
catch up to low/medium priority security issues #3007

Closed
dckc opened this issue Apr 30, 2021 · 9 comments
Labels
bug Something isn't working

Comments

@dckc
Member

dckc commented Apr 30, 2021

see https://github.com/Agoric/agoric-sdk/security/dependabot

cc @erights @rowgraus @dtribble

@dckc dckc added the bug Something isn't working label Apr 30, 2021
@tyg
Contributor

tyg commented May 7, 2021

Not quite sure what I need to add here, but in the documentation repo at the very top, I get a dependabot alert. Opening it up, it shows one item,
is-svg
high severity
Mar 20, 2021 by GitHub
yarn.lock

https://github.com/Agoric/documentation/security/dependabot

@dckc
Member Author

dckc commented May 7, 2021

Thanks, @tyg; that's right on target.

@kriskowal and I plan to work on this next week.

@dckc dckc assigned kriskowal and dckc and unassigned warner, erights, dtribble and rowgraus May 7, 2021
@kriskowal
Member

See preliminary work on endojs/endo#718, starting with a general yarn upgrade and gradually fixing the consequences.

@Chris-Hibbert
Contributor

I received dependabot notifications for repos that I don't feel ownership of. I asked and didn't get anyone else to acknowledge that they had also been notified. Recording here for general attention.

@dckc
Member Author

dckc commented Jun 1, 2021

I received dependabot notifications ...

In discussion with @kriskowal, I merged these.

@dckc
Member Author

dckc commented Jun 1, 2021

see https://github.com/Agoric/agoric-sdk/security/dependabot

The bot was griping about template/ui/package.json which no longer exists, so @kriskowal and I dismissed all of these.

@kriskowal did land one upgrade: #3231 for handlebars

@dckc
Member Author

dckc commented Jun 1, 2021

@katelynsills , I looked at this with @kriskowal ...

... in the documentation repo at the very top, I get a dependabot alert. ...

https://github.com/Agoric/documentation/security/dependabot

A couple more have been added there in the meantime. Unfortunately, the bot ran into conflicts when it tried to upgrade is-svg etc. Do you see a straightforward fix?

@katelynsills
Contributor

A couple more have been added there in the meantime. Unfortunately, the bot ran into conflicts when it tried to upgrade is-svg etc. Do you see a straightforward fix?

Thanks for pursuing this! I will take a look

@kriskowal
Member

We have an ongoing process now for catching up. I’m content to close this tracker.

@kriskowal kriskowal removed their assignment Jun 22, 2021
@dckc dckc closed this as completed Jun 22, 2021
9 participants