Login

Recent searches

No recent searches

Search options

Only available when logged in.
fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Fosstodon is an invite only Mastodon instance that is open to those who are interested in technology; particularly free & open source software. If you wish to join, contact us for an invite.

Administered by:

Server stats:

10K
active users

fosstodon.org: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

Public
Fedor Indutny

There is something that have been bothering me for past few months, and resulted in me archiving node-ip repo on github: github.com/advisories/GHSA-78x

Someone filed a dubious CVE about my npm package, and then I started getting messages from all people getting warnings from `npm audit`.

I just posted a comment on the advisory issue github.com/github/advisory-dat asking to remove it, but looking at dicer's advisory github.com/advisories/GHSA-wm7 I see that there might be a larger pattern in place?

/1

GitHubCVE-2023-42282 - GitHub Advisory DatabaseNPM IP package incorrectly identifies some private IP addresses as public
Fedor Indutny

It looks like there are entities that in theory should fill the void in OSS community and provide resources for managing security reports for overloaded maintainers. (I'm looking at you SNYK)

However, the verification process of vulnerability reports doesn't involve maintainer at all, and it sounds like the commercial interest of advisory repositories is aligned with creating more vulnerabilities and proving themselves “useful" to companies that utilize them.

/2

Jun 25, 2024, 05:31 PM·Public·Ivory for Mac
5boosts·10favorites
Public
Fedor Indutny

For that dicer bug in particular, I don't think it is reproducible as described in the advisory's PoC: gist.github.com/indutny-signal

Furthermore the PoC doesn't seem to involve dicer at all: security.snyk.io/vuln/SNYK-JS-

What's funny is that I found no way to dispute the advisory on SNYK. The closest thing that I found was to write a message to support, but I'm not entirely sure whether this results in a vulnerability takedown...

/fin

Gistpoc.jsGitHub Gist: instantly share code, notes, and snippets.
Public
Fedor Indutny

Update:

GitHub got back to me and decided to lower the vulnerability rating in response to my feedback. Furthermore, they advised me to enable Private Vulnerability Reporting feature so that I could get a chance at tackling the reports before they hit all package users next time. Great response!

SNYK still didn't get back to me, though, and I have no idea if another feedback channel exists.

Public
Blaine Bublitz

@indutny you should see how synk's "security researchers" act in email...

ExploreLive feeds
About