On 17 Jun 2026 22:04, René Ferdinand Rivera Morell via Boost wrote:
On Wed, Jun 17, 2026 at 1:53 PM Andrey Semashev via Boost <boost@lists.boost.org> wrote:
On 17 Jun 2026 21:17, Sam Darwin via Boost wrote:
Node.js modules included in the boost
Hi Jonathan,
I believe this is solved, going forward, with boost 1.92.0.
Download the latest boost 1.92.0 snapshot: https://archives.boost.io/develop/ https://archives.boost.io/develop/boost_1_92_0-snapshot.tar.bz2
No node_modules in the archive, right?
Given that these modules are downloaded during Boost build and have known vulnerabilities, this may pose a security threat to Boost building infrastructure. Is it possible to remove this dependency download or at the very least change the building process to rely only on the fixed, known good versions, with checksum/signature verification?
Which code is downloading them?
I don't know. I'm assuming they are downloaded as part of the documentation build process, perhaps via npm.