LBNL-ETA / LPDM

Local Power Distribution Manager (LPDM)

One of your dependencies may have a security vulnerability #8

Closed RDmitchell closed 5 years ago

RDmitchell commented 5 years ago

@CJKohler / @StephenCzarnecki -- I am putting this in an issue because I don't know who all the contributors are. Maybe you already got this email, but here is the content -- there were several of them

LBNL-ETA/LPDM
Known moderate severity security vulnerability detected in morgan < 1.9.1 defined in package.json. package.json update suggested: morgan ~> 1.9.1. Always verify the validity and compatibility of suggestions with your codebase.

LBNL-ETA/LPDM
Known high severity security vulnerability detected in Jinja2 < 2.10.1 defined in requirements.txt. requirements.txt update suggested: Jinja2 ~> 2.10.1. Always verify the validity and compatibility of suggestions with your codebase.

LBNL-ETA/LPDM
Known high severity security vulnerability detected in paramiko >= 2.1.0, < 2.1.5 defined in requirements.txt. requirements.txt update suggested: paramiko ~> 2.1.5. Always verify the validity and compatibility of suggestions with your codebase.

LBNL-ETA/LPDM
Known high severity security vulnerability detected in paramiko >= 2.1.0, < 2.1.6 defined in requirements.txt. requirements.txt update suggested: paramiko ~> 2.1.6. Always verify the validity and compatibility of suggestions with your codebase.

LBNL-ETA/LPDM
Known moderate severity security vulnerability detected in requests <= 2.19.1 defined in requirements.txt. requirements.txt update suggested: requests ~> 2.20.0. Always verify the validity and compatibility of suggestions with your codebase.

bnordman commented 5 years ago

For context, we recently split the LPDM repository into two. LPDM has the CBERD/Volttron code. The new LPD one has CERC code.

I thought that we had already completed the split, so that none of us would have been working in LPDM in the last few days. That said, I had thought that LPDM was archived for the time being, so I am not sure who would have done edits. I am not a GitHub expert or even an amateur.

--Bruce

On Wed, Apr 17, 2019 at 11:13 AM RDmitchell notifications@github.com wrote:

-- Bruce Nordman Lawrence Berkeley National Laboratory nordman.lbl.gov http://nordman.lbl.gov BNordman@LBL.gov 510-486-7089 m: 510-501-7943

bnordman commented 5 years ago

Hi,

I made these edits. I have made CBERD the default branch and I have responded to these security vulnerabilities. Some older versions of the Node.js (package.json) and Python (requirements.txt) dependencies for the dashboard were flagged by GitHub, and I've upgraded the requirements and thus have handled the vulnerabilities.

It'd be useful if someone could check whether the code still works with the new versions of these dependencies, though.

Thanks, Anand

On Wed, Apr 17, 2019 at 11:38 AM Bruce Nordman bnordman@lbl.gov wrote:

-- Anand Krishnan Prakash Lawrence Berkeley National Laboratory 1 Cyclotron Road (Office 90-2056E), Berkeley CA 94720 akprakash@lbl.gov 412-983-2256
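As an added check (not the project's own code, nor the fix Anand applied), the script below compares pinned versions in a requirements.txt-style file against the affected ranges quoted in the alerts above, so a reviewer can confirm an upgrade actually left the vulnerable range. The sample pins are constructed and are not the project's real requirements.txt.

```python
import re

# Affected ranges exactly as the alerts quoted in this issue state them (morgan is the npm package).
AFFECTED = {
    "jinja2":   [("<", "2.10.1")],
    "paramiko": [(">=", "2.1.0"), ("<", "2.1.6")],  # upgrading to 2.1.6 satisfies both paramiko alerts
    "requests": [("<=", "2.19.1")],
    "morgan":   [("<", "1.9.1")],
}
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def vtuple(version):
    """'2.10.1' -> (2, 10, 1); tuple comparison gives (2, 10) < (2, 10, 1), as pip would."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def in_affected_range(version, constraints):
    """True when `version` satisfies every (op, bound) pair, i.e. it is inside the vulnerable range."""
    return all(OPS[op](vtuple(version), vtuple(bound)) for op, bound in constraints)

def parse_requirements(text):
    """Yield (name, op, version) per requirement line; unpinned lines yield (name, None, None)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(==|~=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.]*)$", line)
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3)
        else:
            yield line.lower(), None, None

def audit(text):
    """Return [(name, version, status)] for affected packages: 'vulnerable', 'ok', 'unpinned' or 'manual'."""
    report = []
    for name, op, version in parse_requirements(text):
        if name not in AFFECTED:
            continue
        if op is None:
            report.append((name, None, "unpinned"))
        elif op in ("==", "~=", ">="):  # the stated version is the lowest pip may install
            status = "vulnerable" if in_affected_range(version, AFFECTED[name]) else "ok"
            report.append((name, version, status))
        else:  # only an upper bound ('<', '<='): the installed version is not determined here
            report.append((name, version, "manual"))
    return report

# Constructed sample pins, before and after an upgrade like the one described above.
BEFORE = "Jinja2==2.10\nparamiko==2.1.2\nrequests==2.19.1\nFlask==1.0.2\n"
AFTER = "Jinja2==2.10.1\nparamiko==2.1.6\nrequests==2.20.0\nFlask==1.0.2\n"
```

Run `audit(open("requirements.txt").read())` against a real file; anything reported as "manual" or "unpinned" still needs the installed version checked by hand.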

anandkp92 commented 5 years ago

Closing this issue because it has been resolved with this commit.