http_parser.rb 0.6.0 includes a garbage Gemfile.lock and it causes false
positive detection by security scanning tools. 0.7.0 fixes this issue.
See also: #3374 #3409 #3437
Signed-off-by: Takuro Ashie <ashie@clear-code.com>
Describe the bug
Fluentd depends on http_parser.rb, but it is not maintained and has not released a new version since December 11, 2013.
In this gem, a vulnerability is often detected mistakenly by several security tools because it includes a garbage Gemfile.lock, e.g. #3409 #3374.
It is troublesome to support such issues, so I've gotten ownership of http_parser.rb and I'll release a new gem which fixes this issue. Although such false positives will be suppressed by it, we should consider replacing http_parser.rb with other equivalents such as llhttp, because the http-parser it depends on is already dead too.
To Reproduce
See https://github.com/nodejs/http-parser
Expected behavior
Dependent libraries should be well maintained.
Your Environment
N/A
Your Configuration
N/A
Your Error Log
N/A
Additional context
N/A
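The false positives described in this issue come from a Gemfile.lock that was packaged into the gem by mistake: lockfile-based scanners read the old versions pinned in it as if they were the gem's real dependencies. The following Ruby script is an added example (it is not part of fluentd, http_parser.rb, or this issue) showing how an operator can triage such findings: it walks a RubyGems install directory (`gems/<name>-<version>/`), finds any gem that ships a Gemfile.lock in its root, parses the `specs:` block of that lockfile, and lists the pinned entries that are not among the gem's declared runtime dependencies. The gem names, versions and lockfile contents in the sample are constructed placeholders, and the declared-dependency list passed to `undeclared_pins` is a hypothetical input the caller would normally take from the gemspec.

```ruby
# Added example: find stray Gemfile.lock files inside installed gems and report
# the versions they pin, so scanner findings can be traced back to packaging
# noise rather than to the gem's real dependency declarations.
require 'tmpdir'
require 'fileutils'

# A spec line in the GEM/specs: block is indented exactly four spaces and reads
# "name (version)"; transitive-dependency lines below it are indented six.
SPEC_LINE = /\A {4}(\S+) \((\S+)\)\z/

# Parse Gemfile.lock contents and return {name => version} for every spec pinned
# in the GEM section. Other sections (PLATFORMS, DEPENDENCIES, ...) are skipped.
def pinned_specs(lockfile_contents)
  specs = {}
  in_gem = false
  in_specs = false
  lockfile_contents.each_line do |raw|
    line = raw.chomp
    if line =~ /\A[A-Z][A-Z ]*\z/        # top-level section header, e.g. GEM
      in_gem = (line == 'GEM')
      in_specs = false
      next
    end
    next unless in_gem
    if line == '  specs:'
      in_specs = true
      next
    end
    next unless in_specs
    if (m = SPEC_LINE.match(line))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Walk an installed-gems directory (RubyGems layout: gems/<name>-<version>/) and
# return {gem_dir_name => {pinned_name => pinned_version}} for every gem that
# ships a Gemfile.lock in its root. A published gem has no business carrying
# one; when it does, lockfile-based scanners may treat those pins as real.
def stray_lockfiles(gems_dir)
  Dir.glob(File.join(gems_dir, '*', 'Gemfile.lock')).sort.each_with_object({}) do |lock, acc|
    acc[File.basename(File.dirname(lock))] = pinned_specs(File.read(lock))
  end
end

# Pinned entries that the gem does not declare as runtime dependencies: these
# are the ones a scanner finding against this gem should be cross-checked with.
def undeclared_pins(pins, declared_runtime_deps)
  pins.reject { |name, _| declared_runtime_deps.include?(name) }
end

# Constructed lockfile content (placeholder names and versions, not real gems).
CONSTRUCTED_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      old-dev-tool (0.9.1)
        support-lib (~> 1.0)
      support-lib (1.0.2)
      example-parser (0.6.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    example-parser!
    old-dev-tool
LOCK

# Build a throwaway gems directory with one offending gem and one clean gem,
# then report the undeclared pins per offending gem.
def demo
  Dir.mktmpdir do |root|
    gems_dir = File.join(root, 'gems')
    FileUtils.mkdir_p(File.join(gems_dir, 'example-parser-0.6.0'))
    FileUtils.mkdir_p(File.join(gems_dir, 'clean-gem-1.0.0'))
    File.write(File.join(gems_dir, 'example-parser-0.6.0', 'Gemfile.lock'), CONSTRUCTED_LOCKFILE)
    declared = [] # hypothetical: the constructed gem declares no runtime deps
    stray_lockfiles(gems_dir).transform_values { |pins| undeclared_pins(pins, declared) }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |gem_dir, pins|
    puts "#{gem_dir} ships a Gemfile.lock pinning: #{pins.map { |n, v| "#{n} #{v}" }.join(', ')}"
  end
end
```

Run it against a real installation by pointing `stray_lockfiles` at `Gem.dir + '/gems'`; a non-empty result is the list of gems whose scanner hits should be verified against their gemspec before being treated as vulnerabilities in the application.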