[GHSA-3mwc-2cj7-gx8c] lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management

[vincelwt]

Updates

• Affected products
• CVSS v3
• Severity

Comments
The NPM package is not tied to this repo. This vulnerability concerns the main repo, not the NPM compagnon package.

[darakian]

Hey there 👋
Can you help me understand why the npm package is not affected? I see that there's no repo linked on the npm page
https://www.npmjs.com/package/lunary
Do you know where the code for the package originates and how I might validate that?

Same question on #5008 as well :)

[vincelwt]

Hello @darakian, thanks for your reply.

Sure, this is the repo for the NPM package: https://github.com/lunary-ai/lunary-js

And for the python: https://github.com/lunary-ai/lunary-py

We should indeed explicitly link them together.

If you pull the JS repo and compare to the NPM module, you'll see that it matches :)

Thanks for your help! have a good weekend

[vincelwt]

Hi @darakian we've linked the correct repo on the NPM page: https://www.npmjs.com/package/lunary

Thanks!

[darakian]

@vincelwt awesome. Thanks for adding the repo link. I've gone ahead and withdrawn these two advisories for now so that dependabot alerts stop. I'll see if I can clean them up further to delink the npm package, but that might take a bit. 👍