Security issue

[MarcinHoppe]

Hello,

As a member of the Node.js Security WG I would like to draw your attention to a security report that has been made regarding this package.

I have made attempts to contact the person identified as a maintainer of this package but did not get any answer. What is the best way to reach someone with commit rights over this repo and hopefully NPM publishing rights as well, in order to invite them to privately discuss the issue on the HackerOne platform and provide a resolution?

Thanks,
Marcin

References:

• Node.js Security WG ecosystem vulnerability processes 

[nfour]

This package is implicitly deprecated

[MarcinHoppe]

@nfour Thanks! Would you mind deprecating the package properly so that npm audit could advise users to avoid it?

[MarcinHoppe]

@nfour Do you plan to deprecate the package? I am not sure if we should wait for you to do it or should we proceed with disclosure?

[nfour]

@MarcinHoppe Sorry man I've been a bit too busy to care, but I'm actually curious, just never got a chance to reply to your email!

Can you tell me in email (novus.nfour@gmail.com) what the vulnerability is or just here, I dont think it matters.

I've deprecated it with npm.

[MarcinHoppe]

Sorry for a late response. We just disclosed the report, it's public now:

https://hackerone.com/reports/439107