-
Notifications
You must be signed in to change notification settings - Fork 12
Bug: https://ossindex.sonatype.org/vuln/e27505b2-b0b7-4863-a3f5-8df961db080f?component-type=npm&component-name=mysql&utm_source=dependency-track&utm_medium=integration&utm_content=v3.8.0 #123
Comments
Sorry for the delay. This should be fixed, and will update sometime tomorrow. |
@ken-duck , Thanks for your reply. Is it updated? Anurag |
Very strange. It seems fine on my internal/dev environment. It looks like it is getting jammed up somewhere in the pipeline. Working on it now... |
I identified an anomaly in some data in the processing pipeline. I gave it a bit of a manual kick. Hopefully that gets things moving again. I will check again tomorrow and give it more of a kicking if required. |
Oof. This was a rough one. Long story short there was a corrupt entry that was causing all sorts of havoc. It should be resolved (but I won't be certain until tomorrow, fingers crossed). Meanwhile the entry was removed by hand. If the data is clean tomorrow you will see the vulnerability you linked is gone, but there is a known vulnerability that will show up now (it was being blocked by the aforementioned corrupt entry). The "new" vulnerability you will see is due to a known problem which has never been resolved: mysqljs/mysql#1828 |
@ken-duck , are you saying there is no workaround for this, we need to accept this and live along.? |
So that's a good question. Here is a better description of our current situation. You should find the original issue resolved at this point. I do not see any vulnerabilities against this package any more: https://ossindex.sonatype.org/component/pkg:npm/[email protected] whereas you can see the vulnerability against this one: https://ossindex.sonatype.org/component/pkg:npm/[email protected] The original vulnerability link gives you a 404 at this point. The "new" issue is working itself down the pipeline but is not active yet, so we have a few days to think about it. Are you using any particular tool (eg. audit.js) or are you using the API? Some of the tools have an ability to filter vulnerabilities by their UUIDs so you can hide them from your results. The awkward thing about this vulnerability is it is only against certain use cases, and it looks like there isn't a huge push to fix it. Do you have any thoughts on how you would like to see it handled? |
Closing this older issue as the originally reported vulnerability no longer exists, and the component no longer has any vulnerabilities. Please feel free to reopen or create a new issue if needed. Thanks! |
Vulnerability URL
https://ossindex.sonatype.org/vuln/e27505b2-b0b7-4863-a3f5-8df961db080f?component-type=npm&component-name=mysql&utm_source=dependency-track&utm_medium=integration&utm_content=v3.8.0
https://ossindex.sonatype.org/component/pkg:npm/[email protected]
The text was updated successfully, but these errors were encountered: