Incorrect security advisory on npmjs.com

[FreekVR]

Hi,

I sent this issue to npm support but they referred me back here :)

In a recent advisory on npmjs a vulnerability was disclosed: https://www.npmjs.com/advisories/1500/versions

It doesn't report 5.0.1 as unaffected while it DOES include 5.0.0-security.0 as unafffected -- and this is additionally inconsistent with the Snyk report here: https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381

Is it possible to get this remedied? Sorry if this is the wrong place to ask, but NPM support wasn't getting my anywhere so far :)

[mvangeest]

npm audit etc. no longer report 5.0.1 as affected, probably since npm audit switched to the GitHub Advisory Database; they list 5.0.1 as patched.

[bcoe]

@mvangeest thanks for confirmation this is fixed 👍

@FreekVR let me know if you continue to bump into any issues.

[jeran-urban]

@bcoe just wanted to verify, this fix was backported to 5.0.1 in commit 1c417bd, 5.0.1 is safe from vulnerability CVE-2020-7608
, and github advisory and Snyk are correct, but other sources are not correct? please confirm and I will put in a request for the other agencies to update and report the correct version to avoid this in future

[bcoe]

v5.0.1 is patched:

#363

[jeran-urban]

Thank you for the verification, I have submitted to NVD and they have corrected the entry, still waiting on the CVE from Mitre and the OSS INDEX from Sonatype to update per the requests as well.

[jeran-urban]

OSS INDEX has been updated and reflects no issues as well. The last one is the CVE which will take awhile, with these two changes, security scans should not show it as an issue as these dbs are normally prioritized over the root cve finding. Thank you again