search

bcgov / MFIN-Data-Catalogue

The Finance Data Catalogue enables users to discover data holdings at the BC Ministry of Finance and offers information and functionality that benefits consumers of data for business purposes. The product is built using Drupal and adheres to the Government of BC's Core Administrative and Descriptive etadata Standard.
Other
6 stars 0 forks source link

Review and assess alert from June 2024 #524

Open NicoledeGreef opened 3 months ago

NicoledeGreef commented 3 months ago

GitHub vulnerability alert received on June 10th via email.

Please review and adjust our practices (if applicable).

chrislaick commented 1 month ago

The current latest stable release of Composer is 2.7.9.

I've realized in our GitHub Actions workflows (Build, Deploy to Development) we are building our images using a specific branch (10.2.x-php8.2) of the https://github.com/drupalwxt/docker-scaffold repo:

https://github.com/bcgov/MFIN-Data-Catalogue/blob/789e4b4e3dddd1bf043d45bba0b96fdd066a31bb/.github/workflows/dev.yml#L36

The 10.2.x-php8.2 branch is specifying the Composer version 2.7.6 to download and use:

https://github.com/drupalwxt/docker-scaffold/blob/1807cf4dea5f638011958d1db792120114c3785b/Dockerfile#L69

chrislaick commented 1 month ago

Recommend we submit a PR to drupalwxt/docker-scaffold 10.2.x-php8.2 branch to update Composer version, or we utilize a different, newer branch of the drupalwxt/docker-scaffold repo.