package updates (#405)
carrolp authored Aug 2, 2023
1 parent 4b6bb5e commit 1e5707a
Showing 3 changed files with 560 additions and 373 deletions.
53 changes: 28 additions & 25 deletions audit-ci.json
@@ -1,26 +1,29 @@
{
"low": true,
"_allowlistInfo": [
{
"advisory": "GHSA-p8p7-x288-28g6",
"details": "The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP)",
"justification1": "Request package is deprecated and unlikely to receive updates.",
"justification2": "Application unaffected as it only uses request by way of kubernetes/client-node, which talks to kubernetes, which can be asserted as not an attacker-controlled server.",
"expiry": "31 July 2023 00:00"
}
],
"_allowlistInfo1": [
{
"advisory": "GHSA-72xf-g2v4-qvf3",
"details": "The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP)",
"justification1": "Request package is deprecated and unlikely to receive updates.",
"justification2": "Application unaffected as it only uses request by way of kubernetes/client-node, which talks to kubernetes, which can be asserted as not an attacker-controlled server.",
"expiry": "31 July 2023 00:00"
}
],
"allowlist": [
"GHSA-p8p7-x288-28g6",
"GHSA-72xf-g2v4-qvf3"
],
"skip-dev": true
}
"low": true,
"_allowListExample": [
{
"GHSA-1234-5678-9012": {
"active": true,
"notes": "The package X has vuln Y that is ignored because Y",
"expiry": "2077-04-01"
}
},
],
"allowlist": [
{
"GHSA-p8p7-x288-28g6": {
"active": true,
"notes": "The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP)",
"expiry": "2023-10-01"
}
},
{
"GHSA-72xf-g2v4-qvf3": {
"active": true,
"notes": "The Request package (see above) requires tough-cookie at a vulnerable version.",
"expiry": "2023-10-01"
}
} ],
"skip-dev": true
}
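Review bot: the trailing comma after the closing `},` of the `_allowListExample` object (just before `],`) is not valid strict JSON; either drop it or confirm that the audit-ci version in use parses this file with a lenient (JSON5/JSONC) reader, otherwise the whole config fails to load and both allowlist entries silently stop applying. Separately, the migration to the object-style allowlist drops the risk rationale that the old `justification2` carried ("Application unaffected as it only uses request by way of kubernetes/client-node, which talks to kubernetes, which can be asserted as not an attacker-controlled server"); the new `notes` for GHSA-p8p7-x288-28g6 only restates the advisory text, so whoever revisits these entries at the new `"expiry": "2023-10-01"` has no record of why the SSRF bypass was judged unreachable. Suggest carrying that sentence into `notes`, and likewise stating in the GHSA-72xf-g2v4-qvf3 entry why the vulnerable tough-cookie version is not exploitable in this application rather than only that request pulls it in. On the plus side, the old entry for GHSA-72xf-g2v4-qvf3 had the request advisory text copy-pasted into its `details`; the new `notes` correctly identifies it as the transitive tough-cookie issue.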