Package: nodeenv
Version: 0.13.4-1.1
Severity: normal
X-Debbugs-Cc: r...@ryanlapointe.org
The latest version of nodeenv available in the Debian repositories uses plain HTTP to connect to nodejs.org to download the NodeJS executables when the --prebuilt option is used. This version was released in 2015, and 19 new versions of nodeenv have been released since then (https://github.com/ekalinin/nodeenv/tags). Newer versions of nodeenv use HTTPS to download NodeJS.

Although nodejs.org responds with a 301 redirecting to HTTPS, the initial connection over HTTP still creates a vulnerability to a man-in-the-middle attack. It's 2023, and executing binaries that were downloaded using plain HTTP with no verification is a bad practice (https://security.googleblog.com/2020/02/protecting-users-from-insecure_6.html).

Please update this package to a newer upstream version to fix this bad practice.

I tried emailing the package maintainer before opening this bug, but the maintainer's mailserver rejected my message because the maintainer's mailbox "is over quota".
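As an added illustration (not nodeenv's code and not part of the bug report above), this shows how a prebuilt download could refuse the plain-HTTP first hop the report describes, regardless of any 301 that would follow, and verify the archive against a sha256sum-style checksum list before anything is executed. The fetch function, tarball and checksum line are constructed stand-ins so it runs offline, and vX.Y.Z is a placeholder version.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

class InsecureTransportError(Exception):
    """Download URL would use plain HTTP (even one that 301s to HTTPS)."""

class DigestMismatchError(Exception):
    """Downloaded bytes do not match the published SHA-256."""

def check_download_url(url: str) -> str:
    """Refuse anything but https://. The 301 nodejs.org sends for http://
    does not protect the first request: it and the redirect travel
    unauthenticated, so an on-path party can answer them instead."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise InsecureTransportError(f"refusing non-HTTPS download URL: {url}")
    return url

def parse_shasums(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}."""
    sums = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and len(fields[0]) == 64:
            sums[fields[1]] = fields[0].lower()
    return sums

def fetch_verified(url: str, expected_hex: str, fetch) -> bytes:
    """Fetch via fetch(url), HTTPS only, then check the SHA-256 before use."""
    check_download_url(url)
    data = fetch(url)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_hex.lower()):
        raise DigestMismatchError(f"SHA-256 mismatch for {url}: got {actual}")
    return data

# Constructed stand-ins so the example runs offline (not a real Node tarball;
# vX.Y.Z is a placeholder for whatever version --prebuilt would request).
FAKE_TARBALL = b"constructed stand-in for node-vX.Y.Z-linux-x64.tar.gz"
FAKE_SHASUMS = hashlib.sha256(FAKE_TARBALL).hexdigest() + "  node-vX.Y.Z-linux-x64.tar.gz\n"

def fake_fetch(url: str) -> bytes:
    """Stands in for the network; ignores the URL and returns the stand-in."""
    return FAKE_TARBALL
```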