Please see advisories for details:
These also seem to affect yarn, so this may have repercussions for all / most NodeJS related ports.
Thank you for the report
^Triage: CC www/yarn maintainer and request feedback
There is no CVE filed for yarn. It's an npm issue only.
(In reply to Luca Pizzamiglio from comment #2)
This looks very much like at least a related issue, given timing and nature of the fix:
I added a vulnerability record here:
Any news here?
Gentle Ping from Ports-Secteam
It seems it is also unsupported with the current version of node in ports:
npm WARN npm npm does not support Node.js v14.8.0
npm WARN npm You should probably upgrade to a newer version of node as we
npm WARN npm can't make any promises that npm will work with this version.
npm WARN npm Supported releases of Node.js are the latest release of 6, 8, 9, 10, 11, 12, 13.
npm WARN npm You can find the latest version at https://nodejs.org/
Maybe releases of node should be synced with releases of npm? I'm adding bhughes@, maintainer of www/node. Maybe he has some input?
Created attachment 218155 [details]
svn diff from /usr/ports/www/npm
I did not update the MASTER_SITES make variable, so the committer should set that properly to point to the new distfile.
Created attachment 218156 [details]
distfile to be placed into /usr/ports/distfiles
I rolled this tarball as best as I could figure out how, by mimicking sunpoet's prior work.
To be clear, I wasn't aware of the 1 MB upload limit, and I'm not trying to host that distfile indefinitely at the link referenced as attachment 218156 [details]; it may go away before too long. I think I can handle it for a few weeks, but please don't reference it there from the Makefile and commit that.
My original script to generate the tarball was gone due to zpool breakage. There were lots of failures while trying to build the tarball. Eventually it worked last weekend.
Here's the 6.14.8 patch.
I plan to commit it this weekend.
npm 6.14.8 landed in the ports tree in r550309.