[Systems] Fwd: [GitHub] Your Dependabot alerts for the week of Jul 6 - Jul 13

Chihurumnaya Ibiam ibiam at sugarlabs.org
Tue Jul 13 19:47:58 EDT 2021


Done.

-- 

Ibiam Chihurumnaya
ibiam at sugarlabs.org



On Tue, Jul 13, 2021 at 8:58 PM Bernie Innocenti <bernie at codewiz.org> wrote:

> I'm seeing a high-severity security bug in the version of grunt that
> we're using for the website. Could someone please upgrade?
>
>
> -------- Forwarded Message --------
> Subject:        [GitHub] Your Dependabot alerts for the week of Jul 6 -
> Jul 13
> Date:   Tue, 13 Jul 2021 16:46:56 +0000 (UTC)
> From:   GitHub <noreply at github.com>
> To:     Bernie Innocenti <bernie at codewiz.org>
>
>
>
> Dependabot alerts on GitHub
>
> GitHub <https://github.com> security alert digest
>
> *codewiz’s* repository security updates from the week of *Jul 6 - Jul 13*
>
> Sugar Labs organization <https://github.com/sugarlabs>
>
> sugarlabs / *sugar-web* <https://github.com/sugarlabs/sugar-web>
> Known security vulnerabilities detected
>
> Dependency grunt | Version < 1.3.0 | Upgrade to ~> 1.3.0
> Defined in package.json
> Vulnerabilities: CVE-2020-7729 (High severity)
>
> Review all vulnerable dependencies
> <https://github.com/sugarlabs/sugar-web/security/dependabot>
>
> sugarlabs / *sugar-gitbot* <https://github.com/sugarlabs/sugar-gitbot>
> Known security vulnerabilities detected
>
> Dependency express | Version < 3.11.0 | Upgrade to ~> 3.11.0
> Defined in package.json
> Vulnerabilities: CVE-2014-6393 (Moderate severity)
>
> Review all vulnerable dependencies
> <https://github.com/sugarlabs/sugar-gitbot/security/dependabot>
>
> sugarlabs / *www-sugarlabs* <https://github.com/sugarlabs/www-sugarlabs>
> Known security vulnerabilities detected
>
> Dependency kramdown | Version < 2.3.0 | Upgrade to ~> 2.3.0
> Defined in Gemfile.lock
> Vulnerabilities: CVE-2020-14001 (High severity), CVE-2021-28834 (High severity)
>
> Dependency nokogiri | Version < 1.11.4 | Upgrade to ~> 1.11.4
> Defined in Gemfile.lock
> Suggested update #334 <https://github.com/sugarlabs/www-sugarlabs/pull/334>
> Vulnerabilities: GHSA-7rrm-v45f-jp64 (Moderate severity)
>
> Dependency addressable | Version > 2.3.0 <= 2.7.0 | Upgrade to ~> 2.8.0
> Defined in Gemfile.lock
> Vulnerabilities: CVE-2021-32740 (High severity)
>
> Review all vulnerable dependencies
> <https://github.com/sugarlabs/www-sugarlabs/security/dependabot>
>
> sugarlabs / *musicblocks* <https://github.com/sugarlabs/musicblocks>
> Known security vulnerabilities detected
>
> Dependency is-svg | Version >= 2.1.0 < 4.2.2 | Upgrade to ~> 4.2.2
> Defined in package-lock.json
> Vulnerabilities: CVE-2021-28092 (High severity)
>
> Dependency hosted-git-info | Version < 2.8.9 | Upgrade to ~> 2.8.9
> Defined in package-lock.json
> Suggested update #2945 <https://github.com/sugarlabs/musicblocks/pull/2945>
> Vulnerabilities: CVE-2021-23362 (Moderate severity)
>
> Dependency trim-newlines | Version < 3.0.1 | Upgrade to ~> 3.0.1
> Defined in package-lock.json
> Vulnerabilities: CVE-2021-33623 (High severity)
>
> Dependency glob-parent | Version < 5.1.2 | Upgrade to ~> 5.1.2
> Defined in package-lock.json
> Vulnerabilities: CVE-2020-28469 (High severity)
>
> Dependency postcss | Version >= 7.0.0 < 7.0.36 | Upgrade to ~> 7.0.36
> Defined in package-lock.json
> Suggested update #2964 <https://github.com/sugarlabs/musicblocks/pull/2964>
> Vulnerabilities: CVE-2021-23368 (Moderate severity)
