Bug 243388 - www/npm: Update to 6.13.4 - < 6.13.4 vulnerable to multiple vulnerabilities incl. arbitrary file write
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: Normal, Affects Many People
Assignee: Sunpoet Po-Chuan Hsieh
URL:
Keywords: needs-patch, security
Depends on:
Blocks:
 
Reported: 2020-01-16 11:35 UTC by volker77
Modified: 2020-06-23 15:24 UTC (History)
CC: 4 users

See Also:
bugzilla: maintainer-feedback? (sunpoet)
pizzamig: maintainer-feedback+
koobs: merge-quarterly?
Description volker77 2020-01-16 11:35:20 UTC
Please see advisories for details:

https://www.npmjs.com/advisories/1437
https://www.npmjs.com/advisories/1436
https://www.npmjs.com/advisories/1434

These also seem to affect yarn, so this may have repercussions for all / most NodeJS-related ports.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-01-16 11:48:34 UTC
Thank you for the report

^Triage: CC www/yarn maintainer and request feedback
Comment 2 Luca Pizzamiglio freebsd_committer 2020-01-20 08:46:34 UTC
There is no CVE filed for yarn. It's an npm issue only.
Comment 3 volker77 2020-01-20 10:16:58 UTC
(In reply to Luca Pizzamiglio from comment #2)

This looks very much like at least a related issue, given timing and nature of the fix:

https://github.com/yarnpkg/yarn/pull/7755
Comment 4 Matthias Fechner freebsd_committer 2020-06-10 12:13:57 UTC
I added a vulnerability record here:
https://svnweb.freebsd.org/ports?view=revision&revision=538392