Bug 243388 - www/npm: Update to 6.13.4 - < 6.13.4 vulnerable to multiple vulnerabilities incl. arbitrary file write
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal, Affects Many People
Assignee: Sunpoet Po-Chuan Hsieh
URL:
Keywords: needs-patch, security
Depends on:
Blocks:
 
Reported: 2020-01-16 11:35 UTC by volker77
Modified: 2020-01-20 10:16 UTC
CC: 2 users

See Also:
bugzilla: maintainer-feedback? (sunpoet)
pizzamig: maintainer-feedback+
koobs: merge-quarterly?


Description volker77 2020-01-16 11:35:20 UTC
Please see advisories for details:

https://www.npmjs.com/advisories/1437
https://www.npmjs.com/advisories/1436
https://www.npmjs.com/advisories/1434

These also seem to affect yarn, so this may have repercussions for all / most NodeJS related ports.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-01-16 11:48:34 UTC
Thank you for the report

^Triage: CC www/yarn maintainer and request feedback
Comment 2 Luca Pizzamiglio freebsd_committer 2020-01-20 08:46:34 UTC
There is no CVE filed for yarn. It's an npm issue only.
Comment 3 volker77 2020-01-20 10:16:58 UTC
(In reply to Luca Pizzamiglio from comment #2)

This looks very much like at least a related issue, given timing and nature of the fix:

https://github.com/yarnpkg/yarn/pull/7755