Merge pull request #889 from rstudio/security-update-2025-01

Update Snyk exclusions 2025-01
rstudio · Jan 28, 2025 · c40a695 · c40a695
2 parents c112f58 + c19b182
commit c40a695
Show file tree

Hide file tree

Showing 7 changed files with 75 additions and 49 deletions.
diff --git a/connect/.snyk b/connect/.snyk
@@ -2,9 +2,4 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  SNYK-GOLANG-GITHUBCOMJACKCPGXV4-7416900:
-    - '*':
-        reason: 'Reported upstream in https://github.com/rstudio/connect/issues/27482'
-        expires: 2024-07-31T00:00:00.000Z
-        created: 2024-07-03T13:49:12.040Z
 patch: {}
diff --git a/package-manager/.snyk b/package-manager/.snyk
@@ -2,11 +2,19 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  SNYK-GOLANG-GITHUBCOMJACKCPGXV4-7416900:
+  SNYK-GOLANG-GOLANGORGXNETHTML-8535262:
     - '*':
-        reason: >-
-          Reported upstream in
-          https://github.com/rstudio/package-manager/issues/13981
-        expires: 2024-10-01T00:00:00.000Z
-        created: 2024-07-03T14:03:16.019Z
+        reason: Patch will be ingested in next release
+        expires: 2025-03-31T00:00:00.000Z
+        created: 2025-01-24T01:05:55.359Z
+  SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBING-8602520:
+    - '*':
+        reason: Patch will be ingested in next release
+        expires: 2025-03-31T00:00:00.000Z
+        created: 2025-01-24T01:08:04.773Z
+  SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611:
+    - '*':
+        reason: Patch will be ingested in next release
+        expires: 2025-03-31T00:00:00.000Z
+        created: 2025-01-24T01:08:19.247Z
 patch: {}
diff --git a/r-session-complete/.snyk b/r-session-complete/.snyk
@@ -2,19 +2,18 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  SNYK-GOLANG-GITHUBCOMCREWJAMSAML-5971016:
+  SNYK-JS-SEMVER-3247795:
     - '*':
         reason: >-
-          Reported upstream in
-          https://github.com/rstudio/rstudio-pro/issues/6529
-        expires: 2024-08-31T00:00:00.000Z
-        created: 2024-07-02T20:33:30.847Z
-  SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
+          Awaiting upstream patch in jupyterlab, but exploit should not be
+          reachable.
+        expires: 2025-03-31T00:00:00.000Z
+        created: 2025-01-24T01:42:36.788Z
+  SNYK-JS-WS-7266574:
     - '*':
         reason: >-
-          Confirmed fixed upstream in
-          https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
-          ingested in Workbench 2024.08.0 (expected within 1 week).
-        expires: 2024-08-07T00:00:00.000Z
-        created: 2024-07-31T17:46:24.852Z
+          Awaiting upstream patch in jupyterlab, but Jupyterlab is not using the
+          package component affected.
+        expires: 2025-03-31T00:00:00.000Z
+        created: 2025-01-24T01:58:55.561Z
 patch: {}
diff --git a/workbench-for-google-cloud-workstations/.snyk b/workbench-for-google-cloud-workstations/.snyk
@@ -2,24 +2,18 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  SNYK-GOLANG-GITHUBCOMCREWJAMSAML-5971016:
+  SNYK-JS-SEMVER-3247795:
     - '*':
         reason: >-
-          Reported upstream in
-          https://github.com/rstudio/rstudio-pro/issues/6529
-        expires: 2024-08-31T00:00:00.000Z
-        created: 2024-07-02T20:33:30.847Z
-  SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
+          Awaiting upstream patch in jupyterlab, but exploit should not be
+          reachable.
+        expires: 2025-03-31T00:00:00.000Z
+        created: 2025-01-24T01:42:36.788Z
+  SNYK-JS-WS-7266574:
     - '*':
         reason: >-
-          Confirmed fixed upstream in
-          https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
-          ingested in Workbench 2024.08.0 (expected within 1 week).
-        expires: 2024-08-07T00:00:00.000Z
-        created: 2024-07-31T17:46:24.852Z
-  SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285:
-    - '*':
-        reason: Vulnerability in Google Cloud SDK.
-        expires: 2024-09-01T00:00:00.000Z
-        created: 2024-07-31T19:45:25.728Z
+          Awaiting upstream patch in jupyterlab, but Jupyterlab is not using the
+          package component affected.
+        expires: 2025-03-31T00:00:00.000Z
+        created: 2025-01-24T01:58:55.561Z
 patch: {}
diff --git a/workbench-session-init/.snyk b/workbench-session-init/.snyk
@@ -0,0 +1,12 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-JS-BODYPARSER-7926860:
+    - '*':
+        reason: >-
+          Patched upstream in Positron by upgrading express to 4.19.2. Will be
+          ingested next Workbench release.
+        expires: 2025-03-31T00:00:00.000Z
+        created: 2025-01-24T02:04:47.267Z
+patch: {}
diff --git a/workbench-session/.snyk b/workbench-session/.snyk
@@ -0,0 +1,19 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-JS-SEMVER-3247795:
+    - '*':
+        reason: >-
+          Awaiting upstream patch in jupyterlab, but exploit should not be
+          reachable.
+        expires: 2025-03-31T00:00:00.000Z
+        created: 2025-01-24T01:42:36.788Z
+  SNYK-JS-WS-7266574:
+    - '*':
+        reason: >-
+          Awaiting upstream patch in jupyterlab, but Jupyterlab is not using the
+          package component affected.
+        expires: 2025-03-31T00:00:00.000Z
+        created: 2025-01-24T01:58:55.561Z
+patch: {}
diff --git a/workbench/.snyk b/workbench/.snyk
@@ -2,19 +2,18 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  SNYK-GOLANG-GITHUBCOMCREWJAMSAML-5971016:
+  SNYK-JS-SEMVER-3247795:
     - '*':
         reason: >-
-          Reported upstream in
-          https://github.com/rstudio/rstudio-pro/issues/6529
-        expires: 2024-08-31T00:00:00.000Z
-        created: 2024-07-02T20:33:30.847Z
-  SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737:
+          Awaiting upstream patch in jupyterlab, but exploit should not be
+          reachable.
+        expires: 2025-03-31T00:00:00.000Z
+        created: 2025-01-24T01:42:36.788Z
+  SNYK-JS-WS-7266574:
     - '*':
         reason: >-
-          Confirmed fixed upstream in
-          https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be
-          ingested in Workbench 2024.08.0 (expected within 1 week).
-        expires: 2024-08-07T00:00:00.000Z
-        created: 2024-07-31T17:46:24.852Z
+          Awaiting upstream patch in jupyterlab, but Jupyterlab is not using the
+          package component affected.
+        expires: 2025-03-31T00:00:00.000Z
+        created: 2025-01-24T01:58:55.561Z
 patch: {}