Patch versions for older majors?

[aaronjensen]

Hi there, any chance of releasing patch versions with the security fix for the older major versions? Many very popular libraries depend on ^2.0.0 or even 0.X. Thanks!

[heyimalex]

Just for reference, here's the advisory. I saw another comment that said it'd also been patched in 2.0.1, maybe the advisory should be changed to reflect that.

[aaronjensen]

the only way to watch this right now is by commenting, so I am commenting

This works too:

[chaosZeroFive]

Unfortunately a ton of bundled modules under a ton of other modules reference v2...what is the fix?

[aaronjensen]

@chaosZeroFive it sounds like 2.0.1 has the fix, but the advisory doesn't know it yet, so npm audit doesn't know it yet.

[heyimalex]

Yeah, it's definitely applied in the 2.0.1 branch. I shot an email to npm support about this, hopefully they change the criteria for the advisory.

[heyimalex]

I was just emailed back by npm, they added 2.0.1 to remediated!

[doowb]

I was just emailed back by npm, they added 2.0.1 to remediated!

I just verified that by running npm audit on the same package I did before, this now returns 0 vulnerabilities.

[philmayfield]

Greatly appreciate the fix. Just a heads up that this still shows as vulnerable in the Github Advisory Database.

GHSA-4jqc-8m5r-9rpr