Updating dependencies to address Rack CVEs


Pete Johns

Jul 22, 2020, 3:40:52 AM
to Lita
Hi there,

I hope you're all well given the current situation with COVID-19. This mailing list seems more active than the GitHub project, so I thought I'd join in :-)

We recently ran `bundle update` on our beloved Lita instance to address CVE-2020-8184 and CVE-2020-8161.

The latest Lita version release is 4.7.1 (2016-09-17), which requires Rack ">= 1.5.2", "< 2.0.0" (see litaio/lita@fda3a80) and prevents us from updating Rack to version `2.1.4` or later to address these CVEs. Taking the latest version from GitHub (litaio/lita@312df73) comes with the trade-off that we have to downgrade Faraday to `0.15.4` from `1.0.1` and Thor from `1.0.1` to `0.20.3`. This version also fails CI (see build 631295227).

I'd really like to upgrade these dependencies to ensure we don't have any known vulnerabilities.

I've opened two Pull Requests:
Could somebody please review these PRs? I'm keen to help get them into a state where the changes can be released.

Many thanks;


--paj
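The constraint conflict the message describes can be reproduced with RubyGems' own version-matching classes. The script below is an added example and is not code from the post or from the Lita project: it reads the resolved rack version out of a constructed Gemfile.lock excerpt, checks it against the rack constraint the post quotes for Lita 4.7.1 (">= 1.5.2", "< 2.0.0"), and checks both it and a candidate upgrade against the minimum fixed version the post gives (2.1.4 or later). RACK_FIXED_REQ is taken from that statement in the post, not verified here; RELAXED_RACK_REQ is a hypothetical loosened constraint used only to show what a resolvable upgrade path would look like, and the lockfile text and candidate version list are constructed sample data.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with RubyGems

# Rack constraint declared by Lita 4.7.1, as quoted in the post.
LITA_4_7_1_RACK_REQ = Gem::Requirement.new(">= 1.5.2", "< 2.0.0")

# Minimum rack version the post says addresses CVE-2020-8184 and CVE-2020-8161.
# Assumption taken from the post itself; check the upstream advisories before relying on it.
RACK_FIXED_REQ = Gem::Requirement.new(">= 2.1.4")

# Hypothetical relaxed constraint (not Lita's actual constraint), used only to
# illustrate what a resolvable upgrade path would look like.
RELAXED_RACK_REQ = Gem::Requirement.new(">= 1.5.2", "< 3.0.0")

# Constructed Gemfile.lock excerpt in the real lockfile layout:
# resolved gems are indented 4 spaces, their dependencies 6 spaces.
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    faraday (1.0.1)
    lita (4.7.1)
      rack (>= 1.5.2, < 2.0.0)
    rack (1.6.13)
LOCK

# Constructed list of rack versions a `bundle update` might consider.
CANDIDATES = %w[1.5.2 1.6.13 2.0.9 2.1.4 2.2.3].freeze

# Return the resolved version of gem_name from lockfile text, or nil if absent.
# Only 4-space-indented "name (version)" lines are resolved specs; the
# 6-space-indented lines are dependency declarations and are skipped.
def locked_version(lock_text, gem_name)
  lock_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Compare the locked rack version and a candidate upgrade against both
# the Lita constraint and the fixed-version requirement.
def assess(lock_text, candidate)
  current = locked_version(lock_text, "rack")
  cand = Gem::Version.new(candidate)
  {
    current: current.to_s,
    current_has_fix: RACK_FIXED_REQ.satisfied_by?(current),
    candidate_allowed_by_lita: LITA_4_7_1_RACK_REQ.satisfied_by?(cand),
    candidate_has_fix: RACK_FIXED_REQ.satisfied_by?(cand),
  }
end

# Versions that satisfy a dependent's constraint AND carry the fix.
# An empty result means the dependent's constraint must change before
# the vulnerable gem can be upgraded.
def resolvable_with_fix(candidates, dependent_req)
  candidates
    .map { |v| Gem::Version.new(v) }
    .select { |v| dependent_req.satisfied_by?(v) && RACK_FIXED_REQ.satisfied_by?(v) }
    .map(&:to_s)
end

if $PROGRAM_NAME == __FILE__
  p assess(SAMPLE_LOCK, "2.1.4")
  p resolvable_with_fix(CANDIDATES, LITA_4_7_1_RACK_REQ)
  p resolvable_with_fix(CANDIDATES, RELAXED_RACK_REQ)
end
```

Run against the sample lockfile, the Lita 4.7.1 constraint yields no rack version that is both resolvable and fixed, which is exactly why `bundle update` cannot pull in 2.1.4; only a loosened constraint on the Lita side makes the set non-empty.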