Project Blackduck Vulnerabilities found in serenity js #1062
Hey @nbarrett! Sure thing, I've just released 2.32.4 with updated dependencies, so it would be good to know what Blackduck thinks about those. I don't think Serenity/JS depends on any of the libs from your Excel spreadsheet directly, but if you could figure out what's pulling them in I'm sure we can figure out how to upgrade them. Also, out of curiosity, can you run Blackduck on a branch as opposed to the released version? Might be good to see if there are any potential issues with the upcoming 3.0 release on branch
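The "figure out what's pulling them in" step above is mechanical once you have a lockfile. The script below is an added example, not Serenity/JS code or anything posted in this thread: it reads a package-lock.json v2/v3 "packages" map, resolves each entry's dependencies the way Node does (nearest `node_modules` first, then each ancestor), and walks the reverse edges back to the project root so every chain that installs a named package is printed, with dev-only copies marked. The lockfile, package names and versions in it are constructed for the example and do not correspond to any real Serenity/JS dependency.

```javascript
// Added example, not Serenity/JS code: given a package-lock.json (lockfileVersion 2 or 3,
// which carries a flat "packages" map keyed by install path), answer "what pulls package X
// into this project?" by resolving each entry's dependencies the way Node does and then
// walking the reverse edges back to the project root.

// Constructed lockfile used as sample input; package names and versions are made up.
const CONSTRUCTED_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "test-runner": "^1.0.0" },
      devDependencies: { "dev-server": "^2.0.0" },
    },
    "node_modules/test-runner": { version: "1.0.0", dependencies: { "old-lib": "^0.5.0" } },
    "node_modules/old-lib": { version: "0.5.2" },
    "node_modules/dev-server": { version: "2.0.0", dev: true, dependencies: { "old-lib": "^1.0.0" } },
    // nested copy: dev-server needs a newer old-lib than the hoisted one
    "node_modules/dev-server/node_modules/old-lib": { version: "1.0.0", dev: true },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" has no name.
function entryName(installPath) {
  const i = installPath.lastIndexOf("node_modules/");
  return i === -1 ? "" : installPath.slice(i + "node_modules/".length);
}

// Node's lookup: try <from>/node_modules/<name>, then the same in each ancestor directory.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. an absent optional dependency)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Map each installed entry to the entries that depend on it.
function buildReverseEdges(packages) {
  const parents = new Map();
  for (const [path, entry] of Object.entries(packages)) {
    const declared = {
      ...(entry.dependencies || {}),
      ...(entry.optionalDependencies || {}),
      // devDependencies are only installed for the root package
      ...(path === "" ? entry.devDependencies || {} : {}),
    };
    for (const depName of Object.keys(declared)) {
      const target = resolveDep(packages, path, depName);
      if (target === null) continue;
      if (!parents.has(target)) parents.set(target, []);
      parents.get(target).push(path);
    }
  }
  return parents;
}

// Every path from the project root down to an installed copy of `name`,
// e.g. "example-app > dev-server@2.0.0 (dev) > old-lib@1.0.0 (dev)".
function dependencyChains(lock, name) {
  const { packages } = lock;
  const parents = buildReverseEdges(packages);
  const label = (p) =>
    p === "" ? lock.name : `${entryName(p)}@${packages[p].version}${packages[p].dev ? " (dev)" : ""}`;
  const chains = [];
  const walk = (path, trail) => {
    if (trail.includes(path)) return; // guard against dependency cycles
    const next = [path, ...trail];
    if (path === "") { chains.push(next.map(label).join(" > ")); return; }
    for (const parent of parents.get(path) || []) walk(parent, next);
  };
  for (const path of Object.keys(packages)) {
    if (entryName(path) === name) walk(path, []);
  }
  return chains.sort();
}

// All installed versions of `name`; a scanner reports each copy separately.
function installedVersions(lock, name) {
  return Object.keys(lock.packages)
    .filter((p) => entryName(p) === name)
    .map((p) => lock.packages[p].version)
    .sort();
}

for (const chain of dependencyChains(CONSTRUCTED_LOCK, "old-lib")) console.log(chain);
```

On a real checkout, replace `CONSTRUCTED_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; `npm ls <name>` and, on npm 7 or later, `npm explain <name>` print the same chains from an installed tree. The "(dev)" marker is what you want for triage: a flagged library that only reaches the project through devDependencies never ships in the published package, whereas one under a runtime dependency does, and the two cases call for different PRs.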
Hi @jan-molak! Thanks for your quick response. I've just got our security team to re-run the Blackduck scan on blackduck-vulnerability-report.xlsx I've not had a chance to perform the same on the 3.0 branch yet. We'll have a look to see how easy it is to do that... Cheers 👍
Hi @nbarrett - And I have also done a bit of research via
Hi @jan-molak - sure thing - I'll raise those 3 PRs forthwith - thanks for your analysis!
- Helps address vulnerability in serenity-js as part of [issue restify#1062](serenity-js/serenity-js#1062 (comment))
- Helps address vulnerability in serenity-js as part of [issue #1062](serenity-js/serenity-js#1062 (comment))
Hi @jan-molak - I've raised 2 of the 2 PRs you suggested but I'm having trouble with bumping the
This looks to me to be a problem with using a deprecated library
Thanks, @nbarrett! I had a quick look at It seems like @eriktrom is interested in dropping support for the ancient Node 0.10.x altogether (http-party/node-portfinder#122), but that's something for a separate PR I think. The maintainers did mention that the project is locked for any new features (http-party/node-portfinder#117 (comment)), but I'm hoping that they'll accept a security fix.
Hey @nbarrett! I think we can close this ticket now, as at the time of writing Serenity/JS:
Please let me know if you come across any other issues in the future! |
Hi @jan-molak! Long time no speak. It seems that my current project is considering moving to Serenity-js + WebdriverIO, but in order to do that we need to assess the vulnerability impact. So our team has run v2.32.3 through our internal Blackduck scanning and has found the following vulnerabilities:
![image](https://user-images.githubusercontent.com/626941/143483333-d4a3875b-26ec-4371-abc6-75d0cc1e19ed.png)
And the following Operational Risks:
Right now we are focussed on the vulnerabilities and are wondering whether it might be possible to upgrade the project dependencies to resolve these? Maybe I can help with a PR, once I work out where these dependencies are coming from. I enclose an Excel sheet of the affected libraries and the specific vulnerabilities:
blackduck-vulnerability-report.xlsx
I look forward to hearing from you and hopefully contributing....
Thanks, @nbarrett