Hi Sean,
On Sat, 17 Feb 2018, Sean Whitton wrote:
> I was making a more specific claim -- we don't and will never have the
> manpower to provide security support for multiple different versions of
> hundreds of little JavaScript libraries.
Please have a look, for example, at CVE-2017-18077 [1] in the security
tracker. This CVE affects one little JavaScript library and is marked as
<unimportant>. There is also a note attached, saying: "nodejs not covered
by security support".
Basically all other CVEs for node modules are marked as <unimportant> as
well. So we do track all JavaScript issues, but we don't create DSAs for
them and don't include them in point releases (as you can see, for example,
in CVE-2016-1000236 [2][3][4]).
Other JavaScript libraries like libjs-* and *.js don't even get a CVE. So
either they are secure or nobody cares.
From a security manpower point of view, there is no difference whether we
have hundreds of little JavaScript libraries in only one or in multiple
versions.
Thorsten
[1] https://security-tracker.debian.org/tracker/CVE-2017-18077
[2] https://security-tracker.debian.org/tracker/CVE-2016-1000236
[3] https://nodesecurity.io/advisories/134
[4] https://tracker.debian.org/pkg/node-cookie-signature