Security vulnerabilities in 17.0.0-rc1 #64417
An automated security scan of 17.0.0-rc1 complained about the following dependencies
The relevant requirement files are:
0.17.32
can't hurt
(Previously reported in #57907 (comment); splitting this off as a separate issue as requested on Discourse)

Comments

Tagging potential owners of the requirements files based on
Would be great if you could take a quick look at the dependencies, and upgrade them if possible

For (It's just a refresh from the upstream
https://reviews.llvm.org/D157254 for llvm/utils/git

@vogelsgesang maybe this is a bit unrelated to this - but it would be nice to have the actions run this check somehow.

Agree. I am not sure how to do this, though. The tool we are internally using is proprietary, and we are only scanning LLVM's source code when I am about to upgrade to a new version. I will reach out to the security team internally to figure out if they have an idea how to automate this.

Does GitHub allow a project to enable dependabot? The GHE instance that Sony runs internally does that.

@tstellar could we enable dependabot for python on llvm-project? or is there something blocking that?

https://reviews.llvm.org/D157284 for flang/examples/FlangOmpReport

ruamel.yaml had a potential security issue (may also be a false positive in scanner). Related to #64417
Reviewed By: avogelsgesang
Differential Revision: https://reviews.llvm.org/D157284

closing, since llvm 17 is done and there is a newer release already
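As an added example in answer to the question in this thread about enabling Dependabot for the Python requirement files (this is not configuration from llvm-project or from anyone in the issue), a `.github/dependabot.yml` that asks Dependabot to watch pip requirements in the two directories named above. The weekly schedule, the pull-request limit and the label are assumptions chosen for illustration; the two directory paths are the ones mentioned in the comments.

```yaml
# .github/dependabot.yml (added example, not llvm-project's own file)
version: 2
updates:
  # One entry per directory that contains a requirements.txt;
  # Dependabot looks for pip requirement files in the given directory.
  - package-ecosystem: "pip"
    directory: "/llvm/utils/git"            # path named in the thread
    schedule:
      interval: "weekly"                     # assumed cadence
    open-pull-requests-limit: 5              # assumed cap on concurrent PRs
    labels:
      - "dependencies"                       # assumed label

  - package-ecosystem: "pip"
    directory: "/flang/examples/FlangOmpReport"   # path named in the thread
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
```

This file drives Dependabot version updates, which open pull requests whenever a pinned requirement falls behind; it would have surfaced an outdated pin such as the one discussed here without waiting for a manual scan. Dependabot alerts and automated security updates, which react to advisories rather than to new releases, are switched on separately in the repository's security settings rather than in this file, so a project that wants both needs the file and the setting.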