by icetank 723 days ago
I remember a Node.js library I worked on completely broke after a Node.js security update disabled an encryption feature. I don't think anyone could come up with a tangible exploit chain, but the Node.js maintainers made the breaking change anyway because of the CVE. There was maybe one guy bringing attention to the CVE and 20 or so more people complaining about broken production applications. I wonder at what point people give up on CVE notices and just don't update for security patches when the majority of CVE reports are bogus anyway. I know the Node.js library we work with had about 10 security notices on npm audit. But none of them compromise the library's security in any way. People still try to remedy them with npm audit fix, but that just causes their dependencies to break completely.
1 comment

I mean, look at all these clowns:

https://github.com/indutny/node-ip/issues/136

The stupidity is like a cancer that spreads and infects random other repositories with alarmist nonsense:

https://github.com/JoshGlazebrook/socks/issues/93#issue-2128...

"I didn't look through the code" yeah no shit, Sherlock, you haven't looked through code in a while.