tileserver-gl/GHSA-rmvr-2pp2-xj38/GHSA-xx4v-prfh-6cgc/GHSA-h5c3-5r3r-rr8q advisory updates #13443

Merged (2 commits), Feb 26, 2025

Conversation

jamie-albert (Member)

1. GHSA-h5c3-5r3r-rr8q

  • pending-upstream-fix: This CVE is a multi-layered transitive dependency ultimately caused by the dependency @maplibre/maplibre-gl-native, which tileserver-gl is on the latest version of. Further, the most recent version of the intermediary dependency node-pre-gyp-github, which @octokit/plugin-paginate-rest is a direct dependency of, also contains these old major versions (v2.x.x); the fix versions of this dependency are several major versions higher (v9.2.2 or v11.4.1) and will require upstream maintainers to implement, thus it is pending an upstream fix.

2. GHSA-xx4v-prfh-6cgc

  • pending-upstream-fix: This CVE is a multi-layered transitive dependency ultimately caused by the dependency @maplibre/maplibre-gl-native, which tileserver-gl is on the latest version of. Further, the most recent version of the intermediary dependency node-pre-gyp-github, which @octokit/request-error is a direct dependency of, also contains these old major versions (v2.x.x); the fix versions of this dependency are several major versions higher (v5.1.1 or v6.1.7) and will require upstream maintainers to implement.

3. GHSA-rmvr-2pp2-xj38

  • pending-upstream-fix: This CVE is a multi-layered transitive dependency ultimately caused by the dependency express 5.0.1, which tileserver-gl is on the latest version of. Further, the most recent version of the intermediary dependency Once 1.4.0, which @octokit/request is a direct dependency of, also contains these old major versions (v5.x.x); the fix versions of this dependency are several major versions higher (v8.4.1 or v9.2.1) and will require upstream maintainers to implement.

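The three justifications above all rest on the same claim: the affected package is reachable only through a transitive chain whose intermediary still pins an old major, so no change in tileserver-gl itself can pull in the fixed version. The script below is an added example for checking such a claim against the project's lockfile; it is not code from this PR, from tileserver-gl, or from wolfi-dev. It walks an npm lockfile (lockfileVersion 2/3 "packages" map) using npm's nearest-enclosing-node_modules resolution rule, lists every path from the root to a target package, and flags the paths whose resolved version falls inside the advisory's affected ranges. The lockfile embedded here is constructed to mirror the shape of the chain described above (with one nested duplicate to show why hoisting alone does not settle the question), and its versions and the affected ranges are illustrative assumptions, not values taken from the advisories.

```python
"""Trace every dependency path to a package in an npm lockfile and flag the
ones that resolve to an affected version.

Added example, not project code. CONSTRUCTED_LOCK and PAGINATE_REST_AFFECTED
are constructed/illustrative; do not read them as the real advisory data.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed lockfile fragment (lockfileVersion 3 layout). The nested copy of
# @octokit/rest under node-pre-gyp-github is what keeps the old 2.x
# plugin-paginate-rest alive even though a fixed copy is hoisted at top level.
CONSTRUCTED_LOCK = {
    "name": "tileserver-gl",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@maplibre/maplibre-gl-native": "^6.0.0",
                              "@octokit/rest": "^21.0.0"}},
        "node_modules/@maplibre/maplibre-gl-native": {
            "version": "6.0.0", "dependencies": {"node-pre-gyp-github": "^2.0.0"}},
        "node_modules/node-pre-gyp-github": {
            "version": "2.0.0", "dependencies": {"@octokit/rest": "^18.0.0"}},
        "node_modules/node-pre-gyp-github/node_modules/@octokit/rest": {
            "version": "18.12.0",
            "dependencies": {"@octokit/plugin-paginate-rest": "^2.0.0"}},
        "node_modules/node-pre-gyp-github/node_modules/@octokit/plugin-paginate-rest": {
            "version": "2.21.3"},
        "node_modules/@octokit/rest": {
            "version": "21.0.0",
            "dependencies": {"@octokit/plugin-paginate-rest": "^11.0.0"}},
        "node_modules/@octokit/plugin-paginate-rest": {"version": "11.4.1"},
    },
}

# Assumed affected ranges, written the way GHSA expresses them:
# (lower bound inclusive or None, upper bound exclusive).
PAGINATE_REST_AFFECTED = [(None, "9.2.2"), ("11.0.0", "11.4.1")]

Chain = List[Tuple[str, str]]  # [(package name, resolved version), ...]


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.2.2-beta.1' -> (9, 2, 2); prerelease tags are ignored."""
    return tuple(int(x) for x in v.split("-")[0].split(".")[:3])


def is_affected(version: str, ranges: List[Tuple[Optional[str], str]]) -> bool:
    v = parse_version(version)
    return any((lo is None or v >= parse_version(lo)) and v < parse_version(hi)
               for lo, hi in ranges)


def resolve(packages: Dict[str, dict], from_path: str, dep: str) -> Optional[str]:
    """npm resolution: search node_modules of from_path, then each ancestor."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")  # scoped names keep their own slash
        base = base[:idx] if idx >= 0 else ""


def find_paths(lock: dict, target: str) -> List[Chain]:
    """All root-to-target chains; cycles are cut with the on-path set."""
    packages, found = lock["packages"], []

    def walk(path: str, chain: Chain, on_path: frozenset) -> None:
        for dep in sorted(packages[path].get("dependencies", {})):
            dep_path = resolve(packages, path, dep)
            if dep_path is None:
                continue  # optional/peer dependency that was never installed
            step = chain + [(dep, packages[dep_path].get("version", "?"))]
            if dep == target:
                found.append(step)
            elif dep_path not in on_path:
                walk(dep_path, step, on_path | {dep_path})

    walk("", [], frozenset({""}))
    return found


def affected_paths(lock: dict, target: str, ranges) -> List[Chain]:
    """Only the chains whose resolved target version is inside an affected range."""
    return [c for c in find_paths(lock, target) if is_affected(c[-1][1], ranges)]


def format_chain(root: str, chain: Chain) -> str:
    return " -> ".join([root] + [f"{n}@{v}" for n, v in chain])


if __name__ == "__main__":
    # Real use: lock = json.load(open("package-lock.json"))
    lock, target = CONSTRUCTED_LOCK, "@octokit/plugin-paginate-rest"
    for c in find_paths(lock, target):
        mark = "AFFECTED" if is_affected(c[-1][1], PAGINATE_REST_AFFECTED) else "fixed"
        print(f"[{mark}] {format_chain(lock['name'], c)}")
```

On the constructed data the hoisted path through @octokit/rest 21 resolves to a fixed version, while the path through @maplibre/maplibre-gl-native and node-pre-gyp-github resolves to the nested 2.x copy and is reported as affected; the first package on that chain that the project does not control is the one the pending-upstream-fix note should name.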
@jamie-albert jamie-albert requested a review from a team February 26, 2025 19:04
Co-authored-by: Joshua Powers <[email protected]>
Signed-off-by: jamie-albert <[email protected]>
@jamie-albert jamie-albert requested a review from powersj February 26, 2025 20:47
@powersj powersj added this pull request to the merge queue Feb 26, 2025
Merged via the queue into wolfi-dev:main with commit 53d9f92 Feb 26, 2025
7 checks passed