Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency update to fix CVEs #464

Merged
merged 3 commits into from
Aug 29, 2022
Merged

Dependency update to fix CVEs #464

merged 3 commits into from
Aug 29, 2022

Conversation

TheoBrigitte
Copy link
Contributor

@TheoBrigitte TheoBrigitte commented Aug 8, 2022
edited
Loading

Towards: #465

On latest master , nancy found 4 vulnerable dependencies with 5 high to critical CVEs.

  • pkg:golang/github.com/kataras/iris/v12@v12.1.8 : CVE-2021-23772 ( CVSS Score : 8.8/10 (High) )
  • pkg:golang/github.com/microcosm-cc/bluemonday@v1.0.2 : CVE-2021-42576 ( CVSS Score : 9.8/10 (Critical )
  • pkg:golang/github.com/nats-io/jwt@v0.3.0 : CVE-2020-26892 ( CVSS Score : 9.8/10 (Critical) )
  • pkg:golang/github.com/nats-io/jwt@v0.3.0 : CVE-2021-3127 ( CVSS Score : 7.5/10 (High) )
  • pkg:golang/github.com/valyala/fasthttp@v1.6.0 : CVE-2022-21221 ( CVSS Score : 7.5/10 (High) )

This PR updates dependencies to get rid of those CVEs.

Direct dependencies update (manually triggered) :

github.com/kataras/iris/v12 v12.1.8 => v12.2.0-beta4
github.com/valyala/fasthttp v1.6.0 => v1.34.0

Notable indirect dependencies update (done automatically by go) :

github.com/microcosm-cc/bluemonday v1.0.2 => v1.0.19
github.com/nats-io/jwt v0.3.0 => removed

@kamilogorek
Copy link
Contributor

Could you please rebase on top of master, as I just merged #462? Thanks!

@TheoBrigitte
Copy link
Contributor Author

Could you please rebase on top of master, as I just merged #462? Thanks!

I will do the rebasing.

@TheoBrigitte
Copy link
Contributor Author

TheoBrigitte commented Aug 19, 2022
edited
Loading

PR was rebased. I could benefit from a test run to see if things comply.

@TheoBrigitte
Copy link
Contributor Author

@kamilogorek can you have another look please ?

@kamilogorek
Copy link
Contributor

@TheoBrigitte the code is alright and the tests are passing. However, we are in the middle of a HackWeek at Sentry, and we've code frozen until the end of the week. Will merge it on Monday :)

@TheoBrigitte
Copy link
Contributor Author

Ok, thanks for the feedback :)
Have a good HackWeek.

@kamilogorek kamilogorek enabled auto-merge (squash) August 29, 2022 14:55
@kamilogorek kamilogorek merged commit 33f7b69 into getsentry:master Aug 29, 2022
This was referenced Aug 31, 2022
Closed
Closed
@serggl
Copy link

serggl commented Sep 20, 2022

@kamilogorek any chance this gets released?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kamilogorek kamilogorek kamilogorek approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@TheoBrigitte @kamilogorek @serggl