NPM flagging all versions of opensearch-project as compromised

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): all versions

Describe the issue: Since 3 days ago, npm is flagging all versions of opensearch-project as compromised (see screenshot below). We discovered this as we were about to migrate from 3.5.1 to 3.6.0, and it left us quite confused. Is there a remaining or new issue with opensearch-project? Thank you for your help on this matter.

Configuration: Currently using opensearch-project 3.5.1

Relevant Logs or Screenshots:

Same here. Any progress or timeline for getting this resolved? We include npm audit as a check we run within our CI/CD pipeline and this is causing issues.

@Aquacephale See the following post.

Hi Pablo,
Thank you for your answer. From a user perspective, I have to say that things are a little bit less simple than what is stated in the post.

First, we have what is described in the post: an issue affecting versions 3.5.3, 3.6.2, 3.7.0, and 3.8.0.
Then, we have the npm thing and the GitHub advisory, stating that all versions are affected.
Then, we have the issue with Netty affecting version 3.6.0.

You’ll have to admit that this creates a bit of confusion for at least some of us. We have no doubt that the OpenSearch team is working hard to mitigate all of this. The thing is that bypassing our own security measures around npm packages in such a context is something we would rather not do.

The issue has been fixed in npm today, the >=0 value for impacted versions has been removed. Thank you for your work on this!