Douglas Wilson
@blipsofadoug
322 posts
Joined September 2011
53 Following 1.3K Followers
Douglas Wilson retweeted
Mario Fusco@mariofusco·
Anyone can raise a CVE, so many do it without a valid reason other than trying to beef up their CV. This issue github.com/mvel/mvel/issu… and the corresponding CVE nvd.nist.gov/vuln/detail/CV… are a clear example of this situation and at this point the whole process is becoming a joke.
Douglas Wilson@blipsofadoug·
What is it that right in the end of the year holidays is when there is an uptick in security vulnerability reports? It is the hardest time of the year to assess and fix things. I received two just today, and 10 now since Nov 1.
Douglas Wilson@blipsofadoug·
@mikermcneil @_mikeusa I still love Perl and wish I was able to use it in the course of work. I haven't actually kept up in a couple years, I guess I'll have to see what it's up to now!
Douglas Wilson@blipsofadoug·
@mannyistyping 👋 and thanks for the tweet. Sorry I am not on Twitter much and the delayed response. Please feel free to reach out over email as I would be happy to chat over voice about it if you like.
🧩🔄💬🎧🤲🍄🪐@manny_is_trying·
I work primarily w/ @fastifyjs, having just done security plugin work for my previous company. I am curious if this middleware could use some support or taking over maintenance? I'd love to understand what your wishes are and how I may be able to help (if at all)
Douglas Wilson@blipsofadoug·
@ThisIsMissEm @jshttp If you believe there is an issue, please open up an issue on the github for that project with all the details, as twitter is very limiting to diagnose and/or work through a technical issue (plus I am not the only person on the project).
Douglas Wilson@blipsofadoug·
@ThisIsMissEm @jshttp If I do get time I'm happy to work on an implementation, but like many open source projects, it is built on the contributions of the users. I think the conversation there puts forward what an implementation would look like, so it's really just waiting for someone to contribute it
Douglas Wilson@blipsofadoug·
Somehow the cyber security team @EY_US manages to be even worse, not only disingenuous, but even sending out the information with incorrect conclusions to all kinds of third parties before even confirming the issue with the project. So much for even private disclosure.
Douglas Wilson@blipsofadoug

.@jfrog has a security team who will contact you stating they have potentially found a security vulnerability and let them know if you think it is, but assign a CVE prior to contact and argue that it is. My experience shows that their reports are disingenuous.

Douglas Wilson@blipsofadoug·
This is how the email, which contained very little information, ended, even.
[attached image]
Douglas Wilson@blipsofadoug·
.@jfrog has a security team who will contact you stating they have potentially found a security vulnerability and let them know if you think it is, but assign a CVE prior to contact and argue that it is. My experience shows that their reports are disingenuous.
Douglas Wilson@blipsofadoug·
@adam_baldwin @matteocollina I would love to take part in such a conversation if one materializes. I absolutely respect the security community and understand that there is not an easy answer for either side.
Douglas Wilson retweeted
Matteo Collina@matteocollina·
The only goal of some security researchers is to rank up a high number of CVE against OSS projects. They could not care less about users or the OSS project themselves.
Douglas Wilson@blipsofadoug·
Heavily enjoy using and contributing to open source (github.com/dougwilson), web technologies and protocols are my life blood 😃 HTML5+, JavaScript, WebSocket, TLS, Kerberos, OAuth, HTTP 1/2/3, TCP/UDP, IPSec, etc. etc. Dissecting binary protocols. Testing! Code quality!
Douglas Wilson@blipsofadoug·
I am currently a Principal Software Engineer working on an internal compute platform, on the lookout for new employment to grow myself and my career. Work on dev tools, microservices, product integrations, Kubernetes, product security, Node.js, C#, Golang, and more.
Douglas Wilson@blipsofadoug·
@wesleytodd @matteocollina @nodejs @liran_tal Yes, the changes are not the most maintainable and I have no arguments against switching to yargs. Just hoping that the change (yargs + Node.js support) doesn't have to be on the 4.x line...
Wes@wesleytodd·
@blipsofadoug @matteocollina @nodejs @liran_tal One nice thing about this approach is they could just abandon it on the current major and move on with the reduced node support in future majors. Seems like a great PR for this case!
Matteo Collina@matteocollina·
Repeat with me: dropping support for old @nodejs release is a breaking change and it should be released in a major version.
Douglas Wilson@blipsofadoug·
@matteocollina @nodejs The sudden changes in version policies of modules make working with Node.js quite hard. Npm defaults to "^" ranges, which is good for updates, but really hurts when they turn up breaking... The increased Node.js major version rate has only increased the problem. @wesleytodd
Douglas Wilson@blipsofadoug·
@wesleytodd Sadly the access is scoped to the executable calling into the keychain. I did the same thing with a bash script and used the built in exe on mac to access the keychain. Once allowed any program on mac could now access it. It seems more a mac issue than chrome issue.