Skip to content
This repository was archived by the owner on Feb 12, 2024. It is now read-only.

Node security #1128

Closed
richardschneider opened this issue Dec 4, 2017 · 5 comments
Closed

Node security #1128

richardschneider opened this issue Dec 4, 2017 · 5 comments

Comments

@richardschneider
Copy link
Contributor

richardschneider commented Dec 4, 2017
edited
Loading

The CI build is reporting 12 vulnerabilities found. They are all Sandbox Breakout and come from protons@1.0.0 > brfs@1.4.3 > static-module@1.5.0 > static-eval@0.2.4.

The recommendation is to upgrade static-module to v2.0.0 or later

dependency updates, most notably static-eval to v2.0.0 which fixes a security vulnerability.
@richardschneider
Copy link
Contributor Author

There's a PR to upgrade bfrs to the latest version of static-module. It's build is failing!

@richardschneider
Copy link
Contributor Author

Once brfs is upgraded, then protons should be upgraded. All dependents (bitswap, unixfs, ...) should be upgraded. Or make the new protons version just a patch (1.0.1) and dependents will just get it.

@richardschneider
Copy link
Contributor Author

It appears that ipfs/protons#3 will remove bfrs from protons and then all the security notifications will be resolved.

@dignifiedquire @thisconnect can we get some progress on the PR?

@daviddias
Copy link
Member

Seems that everything is ready, @dignifiedquire just needs to merge and release :)

@daviddias daviddias mentioned this issue Dec 7, 2017
Closed
@daviddias
Copy link
Member

Back to green

image

@richardschneider thanks for pushing on this one :)

This was referenced Jan 26, 2022
Open
Open
Open
This was referenced Mar 21, 2022
Open
Open
Open
@internetbuilder internetbuilder mentioned this issue Nov 29, 2023
Open
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@richardschneider @daviddias