OWASP / threat-dragon

An open source threat modeling tool from OWASP
https://owasp.org/www-project-threat-dragon/
Apache License 2.0

Investigate dependabot security alerts #665

Closed jgadsden closed 1 year ago

jgadsden commented 1 year ago

Describe the bug
There are outstanding security alerts at https://github.com/OWASP/threat-dragon/security/dependabot

Expected behaviour
Would be nice to clean these up

Environment

To Reproduce

Any additional context, screenshots, etc

jgadsden commented 1 year ago

Updating got stopped tests running, and it was reverted in 2414d095a2fcb5389e2b8a78c1981e4c06a9333c

professorabhay commented 1 year ago

Hey @jgadsden, I just checked it out. Do I just have to dismiss these alerts, because, as you said, all changes were reverted?

jgadsden commented 1 year ago

Yes, good point @professorabhay - ignore these alerts. It may be that the test packages have been updated and we can upversion got, but this needs investigation.

professorabhay commented 1 year ago

Hey @jgadsden, I just took a look at the td.vue/package-lock.json file, as per Dependabot alert #93 (SSRF in Requests), and found that it is requesting that older version. We need to update it in the file so that the error resolves.

jgadsden commented 1 year ago

Dismissed the Dependabot alerts because there is nothing we can do about request and got.