is-my-node-vulnerable: bug: needs a minimum version check
$ npx is-my-node-vulnerable
Cannot find module 'node:events'
Require stack:
- /home/pi/.npm/_npx/4770/lib/node_modules/is-my-node-vulnerable/index.js
$ node --version
v12.22.8
I guess it’s probably vulnerable 😃
About this issue
- State: closed
- Created a year ago
- Comments: 22 (22 by maintainers)
Commits related to this issue
- [Fix] drop required node to 12 Fixes #2 — committed to ljharb/is-my-node-vulnerable by ljharb a year ago
- feat: warn if not an actively supported Node.js version Fixes: #2 Ref: https://github.com/nodejs/security-wg/issues/871 — committed to srl295/is-my-node-vulnerable by srl295 a year ago
- feat: warn if not an actively supported Node.js version - and document Fixes: #2 Ref: https://github.com/nodejs/security-wg/issues/871 — committed to srl295/is-my-node-vulnerable by srl295 a year ago
- fix: drop required node to 12 subset of 4f25898497c9b6e8c25d88f386a5262e702d9617 Co-Authored-By: Jordan Harband <ljharb@gmail.com> Fixes: #2 — committed to srl295/is-my-node-vulnerable by srl295 a year ago
- fix: drop required node to 12 subset of 4f25898497c9b6e8c25d88f386a5262e702d9617 Fixes: #2 Co-authored-by: Jordan Harband <ljharb@gmail.com> — committed to srl295/is-my-node-vulnerable by srl295 a year ago
- feat: warn if not an actively supported Node.js version Fixes: #2 - dropped semicolons ;) - check for whether a version is below active major (definite EOL) or we dont know — committed to srl295/is-my-node-vulnerable by srl295 a year ago
- fix: drop required node to 12 subset of 4f25898497c9b6e8c25d88f386a5262e702d9617 Fixes: #2 Co-authored-by: Jordan Harband <ljharb@gmail.com> — committed to RafaelGSS/is-my-node-vulnerable by srl295 a year ago
- feat: add support to end-of-life versions Fixes: #2 Co-authored-by: RafaelGSS <rafael.nunu@hotmail.com> — committed to RafaelGSS/is-my-node-vulnerable by srl295 a year ago
The simple answer is that we don’t validate if non-supported versions are affected by a vulnerability or not.
For instance, if you open a HackerOne report today saying that v14 is vulnerable, it gets accepted, and a security patch is launched, the Security DB will hold the following information:
We can’t include <= v14.x for the simple reason that we don’t validate the patch against end-of-life versions; at the end of the day, it’s not supported anymore.
Sure, that’s fine, but this package (or rather, any package wishing to comply with semver) has to do a semver-major to drop any node version, no matter how EOL it is.
One thing we could do instead is: if there’s no security release after a version went end-of-life, return ALL GOOD. But I’d also include a warning to recommend updating anyway.
An important note is that, just because there’s no security patch, it doesn’t mean there’s no vulnerability. We’ve received some reports that are VALID but were closed as N/A just because the version is end-of-life.
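As an added example (not the project's own code), the rules discussed in this thread expressed as a small checker: refuse to run below the tool's own minimum runtime, compare supported lines against their latest security release, and for end-of-life lines report ALL GOOD only when no security release was published after the line went EOL, always with a warning. The minimum major, EOL dates and security-release table are constructed sample data standing in for the real Security DB.

```javascript
// Constructed sample data for illustration (not the live Node.js Security DB).
const TOOL_MIN_MAJOR = 12;                  // runtime the checker itself needs
const EOL = { 12: '2022-04-30', 14: '2023-04-30', 16: '2023-09-11', 18: null, 20: null }; // null = supported
const SECURITY_RELEASES = [                 // fix version and publication date
  { version: '18.19.1', date: '2024-02-14' },
  { version: '20.11.1', date: '2024-02-14' },
];

// "v12.22.8" -> [12, 22, 8]; throws on anything that is not a semver triple
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// The bug in this issue: the tool crashed on v12 before it could say anything useful.
// Gate on the major first so an unsupported runtime gets a clear message instead of a stack trace.
function canRunChecker(runtimeVersion, minMajor = TOOL_MIN_MAJOR) {
  return parseVersion(runtimeVersion)[0] >= minMajor;
}

function classify(version, eol = EOL, releases = SECURITY_RELEASES) {
  const [major] = parseVersion(version);
  const eolDate = eol[major];
  if (eolDate === undefined) return { status: 'unknown', reason: `no release data for v${major}` };
  if (eolDate === null) {
    // Supported line: vulnerable iff older than the newest security release of that major.
    const fixes = releases.filter((r) => parseVersion(r.version)[0] === major);
    const newest = fixes.sort((a, b) => compareVersions(b.version, a.version))[0];
    if (newest && compareVersions(version, newest.version) < 0) {
      return { status: 'vulnerable', reason: `below security release ${newest.version}` };
    }
    return { status: 'ok', reason: 'at or above the latest security release' };
  }
  // End-of-life line: the DB never records EOL ranges, so a security release published
  // after the EOL date means the version was simply not validated, not that it is clean.
  const warning = `v${major} is end-of-life since ${eolDate}; update anyway`;
  if (releases.some((r) => r.date > eolDate)) {
    return { status: 'unvalidated', warning, reason: 'security releases after EOL were not checked against this line' };
  }
  return { status: 'ok', warning, reason: 'no security release since end-of-life' };
}
```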