👋 Hi @FrederikBolding and @mackyfer, GHSA-2mhj-xmf4-pr8m has been updated with narrower version range information. In addition, the maintainers of @solana/web3.js published GHSA-jcxm-7wvp-g6p5 with the narrower version range information included. Thanks for the feedback and enjoy the rest of your day!
The affected versions for GHSA-2mhj-xmf4-pr8m are too broad currently flagging all available versions of the package.

The correct versions to flag are: 1.95.6 and 1.95.7, these are also the only versions of the package that have been taken down from NPM. One of the publishers of the package was phished causing the two versions mentioned previously to be published containing malware. There are no known issues with any other versions of the package AFAIK.

Sources:
https://github.com/solana-labs/solana-web3.js/releases/tag/v1.95.8
https://x.com/anza_xyz/status/1864085236432134264
https://x.com/trentdotsol/status/1864053347461771321