Skip to content

GitHub Advisory Database Over-reporting Vulnerability for @tanstack/eslint-plugin-start #7764

Description

@anthony-hull

Which project does this relate to?

Start

Describe the bug

@tanstack/eslint-plugin-start has been flagged with CRITICAL malware severity in the GitHub Advisory Database.

Advisory Details
ID: GHSA-8hwj-wqhq-3xw2
Severity: CRITICAL (Malware)
Affected versions:
= 0.0.7
= 0.0.4

= 0
Patched versions: (unknown)

The 0.0.7 and 0.0.4 are no longer in NPM but >=0 is still catching 0.1.0 and any future versions.

This is the same as #7384

Resolution:
Github must remove the >= 0 VVR
#7384 (comment)

Complete minimal reproducer

not relevant

Steps to Reproduce the Bug

npm i @tanstack/eslint-plugin-start
npm audit

npm audit report

@tanstack/eslint-plugin-start *
Severity: critical
Malware in @tanstack/eslint-plugin-start - GHSA-8hwj-wqhq-3xw2
No fix available
node_modules/@tanstack/eslint-plugin-start

Expected behavior

Audit pass with no malware

Screenshots or Videos

No response

Platform

npm

Additional context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions