Hello team,
I noticed that the GitHub advisory for GHSA-x8rq-rc7x-5fg5 lists the vulnerable package as uppy, whereas the actual vulnerable package appears to be @uppy/component.
This vulnerability is a bypass for GHSA-mm7r-265w-jv6f (CVE-2020-8135), as reported on Huntr:
🔗 https://huntr.com/bounties/c1c03ef6-3f18-4976-a9ad-08c251279122
which references the original report on HackerOne:
🔗 https://hackerone.com/reports/786956
I have also verified the advisory for any potential transitive dependencies. Based on the vulnerable version range specified (< 2.3.3) on the npm page (https://www.npmjs.com/package/uppy/v/2.3.2), there is no indication that the uppy package includes a dependency on @uppy/component.
Could you please review this and make any necessary corrections to the advisory?
Thank you!
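The transitive-dependency check described in the message above, shown as an added example (it is not part of the message and not the reporter's own tooling). The dependency map below is constructed for illustration and does not describe the real uppy package; the function names `dependency_path`, `is_vulnerable` and `assess` are this example's own. A real check would load the same shape of data from a `package-lock.json` or from `npm view <pkg>@<version> dependencies --json`.

```python
from collections import deque

# Constructed sample data (hypothetical): package name -> (installed version, direct dependencies).
# This map is made up for illustration and does NOT describe the real uppy dependency tree.
SAMPLE_TREE = {
    "uppy": ("2.3.2", ["@uppy/core", "@uppy/dashboard"]),
    "@uppy/core": ("2.1.0", ["lodash.throttle"]),
    "@uppy/dashboard": ("2.1.0", ["@uppy/core"]),
    "lodash.throttle": ("4.1.1", []),
    # Present in the lockfile but not reachable from "uppy" in this constructed example.
    "@uppy/component": ("0.1.0", []),
}


def dependency_path(tree, root, target):
    """Breadth-first search from root; return the chain of package names
    root -> ... -> target, or None when target is not a transitive dependency.
    The parents map doubles as the visited set, so cycles do not loop forever."""
    if root not in tree:
        return None
    parents = {root: None}
    queue = deque([root])
    while queue:
        name = queue.popleft()
        if name == target:
            path = []
            while name is not None:
                path.append(name)
                name = parents[name]
            return path[::-1]
        _version, deps = tree.get(name, ("", []))
        for dep in deps:
            if dep not in parents:
                parents[dep] = name
                queue.append(dep)
    return None


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH' into an int tuple so comparison is numeric, not lexical
    (string comparison would wrongly rank '2.10.0' below '2.3.3')."""
    core = version.split("-", 1)[0]  # drop any pre-release suffix such as '-beta.1'
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version, fixed_version):
    """True when version is strictly below the first fixed version (advisory range '< fixed')."""
    return parse_version(version) < parse_version(fixed_version)


def assess(tree, root, target, fixed_version):
    """Combine both checks: is the root's own version inside the vulnerable range,
    and does the root actually pull in the package the advisory names?"""
    path = dependency_path(tree, root, target)
    root_version = tree[root][0] if root in tree else None
    return {
        "root_version": root_version,
        "root_in_range": root_version is not None and is_vulnerable(root_version, fixed_version),
        "depends_on_target": path is not None,
        "path": path,
    }


if __name__ == "__main__":
    # In the constructed tree, uppy 2.3.2 is inside "< 2.3.3" but never reaches @uppy/component.
    print(assess(SAMPLE_TREE, "uppy", "@uppy/component", "2.3.3"))
    print(assess(SAMPLE_TREE, "uppy", "lodash.throttle", "2.3.3"))
```

The two results are independent on purpose: a package can sit inside an advisory's version range while never depending on the component the advisory is actually about, which is exactly the mismatch the message asks the advisory maintainers to look at.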