Closed ryanh-orca closed 2 months ago
Could you upgrade the dependencies with poetry and submit a pull-request?
Hi, can I have permission to do the PR?

```
[devenvx2] ~/s/celery-exporter ❯❯❯ git push --set-upstream origin patching-cves ✘ 128 patching-cves
ERROR: Permission to danihodovic/celery-exporter.git denied to ryanh-orca.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository exists.
[devenvx2] ~/s/celery-exporter ❯❯❯
```
You will have to fork the repository and submit a PR.
https://github.com/danihodovic/celery-exporter/pull/311
I can't upgrade the mem and braces packages for https://github.com/advisories/GHSA-4xcv-9jjx-gfj3 and https://github.com/advisories/GHSA-g95f-p29q-9xw4. I'm hitting "Because prometheus-exporter-celery depends on mem (^4.0.0) which doesn't match any versions, version solving failed."
Can you please help to patch these 2 packages?
Where are you getting the list of CVEs from?
I've merged your PR and made another batch of dependency updates in #312. I've released it as v0.10.8
Hi, we are getting the list of the CVEs from our vulnerability scanners. For this v0.10.8 image, all CVEs are cleared except for GHSA-4xcv-9jjx-gfj3, and the affected package is /app/package-lock.json:

```
-rw-r--r-- 1 root root 178511 Jan 14 16:38 package-lock.json
-rw-r--r-- 1 root root    128 Jan 14 16:38 package.json
```

Can you please help to upgrade the mem package to version 4.0, or tell me how to do it?
The Dockerfile doesn't have any Node.js process in it. It seems like it was copied from my local machine. I can remove it from the image, but I don't think there is any security problem present. I think it's there because I tried to run all-contributors to generate contributor avatars in the README.
Can you please remove them? We really appreciate it.
Is it to check the box for your vulnerability software or is this an actual vulnerability?
If this package is installed as it's shown in the package-lock.json, then it is an actual vulnerability.
The package is never installed. There is no Node.js process in the image. https://github.com/danihodovic/celery-exporter/blob/master/Dockerfile
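The exchange above turns on one distinction: a scanner matched an entry in `package-lock.json`, but a lockfile entry is only a manifest, and the package is a real risk only if its code is actually installed and there is a runtime to execute it. The following triage helper is an added example, not part of the thread or the celery-exporter project; it builds a constructed image filesystem with `/app/package-lock.json` declaring a sample `mem` 1.1.0 (a constructed version, below the 4.0 the thread asks for) and no `node_modules` or `node` binary, then checks each of those conditions separately.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample lockfile (npm lockfileVersion 2 layout, not the project's real file):
# it declares mem 1.1.0 as a nested dependency, below the 4.0 the thread asks for.
SAMPLE_LOCK = {
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"all-contributors-cli": "^6.0.0"}},
        "node_modules/all-contributors-cli/node_modules/mem": {"version": "1.1.0"},
    },
}

def build_sample_rootfs() -> Path:
    """Lay out an extracted image filesystem: /app holds the lockfile and nothing else."""
    root = Path(tempfile.mkdtemp())
    (root / "app").mkdir()
    (root / "app" / "package-lock.json").write_text(json.dumps(SAMPLE_LOCK))
    (root / "app" / "package.json").write_text('{"name": "celery-exporter"}')
    return root

def declared_versions(lock_path: Path, name: str) -> list:
    """Versions of `name` the lockfile declares, top-level or nested under node_modules."""
    packages = json.loads(lock_path.read_text()).get("packages", {})
    return [entry.get("version") for key, entry in packages.items()
            if key == f"node_modules/{name}" or key.endswith(f"/node_modules/{name}")]

def is_installed(app_dir: Path, name: str) -> bool:
    """A lockfile entry is only a manifest; the package is on disk only if its package.json is."""
    return any(p.is_file() for p in app_dir.glob(f"**/node_modules/{name}/package.json"))

def node_runtime_present(root: Path) -> bool:
    """True if the image carries a node binary in one of the usual locations."""
    return any((root / d / "node").is_file() for d in ("usr/bin", "usr/local/bin", "bin"))

def triage(root: Path, name: str) -> dict:
    """Classify a scanner hit on /app/package-lock.json for package `name`."""
    app_dir = root / "app"
    declared = declared_versions(app_dir / "package-lock.json", name)
    installed, runtime = is_installed(app_dir, name), node_runtime_present(root)
    if not declared:
        verdict = "not declared"
    elif installed and runtime:
        verdict = "installed and runnable: treat as a real finding"
    elif installed:
        verdict = "installed but no node runtime: low risk, still remove it"
    else:
        verdict = "lockfile only: package not installed, no package code present"
    return {"declared": declared, "installed": installed, "runtime": runtime, "verdict": verdict}
```

Run `triage(build_sample_rootfs(), "mem")` to see the "lockfile only" verdict the maintainer describes; pointing `triage` at a real extracted image rootfs (e.g. from `docker export`) applies the same checks there.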
Thanks for the confirmation. We will mark it as FP in our scanner.
The package.json and package-lock.json will be removed from the Docker image in the next release, but I'm too lazy to make a release now when no code has been merged since the last release.
Hi, the following CVEs exist in the 0.10.7 image. Can you please patch them?