
Update README: Update vulnerable dependencies

Open crStiv opened this issue 11 months ago • 5 comments

Updates the following dependencies to resolve security vulnerabilities:

  • webrick from 1.8.1 to 1.8.2 (fixes CVE-2024-47220)
  • rexml from 3.2.5 to 3.3.9 (fixes CVE-2024-49761)

Fixes #9115

crStiv avatar Jan 05 '25 00:01 crStiv

File Gemfile

Requires 2 more reviewers from @g11tech, @lightclient, @samwilsn, @xinbenlv

File Gemfile.lock

Requires 2 more reviewers from @g11tech, @lightclient, @samwilsn, @xinbenlv

File README.md

Requires 2 more reviewers from @g11tech, @lightclient, @samwilsn, @xinbenlv

eth-bot avatar Jan 05 '25 00:01 eth-bot

While webrick 1.8.2 addresses the vulnerability, the maintainers have mentioned that webrick is not intended for production - ruby/webrick#145 (comment)

@SkandaBhat Thanks for pointing this out!

As webrick is used only for local development here in the EIPs repo, just for preview purposes, and it's not production-ready, I think it still helps keep dev environments secure.

I could add a quick note in the docs about webrick's limitations if you think that would be helpful?

crStiv avatar Mar 23 '25 16:03 crStiv

The commit a125e8b57f9947325d7118dc2a4935acacea7946 (as a parent of ad3ba9609c70318df1057aaacfbfa9fbe31dbac8) contains errors. Please inspect the Run Summary for details.

github-actions[bot] avatar May 21 '25 14:05 github-actions[bot]

You'll need to regenerate the Gemfile.lock before this'll merge.

SamWilsn avatar May 21 '25 14:05 SamWilsn
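An added check (example code, not part of the EIPs repository or this PR) that parses a Gemfile.lock and reports gems locked below the versions the PR description lists as fixed, which is a quick way to confirm a regenerated lockfile actually picked up the patched releases. The lockfile fragment, the helper names and the minimum-version table are constructed from the versions quoted in the PR.

```ruby
# Added example: flag gems in a Gemfile.lock locked below a fixed version.
require "rubygems"

# Minimum versions quoted in the PR description (CVE ids from the PR text).
MINIMUM_SAFE_VERSIONS = {
  "webrick" => Gem::Version.new("1.8.2"), # CVE-2024-47220
  "rexml"   => Gem::Version.new("3.3.9"), # CVE-2024-49761
}.freeze

# Parses every "specs:" block of a Gemfile.lock into { name => Gem::Version }.
# Resolved gems sit at a four-space indent; deeper lines are dependency
# constraints and are ignored. Any platform suffix (e.g. "-x86_64-linux")
# is dropped so only the numeric version is compared.
def parse_lockfile_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.start_with?("  specs:")
      in_specs = true
      next
    end
    # A blank line or a new top-level section (GEM, PLATFORMS, ...) ends the block.
    in_specs = false if line.strip.empty? || line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([0-9][0-9.]*)/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# Returns { name => [locked, minimum] } for gems locked below the minimum.
def vulnerable_gems(lock_text, minimums = MINIMUM_SAFE_VERSIONS)
  specs = parse_lockfile_specs(lock_text)
  minimums.each_with_object({}) do |(name, min), out|
    locked = specs[name]
    out[name] = [locked.to_s, min.to_s] if locked && locked < min
  end
end

# Constructed lockfile fragment mirroring the "before" versions in the PR.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rexml (3.2.5)
      webrick (1.8.1)

  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  vulnerable_gems(SAMPLE_LOCK).each do |name, (locked, min)|
    puts "#{name} #{locked} is below the fixed version #{min}"
  end
end
```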

There has been no activity on this issue for six months. It will be closed in 7 days if there is no new activity. If you would like to move this PR forward, please respond to any outstanding feedback or add a comment indicating that you have addressed all required feedback and are ready for a review.

github-actions[bot] avatar Nov 21 '25 00:11 github-actions[bot]