I upgraded to the latest lix version but npm still complains:
> npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Critical Machine-In-The-Middle
Package lix
Patched in No patch available
Dependency of lix [dev]
Path lix
More info https://npmjs.com/advisories/1306
found 1 critical severity vulnerability in 6 scanned packages
1 vulnerability requires manual review. See the full report for details.
The CVE is from March 2020; I am a bit puzzled that it hasn't been addressed yet.
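As an added example (my code, not the lix project's or npm's), the following shows how a CI step can consume `npm audit --json` instead of the text report quoted above, fail on findings at or above a chosen severity, and record any finding that has been reviewed in an explicit allowlist rather than silencing the whole audit. The two sample reports are constructed, in the npm 6 shape (an `advisories` map, which is what produced the text output above) and the npm 7+ shape (a `vulnerabilities` map); those shapes are stated from memory and are an assumption of this example.

```python
"""Gate a CI job on `npm audit --json` output (added example, not lix/npm code)."""
import json
import sys

# Severity ordering used for the threshold; anything unknown is treated as critical.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the npm 6 JSON shape (assumed), mirroring the quoted text report.
NPM6_REPORT = json.dumps({
    "advisories": {
        "1306": {
            "id": 1306,
            "module_name": "lix",
            "severity": "critical",
            "title": "Machine-In-The-Middle",
            "url": "https://npmjs.com/advisories/1306",
            "findings": [{"paths": ["lix"], "dev": True}],
        }
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 1}},
})

# Constructed sample in the npm 7+ JSON shape (assumed) for the same finding.
NPM7_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lix": {
            "name": "lix",
            "severity": "critical",
            "isDirect": True,
            "via": [{"source": 1306, "name": "lix", "title": "Machine-In-The-Middle",
                     "severity": "critical"}],
            "fixAvailable": False,
        }
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 1}},
})

# Constructed clean report, to check that an empty audit passes the gate.
CLEAN_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {}, "metadata": {}})


def findings(report_json):
    """Return [(package, severity, title), ...] from either report shape."""
    report = json.loads(report_json)
    out = []
    if "advisories" in report:  # npm 6 shape: one entry per advisory
        for adv in report["advisories"].values():
            out.append((adv["module_name"], adv["severity"].lower(), adv.get("title", "")))
    elif "vulnerabilities" in report:  # npm 7+ shape: one entry per affected package
        for name, vuln in report["vulnerabilities"].items():
            # `via` mixes advisory objects with bare package names for transitive causes.
            titles = [v["title"] for v in vuln.get("via", []) if isinstance(v, dict)]
            out.append((name, vuln["severity"].lower(), "; ".join(titles)))
    else:
        raise ValueError("unrecognised npm audit report shape")
    return out


def gate(report_json, threshold="high", allowlist=()):
    """Return (ok, offending): findings at/above `threshold` not covered by `allowlist`."""
    floor = SEVERITY_RANK[threshold]
    offending = [f for f in findings(report_json)
                 if SEVERITY_RANK.get(f[1], 4) >= floor and f[0] not in allowlist]
    return (not offending, offending)


if __name__ == "__main__":
    # Pipe `npm audit --json` into this script; falls back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else NPM6_REPORT
    ok, offending = gate(data, threshold="high")
    for pkg, sev, title in offending:
        print(f"{sev.upper():9} {pkg}: {title}")
    sys.exit(0 if ok else 1)
```

The allowlist is deliberately keyed by package name and passed explicitly, so accepting a reviewed finding (for example after a rescore request is resolved) is a visible, reviewable change in the pipeline configuration rather than a blanket `--audit-level` downgrade.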
It looks like you'd use this form to dispute the issue. Presumably you'd select "CVE Rescore Request" since you're disputing the issue's severity.
So... is arbitrary code execution really a "non-issue"? I get where you're coming from, but it still seems dangerous.
On the other hand, the first few search results didn't bring up any concrete examples this happening in NPM, though there were people warning that it could. (And that it would be hard to detect.) All the concrete examples had to do with publishing malicious packages, probably because those are easy to verify once found.
When the malicious package vulnerability was reported, the NPM team defended the status quo on the grounds that there's a switch to disable scripts. Does Lix have a switch like that? It might help your case if so. It could even have three states: "always run scripts," "never run scripts," and "only run scripts if downloaded over https."
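The three-state switch proposed in the comment above, as an added example that is not lix or npm code: the mode names follow the proposal, while the URL handling (scheme compared case-insensitively, anything without an https scheme and a host treated as untrusted) is my assumption about how such a switch would be implemented. The source manifest is constructed.

```python
"""Three-state install-script policy (added example, not lix/npm code)."""
from urllib.parse import urlsplit

# Modes as proposed in the thread; names are the commenter's, not a real lix/npm setting.
MODES = ("always", "never", "https-only")


def scripts_allowed(mode, source_url):
    """Decide whether install scripts fetched from `source_url` may run under `mode`."""
    if mode not in MODES:
        raise ValueError(f"unknown script policy {mode!r}; expected one of {MODES}")
    if mode == "always":
        return True
    if mode == "never":
        return False
    # https-only: fail closed on anything but a well-formed https URL with a host,
    # so a schemeless or http:// source never gets to execute code.
    parts = urlsplit(source_url)
    return parts.scheme.lower() == "https" and bool(parts.netloc)


# Constructed sample manifest: where each package archive was downloaded from.
SAMPLE_SOURCES = {
    "pkg-a": "https://registry.example.test/pkg-a/-/pkg-a-1.0.0.tgz",
    "pkg-b": "http://mirror.example.test/pkg-b/-/pkg-b-1.0.0.tgz",  # plaintext transport
    "pkg-c": "registry.example.test/pkg-c.tgz",                     # no scheme at all
}


def plan(mode, sources=SAMPLE_SOURCES):
    """Return {package: bool} saying whose install scripts would run under `mode`."""
    return {name: scripts_allowed(mode, url) for name, url in sources.items()}


if __name__ == "__main__":
    for mode in MODES:
        print(mode, plan(mode))
```

The useful property is the fail-closed default in `https-only`: a malformed or schemeless source is refused rather than assumed safe, which is the behaviour you want when the script itself is the payload an on-path attacker would tamper with.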
> I upgraded to the latest lix version but npm still complains:
> The CVE is from March 2020; I am a bit puzzled that it hasn't been addressed yet.
See GHSA-q8xg-8xwf-m598 and https://nvd.nist.gov/vuln/detail/CVE-2020-10800