
Security Updates #83

Closed
bryant-finney opened this issue Nov 17, 2021 · 0 comments · Fixed by #84 or #85
Labels
chore This label identifies trivial maintenance tasks / changes

Comments

@bryant-finney (Collaborator)

Several dependencies in the test datasets contain security vulnerabilities. These are not project dependencies and are only used to test the application with representative operations.

Accordingly, this is not a high-priority issue and receives the chore label.

While merging dependabot PRs, might as well add a code scanning workflow for CodeQL.

@bryant-finney bryant-finney added the chore This label identifies trivial maintenance tasks / changes label Nov 17, 2021
@bryant-finney bryant-finney self-assigned this Nov 17, 2021
bryant-finney added a commit that referenced this issue Nov 17, 2021
* Bump lxml from 4.0.0 to 4.6.3 in /tests/data/broken_0

Bumps [lxml](https://github.com/lxml/lxml) from 4.0.0 to 4.6.3.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-4.0.0...lxml-4.6.3)

Signed-off-by: dependabot[bot] <[email protected]>

* Bump pyyaml from 3.12 to 5.4 in /tests/data

Bumps [pyyaml](https://github.com/yaml/pyyaml) from 3.12 to 5.4.
- [Release notes](https://github.com/yaml/pyyaml/releases)
- [Changelog](https://github.com/yaml/pyyaml/blob/master/CHANGES)
- [Commits](yaml/pyyaml@3.12...5.4)

Signed-off-by: dependabot[bot] <[email protected]>

* Bump lxml from 4.0.0 to 4.6.3 in /tests/data

Bumps [lxml](https://github.com/lxml/lxml) from 4.0.0 to 4.6.3.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-4.0.0...lxml-4.6.3)

Signed-off-by: dependabot[bot] <[email protected]>

* Bump lxml from 4.0.0 to 4.6.3 in /tests/data/extra_0

Bumps [lxml](https://github.com/lxml/lxml) from 4.0.0 to 4.6.3.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-4.0.0...lxml-4.6.3)

Signed-off-by: dependabot[bot] <[email protected]>

* Bump lxml from 4.0.0 to 4.6.3 in /tests/data/broken_1

Bumps [lxml](https://github.com/lxml/lxml) from 4.0.0 to 4.6.3.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-4.0.0...lxml-4.6.3)

Signed-off-by: dependabot[bot] <[email protected]>

* Bump pyyaml from 3.12 to 5.4 in /tests/data/extra_0

Bumps [pyyaml](https://github.com/yaml/pyyaml) from 3.12 to 5.4.
- [Release notes](https://github.com/yaml/pyyaml/releases)
- [Changelog](https://github.com/yaml/pyyaml/blob/master/CHANGES)
- [Commits](yaml/pyyaml@3.12...5.4)

Signed-off-by: dependabot[bot] <[email protected]>

* Bump pyyaml from 3.12 to 5.4 in /tests/data/broken_1

Bumps [pyyaml](https://github.com/yaml/pyyaml) from 3.12 to 5.4.
- [Release notes](https://github.com/yaml/pyyaml/releases)
- [Changelog](https://github.com/yaml/pyyaml/blob/master/CHANGES)
- [Commits](yaml/pyyaml@3.12...5.4)

Signed-off-by: dependabot[bot] <[email protected]>

* Configure CodeQL security scans

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@bryant-finney bryant-finney linked a pull request Nov 18, 2021 that will close this issue
bryant-finney added a commit that referenced this issue Nov 19, 2021
* #86 additional security updates (#85)

* Bump sqlalchemy from 1.1.14 to 1.3.0 in /tests/data/broken_1

Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 1.1.14 to 1.3.0.
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

---
updated-dependencies:
- dependency-name: sqlalchemy
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump sqlalchemy from 1.1.14 to 1.3.0 in /tests/data/extra_0

Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 1.1.14 to 1.3.0.
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

---
updated-dependencies:
- dependency-name: sqlalchemy
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump sqlalchemy from 1.1.14 to 1.3.0 in /tests/data

Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 1.1.14 to 1.3.0.
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

---
updated-dependencies:
- dependency-name: sqlalchemy
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump requests from 2.18.4 to 2.20.0 in /tests/data

Bumps [requests](https://github.com/psf/requests) from 2.18.4 to 2.20.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.18.4...v2.20.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump sqlalchemy from 1.1.14 to 1.3.0 in /tests/data/broken_1

Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 1.1.14 to 1.3.0.
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

---
updated-dependencies:
- dependency-name: sqlalchemy
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump sqlalchemy from 1.1.14 to 1.3.0 in /tests/data/extra_0

Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 1.1.14 to 1.3.0.
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

---
updated-dependencies:
- dependency-name: sqlalchemy
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>