[detaro]

services don't get CVEs.

[firebaze]

Well, didn't we just experience two major npm published packages containing malware? Both had CVEs.

Now we have the probable root cause, buried in a wall of text. No CVE.

[cjbprime]

CVEs alert end users that they need to take action to apply updates. That's relevant when a specific npm package contained a known vulnerability. It's not relevant when the npm server contained a known vulnerability. There's nothing a user of npm can do to update the npm server.

CVEs don't just mean "this is a big security problem".

[marcus_holmes]

hehe...

CVE: "the entire javascript/ruby/python development model is insecure"

affected: "the whole damn internet"

resolution:"rewrite the last 10 years of internet developmet from scratch"

not sure that's gonna happen

[rbanffy]

At least the npm packages outside their telemetry horizon should be updated immediately.

[detaro]

Yes, because pure services don't get CVEs. CVEs are for distributed software.

[firebaze]

Isn't this the biggest security flaw in the package ecosystem ever?

They don't even know when, if, who and when this was exploited, but maybe I didn't pay enough detail attention to the few paragraphs devoted to the real problem.

So shoudn't we assume all NPM packages published prior to 2nd of November are compromised?

And if so, shouldn't this deserve a CVE? (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exp...)

[detaro]

CVEs aren't usually assigned for "there might be something wrong", but only identified specific issues.