[Systems] Fwd: [GitHub] Your Dependabot alerts for the week of Jul 6 - Jul 13

Bernie Innocenti bernie at codewiz.org
Tue Jul 13 15:58:41 EDT 2021


I'm seeing a high-severity security bug in the version of grunt that 
we're using for the website. Could someone please upgrade?


-------- Forwarded Message --------
Subject: [GitHub] Your Dependabot alerts for the week of Jul 6 - Jul 13
Date: Tue, 13 Jul 2021 16:46:56 +0000 (UTC)
From: GitHub <noreply at github.com>
To: Bernie Innocenti <bernie at codewiz.org>



GitHub security alert digest <https://github.com>

codewiz's repository security updates from the week of Jul 6 - Jul 13

Sugar Labs organization <https://github.com/sugarlabs>

sugarlabs / sugar-web <https://github.com/sugarlabs/sugar-web>

Known security vulnerabilities detected

Dependency: grunt
Version: < 1.3.0
Upgrade to: ~> 1.3.0
Defined in: package.json
Vulnerabilities:
  CVE-2020-7729 (High severity)

Review all vulnerable dependencies
<https://github.com/sugarlabs/sugar-web/security/dependabot>

sugarlabs / sugar-gitbot <https://github.com/sugarlabs/sugar-gitbot>

Known security vulnerabilities detected

Dependency: express
Version: < 3.11.0
Upgrade to: ~> 3.11.0
Defined in: package.json
Vulnerabilities:
  CVE-2014-6393 (Moderate severity)

Review all vulnerable dependencies
<https://github.com/sugarlabs/sugar-gitbot/security/dependabot>

sugarlabs / www-sugarlabs <https://github.com/sugarlabs/www-sugarlabs>

Known security vulnerabilities detected

Dependency: kramdown
Version: < 2.3.0
Upgrade to: ~> 2.3.0
Defined in: Gemfile.lock
Vulnerabilities:
  CVE-2020-14001 (High severity)
  CVE-2021-28834 (High severity)

Dependency: nokogiri
Version: < 1.11.4
Upgrade to: ~> 1.11.4
Defined in: Gemfile.lock
Suggested update: #334 <https://github.com/sugarlabs/www-sugarlabs/pull/334>
Vulnerabilities:
  GHSA-7rrm-v45f-jp64 (Moderate severity)

Dependency: addressable
Version: > 2.3.0 <= 2.7.0
Upgrade to: ~> 2.8.0
Defined in: Gemfile.lock
Vulnerabilities:
  CVE-2021-32740 (High severity)

Review all vulnerable dependencies
<https://github.com/sugarlabs/www-sugarlabs/security/dependabot>

sugarlabs / musicblocks <https://github.com/sugarlabs/musicblocks>

Known security vulnerabilities detected

Dependency: is-svg
Version: >= 2.1.0 < 4.2.2
Upgrade to: ~> 4.2.2
Defined in: package-lock.json
Vulnerabilities:
  CVE-2021-28092 (High severity)

Dependency: hosted-git-info
Version: < 2.8.9
Upgrade to: ~> 2.8.9
Defined in: package-lock.json
Suggested update: #2945 <https://github.com/sugarlabs/musicblocks/pull/2945>
Vulnerabilities:
  CVE-2021-23362 (Moderate severity)

Dependency: trim-newlines
Version: < 3.0.1
Upgrade to: ~> 3.0.1
Defined in: package-lock.json
Vulnerabilities:
  CVE-2021-33623 (High severity)

Dependency: glob-parent
Version: < 5.1.2
Upgrade to: ~> 5.1.2
Defined in: package-lock.json
Vulnerabilities:
  CVE-2020-28469 (High severity)

Dependency: postcss
Version: >= 7.0.0 < 7.0.36
Upgrade to: ~> 7.0.36
Defined in: package-lock.json
Suggested update: #2964 <https://github.com/sugarlabs/musicblocks/pull/2964>
Vulnerabilities:
  CVE-2021-23368 (Moderate severity)

