ok I've sent out 748 disclosure notifications (pretty sure most bounced). Some of them were well received, others not so much.¯\_(ツ)_/¯Open source is hard & many maintainers are over worked and under appreciated. I've got about 10 more emails to hand craft & deliver and then ...
I was initially pretty excited about the find and most peers agreed it was a fun issue with varying severity, but I finally discovered another researcher had found the same thing late last year and they applied it at an even greater scale! (I focused on npm)
That initially bummed me out but hey points for rediscovery and after thinking about it for a while I figured it was probably not well known and it would still be valuable to reach out to impacted package maintainers and spread some knowledge. wooo. 📚
Sometime between now and February 5th I'll get a blog post together and a list of package versions so npm package consumers can verify they aren't using these versions. Cool?
• • •
Missing some Tweet in this thread? You can try to
force a refresh
