rene at debian.org
Sun Feb 21 21:43:31 UTC 2021
Am 21.02.21 um 09:43 schrieb Andrew Udvare:
>> On 2021-02-20, at 16:48, Jean-Baptiste Faure <jbfaure at libreoffice.org> wrote:
>> I certainly did not understand everything in https://firstname.lastname@example.org/dependency-confusion-4a5d60fec610, but I wonder if LibreOffice could be subject to this kind of vulnerability?
> As far as I can tell, the dependencies that LibreOffice uses in distributions are gathered manually and updated manually. So, not really.
It's not that easy. The question indeed doesn't make sense for
Still anything which uses those "get your dependencies randomly from
some random place in random versions and save them into your tree"
thingy like npm, pip etc. is a problem.
And LibreOffice Online *does* use npm.
So while LibreOffice itself shouldn't be affected, conceptually by using
npm LibreOffce Online is.
More information about the LibreOffice