diff mbox series

[meta-oe,whinlatter,3/3] nodejs: ignore fixed CVEs

Message ID 20260407091913.3963112-3-skandigraun@gmail.com
State New
Headers show
Series [meta-oe,whinlatter,1/3] nodejs: upgrade 22.22.0 -> 22.22.1 | expand

Commit Message

Gyorgy Sarvari April 7, 2026, 9:19 a.m. UTC 
All these CVEs are fixed in v22.22.2[1], except for CVE-2026-21712,
which does not affect v22 series, because it was introduced in a
later version[2]. All these CVEs are tracked without version info
by NVD at the time of creating this patch.

[1]: https://github.com/nodejs/node/blob/v22.x/doc/changelogs/CHANGELOG_V22.md
[2]: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-oe/recipes-devtools/nodejs/nodejs_22.22.2.bb | 7 +++++++
 1 file changed, 7 insertions(+)
diff mbox series

Patch

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_22.22.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_22.22.2.bb
index 2fad3f362d..c64cc5b7c2 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_22.22.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_22.22.2.bb
@@ -217,3 +217,10 @@  python __anonymous () {
 }
 
 BBCLASSEXTEND = "native"
+
+CVE_STATUS[CVE-2026-21712] = "cpe-incorrect: only v24 and v25 are affected"
+CVE_STATUS[CVE-2026-21713] = "fixed-version: fixed since v22.22.2"
+CVE_STATUS[CVE-2026-21714] = "fixed-version: fixed since v22.22.2"
+CVE_STATUS[CVE-2026-21715] = "fixed-version: fixed since v22.22.2"
+CVE_STATUS[CVE-2026-21716] = "fixed-version: fixed since v22.22.2"
+CVE_STATUS[CVE-2026-21717] = "fixed-version: fixed since v22.22.2"