
Version bump to 4.7.2 to resolve vulnerabilities

Open · ajermaky opened this issue 4 years ago · 1 comment

Hi! I wanted to propose that a 4.7.2 release be done to address some of the security issues that are present in 4.7.1. I believe main branch has already resolved most of them, but it's just not part of the official release. Not sure what the release lifecycle is like, but if there are any roadblocks, like updating packages, etc., happy to help here!

ajermaky avatar Nov 10 '21 19:11 ajermaky

This seems critical. Any blocker that you need help resolving, so we can get a patch out for this?

[Screenshot attached: "Screenshot 2022-06-23 at 08 46 20"]

https://github.com/advisories/GHSA-f2jv-r9rf-7988

Nederby avatar Jun 23 '22 06:06 Nederby

This is finally fixed in v8. Sorry for the wait

oscb avatar Sep 12 '22 23:09 oscb

@oscb As per your comment, critical vuln was fixed in 8.x.x. But what about users who are using v7 and not ready to migrate yet? There should be a release for v7.4.2 that fixes this.

Sparkenstein avatar Apr 25 '23 17:04 Sparkenstein

@Sparkenstein I know this is not a great answer but I'm going to be honest. v7 doesn't build and it's poorly documented internally. I bet it's just a matter of redoing the updates of the packages between v7.4.1 and the latest version but at this point we just don't have the resources to go and fix it.

I would be happy to review any PR for v7 and trigger a release.

oscb avatar Apr 25 '23 17:04 oscb