Publish a new release with send >= 0.19.0; CVE-2024-43799 #2086
Comments
+1 |
I just submitted a PR for this and to resolve the one for serve-static as well: #2087 |
+1 |
I'll sort this later today, thanks :) |
Hello, any updates on this? |
browser-sync@3.0.3 |
Not mentioned here: https://github.com/BrowserSync/browser-sync/releases nor here: https://github.com/BrowserSync/browser-sync/blob/master/CHANGELOG.md |
If the CHANGELOG is obsolete then it should be mentioned in the file's header. |
On a side note: Not publishing proper changes opens the door to supply-chain attacks, cf. xz fiasco. |
https://github.com/BrowserSync/browser-sync/releases/tag/v3.0.3
Can you explain your concern a little further? In terms of publishing this package to |
I guess
could be deleted as well then. |
What I mentioned was: There is a new version published to NPM and one cannot find any release notes/change log. Reading the release notes should be the minimum one does before upgrading. But some people do not care or use non-pinned versions 🤷 Maybe you might want to use provenance in the future: https://docs.npmjs.com/searching-for-and-choosing-packages-to-download#package-provenance |
$ npm audit signatures is useless in a way though. Unless you use ignore-scripts with
|