I would like to ask for version range of www/node https://vuxml.freebsd.org/freebsd/ad792169-2aa4-11eb-ab71-0022489ad614.html
The current specifiacation is:
node < 15.2.1
node14 < 14.15.1
node12 < 12.19.1
www/node is specified without the lower end so if fix for www/node in quaterly branch is backported from www/node14 then we have a port www/node of version 14.15.1 which is not vulnerable but is reported vulnerable be pkg audit.
Can the "affected" be always specified as "X.0.0 < X.Y.Z" and not just "< X.Y.Z"?
node - 15.0.0 < 15.2.1
node14 - 14.0.0 < 14.15.1
node12 - 12.0.0 < 12.19.1
Similar situation affect some other ports (vulnerabilities) too. It caused problems for FreeBSD base vulnerablity too (last week)
Hi! I am closing this PR now that there is a new quarterly with the latest versions of all Node.js ports. I am sorry that I didn't manage to get 2020Q4 updated, the addition of www/node14 and switch to 15.x in www/node made it non-trivial. I will do better about keeping the quarterly branch up-to-date with the latest Node.js versions, with particular focus on the LTS releases.
Thanks for the report! :)
*** Bug 251994 has been marked as a duplicate of this bug. ***
(In reply to Bradley T. Hughes from comment #1)
It is not just about the node versions it is about the style of version ranges reported in vuln.xml in general. I think we need to always set both sides: the minimum and maximum version. Not just "anything lower than". It caused problems in the past and will cause problems in the future too.
Package of node was just an actual example.
I am re-opening this PR since this is an important detail that I missed.