Seeking clarification regarding unpatched vulnerabilities in dependencies


Kamal Velan
Dec 14, 2021, 2:34:28 PM
to pedestal-users
Hi folks,

I use Pedestal for my research engineering work. I am surprised to find a good amount of unpatched vulnerabilities within pedestal as reported by `lein nvd check`

I wanted to understand what is the upgrade process / expected timeline to update these dependencies, specifically within https://github.com/pedestal/pedestal/blob/master/jetty/project.clj

Please do let me know how I can help, e.g. creating a PR

Thanks,
Kamal


[Attachment: Screenshot_20211215_005739.png]

Paul deGrandis
Dec 15, 2021, 7:35:47 AM
to pedestal-users
Hi Kamal,

Thanks for using Pedestal and for reaching out on the mailing list!

PRs that update dependencies and clean up doc strings are always welcome and very helpful.
Outside of a PR, a GitHub issue is also helpful - there are a few community members who will pick up smaller tickets.

Regarding dependencies in your own projects:
I recommend getting in the habit of using `:exclusions` and pinning problematic transitive dependencies within the top-level of your project.
You can see an example of this within Pedestal itself: https://github.com/pedestal/pedestal/blob/master/service/project.clj#L29

I hope this helps!
Paul
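The `:exclusions` and top-level pinning pattern Paul describes, written out as an added example project.clj (this is not Pedestal's own project.clj and not code from the thread). The artifact `org.example/transitive-lib`, the application name and every version string are placeholders; in a real project you would substitute the coordinate that `lein nvd check` flagged and the patched version you have vetted.

```clojure
;; Added example, not from the Pedestal project or this thread.
;; Pattern: (1) exclude the problematic transitive dependency from the
;; library that pulls it in, (2) pin the version you want at the top level
;; so Leiningen resolves exactly that one regardless of what other
;; dependencies request. All versions below are placeholders.
(defproject my-app "0.1.0-SNAPSHOT"
  :dependencies [[org.clojure/clojure "1.10.3"]

                 ;; Library whose transitive dependency was flagged by
                 ;; `lein nvd check`. Excluding it here removes the old
                 ;; version from this branch of the dependency tree.
                 [io.pedestal/pedestal.jetty "PEDESTAL-VERSION-PLACEHOLDER"
                  :exclusions [org.example/transitive-lib]]

                 ;; Pin the vetted version at the top level. Leiningen gives
                 ;; top-level declarations precedence over transitive ones,
                 ;; so every consumer now sees this version.
                 [org.example/transitive-lib "PATCHED-VERSION-PLACEHOLDER"]]

  ;; Make Leiningen fail the build on version conflicts instead of silently
  ;; picking one, so a future dependency bump cannot quietly reintroduce the
  ;; old transitive version. (:pedantic? :warn only prints a warning.)
  :pedantic? :abort)
```

After editing, `lein deps :tree` prints the resolved tree so you can confirm that only the pinned version of the excluded artifact appears, and re-running `lein nvd check` confirms the finding is gone. If several libraries pull in the same problematic artifact, each of them needs its own `:exclusions` entry; the single top-level pin is then enough for all of them.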

Daniel De Aguiar
Dec 15, 2021, 9:29:06 AM
to pedestal-users
Hi Kamal,

Adding to what Paul said, I've opened up an issue which captures this. Ideally we'd be identifying and addressing dependencies with vulnerabilities sooner. I'll work on improving in that area.

Thanks for reaching out!

/dan

Kamal Velan
Dec 18, 2021, 11:13:07 AM
to pedestal-users
Thanks Paul & dan for replying to this mail.

I will look into the exclusions feature and pin my deps appropriately.

Thanks a lot for your work.

Kamal