
Security Audit - Outdated dependencies

Open embano1 opened this issue 2 years ago • 5 comments

After reviewing the recent security audit I was wondering whether we should enable GitHub Dependabot for this repo to automatically bump deps.

cc/ @duglin @lionelvillard

embano1 avatar Dec 11 '22 09:12 embano1

yep - just need to find the time :-)

duglin avatar Jan 18 '23 20:01 duglin

This issue is stale because it has been open for 30 days with no activity. Mark as fresh by updating it, e.g., adding the comment /remove-lifecycle stale.

github-actions[bot] avatar Feb 18 '23 01:02 github-actions[bot]

As CloudEvents provide SDKs with out-of-the-box integration with 3rd-party libraries, could we add either dependabot or renovate for managing all dependencies for all CloudEvents repositories?

For example, on the JAVA-SDK repository, the latest SDK update is from May 15, 2023 and the following packages have known vulnerabilities on 3rd party dependencies:

  • https://mvnrepository.com/artifact/io.cloudevents/cloudevents-protobuf/2.5.0
  • https://mvnrepository.com/artifact/io.cloudevents/cloudevents-json-jackson/2.5.0
  • https://mvnrepository.com/artifact/io.cloudevents/cloudevents-kafka/2.5.0
  • https://mvnrepository.com/artifact/io.cloudevents/cloudevents-spring/2.5.0
  • etc.

YohanSciubukgian avatar Mar 06 '24 16:03 YohanSciubukgian

Yes, we use Dependabot in the sdk-go repo. Want to file a PR? Not sure how much work is involved though to integrate with Maven (security keys to push).

embano1 avatar Mar 10 '24 06:03 embano1
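As an added example (not from this thread or any CloudEvents repository), here is what a minimal `.github/dependabot.yml` for a Maven project like the Java SDK discussed above could look like. Dependabot only opens pull requests against the repository itself, so no Maven Central publishing credentials are involved; the `directory` and grouping choices are assumptions.

```yaml
# Added example, not from this thread or any CloudEvents repository.
# .github/dependabot.yml for a Maven project; Dependabot opens PRs in this
# repo only and needs no Maven Central publishing keys.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"          # location of the root pom.xml (assumed)
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    # Group routine minor/patch bumps into a single PR so the maintainers
    # review one change per week; security advisories still get their own
    # PRs, which keeps vulnerable-dependency fixes easy to spot and merge.
    groups:
      minor-and-patch:
        update-types: ["minor", "patch"]
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

For a Go repository such as sdk-go the same file would use `package-ecosystem: "gomod"` in place of `"maven"`.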

This issue is stale because it has been open for 30 days with no activity. Mark as fresh by updating it, e.g., adding the comment /remove-lifecycle stale.

github-actions[bot] avatar Apr 10 '24 01:04 github-actions[bot]