What happened to issue #13310

Hello,

I was following the release of 4.14 and noticed issue #13310 was talking about one possible exploit… But when I came back to it yesterday, the issue was deleted.

https://github.com/TryGhost/Ghost/issues/13310

Was this fixed, or was there wrong information?

It didn’t follow responsible disclosure so it was removed.

In any case, it was a bogus report due to a misunderstanding of what npm audit shows when installing Ghost. The “vulnerabilities” listed are typically in no way exploitable (but we do check ourselves as part of development). Unfortunately that means the average user who doesn’t (and wouldn’t be expected to) have the knowledge to understand the output correctly tends to open “security” issues in a non-secure manner, causing alarm and wasting people’s time - similar to how you saw the issue and thought there may be an exploit, tried to follow it, then followed up on the forum.

You can read more about the problem here https://overreacted.io/npm-audit-broken-by-design/. Hopefully the node/npm ecosystem will have a better approach to this in the future.

Thank you for your response, Kevin :)

My underlying motivation is to understand how things stand because I’m creating content around Ghost. So, if there were an active exploit like in the issue, I would hold off talking about 4.14.

Wasting your time or Ghost’s team wasn’t my intention. I’m sorry.

I didn’t mean it like that at all, I was referring to the original issue opener and how it’s unfortunate that npm audit’s output creates these chains of events. It was as much a nod to your time being wasted as ours :)