Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Security upgrade nginx from 1.25.2-alpine to 1.27.3-alpine #110

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade nginx from 1.25.2-alpine to 1.27.3-alpine #110

wants to merge 1 commit into from

Conversation

X-oss-byte
Copy link
Owner

@X-oss-byte X-oss-byte commented Nov 29, 2024
edited by sourcery-ai bot
Loading

snyk-top-banner

Snyk has created this PR to fix 5 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

  • docker/frontend/Dockerfile

We recommend upgrading to nginx:1.27.3-alpine, as this image has only 0 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
critical severity Integer Overflow or Wraparound
SNYK-ALPINE318-EXPAT-7908292		   714  
critical severity Integer Overflow or Wraparound
SNYK-ALPINE318-EXPAT-7908293		   714  
high severity Resource Exhaustion
SNYK-ALPINE318-EXPAT-6241039		   614  
high severity XML External Entity (XXE) Injection
SNYK-ALPINE318-EXPAT-7908294		   614  
high severity Integer Overflow or Wraparound
SNYK-ALPINE318-LIBX11-6042398		   614  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Resource Exhaustion
🦉 XML External Entity (XXE) Injection

Summary by Sourcery

Bug Fixes:

  • Upgrade nginx base image in Dockerfile to address multiple vulnerabilities, including integer overflow and XML external entity injection.

@stackblitz StackBlitz
Copy link

stackblitz bot commented Nov 29, 2024

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Nov 29, 2024

⚠️ No Changeset found

Latest commit: 677d395

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@sourcery-ai Sourcery AI
Copy link

sourcery-ai bot commented Nov 29, 2024
edited
Loading

Reviewer's Guide by Sourcery

This PR updates the NGINX base image in the frontend Dockerfile from version 1.25.2-alpine to 1.27.3-alpine to address multiple security vulnerabilities. The change is a straightforward version bump in the base image, with no other modifications to the Dockerfile structure or build process.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change Details Files
Update NGINX base image to patch security vulnerabilities
  • Upgrade NGINX version from 1.25.2-alpine to 1.27.3-alpine
  • Fix 2 critical severity vulnerabilities related to Integer Overflow in expat
  • Address 3 high severity vulnerabilities including Resource Exhaustion, XXE Injection, and Integer Overflow
 docker/frontend/Dockerfile
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time. You can also use
    this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai bot reviewed Nov 29, 2024
View reviewed changes
Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have skipped reviewing this pull request. Here's why:

  • It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
  • We don't review packaging changes - Let us know if you'd like us to change this.

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@X-oss-byte @snyk-bot