
Gauging interest in backfilled severities on unknown severity CVEs #1501

@bmuenzenmeyer

The website team is working within nodejs/nodejs.org#7906 and nodejs/nodejs.org#7990 to display EOL software information on the website.

This is going well, and we will be able to use https://github.com/nodejs/security-wg/blob/main/vuln/core/index.json as an automated authoritative source to keep this information correct.

In building this, however, we have noticed 78 unknown-severity CVEs.


At first I didn't think anything of it, but when I dug in I noticed most have a CVSS3 score on NVD, not a CVSS4 score.

| MITRE | NVD | SEVERITY |
| --- | --- | --- |
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32002 | https://nvd.nist.gov/vuln/detail/cve-2023-32002 | 9.8 Critical |
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32006 | https://nvd.nist.gov/vuln/detail/cve-2023-32006 | 8.8 HIGH |

(my theory is that perhaps they were not yet evaluated at time of publish? I see that the blog posts often have severities too example)

I stopped after two, and wanted to learn more about whether this was something the security WG would accept patches on. I see how to do it, I think, by PRing data into each CVE file within the https://github.com/nodejs/security-wg/tree/main/vuln/core directory.

Thanks!
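As an added example (not code from the issue author or from nodejs/security-wg), the script below shows what a backfill pass over the index would look like: it lists entries whose severity is `unknown`, looks up a CVSS v3 base score for each entry's CVE id, and maps the score to a qualitative rating using the standard CVSS v3.x scale (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0). The index layout (numeric keys, a `cve` list and a `severity` string per entry) is an assumption about the shape of `vuln/core/index.json`, the sample index is constructed, and the score table holds only the two NVD values quoted in the table above plus a placeholder id with no score, so that the "still unknown" path is exercised.

```python
"""Backfill 'unknown' severities in a vuln index from CVSS v3 base scores.

Added example; not code from nodejs/security-wg. The index layout
(numeric keys, a "cve" list and a "severity" string per entry) is an
ASSUMPTION about vuln/core/index.json. Sample data below is constructed.
"""
import json

# Constructed sample index in the assumed index.json shape.
SAMPLE_INDEX = json.dumps({
    "1": {"cve": ["CVE-2023-32002"], "vulnerable": "20.x", "patched": "20.5.1", "severity": "unknown"},
    "2": {"cve": ["CVE-2023-32006"], "vulnerable": "20.x", "patched": "20.5.1", "severity": "unknown"},
    "3": {"cve": ["CVE-2099-00001"], "vulnerable": "18.x", "patched": "18.0.1", "severity": "high"},
    "4": {"cve": [], "vulnerable": "16.x", "patched": "16.0.1", "severity": "unknown"},
})

# Constructed NVD lookup: the two scores come from the issue text; entry "4"
# has no CVE id at all and so cannot be scored.
NVD_CVSS3_BASE = {"CVE-2023-32002": 9.8, "CVE-2023-32006": 8.8}


def load_sample():
    """Parse the constructed sample index into a dict."""
    return json.loads(SAMPLE_INDEX)


def cvss3_rating(score):
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def unknown_entries(index):
    """Keys of entries whose severity is missing or literally 'unknown'."""
    return [k for k, e in index.items()
            if str(e.get("severity", "unknown")).lower() == "unknown"]


def backfill(index, scores):
    """Return (new_index, report) without mutating the input.

    Only 'unknown' entries are touched; an entry keeps 'unknown' when none of
    its CVE ids has a score, and is listed in report["still_unknown"] so a
    reviewer can chase it by hand. Entries that already carry a severity are
    left exactly as they were.
    """
    out = json.loads(json.dumps(index))  # cheap deep copy of plain JSON data
    report = {"filled": {}, "still_unknown": []}
    for key in unknown_entries(index):
        entry = out[key]
        scored = [(c, scores[c]) for c in entry.get("cve", []) if c in scores]
        if not scored:
            report["still_unknown"].append(key)
            continue
        # An entry may reference several CVEs; take the worst-case score.
        cve, score = max(scored, key=lambda cs: cs[1])
        entry["severity"] = cvss3_rating(score)
        report["filled"][key] = {"cve": cve, "cvss3": score, "severity": entry["severity"]}
    return out, report


def main():
    index = load_sample()
    print("unknown before:", unknown_entries(index))
    new_index, report = backfill(index, NVD_CVSS3_BASE)
    print(json.dumps(report, indent=2))
    print("unknown after:", unknown_entries(new_index))


if __name__ == "__main__":
    main()
```

The report keeps the CVE id and the raw score next to each backfilled rating, which is the provenance a maintainer would want to see in the PR that lands the change; anything left in `still_unknown` is a real data gap rather than a lookup miss.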
