
New patch release with CVE fixes

Open nathanlaceyraft opened this issue 10 months ago • 3 comments

Would it be possible to get a patch release with the CVE fixes?

https://github.com/terrastruct/d2/pull/2383 and https://github.com/terrastruct/d2/pull/2381

thanks

nathanlaceyraft avatar Feb 26 '25 17:02 nathanlaceyraft

Do these actually have material impact? I'm genuinely curious, does using the software without these patches pose safety concerns for you? Or is there some other external requirement?

alixander avatar Mar 02 '25 06:03 alixander

Some scanners like Trivy don't use modern govulncheck, and as such can have 'false alarms', i.e. say something is a CVE that isn't actually being called.

But the 2 patches that have been merged represent actually possible vulnerabilities, as listed by govulncheck (i.e. the code path is actually called).

Once I get a patch version of d2, then I need to work with yuzutech/kroki to update d2.

FYI, if you were creating a library only, third-party users of your package should be able to update patch releases locally... but when you deliver a binary, there isn't any other way to resolve CVEs (short of forking the repo).

Thanks for creating/maintaining software for the community!

nathanlaceyraft avatar Mar 02 '25 17:03 nathanlaceyraft

Also, like I was showing in https://github.com/terrastruct/d2/pull/2381, you could make GitHub automatically create PRs to help your project stay free of CVEs by enabling Dependabot.

Thanks

nathanlaceyraft avatar Mar 02 '25 17:03 nathanlaceyraft
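The Dependabot setup mentioned in the thread, as an added example that is not part of the issue or of the d2 repository: a `.github/dependabot.yml` that makes GitHub open pull requests for Go module updates (including security advisories) and for the GitHub Actions used in the workflows. It assumes the Go module lives at the repository root and that weekly cadence is acceptable; both are assumptions, not something the thread states.

```yaml
# .github/dependabot.yml (added example; assumes go.mod sits at the repo root)
version: 2
updates:
  # Keep Go dependencies current; security advisories for Go modules
  # produce PRs regardless of the schedule below.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    # Group routine minor/patch bumps into one PR to reduce review noise;
    # security updates still arrive as their own PRs.
    groups:
      go-minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # Pin and update the actions used by CI workflows as well, since a
  # compromised or outdated action is part of the same supply chain.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

A Dependabot PR only moves the version in `go.mod`/`go.sum`; whether the flagged code path is actually reachable is still worth confirming with `govulncheck ./...` before deciding how urgently to cut a release, which is the distinction between reachability-aware and manifest-only scanners drawn above.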