>
> Dependency color-string | Version < 1.5.5 | Upgrade to ~> 1.5.5
> Defined in package-lock.json
> Suggested update #2967 <https://github.com/sugarlabs/musicblocks/pull/2967>
> Vulnerabilities: CVE-2021-29060 (Moderate severity)
>
> Review all vulnerable dependencies
> <https://github.com/sugarlabs/musicblocks/security/dependabot>
>
> sugarlabs / *edit-fonts-activity* <https://github.com/sugarlabs/edit-fonts-activity>
> Known security vulnerabilities detected
>
> Dependency underscore | Version >= 1.3.2 < 1.12.1 | Upgrade to ~> 1.12.1
> Defined in underscore.js
> Vulnerabilities: CVE-2021-23358 (High severity)
>
> Review all vulnerable dependencies
> <https://github.com/sugarlabs/edit-fonts-activity/security/dependabot>
>
> sugarlabs / *aventura-matematica-activity* <https://github.com/sugarlabs/aventura-matematica-activity>
> Known security vulnerabilities detected
>
> Dependency grunt | Version < 1.3.0 | Upgrade to ~> 1.3.0
> Defined in package.json
> Vulnerabilities: CVE-2020-7729 (High severity)
>
> Review all vulnerable dependencies
> <https://github.com/sugarlabs/aventura-matematica-activity/security/dependabot>
>
> sugarlabs / *diamond-fusion-activity* <https://github.com/sugarlabs/diamond-fusion-activity>
> Known security vulnerabilities detected
>
> Dependency grunt | Version < 1.3.0 | Upgrade to ~> 1.3.0
> Defined in package.json
> Vulnerabilities: CVE-2020-7729 (High severity)
>
> Review all vulnerable dependencies
> <https://github.com/sugarlabs/diamond-fusion-activity/security/dependabot>
>
> sugarlabs / *hfoss-sugar-snake* <https://github.com/sugarlabs/hfoss-sugar-snake>
> Known security vulnerabilities detected
>
> Dependency socket.io | Version < 2.4.0 | Upgrade to ~> 2.4.0
> Defined in package.json
> Vulnerabilities: CVE-2020-28481 (Moderate severity)
>
> Review all vulnerable dependencies
> <https://github.com/sugarlabs/hfoss-sugar-snake/security/dependabot>
>
> sugarlabs-infra organization <https://github.com/sugarlabs-infra>
>
> sugarlabs-infra / *helios-server* <https://github.com/sugarlabs-infra/helios-server>
> Known security vulnerabilities detected
>
> Dependency gunicorn | Version < 19.5.0 | Upgrade to ~> 19.5.0
> Defined in requirements.txt
> Vulnerabilities: CVE-2018-1000164 (Moderate severity)
>
> Dependency requests | Version <= 2.19.1 | Upgrade to ~> 2.20.0
> Defined in requirements.txt
> Vulnerabilities: CVE-2018-18074 (Moderate severity)
>
> Dependency django | Version < 1.11.18 | Upgrade to ~> 1.11.18
> Defined in requirements.txt
> Vulnerabilities: CVE-2020-9402 (High severity), CVE-2021-33203 (High severity),
> CVE-2019-3498 (Low severity), CVE-2019-6975 (Moderate severity),
> CVE-2019-19844 (Moderate severity)
> View 1 more <https://github.com/sugarlabs-infra/helios-server/security/dependabot/requirements.txt/django/open>
>
> Dependency bleach | Version < 3.1.1 | Upgrade to ~> 3.1.1
> Defined in requirements.txt
> Vulnerabilities: CVE-2020-6802 (Moderate severity), CVE-2020-6816 (Moderate severity),
> CVE-2020-6817 (Moderate severity), CVE-2021-23980 (Moderate severity)
>
> Review all vulnerable dependencies
> <https://github.com/sugarlabs-infra/helios-server/security/dependabot>
>
> Always verify the validity and compatibility of suggestions with your
> codebase.
>
> _______________________________________________
> Systems mailing list
> Systems at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/systems
>