
[GHSA-3mwc-2cj7-gx8c] lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management #5009

vincelwt

Updates

  • Affected products
  • CVSS v3
  • Severity

Comments
The NPM package is not tied to this repo. This vulnerability concerns the main repo, not the NPM companion package.

@github-actions github-actions bot changed the base branch from main to vincelwt/advisory-improvement-5009 November 15, 2024 05:01
@darakian
Contributor

Hey there 👋
Can you help me understand why the npm package is not affected? I see that there's no repo linked on the npm page
https://www.npmjs.com/package/lunary
Do you know where the code for the package originates and how I might validate that?

Same question on #5008 as well :)

@vincelwt
Author

Hello @darakian, thanks for your reply.

Sure, this is the repo for the NPM package: https://github.com/lunary-ai/lunary-js

And for the python: https://github.com/lunary-ai/lunary-py

We should indeed explicitly link them together.

If you pull the JS repo and compare to the NPM module, you'll see that it matches :)

Thanks for your help! Have a good weekend

@vincelwt
Author

Hi @darakian we've linked the correct repo on the NPM page: https://www.npmjs.com/package/lunary

Thanks!

@darakian
Contributor

darakian commented Nov 18, 2024

@vincelwt awesome. Thanks for adding the repo link. I've gone ahead and withdrawn these two advisories for now so that dependabot alerts stop. I'll see if I can clean them up further to delink the npm package, but that might take a bit. 👍
