Resolution of Dependabot alerts - avsitter.github.io not updating #54
I've noticed that http://avsitter.github.io seems to have stopped auto-updating to reflect changes made to the pages in the AVsitter documentation repository. I assume it's because of the "Dependabot alerts" seen when I log in: https://github.com/AVsitter/avsitter.github.io/security/dependabot which seem to indicate we need to update some dependencies.
I'm making this issue as I am not sure how to solve the issues and get the documentation pages auto-updating again. Hoping that Sei will take this up if familiar with resolving the conflicts, otherwise I will look at it in more detail when I get a chance.

Comments

Apologies, I've had trouble with email and didn't notice the last bunch of updates. Hopefully that's fixed now.
By design, avsitter.github.io is building from the `master` branch, but I changed the default branch to `devel`, and that is where pull requests go. The purpose of the change is to hold the documentation for the new version until it is released; this prevents confusing users with new features that are not yet present in the version from Marketplace. Part of the release process will then be to merge `devel` into `master` in this repository, so that the new version changes become visible.
In the case of #52, since it applies to all versions, I've cherry-picked it on `master` and pushed; the change is now effective.
As for Dependabot, I review the proposed changes and whether the security fixes affect us. I don't upgrade if they aren't necessary. It's unusual that one of the fixes may affect us (unless it's something like a cross-site scripting vulnerability) because the build process happens in a virtual machine that can't be affected externally, and once built, the pages are just static HTML and JS with no server-side software running on the GitHub servers. Rather than updating blindly and taking the risk of breaking the existing site, I prefer to hold things as they are while possible.

The latest update was unnecessary:
https://nvd.nist.gov/vuln/detail/CVE-2021-32740
"a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input [...]"
`addressable` is part of the building process, and since all additions to the repository come from trusted user input (reviewed via pull requests), we fall under "typical usage" and the update doesn't apply to this case.
Since `devel` is not built by default, it's still unknown whether the change will affect the build. Since I'm not sure of the implications, to be on the safe side I've reverted the change. Dependabot will probably complain again.