From: owner@bugs.debian.org
Your message dated Thu, 16 Oct 2025 17:50:21 +0000
with message-id
and subject line Bug#1112610: Removed package(s) from unstable
has caused the Debian Bug report #1078951,
regarding civicrm: include vulnerable sinon without source
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
1078951: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078951
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
Received: (at submit) by bugs.debian.org; 18 Aug 2024 09:27:50 +0000
From: Bastien Roucariès
To: Debian Bug Tracking System
Subject: civicrm: include vulnerable sinon without source
Message-ID: <172397326111.2735676.14152604034214612906.reportbug
portable-bastien.local.roucaries.eu>
X-Mailer: reportbug 13.0.1
Date: Sun, 18 Aug 2024 09:27:41 +0000
X-Debian-User: rouca
Delivered-To: submit@bugs.debian.org
Source: civicrm
Severity: serious
Tags: security
Justification: security problem
X-Debbugs-Cc: Debian Security Team
Dear Maintainer,
You include sinon in the installed package and bundle it without source (thus
a serious bug).
This is a duplication of a package, but moreover a security problem (even if
minor, since it is only local and during log reading).
Could you use the packaged node-sinon?
npm audit sinon@1.14.1
# npm audit report
braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces -
https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces
elliptic 2.0.0 - 6.5.6
Elliptic's EDDSA missing signature length check -
https://github.com/advisories/GHSA-f7q4-pwc6-w24p
Elliptic's ECDSA missing check for whether leading bit of r and s is zero -
https://github.com/advisories/GHSA-977x-g7h5-7qgw
Elliptic allows BER-encoded signatures -
https://github.com/advisories/GHSA-49q7-c7j4-3p7m
fix available via `npm audit fix`
node_modules/elliptic
ws 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers -
https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install mochify@9.1.0, which is a breaking change
node_modules/mochify/node_modules/ws
node_modules/ws
puppeteer 11.0.0 - 22.11.1
Depends on vulnerable versions of puppeteer-core
Depends on vulnerable versions of ws
node_modules/mochify/node_modules/puppeteer
node_modules/puppeteer
mochify >=9.2.0
Depends on vulnerable versions of puppeteer
node_modules/mochify
puppeteer-core 11.0.0 - 22.11.1
Depends on vulnerable versions of ws
node_modules/puppeteer-core
6 vulnerabilities (1 low, 5 high)
-- System Information:
Debian Release: trixie/sid
APT prefers testing-debug
APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel
Kernel: Linux 6.9.12-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
[continued in next message]
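The two checks the report makes by hand, a minified library shipped without its unminified source and a copy that duplicates a distro package, are easy to automate. The scanner below is an added example, not code from this bug report, from CiviCRM or from Debian's tooling. It assumes vendored files keep the usual top-of-file version banner and that distro-packaged Node modules follow the /usr/share/nodejs/<name>/package.json layout; the sample file names, banner text and the node-sinon version 15.0.4 are constructed, and the script builds and scans a temporary tree rather than the civicrm package.

```python
"""Find vendored JavaScript libraries in an unpacked package tree.

Added example (not from the bug report, CiviCRM or Debian tooling). Flags
minified files with no unminified sibling (shipped without source) and files
whose library already exists as a distro package (duplication). Runs against a
constructed temporary tree; the sample files and versions below are made up.
"""
import json
import re
import tempfile
from pathlib import Path

# Version banners that minified builds keep at the top of the file.
# The Sinon pattern is the one this report needs; jQuery shows the general shape.
BANNERS = {
    "sinon": re.compile(r"Sinon\.JS\s+v?(\d+\.\d+\.\d+)"),
    "jquery": re.compile(r"jQuery\s+(?:JavaScript Library\s+)?v(\d+\.\d+\.\d+)"),
}
HEAD_BYTES = 2048  # banners sit in the first few lines, no need to read megabytes


def banner_version(js_path):
    """Return (library, version) from a banner near the top of the file, else None."""
    head = js_path.read_bytes()[:HEAD_BYTES].decode("utf-8", errors="replace")
    for lib, rx in BANNERS.items():
        m = rx.search(head)
        if m:
            return lib, m.group(1)
    return None


def has_source(js_path):
    """A .min.js file has source only if its unminified sibling ships next to it."""
    if not js_path.name.endswith(".min.js"):
        return True
    plain = js_path.with_name(js_path.name[: -len(".min.js")] + ".js")
    return plain.exists()


def packaged_version(nodejs_root, lib):
    """Version of the distro copy at <nodejs_root>/<lib>/package.json, or None.
    Assumes the Debian-style /usr/share/nodejs/<name> layout."""
    meta = Path(nodejs_root) / lib / "package.json"
    if not meta.is_file():
        return None
    return json.loads(meta.read_text())["version"]


def scan(tree, nodejs_root="/usr/share/nodejs"):
    """Walk the tree and report every recognised vendored library with its issues."""
    tree = Path(tree)
    findings = []
    for js in sorted(tree.rglob("*.js")):
        hit = banner_version(js)
        if hit is None:
            continue  # application code or an unknown library
        lib, version = hit
        issues = []
        if not has_source(js):
            issues.append("minified-without-source")
        sysver = packaged_version(nodejs_root, lib)
        if sysver is not None:
            issues.append(f"duplicates-system-package:{lib}={sysver}")
        findings.append({"file": str(js.relative_to(tree)), "lib": lib,
                         "version": version, "issues": issues})
    return findings


def demo():
    """Build a constructed tree mimicking the report and scan it."""
    root = Path(tempfile.mkdtemp())
    web = root / "pkg" / "js"
    web.mkdir(parents=True)
    # Minified Sinon with no sinon-1.14.1.js next to it: the case in the report.
    (web / "sinon-1.14.1.min.js").write_text(
        "/*! Sinon.JS 1.14.1 (constructed banner) */\n!function(){}();\n")
    # Minified jQuery with its source alongside: not a source-less bundle.
    (web / "jquery.min.js").write_text(
        "/*! jQuery v3.7.1 (constructed banner) */\n!function(){}();\n")
    (web / "jquery.js").write_text("/* constructed unminified jQuery stand-in */\n")
    # Application code without a library banner is ignored.
    (web / "app.js").write_text("console.log('app');\n")
    # Constructed stand-in for /usr/share/nodejs holding a packaged node-sinon.
    sysroot = root / "usr" / "share" / "nodejs"
    (sysroot / "sinon").mkdir(parents=True)
    (sysroot / "sinon" / "package.json").write_text(
        json.dumps({"name": "sinon", "version": "15.0.4"}))
    return scan(root / "pkg", nodejs_root=sysroot)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {f['lib']} {f['version']} {' '.join(f['issues']) or 'ok'}")
```

A banner-based scan is necessary, not sufficient: builds that strip the header comment are missed, and the script says nothing about vulnerabilities in the vendored copy. Once a duplicate is found, run `npm audit` against the packaged version the maintainer would switch to, as the report does for sinon@1.14.1, rather than against the bundled file.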