Anyone can raise a CVE, so many do it without a valid reason other than trying to beef up their CV.
This issue https://t.co/4bUd53mywe and the corresponding CVE https://t.co/kGYpCRGkb7 are a clear example of this situation and at this point the whole process is becoming a joke.
Why is it that right at the end-of-year holidays there is an uptick in security vulnerability reports? It is the hardest time of the year to assess and fix things. I received two just today, and 10 now since Nov 1.
@mikermcneil @_mikeusa I still love Perl and wish I was able to use it in the course of work. I haven't actually kept up in a couple years, I guess I'll have to see what it's up to now!
@mannyistyping Thanks for the tweet. Sorry I am not on Twitter much and the delayed response. Please feel free to reach out over email as I would be happy to chat over voice about it if you like.
@ThisIsMissEm @jshttp If you believe there is an issue, please open up an issue on the GitHub for that project with all the details, as Twitter is very limiting to diagnose and/or work through a technical issue (plus I am not the only person on the project).
@ThisIsMissEm @jshttp If I do get time I'm happy to work on an implementation, but like many open source projects, it is built on the contributions of the users. I think the conversation there puts forward what an implementation would look like, so it's really just waiting for someone to contribute it.
Somehow the cyber security team @EY_US manages to be even worse, not only disingenuous, but even sending out the information with incorrect conclusions to all kinds of third parties before even confirming the issue with the project. So much for even private disclosure.
.@jfrog has a security team who will contact you stating they have potentially found a security vulnerability and let them know if you think it is, but assign a CVE prior to contact and argue that it is. My experience shows that their reports are disingenuous.
@adam_baldwin @matteocollina I would love to take part in such a conversation if one materializes. I absolutely respect the security community and understand that there is not an easy answer for either side.
The only goal of some security researchers is to rank up a high number of CVE against OSS projects.
They could not care less about users or the OSS project themselves.
Heavily enjoy using and contributing to open source (https://t.co/jCtA5t87rN), web technologies and protocols are my life blood: HTML5+, JavaScript, WebSocket, TLS, Kerberos, OAuth, HTTP 1/2/3, TCP/UDP, IPSec, etc. etc. Dissecting binary protocols. Testing! Code quality!
I am currently a Principal Software Engineer working on an internal compute platform on the look out for new employment to grow myself and my career. Work on dev tools, microservices, product integrations, Kubernetes, product security, Node.js, C#, Golang, and more.
@wesleytodd @matteocollina @nodejs @liran_tal Yes, the changes are not the most maintainable and I have no arguments against switching to yargs. Just hoping that the change (yargs + Node.js support) doesn't have to be on the 4.x line...
@matteocollina @nodejs The sudden changes in version policies of modules make working with Node.js quite hard. npm defaults to "^" ranges, which is good for updates, but really hurts when they turn up breaking... The increased Node.js major version rate has only increased the problem. @wesleytodd
@wesleytodd Sadly the access is scoped to the executable calling into the keychain. I did the same thing with a bash script and used the built-in exe on mac to access the keychain. Once allowed, any program on mac could now access it. It seems more a mac issue than a Chrome issue.