Closed jcoyne closed 7 months ago

jcoyne commented 7 months ago

Passenger appears to package http-parser (https://github.com/phusion/passenger/blob/stable-6.0/src/cxx_supportlib/ServerKit/http_parser.cpp), which has been abandoned by its maintainers: https://github.com/nodejs/http-parser/issues/522. This may be a risk as there is no one to handle security issues. It's unclear if Passenger is affected by https://nvd.nist.gov/vuln/detail/CVE-2020-8287, but it seems like it is.
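The weakness the comment points at, CVE-2020-8287 as described by the NVD entry linked above, is an HTTP parser that accepts two copies of a header field such as Transfer-Encoding and acts on only the first, which is the precondition for HTTP request smuggling. The following is an added example, not Passenger's or http-parser's own code, of the body-framing check a defender wants in front of such a parser: it keeps every occurrence of a header field and rejects the ambiguous combinations from RFC 7230 section 3.3.3 (duplicate Transfer-Encoding, Transfer-Encoding together with Content-Length, conflicting Content-Length values). The sample requests and the function names `parse_header_section`, `check_framing`, `framing_of` and `is_ambiguous` are the example's own constructions.

```python
"""Defensive framing check for the header-handling defect class of CVE-2020-8287.

Added example, not Passenger or http-parser code. It parses the header
section of a raw HTTP/1.1 request and refuses to choose a body length when
the headers make that choice ambiguous.
"""
from typing import List, Tuple


class AmbiguousFraming(ValueError):
    """The request's body length cannot be determined unambiguously."""


def parse_header_section(raw: bytes) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Split request line and header fields, keeping every field occurrence.

    Header names are lower-cased; a name with surrounding whitespace (which
    also covers obsolete line folding) is rejected rather than normalised.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header section")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    fields: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.decode("ascii").lower(),
                       value.strip().decode("ascii")))
    return request_line, fields


def check_framing(fields: List[Tuple[str, str]]) -> str:
    """Return the single body-framing method: "chunked", "content-length" or "none".

    Raises AmbiguousFraming instead of silently picking one interpretation,
    which is the behaviour that lets two parsers disagree on message boundaries.
    """
    te = [v for n, v in fields if n == "transfer-encoding"]
    cl = [v for n, v in fields if n == "content-length"]
    if len(te) > 1:
        raise AmbiguousFraming("duplicate Transfer-Encoding fields")
    if te and cl:
        raise AmbiguousFraming("Transfer-Encoding and Content-Length both present")
    if te:
        codings = [c.strip().lower() for c in te[0].split(",")]
        if codings[-1] != "chunked":
            raise AmbiguousFraming("final transfer coding is not chunked")
        return "chunked"
    if cl:
        # RFC 7230 allows identical duplicate Content-Length values; anything else is rejected.
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise AmbiguousFraming("conflicting or non-numeric Content-Length")
        return "content-length"
    return "none"


def framing_of(raw: bytes) -> str:
    """Convenience wrapper: parse a raw request and classify its framing."""
    _, fields = parse_header_section(raw)
    return check_framing(fields)


def is_ambiguous(raw: bytes) -> bool:
    """True if the request would be rejected for ambiguous framing."""
    try:
        framing_of(raw)
    except AmbiguousFraming:
        return True
    return False


# Constructed sample requests (not captured traffic).
NORMAL = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_TE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          b"Transfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n0\r\n\r\n")
TE_AND_CL = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("chunked", CHUNKED),
                          ("duplicate TE", DUP_TE), ("TE + CL", TE_AND_CL)):
        print(f"{label}: {'rejected' if is_ambiguous(sample) else framing_of(sample)}")
```

The point of the check is the failure mode: where the parser in the CVE kept the first Transfer-Encoding and dropped the second, this code refuses the request outright, so no downstream component (the application, or a proxy in front of Passenger) can frame the body differently from the server.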

CamJN commented 7 months ago

@jcoyne https://github.com/phusion/passenger/pull/2535

jcoyne commented 7 months ago

@CamJN Excellent! I missed that.