npm security vulnerability about finalhandler HOT 7 CLOSED

I marked this as duplicate, so the conversation can be centralized here: #26 (comment)

from finalhandler.

NP, I didn't see anything relevant in the open issues. Maybe you should reopen #26 until a new version with the fix is published.

from finalhandler.

Publishing a new version won't resolve anything, as npm has set the affected version to all and so all new published versions will still be marked vulnerable. On top if that, it is unclear on what the issue is that should be fixed, as described in that issue.

The issue was closed when the change was merged and the open button is disabled.

from finalhandler.

The problem as far as I understand it is the CSP change patch, but a new version hasn't been released with the fix.

Admittedly, this hasn't been handled properly by whoever gets the npm reports out...

from finalhandler.

That was what I thought, but if that were the case the old versions of the module would not be marked as vulnerable as well. Since releasing a new version will still be marked as vulnerable anyway, I'm waiting to hear from them so I can definitely cut one that they will mark as not vulnerable.

from finalhandler.

All applies to all current versions not to future releases, as far as I understand it.

If you release a new version with the fix, ideally it should be only a patch release, then the people who review these things will mark only the old ones as vulnerable.

Again, this is how I get the whole situation myself. Personally, I would release a patch version with just this fix.

from finalhandler.

So if you're just going to argue here, I can't help you if you don't believe me.

from finalhandler.