Three known security vulnerabilities in JavaScript dependencies

Question

Three known security vulnerabilities in JavaScript dependencies

Closed this issue 6 years ago · 2 comments

DilumAluthge commented 6 years ago

There are three known security vulnerabilities in JavaScript dependencies specified in this repository:

docs/Gemfile.lock specifies ffi version 1.9.21. There is a known vulnerability in this version: CVE-2018-1000201. The recommendation is to upgrade to ffi version 1.9.24.
docs/Gemfile.lock specifies rubyzip version 1.2.1. There is a known vulnerability in this version: CVE-2018-1000544. The recommendation is to upgrade to rubyzip version 1.2.2.
docs/Gemfile.lock specifies jekyll version 3.6.2. There is a known vulnerability in this version: CVE-2018-17567. The recommendation is to upgrade to jekyll version 3.6.3.

Can we update Gemfile.lock to specify appropriately recent versions of these dependencies?

cc: @randyzwitch

Answer 1 · 2018-10-06T12:06:43.000Z

The Jekyll environment used to build documentation has nothing to do with the Julia package itself

Answer 2 · 2018-10-06T20:22:47.000Z

I agree, the Jekyll environment is not part of the Julia package. But it is still part of this GitHub repo. There is no vulnerability in the Julia package. But if anyone clones this GitHub repo and builds the docs locally, they are still susceptible.

…

On Sat, Oct 6, 2018 at 08:06 Randy Zwitch ***@***.***> wrote: The Jekyll environment used to build documentation has nothing to do with the Julia package itself — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#67 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFXAreDIcgAIvzEVyvNBTAp4aHvsm8BZks5uiJzTgaJpZM4XLIAH> .