Dependency: color-string
Version: < 1.5.5
Upgrade to: ~> 1.5.5
Defined in: package-lock.json
Suggested update: #2967 <https://github.com/sugarlabs/musicblocks/pull/2967>
Vulnerabilities:
  CVE-2021-29060 (Moderate severity)

Review all vulnerable dependencies
<https://github.com/sugarlabs/musicblocks/security/dependabot>

sugarlabs / edit-fonts-activity <https://github.com/sugarlabs/edit-fonts-activity>

Known security vulnerabilities detected

Dependency: underscore
Version: >= 1.3.2 < 1.12.1
Upgrade to: ~> 1.12.1
Defined in: underscore.js
Vulnerabilities:
  CVE-2021-23358 (High severity)

Review all vulnerable dependencies
<https://github.com/sugarlabs/edit-fonts-activity/security/dependabot>

sugarlabs / aventura-matematica-activity <https://github.com/sugarlabs/aventura-matematica-activity>

Known security vulnerabilities detected

Dependency: grunt
Version: < 1.3.0
Upgrade to: ~> 1.3.0
Defined in: package.json
Vulnerabilities:
  CVE-2020-7729 (High severity)

Review all vulnerable dependencies
<https://github.com/sugarlabs/aventura-matematica-activity/security/dependabot>


sugarlabs / diamond-fusion-activity <https://github.com/sugarlabs/diamond-fusion-activity>

Known security vulnerabilities detected

Dependency: grunt
Version: < 1.3.0
Upgrade to: ~> 1.3.0
Defined in: package.json
Vulnerabilities:
  CVE-2020-7729 (High severity)

Review all vulnerable dependencies
<https://github.com/sugarlabs/diamond-fusion-activity/security/dependabot>

sugarlabs / hfoss-sugar-snake <https://github.com/sugarlabs/hfoss-sugar-snake>

Known security vulnerabilities detected

Dependency: socket.io
Version: < 2.4.0
Upgrade to: ~> 2.4.0
Defined in: package.json
Vulnerabilities:
  CVE-2020-28481 (Moderate severity)

Review all vulnerable dependencies
<https://github.com/sugarlabs/hfoss-sugar-snake/security/dependabot>

sugarlabs-infra organization <https://github.com/sugarlabs-infra>

sugarlabs-infra / helios-server <https://github.com/sugarlabs-infra/helios-server>

Known security vulnerabilities detected

Dependency: gunicorn
Version: < 19.5.0
Upgrade to: ~> 19.5.0
Defined in: requirements.txt
Vulnerabilities:
  CVE-2018-1000164 (Moderate severity)

Dependency: requests
Version: <= 2.19.1
Upgrade to: ~> 2.20.0
Defined in: requirements.txt
Vulnerabilities:
  CVE-2018-18074 (Moderate severity)

Dependency: django
Version: < 1.11.18
Upgrade to: ~> 1.11.18
Defined in: requirements.txt
Vulnerabilities:
  CVE-2020-9402 (High severity)
  CVE-2021-33203 (High severity)
  CVE-2019-3498 (Low severity)
  CVE-2019-6975 (Moderate severity)
  CVE-2019-19844 (Moderate severity)
  View 1 more
  <https://github.com/sugarlabs-infra/helios-server/security/dependabot/requirements.txt/django/open>

Dependency: bleach
Version: < 3.1.1
Upgrade to: ~> 3.1.1
Defined in: requirements.txt
Vulnerabilities:
  CVE-2020-6802 (Moderate severity)
  CVE-2020-6816 (Moderate severity)
  CVE-2020-6817 (Moderate severity)
  CVE-2021-23980 (Moderate severity)

Review all vulnerable dependencies
<https://github.com/sugarlabs-infra/helios-server/security/dependabot>

Always verify the validity and compatibility of suggestions with your 
codebase.
