resolving a long list of security vln found using snyk 👍 #164

Closed
wants to merge 13 commits into from

LucaPaterlini

No description provided.

snyk-bot and others added 11 commits July 24, 2024 08:16
…b06a9dce10325

[Snyk] Security upgrade vitepress from 1.0.0-rc.20 to 1.0.0
…2e2807a197d77

[Snyk] Security upgrade vitepress from 1.0.0-rc.20 to 1.0.0
…08832210a516e

[Snyk] Security upgrade Microsoft.AspNetCore.Mvc.Testing from 8.0.0 to 8.0.7
@Hawxy
Collaborator

Hawxy commented Jul 24, 2024

Worth mentioning there are no actual security vulnerabilities to be found here, given this is a testing framework to be run in test projects. Typically, you exclude your test & build projects from Snyk as it creates a ton of unnecessary noise.

The code change is also unnecessary, as the implementation is all in-memory and doesn't send data over a network or between untrusted systems. I'll begrudgingly merge this in given this change is removed.

@LucaPaterlini
Author

Thanks @Hawxy for your reply, reverted the specific commit you mentioned.

@Hawxy
Collaborator

Hawxy commented Jul 26, 2024

I've rolled the relevant updates for the main package + docs into other PRs, so this can be closed. Thanks for the contribution.

@Hawxy Hawxy closed this Jul 26, 2024
@LucaPaterlini
Author

LucaPaterlini commented Jul 26, 2024

Hi @Hawxy thanks for your reply and work.
Just ran the scan again and it seems a few of the changes have slipped ...
Can I send a new PR with the leftovers? :)

Screenshot 2024-07-26 at 09 43 20

@Hawxy
Collaborator

Hawxy commented Jul 26, 2024

The remaining projects are build infrastructure/test projects and don't need to be fixed.
