On Fri, Jan 24, 2025 at 10:55:39AM -0800, Alan Coopersmith wrote:
> Their reasons for this are detailed on the blog post at:
> https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions
> including getting CVE scanners to report EOL versions as vulnerable even
> if no existing CVE specifically says that they are.
>
> While I can understand their reasoning, I can just imagine the noise if
> every project started issuing CVEs for every version that reaches EOL.
I think that's a great idea for projects to start doing (especially ones that are a CNA, which I recommend all open source projects become.)

And as for "noise", I think that will just be a "drop in the bucket" of the overall CVE assignment numbers these days, as just how many different software versions are going EOL each month?

thanks,

greg k-h