Fix dependabot security notice #267

futurechimp · 2020-06-17T11:22:18Z

No description provided.

futurechimp · 2020-06-18T10:45:40Z

Having a look at this one, we currently have a security alert from Github in our clients/native/examples/js-examples, in the dependency websocket-extensions. Tracing through the dependencies upwards, we are depending on webpack-dev-server which uses this (about 4 layers down the stack).

The vulnerability has no effect on us (it's example code and we're not running a js-based websocket server in our examples anyway).

Since there's no effect, we can periodically check back on this one, and when we see that webpack-dev-server releases again with updated dependencies we should upgrade then.

I have no idea what happens if we just upgrade the websocket-extensions package directly in package.json and yarn.lock but I don't feel like getting into a fight with js dependency managers and finding out.

futurechimp created this issue from a note in Core systems (Backlog) Jun 17, 2020

futurechimp added this to the 0.8.0 milestone Jun 17, 2020

futurechimp removed this from the 0.8.0 milestone Jun 18, 2020

futurechimp moved this from Backlog to Cold Storage in Core systems Oct 14, 2020

jstuczyn closed this as completed Jan 20, 2021

Core systems automation moved this from Cold Storage to Done Jan 20, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix dependabot security notice #267

Fix dependabot security notice #267

futurechimp commented Jun 17, 2020

futurechimp commented Jun 18, 2020

Fix dependabot security notice #267

Fix dependabot security notice #267

Comments

futurechimp commented Jun 17, 2020

futurechimp commented Jun 18, 2020