Project

General

Profile

Actions

Bug #22133

closed

Upgrade dependencies to address current security advisories

Added by Lucas Di Pentima 3 months ago. Updated 3 months ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Story points:
-
Release:
Release relationship:
Auto
Actions #1

Updated by Lucas Di Pentima 3 months ago

  • Status changed from New to In Progress
Actions #2

Updated by Brett Smith 3 months ago

Please be careful not to re-revert 2f4fb1522c89c29a94854bf9f26fb6d13959f2d4. If dependabot identifies a specific security issue with the net-imap gem, please share details so we can figure out what we want to do about it.

Actions #3

Updated by Lucas Di Pentima 3 months ago

Updates at a6da959 - branch 22133-dependency-upgrades

Test run: developer-run-tests: #4458
WB rerun: developer-run-tests-services-workbench2: #1171

  • Go dependencies upgrade
    • github.com/docker/docker from v26.1.3+incompatible to v26.1.5+incompatible to address CVE-2024-41110
    • google.golang.org/grpc from v1.64.0 to v1.64.1 to mitigate a potential CWE-200
  • Workbench dependencies upgrade
    • Direct
      • webpack
      • dompurify
      • elliptic
      • resolve-url-loader
      • wait-on
    • Indirect
      • express
      • braces
      • micromatch
      • postcss
Actions #4

Updated by Lucas Di Pentima 3 months ago

Update at 5617c02 - branch 22133-dependency-upgrades-part-deux
Test run: developer-run-tests-services-workbench2: #1179

Second pass of Workbench related dependency upgrades

  • Upgrades ws to address CVE-2024-37890
  • Upgrades socks to get a replacement for the vulnerable ip package
  • Upgrades path-to-regexp where possible
  • Removes unused lodash.template & lodash.mergewith packages
Actions #5

Updated by Lucas Di Pentima 3 months ago

  • Status changed from In Progress to Resolved
Actions

Also available in: Atom PDF