
Address 122 security alerts

Open robertbastian opened this issue 1 year ago • 2 comments

The number looks bad. If they are stupid alerts we should disable whatever reports them, otherwise we should address them.

robertbastian, Feb 06 '24 10:02

The number looks bad

True, though the alerts are only visible to team members IIUC.

If they are stupid alerts we should disable whatever reports them, otherwise we should address them.

We can't easily disable most of them. I looked through the list and they are predominantly complaining about various dependencies we use in CI that have CVEs reported against them, plus another cluster saying that we don't pin enough of our dependencies. So in other words the alerts want us to pin our dependencies but then be on the ball to update the pinned version whenever a CVE gets reported. Alerts like this are whack-a-mole.

sffc, Feb 13 '24 04:02

Some of these bots are friendly enough to send PRs fixing the vulnerabilities. I would prefer if the bot reporting these alerts would also just send PRs fixing them. I think AI is advanced enough that it should be able to figure out how to do that even in a relatively unfamiliar codebase.

sffc, Feb 13 '24 04:02