Hi Xavier,

On Sun, Jun 21, 2026 at 12:26:07PM +0200, Xavier wrote:
> Control: fixed -1 7.6.0+ds-1
>
> On 06/06/2026 at 20:39, Salvatore Bonaccorso wrote:
> > Source: npm
> > Version: 11.16.0+ds2-1
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> >
> > Hi,
> >
> > The following vulnerability was published for npm.
> >
> > CVE-2026-9496[0]:
> > | Versions of the package pacote from 11.2.7 are vulnerable to Denial
> > | of Service (DoS) via the addGitSha function. An attacker can exploit
> > | this vulnerability by supplying a specially crafted spec.rawSpec
> > | value that triggers the function's regex replacement and string-
> > | manipulation logic, causing excessive CPU consumption and
> > | potentially stalling or crashing the process.
> >
> > pacote is embedded/provided via src:npm.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2026-9496
> >     https://www.cve.org/CVERecord?id=CVE-2026-9496
> > [1] https://security.snyk.io/vuln/SNYK-JS-PACOTE-8225084
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > Regards,
> > Salvatore
>
> Hi,
>
> pacote reached version 11.2.7 in npm 7.6.0.
IMHO closing is wrong. The versions affected are, in my understanding, pacote >= 11.2.7 (not the fixed version), and still vulnerable up to 21.5.1 and fixed. Can you recheck, please?

Regards,
Salvatore

