Where to report a repository security issue?

I noticed a security issue in this repository: https://github.com/alinemorelli/react-gtm/blob/master/src/Snippets.js#L17

Basically, using HTTP instead of HTTPS to send data to google tag manager.

I haven’t contacted the author, but even if he does fix it, all the people who have installed it already won’t be notified and may not get the security patch.

Therefore, I think it would be fair to mark the repo as having a security issue. I’ve seen this feature but don’t know how to report a repository. (I get weekly security-issue emails for my repos that are using an old version of EJS which has a security breach; that’s how I know about this feature.)

As mentioned in the blog post on the new security alerts feature, we currently tag things that have security vulnerabilities with CVE IDs. So you would need to report the security vulnerability to a database that can have a CVE ID assigned. You can find out more about how CVEs are assigned on the MITRE corporation website.


Hi there, the line you reported is actually okay. It uses a relative path, which means if the user is already on https, it uses https; if they’re on http, then it uses http. It’s probably done to avoid getting the "not secure" flag or something.

But for ANY repository, if you find a security vulnerability, you should email them first. For instance, in your case, it’d be the user @alinemorelli; if you go to his profile, he has listed his email.

I would simply create an issue in this case though. Sites hosted on https are already getting https, but the sites using only http are using http and avoiding that risk-page thing. They need not worry about a script loading from http because they’re already at risk on the original website anyway.
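To make the scheme-inheritance behaviour discussed above concrete, here is an added example (not code from the thread or from the react-gtm project) that resolves a protocol-relative script `src` against the embedding page the way a browser does, lists which loads would go over plain http, and shows the pinned-https alternative. The container id and page URLs are constructed placeholders.

```javascript
// Added example: how a protocol-relative ("//host/path") script src resolves,
// and how to audit or pin it. Inputs below are constructed, not real sites.

// Resolve a script src against the page URL, as the browser does (WHATWG URL API).
function resolveScriptSrc(pageHref, src) {
  return new URL(src, pageHref).href;
}

// Given a page URL and its script src values, return the resolved URLs that
// would be fetched over plain http (empty array when every load is https).
function insecureScriptLoads(pageHref, srcs) {
  return srcs
    .map((src) => resolveScriptSrc(pageHref, src))
    .filter((href) => href.startsWith('http:'));
}

// Hardened variant: force https so the tag loads encrypted regardless of the
// page's own scheme. The base URL is a placeholder used only for resolution.
function pinHttps(src) {
  const u = new URL(src, 'https://placeholder.invalid/');
  u.protocol = 'https:';
  return u.href;
}

// Constructed sample: a GTM-style loader path with a placeholder container id.
const SAMPLE_SRC = '//www.googletagmanager.com/gtm.js?id=GTM-XXXXXX';

// Audit the same snippet on an https page and on an http page.
function auditSample() {
  return {
    onHttps: insecureScriptLoads('https://shop.example/checkout', [SAMPLE_SRC]),
    onHttp: insecureScriptLoads('http://shop.example/checkout', [SAMPLE_SRC]),
    pinned: pinHttps(SAMPLE_SRC),
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```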

Okay, thank you both, I guess I don’t need to report anything then. I’ll know next time 🙂