Bug #22133: Upgrade dependencies to address current security advisories - Arvados

Actions

Bug #22133

closed

Upgrade dependencies to address current security advisories

Added by Lucas Di Pentima 2 months ago. Updated about 2 months ago.

Status:

Resolved

Priority:

Normal

Assigned To:

Lucas Di Pentima

Category:

-

Target version:

Development 2024-09-25 sprint

Story points:

-

Release:

Release relationship:

Auto

Actions

#1

Updated by Lucas Di Pentima 2 months ago

Status changed from New to In Progress

Actions

#2

Updated by Brett Smith 2 months ago

Please be careful not to re-revert 2f4fb1522c89c29a94854bf9f26fb6d13959f2d4. If dependabot identifies a specific security issue with the net-imap gem, please share details so we can figure out what we want to do about it.

Actions

#3

Updated by Lucas Di Pentima about 2 months ago

Updates at a6da959 - branch 22133-dependency-upgrades

Test run: developer-run-tests: #4458
WB rerun: developer-run-tests-services-workbench2: #1171

Go dependencies upgrade
- github.com/docker/docker from v26.1.3+incompatible to v26.1.5+incompatible to address CVE-2024-41110
- google.golang.org/grpc from v1.64.0 to v1.64.1 to mitigate a potential CWE-200
Workbench dependencies upgrade
- Direct
  - webpack
  - dompurify
  - elliptic
  - resolve-url-loader
  - wait-on
- Indirect
  - express
  - braces
  - micromatch
  - postcss

Actions

#4

Updated by Lucas Di Pentima about 2 months ago

Update at 5617c02 - branch 22133-dependency-upgrades-part-deux
Test run: developer-run-tests-services-workbench2: #1179

Second pass of Workbench related dependency upgrades

Upgrades ws to address CVE-2024-37890
Upgrades socks to get a replacement for the vulnerable ip package
Upgrades path-to-regexp where possible
Removes unused lodash.template & lodash.mergewith packages

Actions

#5

Updated by Lucas Di Pentima about 2 months ago

Status changed from In Progress to Resolved

Actions

Also available in: Atom PDF