Node.js will soon issue a CVE for EOL versions to highlight the security risks of using outdated versions.
I believe this is a needed move, as many companies neglect updates. It'll push them to prioritize security and stay on supported versions.
https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions
Comments
If a project is ignoring EOL updates, they're likely overlooking CVEs too. Raising CVEs for EOL versions highlights the security risks and encourages either updating or acknowledging the vulnerabilities.
I see it as crying wolf. Yes, it's a problem in the long run, but it's also not a verifiable, actual, imminent issue, and it leads to less attention being paid to actual urgent zero-day CVEs.
Not all are urgent, and "0-day" vulnerabilities often get lost in the noise. This is also why I dislike npm audit; many vulnerabilities flagged aren't actual threats to the app itself.
https://overreacted.io/npm-audit-broken-by-design/
https://github.com/nodejs/security-wg/issues/1401