
Yes, because pure services don't get CVEs. CVEs are for distributed software.


Isn't this the biggest security flaw in the package ecosystem ever?

They don't even know if, when, or by whom this was exploited, but maybe I didn't pay close enough attention to the few paragraphs devoted to the real problem.

So shouldn't we assume all NPM packages published prior to the 2nd of November are compromised?

And if so, shouldn't this deserve a CVE? (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exp...)


CVEs aren't usually assigned for "there might be something wrong", but only for identified, specific issues.



