GHSA-8mgj-vmr8-frr6 lists incorrect dependencies * instead of v4.4.2

Open hpierre74 opened this issue 3 months ago • 3 comments

The advisory https://github.com/advisories/GHSA-8mgj-vmr8-frr6 is a wildcard, while npm has removed the malicious dependency v4.4.2

https://github.com/debug-js/debug/issues/1005 https://github.com/chalk/chalk/issues/656

Unless I am missing something, previous versions seem unaffected. Please update to unlock development pipelines of unaffected packages.

hpierre74 avatar Sep 08 '25 16:09 hpierre74

This issue also appears to affect other packages mentioned in advisories published today. I’ve opened an issue with all the information I was able to gather: https://github.com/github/advisory-database/issues/6099

marcalexiei avatar Sep 08 '25 17:09 marcalexiei

Thank you for bringing this to our attention! The version ranges in the advisories have been corrected. Please let us know if there are any more issues.

JonathanLEvans avatar Sep 08 '25 18:09 JonathanLEvans

Hi @JonathanLEvans , I expect that npm audit returns:

color-string Vulnerable versions >=2.1.1 Patched versions <2.1.0

but currently we still get:

color-string Vulnerable versions >=0 Patched versions <0.0.0

This is breaking all of the production builds that have correctly downgraded but still rely on an npm audit step. When can we expect the npm vulnerabilities db to be updated/propagated?

Also being discussed: https://github.com/github/advisory-database/issues/6099

nightvision04 avatar Sep 08 '25 18:09 nightvision04