<div dir="ltr">Done.<br clear="all"><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><pre style="color:rgb(46,52,54);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px"><span style="font-family:monospace,monospace">-- <br></span></pre><div style="color:rgb(46,52,54);font-size:14.6667px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;width:71ch"><span style="font-family:monospace,monospace"><span></span><span></span>Ibiam Chihurumnaya</span></div><div style="color:rgb(46,52,54);font-size:14.6667px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;width:71ch"><span style="font-family:monospace,monospace"><a href="mailto:ibiam@sugarlabs.org" target="_blank">ibiam@sugarlabs.org</a><br></span></div><br></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 13, 2021 at 8:58 PM Bernie Innocenti <<a href="mailto:bernie@codewiz.org">bernie@codewiz.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I'm seeing a high-severity security bug in the version of grunt that <br>
we're using for the website. Could someone please upgrade?<br>
<br>
<br>
-------- Forwarded Message --------<br>
Subject:        [GitHub] Your Dependabot alerts for the week of Jul 6 - Jul 13<br>
Date:   Tue, 13 Jul 2021 16:46:56 +0000 (UTC)<br>
From:   GitHub <<a href="mailto:noreply@github.com" target="_blank">noreply@github.com</a>><br>
To:     Bernie Innocenti <<a href="mailto:bernie@codewiz.org" target="_blank">bernie@codewiz.org</a>><br>
<br>
<br>
<br>
Dependabot alerts on GitHub<br>
<br>
<br>
<br>
  GitHub <<a href="https://github.com" rel="noreferrer" target="_blank">https://github.com</a>> security alert digest<br>
<br>
*codewiz’s* repository security updates from the week of *Jul 6 - Jul 13*<br>
<br>
<br>
      Sugar Labs organization <<a href="https://github.com/sugarlabs" rel="noreferrer" target="_blank">https://github.com/sugarlabs</a>><br>
<br>
Warning!        <br>
<br>
<br>
      sugarlabs / *sugar-web* <<a href="https://github.com/sugarlabs/sugar-web" rel="noreferrer" target="_blank">https://github.com/sugarlabs/sugar-web</a>><br>
<br>
Known security vulnerabilities detected<br>
<br>
Dependency grunt        Version < 1.3.0         Upgrade to ~> 1.3.0<br>
Defined in package.json<br>
Vulnerabilities<br>
CVE-2020-7729 High severity<br>
<br>
<br>
<br>
Review all vulnerable dependencies <br>
<<a href="https://github.com/sugarlabs/sugar-web/security/dependabot" rel="noreferrer" target="_blank">https://github.com/sugarlabs/sugar-web/security/dependabot</a>><br>
<br>
Warning!        <br>
<br>
<br>
      sugarlabs / *sugar-gitbot*<br>
      <<a href="https://github.com/sugarlabs/sugar-gitbot" rel="noreferrer" target="_blank">https://github.com/sugarlabs/sugar-gitbot</a>><br>
<br>
Known security vulnerabilities detected<br>
<br>
Dependency express      Version < 3.11.0        Upgrade to ~> 3.11.0<br>
Defined in package.json<br>
Vulnerabilities<br>
CVE-2014-6393 Moderate severity<br>
<br>
<br>
<br>
Review all vulnerable dependencies <br>
<<a href="https://github.com/sugarlabs/sugar-gitbot/security/dependabot" rel="noreferrer" target="_blank">https://github.com/sugarlabs/sugar-gitbot/security/dependabot</a>><br>
<br>
Warning!        <br>
<br>
<br>
      sugarlabs / *www-sugarlabs*<br>
      <<a href="https://github.com/sugarlabs/www-sugarlabs" rel="noreferrer" target="_blank">https://github.com/sugarlabs/www-sugarlabs</a>><br>
<br>
Known security vulnerabilities detected<br>
<br>
Dependency kramdown     Version < 2.3.0         Upgrade to ~> 2.3.0<br>
Defined in Gemfile.lock<br>
Vulnerabilities<br>
CVE-2020-14001 High severity<br>
CVE-2021-28834 High severity<br>
<br>
Dependency nokogiri     Version < 1.11.4        Upgrade to ~> 1.11.4<br>
Defined in Gemfile.lock         Suggested update #334 <br>
<<a href="https://github.com/sugarlabs/www-sugarlabs/pull/334" rel="noreferrer" target="_blank">https://github.com/sugarlabs/www-sugarlabs/pull/334</a>><br>
Vulnerabilities<br>
GHSA-7rrm-v45f-jp64 Moderate severity<br>
<br>
Dependency addressable  Version > 2.3.0 <= 2.7.0        Upgrade to ~> 2.8.0<br>
Defined in Gemfile.lock<br>
Vulnerabilities<br>
CVE-2021-32740 High severity<br>
<br>
<br>
<br>
Review all vulnerable dependencies <br>
<<a href="https://github.com/sugarlabs/www-sugarlabs/security/dependabot" rel="noreferrer" target="_blank">https://github.com/sugarlabs/www-sugarlabs/security/dependabot</a>><br>
<br>
Warning!        <br>
<br>
<br>
      sugarlabs / *musicblocks* <<a href="https://github.com/sugarlabs/musicblocks" rel="noreferrer" target="_blank">https://github.com/sugarlabs/musicblocks</a>><br>
<br>
Known security vulnerabilities detected<br>
<br>
Dependency is-svg       Version >= 2.1.0 < 4.2.2        Upgrade to ~> 4.2.2<br>
Defined in package-lock.json<br>
Vulnerabilities<br>
CVE-2021-28092 High severity<br>
<br>
Dependency hosted-git-info      Version < 2.8.9         Upgrade to ~> 2.8.9<br>
Defined in package-lock.json    Suggested update #2945 <br>
<<a href="https://github.com/sugarlabs/musicblocks/pull/2945" rel="noreferrer" target="_blank">https://github.com/sugarlabs/musicblocks/pull/2945</a>><br>
Vulnerabilities<br>
CVE-2021-23362 Moderate severity<br>
<br>
Dependency trim-newlines        Version < 3.0.1         Upgrade to ~> 3.0.1<br>
Defined in package-lock.json<br>
Vulnerabilities<br>
CVE-2021-33623 High severity<br>
<br>
Dependency glob-parent  Version < 5.1.2         Upgrade to ~> 5.1.2<br>
Defined in package-lock.json<br>
Vulnerabilities<br>
CVE-2020-28469 High severity<br>
<br>
Dependency postcss      Version >= 7.0.0 < 7.0.36       Upgrade to ~> 7.0.36<br>
Defined in package-lock.json    Suggested update #2964 <br>
<<a href="https://github.com/sugarlabs/musicblocks/pull/2964" rel="noreferrer" target="_blank">https://github.com/sugarlabs/musicblocks/pull/2964</a>><br>
Vulnerabilities<br>
CVE-2021-23368 Moderate severity<br>
<br>
Dependency color-string         Version < 1.5.5         Upgrade to ~> 1.5.5<br>
Defined in package-lock.json    Suggested update #2967 <br>
<<a href="https://github.com/sugarlabs/musicblocks/pull/2967" rel="noreferrer" target="_blank">https://github.com/sugarlabs/musicblocks/pull/2967</a>><br>
Vulnerabilities<br>
CVE-2021-29060 Moderate severity<br>
<br>
<br>
<br>
Review all vulnerable dependencies <br>
<<a href="https://github.com/sugarlabs/musicblocks/security/dependabot" rel="noreferrer" target="_blank">https://github.com/sugarlabs/musicblocks/security/dependabot</a>><br>
<br>
Warning!        <br>
<br>
<br>
      sugarlabs / *edit-fonts-activity*<br>
      <<a href="https://github.com/sugarlabs/edit-fonts-activity" rel="noreferrer" target="_blank">https://github.com/sugarlabs/edit-fonts-activity</a>><br>
<br>
Known security vulnerabilities detected<br>
<br>
Dependency underscore   Version >= 1.3.2 < 1.12.1       Upgrade to ~> 1.12.1<br>
Defined in underscore.js<br>
Vulnerabilities<br>
CVE-2021-23358 High severity<br>
<br>
<br>
<br>
Review all vulnerable dependencies <br>
<<a href="https://github.com/sugarlabs/edit-fonts-activity/security/dependabot" rel="noreferrer" target="_blank">https://github.com/sugarlabs/edit-fonts-activity/security/dependabot</a>><br>
<br>
Warning!        <br>
<br>
<br>
      sugarlabs / *aventura-matematica-activity*<br>
      <<a href="https://github.com/sugarlabs/aventura-matematica-activity" rel="noreferrer" target="_blank">https://github.com/sugarlabs/aventura-matematica-activity</a>><br>
<br>
Known security vulnerabilities detected<br>
<br>
Dependency grunt        Version < 1.3.0         Upgrade to ~> 1.3.0<br>
Defined in package.json<br>
Vulnerabilities<br>
CVE-2020-7729 High severity<br>
<br>
<br>
<br>
Review all vulnerable dependencies <br>
<<a href="https://github.com/sugarlabs/aventura-matematica-activity/security/dependabot" rel="noreferrer" target="_blank">https://github.com/sugarlabs/aventura-matematica-activity/security/dependabot</a>> <br>
<br>
<br>
Warning!        <br>
<br>
<br>
      sugarlabs / *diamond-fusion-activity*<br>
      <<a href="https://github.com/sugarlabs/diamond-fusion-activity" rel="noreferrer" target="_blank">https://github.com/sugarlabs/diamond-fusion-activity</a>><br>
<br>
Known security vulnerabilities detected<br>
<br>
Dependency grunt        Version < 1.3.0         Upgrade to ~> 1.3.0<br>
Defined in package.json<br>
Vulnerabilities<br>
CVE-2020-7729 High severity<br>
<br>
<br>
<br>
Review all vulnerable dependencies <br>
<<a href="https://github.com/sugarlabs/diamond-fusion-activity/security/dependabot" rel="noreferrer" target="_blank">https://github.com/sugarlabs/diamond-fusion-activity/security/dependabot</a>><br>
<br>
Warning!        <br>
<br>
<br>
      sugarlabs / *hfoss-sugar-snake*<br>
      <<a href="https://github.com/sugarlabs/hfoss-sugar-snake" rel="noreferrer" target="_blank">https://github.com/sugarlabs/hfoss-sugar-snake</a>><br>
<br>
Known security vulnerabilities detected<br>
<br>
Dependency <a href="http://socket.io" rel="noreferrer" target="_blank">socket.io</a>    Version < 2.4.0         Upgrade to ~> 2.4.0<br>
Defined in package.json<br>
Vulnerabilities<br>
CVE-2020-28481 Moderate severity<br>
<br>
<br>
<br>
Review all vulnerable dependencies <br>
<<a href="https://github.com/sugarlabs/hfoss-sugar-snake/security/dependabot" rel="noreferrer" target="_blank">https://github.com/sugarlabs/hfoss-sugar-snake/security/dependabot</a>><br>
<br>
<br>
      sugarlabs-infra organization <<a href="https://github.com/sugarlabs-infra" rel="noreferrer" target="_blank">https://github.com/sugarlabs-infra</a>><br>
<br>
Warning!        <br>
<br>
<br>
      sugarlabs-infra / *helios-server*<br>
      <<a href="https://github.com/sugarlabs-infra/helios-server" rel="noreferrer" target="_blank">https://github.com/sugarlabs-infra/helios-server</a>><br>
<br>
Known security vulnerabilities detected<br>
<br>
Dependency gunicorn     Version < 19.5.0        Upgrade to ~> 19.5.0<br>
Defined in requirements.txt<br>
Vulnerabilities<br>
CVE-2018-1000164 Moderate severity<br>
<br>
Dependency requests     Version <= 2.19.1       Upgrade to ~> 2.20.0<br>
Defined in requirements.txt<br>
Vulnerabilities<br>
CVE-2018-18074 Moderate severity<br>
<br>
Dependency django       Version < 1.11.18       Upgrade to ~> 1.11.18<br>
Defined in requirements.txt<br>
Vulnerabilities<br>
CVE-2020-9402 High severity<br>
CVE-2021-33203 High severity<br>
CVE-2019-3498 Low severity<br>
CVE-2019-6975 Moderate severity<br>
CVE-2019-19844 Moderate severity<br>
View 1 more <br>
<<a href="https://github.com/sugarlabs-infra/helios-server/security/dependabot/requirements.txt/django/open" rel="noreferrer" target="_blank">https://github.com/sugarlabs-infra/helios-server/security/dependabot/requirements.txt/django/open</a>> <br>
<br>
<br>
Dependency bleach       Version < 3.1.1         Upgrade to ~> 3.1.1<br>
Defined in requirements.txt<br>
Vulnerabilities<br>
CVE-2020-6802 Moderate severity<br>
CVE-2020-6816 Moderate severity<br>
CVE-2020-6817 Moderate severity<br>
CVE-2021-23980 Moderate severity<br>
<br>
<br>
<br>
Review all vulnerable dependencies <br>
<<a href="https://github.com/sugarlabs-infra/helios-server/security/dependabot" rel="noreferrer" target="_blank">https://github.com/sugarlabs-infra/helios-server/security/dependabot</a>><br>
<br>
Always verify the validity and compatibility of suggestions with your <br>
codebase.<br>
<br>
------------------------------------------------------------------------<br>
<br>
<br>
_______________________________________________<br>
Systems mailing list<br>
<a href="mailto:Systems@lists.sugarlabs.org" target="_blank">Systems@lists.sugarlabs.org</a><br>
<a href="http://lists.sugarlabs.org/listinfo/systems" rel="noreferrer" target="_blank">http://lists.sugarlabs.org/listinfo/systems</a><br>
</blockquote></div>
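<p>The digest above reports each finding as a package name, an affected version range (e.g. <code>&lt; 1.3.0</code> or <code>&gt;= 2.1.0 &lt; 4.2.2</code>) and a target version. Before or after "upgrading", the check that matters is whether the version actually locked in the repository still falls inside the affected range. The script below is an added example, not code from this thread or from any Sugar Labs repository: it copies the npm-ecosystem ranges from the digest into a table, parses a <code>lockfileVersion: 1</code> <code>package-lock.json</code> (the format with a nested <code>dependencies</code> map; v2/v3 lockfiles keep a <code>packages</code> map instead, which this does not read), and flags every locked version inside an affected range. The lockfile contents are a constructed sample. Two details of the range semantics are handled deliberately: lower bounds such as <code>&gt;= 2.1.0</code> are inclusive, and a pre-release like <code>1.3.0-rc.1</code> sorts below <code>1.3.0</code> in semver, so it still counts as <code>&lt; 1.3.0</code>.</p>

```python
"""Check a lockfileVersion-1 package-lock.json against the npm ranges from a Dependabot digest."""
import json
import re
from operator import ge, gt, le, lt

# Affected ranges copied from the digest's npm entries (grunt, express, socket.io and the
# musicblocks package-lock.json items). The Ruby/Python entries live in other lockfile formats.
ADVISORIES = {
    "grunt":           ("< 1.3.0",           "CVE-2020-7729",  "High"),
    "express":         ("< 3.11.0",          "CVE-2014-6393",  "Moderate"),
    "socket.io":       ("< 2.4.0",           "CVE-2020-28481", "Moderate"),
    "is-svg":          (">= 2.1.0 < 4.2.2",  "CVE-2021-28092", "High"),
    "hosted-git-info": ("< 2.8.9",           "CVE-2021-23362", "Moderate"),
    "trim-newlines":   ("< 3.0.1",           "CVE-2021-33623", "High"),
    "glob-parent":     ("< 5.1.2",           "CVE-2020-28469", "High"),
    "postcss":         (">= 7.0.0 < 7.0.36", "CVE-2021-23368", "Moderate"),
    "color-string":    ("< 1.5.5",           "CVE-2021-29060", "Moderate"),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")
_CLAUSE_RE = re.compile(r"(<=|>=|<|>)\s*(\d+\.\d+\.\d+)")
_OPS = {"<": lt, "<=": le, ">": gt, ">=": ge}


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, is_release).

    A pre-release such as 1.3.0-rc.1 gets is_release=0 and therefore sorts below the
    1.3.0 release, as semver requires. Build metadata (+...) is ignored.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not a semver version: %r" % text)
    major, minor, patch, prerelease, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def in_affected_range(version, range_expr):
    """True if `version` satisfies every clause of a digest range like '>= 2.1.0 < 4.2.2'."""
    clauses = _CLAUSE_RE.findall(range_expr)
    if not clauses:
        raise ValueError("unparsable range: %r" % range_expr)
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(bound)) for op, bound in clauses)


def find_vulnerable(lock_text, advisories=ADVISORIES):
    """Walk a v1 package-lock.json and return (path, version, advisory, severity) per hit."""
    lock = json.loads(lock_text)
    findings = []

    def walk(deps, path):
        for name, meta in deps.items():
            here = path + [name]
            if name in advisories:
                affected, advisory_id, severity = advisories[name]
                if in_affected_range(meta.get("version", ""), affected):
                    findings.append((" > ".join(here), meta["version"], advisory_id, severity))
            walk(meta.get("dependencies", {}), here)  # nested copies installed under a parent

    walk(lock.get("dependencies", {}), [])
    return findings


# Constructed sample lockfile; not taken from any real repository.
SAMPLE_LOCK = json.dumps({
    "name": "example-activity",
    "lockfileVersion": 1,
    "dependencies": {
        "grunt":   {"version": "1.0.4"},      # inside "< 1.3.0"
        "express": {"version": "3.11.0"},     # exactly the fixed version: not affected
        "is-svg":  {"version": "2.1.0"},      # lower bound of ">= 2.1.0 < 4.2.2" is inclusive
        "postcss": {"version": "7.0.36"},     # upper bound "< 7.0.36" is exclusive: not affected
        "meow": {
            "version": "9.0.0",
            "dependencies": {"trim-newlines": {"version": "3.0.0"}},  # nested, inside "< 3.0.1"
        },
    },
})


if __name__ == "__main__":
    for path, version, advisory_id, severity in find_vulnerable(SAMPLE_LOCK):
        print("%-24s %-8s %-15s %s" % (path, version, advisory_id, severity))
```

<p>Run it against a real lockfile by replacing <code>SAMPLE_LOCK</code> with the file's contents. Nothing here substitutes for <code>npm audit</code> or the Dependabot page linked in each section, which know the full advisory database; the point of the script is the range arithmetic, which is where hand-checks usually go wrong (treating <code>&gt;=</code> as exclusive, or assuming a <code>-rc</code> build of the fixed version is already fixed).</p>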