
Outdated dependencies

Open cbarrick opened this issue 2 years ago • 0 comments

The way this was brought to my attention was rather bizarre.

I recently starred this repo, and shortly thereafter I received an email from [email protected] containing a vulnerability report. I have no association with oscs1024, and the email was in Chinese, which I cannot read. The report linked from that email is at:

https://www.oscs1024.com/cd/1530179631909675008?sign=82f3cbbf&report=1

With the help of Google Translate, I determined:

Safe versions are:

  • postcss >= 7.0.36 or 8.2.13
  • needle >= 3.1.0

I took a quick look through yarn.lock, and it seems that the vulnerable versions are being pulled in as transitive dependencies.

There may not be anything actionable here. I don't know enough about the project to know if this report is meaningful.

But I wanted to pass this information along and let you know that a company is emailing vulnerability reports to people who follow this repository.

cbarrick · Jun 23 '22 04:06
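An added example (not part of the issue, and not code from the rust-playground project) that turns the "safe versions" lines into a repeatable check: it parses a yarn.lock v1 fragment, flags any package resolved below the fixed versions the report names, and lists the lockfile entries that require it, so a transitively pulled-in package can be traced back to the direct dependency that owns it. The lockfile text is constructed for the demo, the `FIXED_VERSIONS` table and the per-major-line reading of "postcss >= 7.0.36 or 8.2.13" are my interpretation of the report, and the version comparison ignores prerelease tags.

```javascript
// Added example, not code from the issue or the rust-playground project.
// Scans yarn.lock (v1 format) text for packages resolved below a known fixed
// version and reports which lockfile entries pull each one in, so a
// transitive dependency can be traced to the direct dependency that owns it.

// Fixed versions from the report, one per major line. Assumption: "postcss
// >= 7.0.36 or 8.2.13" means 7.x needs >= 7.0.36 and 8.x needs >= 8.2.13;
// a major above every listed line is treated as fixed, a major below as not.
const FIXED_VERSIONS = {
  postcss: ['7.0.36', '8.2.13'],
  needle: ['3.1.0'],
};

// Constructed yarn.lock fragment for the demo; not the project's real lockfile.
const SAMPLE_LOCK = `# yarn lockfile v1

"@mapbox/node-pre-gyp@^1.0.5":
  version "1.0.9"
  resolved "https://registry.yarnpkg.com/@mapbox/node-pre-gyp/-/node-pre-gyp-1.0.9.tgz"
  dependencies:
    needle "^2.5.2"
    semver "^7.3.5"

autoprefixer@^9.8.6:
  version "9.8.8"
  resolved "https://registry.yarnpkg.com/autoprefixer/-/autoprefixer-9.8.8.tgz"
  dependencies:
    postcss "^7.0.32"

needle@^2.5.2:
  version "2.9.1"
  resolved "https://registry.yarnpkg.com/needle/-/needle-2.9.1.tgz"

"postcss@^7.0.0", "postcss@^7.0.32":
  version "7.0.35"
  resolved "https://registry.yarnpkg.com/postcss/-/postcss-7.0.35.tgz"

postcss@^8.2.1:
  version "8.2.13"
  resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.2.13.tgz"
`;

// Numeric major.minor.patch comparison; prerelease tags are ignored (simplification).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when `version` is at or above the fixed release for its major line.
function isFixed(version, fixedVersions) {
  const major = Number(version.split('.')[0]);
  const sameLine = fixedVersions.find((f) => Number(f.split('.')[0]) === major);
  if (sameLine) return compareVersions(version, sameLine) >= 0;
  return fixedVersions.every((f) => major > Number(f.split('.')[0]));
}

// Parse yarn.lock v1 into { name, keys, version, dependencies } entries.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) {
      // Header: comma-separated, optionally quoted "name@range" keys ending in ':'
      const keys = line.replace(/:$/, '').split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      current = { name: keys[0].slice(0, keys[0].lastIndexOf('@')), keys, version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
    } else if (indent >= 4) {
      // Child of a `dependencies:` block: `name "range"` (name quoted if scoped)
      const m = inDeps ? line.match(/^"?([^"\s]+)"?\s+"([^"]*)"$/) : null;
      if (m) current.dependencies[m[1]] = m[2];
    } else {
      inDeps = line === 'dependencies:';
      const m = line.match(/^version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Report every resolved version below its fixed release, with the entries that require it.
function findVulnerable(lockText, fixedTable) {
  const entries = parseYarnLock(lockText);
  const dependents = new Map(); // package name -> "parent@version" entries depending on it
  for (const e of entries) {
    for (const dep of Object.keys(e.dependencies)) {
      if (!dependents.has(dep)) dependents.set(dep, []);
      dependents.get(dep).push(`${e.name}@${e.version}`);
    }
  }
  return entries
    .filter((e) => fixedTable[e.name] && e.version && !isFixed(e.version, fixedTable[e.name]))
    .map((e) => ({
      name: e.name,
      version: e.version,
      requested: e.keys,
      pulledInBy: dependents.get(e.name) || [], // empty => only a direct dependency
    }));
}

for (const f of findVulnerable(SAMPLE_LOCK, FIXED_VERSIONS)) {
  console.log(`${f.name}@${f.version} is below the fixed version; pulled in by: ${f.pulledInBy.join(', ') || '(direct)'}`);
}
```

Against the constructed lockfile this reports `needle@2.9.1` (required by `@mapbox/node-pre-gyp@1.0.9`) and `postcss@7.0.35` (required by `autoprefixer@9.8.8`), while `postcss@8.2.13` passes; the `pulledInBy` list is what tells you which direct dependency needs a bump or a `resolutions` override, since the vulnerable package itself is usually not declared in package.json.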