On Sun, Oct 30, 2016 at 12:05 PM, Adam Borowski wrote:

> That database looks like something easy to check, and since most if not all
> Debian node.js packages use naming consistent with npm, it could be
> automated. (Please tell me it already is.)

It is not automated. Every few months I find a bit of time to go through the recent nodesecurity posts and file bugs or ping maintainers but I doubt I'll be doing that again soon.

Except for CVEs from MITRE, all of the data collection for the Debian security tracker is manual at this point (and a significant proportion is done by carnil). In case anyone wants to help fix that, check out these initial thoughts:

https://wiki.debian.org/SummerOfCode2015/ProjectProposals/SecurityTrackerCheckExternal
https://anonscm.debian.org/viewvc/secure-testing/check-external/sources.ini?view=markup

--
bye,
pabs

https://wiki.debian.org/PaulWise