Comments (7)
I marked this as duplicate, so the conversation can be centralized here: #26 (comment)
from finalhandler.
NP, I didn't see anything relevant in the open issues. Maybe you should reopen #26 until a new version with the fix is published.
Publishing a new version won't resolve anything, as npm has set the affected version to all and so all new published versions will still be marked vulnerable. On top of that, it is unclear what the issue is that should be fixed, as described in that issue.
The issue was closed when the change was merged and the open button is disabled.
The problem as far as I understand it is the CSP change patch, but a new version hasn't been released with the fix.
Admittedly, this hasn't been handled properly by whoever gets the npm reports out...
That was what I thought, but if that were the case the old versions of the module would not be marked as vulnerable as well. Since releasing a new version will still be marked as vulnerable anyway, I'm waiting to hear from them so I can definitely cut one that they will mark as not vulnerable.
All applies to all current versions not to future releases, as far as I understand it.
If you release a new version with the fix, ideally it should be only a patch release, then the people who review these things will mark only the old ones as vulnerable.
Again, this is how I get the whole situation myself. Personally, I would release a patch version with just this fix.
So if you're just going to argue here, I can't help you if you don't believe me.