[GHSA-25mp-g6fv-mqxx] Unexpected server crash in Next.js. #179
Hi there @timneutkens! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Hey there @medikoo, any chance you have some references discussing the rewrite/restart of the project after 0.4?
@darakian I was the package owner of Back then I marked it as deprecated, and then current owners of
Discussion of giving away a package name was happening in emails (it's not public on GitHub), but I believe the information I provided above should be sufficient to validate that
Is there any public reference to this? So far the best I can tell is that the git history of the current maintainer of next starts around version 1.0.0.
It was a regular email exchange that, due to its technical nature, was not public, and at the time there was no need to make any public announcement of that. Still, you can see a trace of that here: medikoo/node-ext#2 (it's an issue where another developer expressed interest in

I'm referring strictly to the npm package that's part of the npm registry (as it is for those that you're currently issuing invalid security reports). By inspecting the npm registry you can easily confirm what I'm stating by following these steps:
I've reached out to the current next devs and they've confirmed that this is the case. I'll go ahead and process this update. Thanks.
Hi @medikoo! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Actually, whether the package changed ownership was irrelevant to this case. The main point is that v0.4 is a very different project and it should not be marked with the vulnerability of v0.9+, and that can be easily confirmed just by inspecting the published versions :)
If I were more familiar with the library, sure, but as an outsider to the project it's hard to say that a vulnerability isn't shared between two artifacts just because they have significant differences. It's much easier to make that assessment after getting confirmation that the project started from scratch at
The problem is that the security vulnerability is incorrectly applied to the v0.4 version of next, when it was a totally different product, and that affects some of my packages which still depend on [email protected]