fix(deps): upgrade undici from 5.28.2 to 5.28.3 due to CVE #12763
Conversation
- c.f. GHSA-3787-6prv-h9w3
- `undici` is a transitive dep, used by `swagger-ui-react`
- `swagger-ui-react` -> `swagger-client` -> `undici`

Signed-off-by: Anton Gilgur <[email protected]>
Dependabot is still not updating these deps timely. I thought it might be the Something else is going on... I'm wondering if we have security updates disabled or something at the repo or org level? Or is Dependabot just very slow / does it not have the most up-to-date info? A lot of these vulns were reported with GHSAs, so GitHub should have these available in their CVE DB for Dependabot...

I think this is the case -- "Dependabot alerts" are not enabled, and those seem to be required for security updates. That would explain #12635 (comment), #12526 (comment), #12470 (comment), and other manual dependency security updates we've had to do. I've added this as a topic to the next Contributors Meeting.
Cherry-picked into:
- …j#12763) Signed-off-by: Anton Gilgur <[email protected]>
- …j#12763) Signed-off-by: Anton Gilgur <[email protected]>
Partial fix for #12031, "Vulnerabilities"
Motivation
After the Snyk failure for #12753, I also checked OpenSSF Scorecard's current vuln report and found this vuln too: GHSA-3787-6prv-h9w3
Modifications
- `yarn.lock` to bump `undici`
  - `undici` is a transitive dep, used by `swagger-ui-react`
    - `swagger-ui-react` -> `swagger-client` -> `undici`
Verification
- `yarn` after, no additional changes
- `npx yarn-audit-fix && yarn deduplicate` to check for more vulns and auto-update them (same as chore(deps): automatically `audit fix` UI deps #12036), no others popped up
  - `yarn audit`: `0 vulnerabilities found - Packages audited: 1488`
- `yarn` again, no additional changes