Hi!

On Wed, 17 Jun 2026 at 20:08, Jonathan Wakely via Boost <boost@lists.boost.org> wrote:
> There are 482 Node.js modules included in the boost-1_91_0.tar.bz2 tarball, totalling more than 100MB, which is nearly 10% of the size of the entire tarball.
> Some of these node modules contain known CVEs, e.g. Boost.Redis bundles axios-1.10.0 which is affected by several denial of service and information disclosure CVEs. This causes Boost to be flagged when scanning for software supply chain problems.
Thanks for reporting this. Axios is a dependency of Antora, our build toolchain. I've submitted a PR to upgrade the package lock file and get rid of the vulnerable packages: https://github.com/boostorg/redis/pull/429

Even with that, the latest Antora release depends on js-yaml prior to 4.1.1, which is flagged as containing a moderate vulnerability (Quadratic-complexity DoS in merge key handling via repeated aliases - https://github.com/advisories/GHSA-h67p-54hq-rp68). I don't think it imposes a risk to us at this time, but I'll try to check in a few days and update if they fix it.
> Do these modules really need to be shipped in the release, or are they only used to generate the HTML docs and could be omitted from the release tarball?
> I tried removing libs/redis/doc/node_modules/* and building from the release tarball, and everything succeeded. That suggests they're not needed.
The npm packages are only required at doc build time, so it makes sense to not include them in the release tarball.

Thanks,
Ruben.
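The two checks the thread relies on (how many Node.js packages a release tarball carries, and which of them match a known advisory) can be automated so the next release is caught before a downstream scanner flags it. The script below is an added example written for this thread; it is not Boost's, Antora's or any scanner's own code. It uses only the Python standard library, builds a small constructed tarball in memory so it runs offline, and treats the advisory list as a hand-pinned table: the js-yaml < 4.1.1 entry (GHSA-h67p-54hq-rp68) and axios 1.10.0 come from the thread, while the constraint grammar (`<`, `<=`, `==`), the package named `@example/safe-pkg` and every other version are assumptions for illustration.

```python
"""Inventory Node.js packages bundled in a release tarball and flag the ones
matching a pinned advisory table.  Added example for the Boost thread above;
not Boost's or Antora's tooling.  Standard library only."""
import io
import json
import tarfile
from typing import Dict, List, Optional, Tuple

# Advisory table (assumption: a hand-maintained list, not an OSV/GHSA query).
# js-yaml < 4.1.1 and axios 1.10.0 are the two cases named in the thread; the
# constraint grammar "<x.y.z" / "<=x.y.z" / "==x.y.z" is this example's own.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("js-yaml", "<4.1.1", "GHSA-h67p-54hq-rp68 (quadratic merge-key DoS)"),
    ("axios", "==1.10.0", "several DoS / information-disclosure CVEs (per thread)"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.1.1' -> (4, 1, 1).  Pre-release/build suffixes ('1.0.0-beta.2+x')
    are dropped: a simplification that is fine for released packages."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str, constraint: str) -> bool:
    """True when `version` satisfies the advisory constraint."""
    for op in ("<=", "==", "<"):          # "<=" must be tested before "<"
        if constraint.startswith(op):
            lhs, rhs = parse_version(version), parse_version(constraint[len(op):])
            return {"<=": lhs <= rhs, "==": lhs == rhs, "<": lhs < rhs}[op]
    raise ValueError(f"unsupported constraint: {constraint}")


def package_dir(path: str) -> Optional[str]:
    """Return 'name' or '@scope/name' when `path` is the top-level package.json
    of a package directory under some node_modules/, else None.  The rsplit on
    the last node_modules/ makes nested dependencies count as packages too."""
    slashed = "/" + path
    if "/node_modules/" not in slashed:
        return None
    rest = slashed.rsplit("/node_modules/", 1)[1].split("/")
    width = 2 if rest[0].startswith("@") else 1   # scoped packages take two dirs
    if len(rest) == width + 1 and rest[-1] == "package.json":
        return "/".join(rest[:width])
    return None


def inventory(tar_bytes: bytes) -> Dict[str, Tuple[str, str]]:
    """Map each bundled package.json path -> (name, version)."""
    found: Dict[str, Tuple[str, str]] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if not member.isfile() or package_dir(member.name) is None:
                continue
            meta = json.load(tf.extractfile(member))
            found[member.name] = (meta.get("name", "?"), meta.get("version", "0"))
    return found


def node_modules_footprint(tar_bytes: bytes) -> Tuple[int, int]:
    """(number of bundled packages, bytes stored under node_modules/): the two
    figures the thread quotes for the Boost tarball (482 modules, >100MB)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        members = tf.getmembers()
    packages = sum(1 for m in members if package_dir(m.name) is not None)
    size = sum(m.size for m in members
               if m.isfile() and "/node_modules/" in "/" + m.name)
    return packages, size


def flag(tar_bytes: bytes) -> List[Tuple[str, str, str, str]]:
    """(path, name, version, note) for every bundled package hit by ADVISORIES."""
    hits = []
    for path, (name, version) in sorted(inventory(tar_bytes).items()):
        for pkg, constraint, note in ADVISORIES:
            if name == pkg and is_affected(version, constraint):
                hits.append((path, name, version, note))
    return hits


def build_sample_tarball() -> bytes:
    """Constructed stand-in for a release tarball.  Only the axios and js-yaml
    versions follow the thread; the other paths and versions are made up."""
    files = {
        "boost/libs/redis/include/boost/redis.hpp": b"// constructed placeholder\n",
        "boost/libs/redis/doc/node_modules/axios/package.json":
            b'{"name": "axios", "version": "1.10.0"}',
        "boost/libs/redis/doc/node_modules/axios/lib/index.js": b"// not a package.json\n",
        "boost/libs/redis/doc/node_modules/js-yaml/package.json":
            b'{"name": "js-yaml", "version": "4.1.0"}',
        "boost/libs/redis/doc/node_modules/@example/safe-pkg/package.json":
            b'{"name": "@example/safe-pkg", "version": "2.0.0"}',
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample_tarball()
    count, size = node_modules_footprint(data)
    print(f"{count} bundled packages, {size} bytes under node_modules/")
    for path, name, version, note in flag(data):
        print(f"FLAG {name}@{version} at {path}: {note}")
```

Pointed at a real archive, `build_sample_tarball()` is simply replaced by reading the `.tar.bz2` from disk; the footprint function gives release managers the numbers to decide whether the directory belongs in the tarball at all, and the flag function turns the question "does any bundled package match an advisory" into a release-gate check rather than something discovered after the fact by a downstream scanner.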