Hi Sean, On Sat, 17 Feb 2018, Sean Whitton wrote:
I was making a more specific claim -- we don't and will never have the manpower to provide security support for multiple different versions of hundreds of little JavaScript libraries.
please have a look at for example CVE-2017-18077 [1] in the security tracker. This CVE affects one little JavaScript library and is marked as <unimportant>. There is also a note attached, saying: "nodejs not covered by security support"
Basically all other CVEs for node-modules are marked as <unimportant> as well. So we do track all Javascript issues, but we don't create DSAs for them and don't include them in point releases (as you can see for example in CVE-2016-1000236 [2][3][4]).
Other javascript libraries like libjs-* and *.js even don't get a CVE. So either they are secure or nobody cares.
From a security manpower point of view, there is no difference whether wehave hundreds of little JavaScript libraries in only one or in multiple versions.
Thorsten [1] https://security-tracker.debian.org/tracker/CVE-2017-18077 [2] https://security-tracker.debian.org/tracker/CVE-2016-1000236 [3] https://nodesecurity.io/advisories/134 [4] https://tracker.debian.org/pkg/node-cookie-signature