Hi fellow LTS contributors
It is this kind of question again. "Is it worth it?".
We have CVE-2020-7677 on node-thenify.
According to popcorn we have three installations. That is of course a
lower end number since popcorn only counts the popcorn users, but anyway
it indicates that the installation number is really low. It is in fact
the lowest popcorn score I have seen so far.
Then about the vulnerability itself. It is an arbitrary code execution,
but it is on the client side, and the user has to get some code injected
into it that is passed to this function. This means you have to find
some other code that uses this functionality and in some way passes it
through. It can be done but the likelihood is lower.
Further I can see that node-* packages were unsupported in stretch. They
seem to be in buster however.
Quite a lot of node-* packages have fairly severe issues declared as
minor issues. I could not find any arbitrary code execution
vulnerabilities though.
So my question is, should we fix node-thenify?
I guess so but I want to raise the question.