Node.js modules included in the boost
Hi Jonathan,

I believe this is solved, going forward, with boost 1.92.0.

Download the latest boost 1.92.0 snapshot:
https://archives.boost.io/develop/
https://archives.boost.io/develop/boost_1_92_0-snapshot.tar.bz2

No node_modules in the archive, right?

On Wed, Jun 17, 2026 at 12:08 PM Jonathan Wakely via Boost <boost@lists.boost.org> wrote:
There are 482 Node.js modules included in the boost-1_91_0.tar.bz2 tarball, totalling more than 100MB, which is nearly 10% of the size of the entire tarball.
Some of these node modules contain known CVEs, e.g. Boost.Redis bundles axios-1.10.0 which is affected by several denial of service and information disclosure CVEs. This causes Boost to be flagged when scanning for software supply chain problems.
Do these modules really need to be shipped in the release, or are they only used to generate the HTML docs and could be omitted from the release tarball?
I tried removing libs/redis/doc/node_modules/* and building from the release tarball, and everything succeeded. That suggests they're not needed.
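One way to check a release tarball for bundled Node.js packages, as both messages above do by hand. This is an added example, not part of either email and not Boost tooling. The function names, the `boost_sample/` prefix, and the `nested-dep` and `@constructed/pkg` entries are constructed for illustration; the `libs/redis/doc/node_modules` path and the axios 1.10.0 version come from the thread.

```python
import io, json, tarfile

def bundled_node_modules(tar):
    """Return ({(node_modules dir, package): version}, node_bytes, total_bytes)."""
    packages, node_bytes, total_bytes = {}, 0, 0
    for member in tar:
        if not member.isfile():
            continue
        total_bytes += member.size
        parts = member.name.split("/")
        if "node_modules" not in parts:
            continue
        node_bytes += member.size
        # Innermost node_modules, so nested dependencies are counted too.
        i = len(parts) - 1 - parts[::-1].index("node_modules")
        rest = parts[i + 1:]
        # Scoped packages live at node_modules/@scope/name.
        depth = 2 if rest and rest[0].startswith("@") else 1
        if len(rest) == depth + 1 and rest[-1] == "package.json":
            meta = json.load(tar.extractfile(member))
            packages[("/".join(parts[:i + 1]), "/".join(rest[:depth]))] = meta.get("version", "?")
    return packages, node_bytes, total_bytes

def sample_tarball():
    """Constructed stand-in for a release tarball (not real Boost contents)."""
    doc = "boost_sample/libs/redis/doc/node_modules/"
    files = {
        "boost_sample/libs/redis/include/redis.hpp": b"x" * 300,
        doc + "axios/package.json": b'{"name": "axios", "version": "1.10.0"}',
        doc + "axios/index.js": b"y" * 50,
        doc + "axios/node_modules/nested-dep/package.json": b'{"version": "2.0.0"}',
        doc + "@constructed/pkg/package.json": b'{"version": "0.0.1"}',
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")

if __name__ == "__main__":
    # For a real archive: tarfile.open("path/to/release.tar.bz2")
    pkgs, node_bytes, total = bundled_node_modules(sample_tarball())
    print(f"{len(pkgs)} packages, {node_bytes}/{total} bytes under node_modules")
    for (where, name), version in sorted(pkgs.items()):
        print(f"  {name}@{version}  ({where})")
```

The name and version pairs it reports are what a dependency scanner matches against advisories, so an empty result on a release archive means there is nothing under `node_modules` for it to flag.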