From bernie at codewiz.org Tue Jul 13 15:58:41 2021
From: bernie at codewiz.org (Bernie Innocenti)
Date: Tue, 13 Jul 2021 21:58:41 +0200
Subject: [Systems] Fwd: [GitHub] Your Dependabot alerts for the week of Jul 6 - Jul 13
In-Reply-To: <60edc38061540_1373c710492ec@github-lowworker-39b4a70.va3-iad.github.net.mail>
References: <60edc38061540_1373c710492ec@github-lowworker-39b4a70.va3-iad.github.net.mail>
Message-ID:

I'm seeing a high-severity security bug in the version of grunt that
we're using for the website. Could someone please upgrade?

-------- Forwarded Message --------
Subject: [GitHub] Your Dependabot alerts for the week of Jul 6 - Jul 13
Date: Tue, 13 Jul 2021 16:46:56 +0000 (UTC)
From: GitHub
To: Bernie Innocenti

Dependabot alerts on GitHub
GitHub security alert digest
codewiz's repository security updates from the week of Jul 6 - Jul 13

Sugar Labs organization
=======================

sugarlabs / sugar-web (known security vulnerabilities detected)
  Dependency: grunt, version < 1.3.0, upgrade to ~> 1.3.0 (defined in package.json)
    CVE-2020-7729 (High severity)

sugarlabs / sugar-gitbot (known security vulnerabilities detected)
  Dependency: express, version < 3.11.0, upgrade to ~> 3.11.0 (defined in package.json)
    CVE-2014-6393 (Moderate severity)

sugarlabs / www-sugarlabs (known security vulnerabilities detected)
  Dependency: kramdown, version < 2.3.0, upgrade to ~> 2.3.0 (defined in Gemfile.lock)
    CVE-2020-14001 (High severity)
    CVE-2021-28834 (High severity)
  Dependency: nokogiri, version < 1.11.4, upgrade to ~> 1.11.4 (defined in Gemfile.lock; suggested update #334)
    GHSA-7rrm-v45f-jp64 (Moderate severity)
  Dependency: addressable, version > 2.3.0 <= 2.7.0, upgrade to ~> 2.8.0 (defined in Gemfile.lock)
    CVE-2021-32740 (High severity)

sugarlabs / musicblocks (known security vulnerabilities detected)
  Dependency: is-svg, version >= 2.1.0 < 4.2.2, upgrade to ~> 4.2.2 (defined in package-lock.json)
    CVE-2021-28092 (High severity)
  Dependency: hosted-git-info, version < 2.8.9, upgrade to ~> 2.8.9 (defined in package-lock.json; suggested update #2945)
    CVE-2021-23362 (Moderate severity)
  Dependency: trim-newlines, version < 3.0.1, upgrade to ~> 3.0.1 (defined in package-lock.json)
    CVE-2021-33623 (High severity)
  Dependency: glob-parent, version < 5.1.2, upgrade to ~> 5.1.2 (defined in package-lock.json)
    CVE-2020-28469 (High severity)
  Dependency: postcss, version >= 7.0.0 < 7.0.36, upgrade to ~> 7.0.36 (defined in package-lock.json; suggested update #2964)
    CVE-2021-23368 (Moderate severity)
  Dependency: color-string, version < 1.5.5, upgrade to ~> 1.5.5 (defined in package-lock.json; suggested update #2967)
    CVE-2021-29060 (Moderate severity)

sugarlabs / edit-fonts-activity (known security vulnerabilities detected)
  Dependency: underscore, version >= 1.3.2 < 1.12.1, upgrade to ~> 1.12.1 (defined in underscore.js)
    CVE-2021-23358 (High severity)

sugarlabs / aventura-matematica-activity (known security vulnerabilities detected)
  Dependency: grunt, version < 1.3.0, upgrade to ~> 1.3.0 (defined in package.json)
    CVE-2020-7729 (High severity)
  Review all vulnerable dependencies: https://github.com/sugarlabs/aventura-matematica-activity/security/dependabot

sugarlabs / diamond-fusion-activity (known security vulnerabilities detected)
  Dependency: grunt, version < 1.3.0, upgrade to ~> 1.3.0 (defined in package.json)
    CVE-2020-7729 (High severity)

sugarlabs / hfoss-sugar-snake (known security vulnerabilities detected)
  Dependency: socket.io, version < 2.4.0, upgrade to ~> 2.4.0 (defined in package.json)
    CVE-2020-28481 (Moderate severity)

sugarlabs-infra organization
============================

sugarlabs-infra / helios-server (known security vulnerabilities detected)
  Dependency: gunicorn, version < 19.5.0, upgrade to ~> 19.5.0 (defined in requirements.txt)
    CVE-2018-1000164 (Moderate severity)
  Dependency: requests, version <= 2.19.1, upgrade to ~> 2.20.0 (defined in requirements.txt)
    CVE-2018-18074 (Moderate severity)
  Dependency: django, version < 1.11.18, upgrade to ~> 1.11.18 (defined in requirements.txt)
    CVE-2020-9402 (High severity)
    CVE-2021-33203 (High severity)
    CVE-2019-3498 (Low severity)
    CVE-2019-6975 (Moderate severity)
    CVE-2019-19844 (Moderate severity)
    View 1 more: https://github.com/sugarlabs-infra/helios-server/security/dependabot/requirements.txt/django/open
  Dependency: bleach, version < 3.1.1, upgrade to ~> 3.1.1 (defined in requirements.txt)
    CVE-2020-6802 (Moderate severity)
    CVE-2020-6816 (Moderate severity)
    CVE-2020-6817 (Moderate severity)
    CVE-2021-23980 (Moderate severity)

Always verify the validity and compatibility of suggestions with your codebase.

------------------------------------------------------------------------
Change how you receive security alert emails in your notification preferences.
Unsubscribe · Email preferences · Terms · Privacy · Sign into GitHub
GitHub, Inc. 88 Colin P Kelly Jr St. San Francisco, CA 94107

From ibiam at sugarlabs.org Tue Jul 13 19:47:58 2021
From: ibiam at sugarlabs.org (Chihurumnaya Ibiam)
Date: Wed, 14 Jul 2021 00:47:58 +0100
Subject: [Systems] Fwd: [GitHub] Your Dependabot alerts for the week of Jul 6 - Jul 13
In-Reply-To:
References: <60edc38061540_1373c710492ec@github-lowworker-39b4a70.va3-iad.github.net.mail>
Message-ID:

Done.
--
Ibiam Chihurumnaya
ibiam at sugarlabs.org

On Tue, Jul 13, 2021 at 8:58 PM Bernie Innocenti wrote:
> I'm seeing a high-severity security bug in the version of grunt that
> we're using for the website. Could someone please upgrade?
>
> [...]
>
> _______________________________________________
> Systems mailing list
> Systems at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/systems
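The digest in the first message lists each dependency with an affected version range and a suggested upgrade, and its own footer says to verify the suggestion against the codebase. The Python script below is an added example, not code from Sugar Labs, GitHub or Dependabot: it evaluates the range expressions exactly as the digest prints them (`< 1.3.0`, `>= 2.1.0 < 4.2.2`, `> 2.3.0 <= 2.7.0`, and the suggested `~> X.Y.Z`) against a set of pinned versions, so a maintainer can confirm locally that a pinned version really falls inside the affected range and that the proposed target escapes it. The advisory entries are copied from the digest; the pinned versions are constructed for illustration and are not the contents of any Sugar Labs lockfile, and reading `~>` as Bundler's pessimistic operator (`>= X.Y.Z` and `< X.(Y+1)`) is an assumption about the digest's notation.

```python
"""Check pinned dependency versions against the affected ranges printed in
a Dependabot digest.  Added example: the advisory entries are copied from
the digest in this thread; the pinned versions are constructed and are not
the contents of any Sugar Labs lockfile."""
import re

# Advisory ranges as printed in the digest: name -> (affected, suggested upgrade)
ADVISORIES = {
    "grunt":       ("< 1.3.0",          "~> 1.3.0"),
    "is-svg":      (">= 2.1.0 < 4.2.2", "~> 4.2.2"),
    "addressable": ("> 2.3.0 <= 2.7.0", "~> 2.8.0"),
    "requests":    ("<= 2.19.1",        "~> 2.20.0"),
    "django":      ("< 1.11.18",        "~> 1.11.18"),
}

# Constructed sample of pinned versions, as a lockfile would give them
PINNED = {
    "grunt": "1.0.4",
    "is-svg": "4.2.1",
    "addressable": "2.3.0",   # boundary case: "> 2.3.0" excludes it
    "requests": "2.20.0",
    "django": "1.11.17",
}

# One clause of a range expression: operator followed by a dotted version
_CLAUSE = re.compile(r"(~>|<=|>=|<|>|=)\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'1.11.18' -> (1, 11, 18).  Only the numeric core is compared; a
    pre-release or build suffix such as '-beta.1' is ignored."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def compare(a, b):
    """Three-way compare of version tuples, zero-padded so (1, 3) == (1, 3, 0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version, spec):
    """True if `version` satisfies every clause of `spec` (clauses are ANDed,
    as in '>= 2.1.0 < 4.2.2').  '~> X.Y.Z' is read as the pessimistic
    constraint '>= X.Y.Z and < X.(Y+1)'; this reading of the digest's
    notation (Bundler's operator) is an assumption of this example."""
    v = parse_version(version)
    clauses = _CLAUSE.findall(spec)
    if not clauses:
        raise ValueError(f"no version clauses in {spec!r}")
    for op, bound in clauses:
        b = parse_version(bound)
        if op == "~>":
            upper = (b[0] + 1,) if len(b) == 1 else b[:-2] + (b[-2] + 1,)
            ok = compare(v, b) >= 0 and compare(v, upper) < 0
        else:
            c = compare(v, b)
            ok = {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c == 0}[op]
        if not ok:
            return False
    return True


def audit(pinned, advisories=ADVISORIES):
    """Map each pinned dependency that has an advisory to 'vulnerable' or 'ok'."""
    return {
        name: ("vulnerable" if in_range(version, advisories[name][0]) else "ok")
        for name, version in pinned.items()
        if name in advisories
    }


def upgrade_clears(name, target, advisories=ADVISORIES):
    """Sanity-check a candidate upgrade: it must satisfy the digest's
    suggested constraint and fall outside the affected range."""
    affected, suggested = advisories[name]
    return in_range(target, suggested) and not in_range(target, affected)


if __name__ == "__main__":
    for name, status in audit(PINNED).items():
        print(f"{name:12} {PINNED[name]:10} {status}")
    print("grunt 1.3.0 clears its advisory:", upgrade_clears("grunt", "1.3.0"))
```

Run it against the real pins by replacing PINNED with the versions taken from package-lock.json, Gemfile.lock or requirements.txt; the boundary entries (addressable at exactly 2.3.0, requests at 2.20.0) show why the operator on each side of a range matters when deciding whether an upgrade is actually required.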