npm module [email protected] marked as latest

[leonidio-com]

Support plan

• Which support plan is this issue covered by? (Community, Sponsor, Enterprise): Community
• Currently blocking your project/work? (yes/no): yes
• Affecting a production system? (yes/no): yes

Context

• Node.js version: 14
• Release Line of Formidable (Legacy, Current, Next): Next
• Formidable exact version: 2.0.1
• Environment (node, browser, native, OS): node
• Used with (popular names of modules): dependency of superagent

What are you trying to achieve or the steps to reproduce?

Our security scans find a vulnerability in [email protected] (CVE-2022-29622).

const some = 'properly formatted code example';

What was the result you got?

[email protected] is pulled in by [email protected] in our product.
Even though [email protected] is very new it still pulls [email protected]
Looking at that page here: https://www.npmjs.com/package/formidable
we can see that [email protected] marked as latest - this might explain why [email protected] pulls [email protected] instead of [email protected]

What result did you expect?

We expect all the products to pull the latest and greatest formidable with all the CVE's fixed.

[tunnckoCore]

yes. that's how it works.

It's not marked as latest for a reason.

check #856, #862, and superagent's one ladjs/superagent#1725 (comment) and ladjs/superagent#1724.

The vulnerability is not as severe as everyone is making it out to be.

They are not that effected.