dashy
[BUG] Fix cve on new patch
Environment
Self-Hosted (Docker)
System
No response
Version
3.1.1
Describe the problem
Good day. Is it possible to fix vulnerabilities in the new patch (attached report)?
Thank you in advance
Vulnerability_Report_Dashy.pdf
Additional info
Good day. Is it possible to fix vulnerabilities in the new patch (attached report)?
Thank you in advance
Please tick the boxes
- [x] You have explained the issue clearly, and included all relevant info
- [x] You are using a supported version of Dashy
- [x] You've checked that this issue hasn't already been raised
- [x] You've checked the docs and troubleshooting guide
- [x] You agree to the code of conduct
Hi, appreciate the time for the report!
I think you'll be best off sending an email to @Lissy93 [email protected]
Lately it has been a bit quiet around her and especially dashy.
PS: Therefore I wouldn't expect a quick fix.
Hi there @orlovds and @CrazyWolf13, thanks for raising this and including the Trivy scan output. I appreciate your attention to security.
Apologies for not being more present here recently. I'll work more on Dashy again over the next few weeks, and slowly catch up on issues.
Most of the issues flagged here are related to dependencies of dependencies or the base Alpine/Node image — not Dashy’s own code. This is common across most modern Dockerized Node apps. And none of the flagged vulnerabilities are known to be directly exploitable in Dashy’s current usage.
In short, these automated reports are a helpful reference but don’t necessarily imply exploitable vulnerabilities in context. Still, I’ll go through and address what’s actionable.
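One way to do the triage described in the comment above, as an added example that is not part of the thread or of Dashy's code: it splits Trivy findings into base-image packages versus application dependencies and marks which ones already have a fixed version to upgrade to. It assumes the scan is re-run with Trivy's JSON output (`--format json`); the sample report, package names and IDs are constructed placeholders, not values from the attached PDF.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `trivy image --format json` output.
# Package names, versions and IDs are placeholders, not taken from the report.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "example-image (alpine)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-oslib",
              "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-tool",
              "InstalledVersion": "2.3-r1", "Severity": "MEDIUM"}]},
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-transitive-dep",
              "InstalledVersion": "4.1.0", "FixedVersion": "4.1.2",
              "Severity": "CRITICAL"}]},
        {"Target": "app/yarn.lock", "Class": "lang-pkgs", "Type": "yarn"},  # clean
    ]
})

# Trivy's result classes: OS packages come from the base image,
# language packages from the application's dependency tree.
ORIGIN = {"os-pkgs": "base image", "lang-pkgs": "application dependency"}

def triage(report_json):
    """Group findings by (origin, fix status); a fix exists if FixedVersion is set."""
    buckets = defaultdict(list)
    for result in json.loads(report_json).get("Results") or []:
        origin = ORIGIN.get(result.get("Class"), "other")
        # Clean targets have no "Vulnerabilities" key (or a null value).
        for v in result.get("Vulnerabilities") or []:
            fix = v.get("FixedVersion") or None
            status = "fix available" if fix else "no fix yet"
            buckets[(origin, status)].append(
                (v["Severity"], v["VulnerabilityID"], v["PkgName"],
                 v["InstalledVersion"], fix))
    return dict(buckets)

def summary(buckets):
    """Count findings per (origin, fix status) bucket."""
    return {key: len(rows) for key, rows in buckets.items()}

if __name__ == "__main__":
    for (origin, status), rows in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{origin} / {status}: {len(rows)}")
        for sev, vid, pkg, installed, fix in sorted(rows):
            print(f"  {sev:8} {vid} {pkg} {installed} -> {fix or 'n/a'}")
```

The "fix available" buckets are the ones a base-image bump or dependency upgrade can close; whether a remaining finding is reachable in the application still needs a manual look.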
Hi @Lissy93
Did not expect that reply, thanks for chiming back in :)
Yeah that's what I expected but thought I would let you judge on this.
Feel free to reply to me on matrix, if you want to pick up dashy again.
@Lissy93 many thanks