Re: node-yarnpkg: please update backport to fix CVE-2020-8131

To: Xavier <yadd@debian.org>
Cc: debian-backports@lists.debian.org, Utkarsh Gupta <guptautkarsh2102@gmail.com>, Pirate Praveen <praveen@debian.org>
Subject: Re: node-yarnpkg: please update backport to fix CVE-2020-8131
From: Greg Price <gnprice@gmail.com>
Date: Tue, 28 Apr 2020 23:31:11 -0700
Message-id: <[🔎] CAFCC3es2OESDWEr0AmV62=d-b84WdfkNH-BQp2ari=KzAKY80Q@mail.gmail.com>
In-reply-to: <[🔎] e3417872-a233-e099-9696-ebf0896c12a4@debian.org>
References: <[🔎] CAFCC3evekt77ce5RMYA-Q-sKJsaC8B589m9xH2PyAccDkhiPxA@mail.gmail.com> <[🔎] e3417872-a233-e099-9696-ebf0896c12a4@debian.org>

On Sun, Apr 26, 2020 at 1:09 AM Xavier <yadd@debian.org> wrote:
> this requires node-gulp4 which is waiting for acceptance
> (https://ftp-master.debian.org/backports-new.html)

Great -- glad you're already on it. And I see your node-gulp update
has now reached the archive.

FWIW on my own machine I've gone and installed the fixed yarnpkg from
bullseye, and it works great. (*) But I'm sure other users using it
from buster-backports will be glad for this security update to reach
them too.

Thanks, cheers,
Greg

(*) Well, it pulled in for some reason the node-js-yaml from bullseye
at 3.13.1+dfsg-2 instead of the 3.13.1+dfsg-2~bpo10+1 in
buster-backports. I suppose that just means I didn't get the pinning
quite right; in any case the difference is harmless.

Reply to:

References:
- node-yarnpkg: please update backport to fix CVE-2020-8131
  - From: Greg Price <gnprice@gmail.com>
- Re: node-yarnpkg: please update backport to fix CVE-2020-8131
  - From: Xavier <yadd@debian.org>

Prev by Date: Re: php-mailparse - please make a package with version 3.1
Next by Date: Backports with API breaks
Previous by thread: Re: node-yarnpkg: please update backport to fix CVE-2020-8131
Next by thread: Backports with API breaks
Index(es):
- Date
- Thread