[SEC-WG] Centralized CVE Tracking for Our Packages

[bjohansebas]

I’ve just created a PoC to pull in all the CVEs we have across all our packages. Here’s the script (https://gist.github.com/bjohansebas/91c1056fbad6968b4bd739d53ab53d57). It can still be improved and even turned into a GitHub Action, but before moving forward, what do you think about tracking our packages’ CVEs here?

With this, we could also improve the section at https://github.com/webpack/security-wg/blob/main/docs/threat-model.md#examples-of-vulnerabilities-in-scope by referencing this new file.

Result

Security Advisories

Total: 7

webpack

Total: 7

Repository Name	Advisories
webpack	CVE-2024-43788 CVE-2023-28154
webpack-dev-middleware	CVE-2024-29180
webpack-dev-server	CVE-2025-30360 CVE-2025-30359 CVE-2018-14732
webpack-bundle-analyzer	GHSA-pgr8-jg6h-8gw6

[UlisesGascon]

I like the idea. We can reuse this script with minor modifications and integrate it into the OpenJS Command Center
(reference). The goal would be to include tooling that helps us assess and monitor the security posture of all projects within the foundation.

To be clear, adding this to the Command Center can be optional and does not have to replace having our own standalone automation. Both approaches can coexist.

That said, having an automated system that notifies the OpenJS CNA team and project maintainers when new CVEs are published would be extremely valuable.

[bjohansebas]

I like the idea. We can reuse this script with minor modifications and integrate it into the OpenJS Command Center
(reference). The goal would be to include tooling that helps us assess and monitor the security posture of all projects within the foundation.

Yep, quite a few modifications because it takes the repository name into account, but the package might already be under a scope on npm or the repository could be a monorepo with multiple packages, so those improvements are still missing, or the name might not match

That said, having an automated system that notifies the OpenJS CNA team and project maintainers when new CVEs are published would be extremely valuable.

Agree, that’s why I wanted to do this. I’m going to adapt the script into a GitHub Action, and we can move that repository either to the foundation or to pkgjs. It could then be integrated into the Command Center and here, or wherever they want to have a clearer record of the CVEs.