dunglas / mercure

🪽 An open, easy, fast, reliable and battery-efficient solution for real-time communications
https://mercure.rocks
GNU Affero General Public License v3.0
3.83k stars, 278 forks

fix: Security Vulnerabilities in dependencies/packages #890

Open stephenmayer opened 2 months ago

stephenmayer commented 2 months ago

CVE-2024-27289, CVE-2024-27304, GHSA-7jwh-3vrq-q3m8
Please update pgx to version >= 4.18.2 https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p

CVE-2024-27304
Please update pgproto3 to version >= v2.3.3 https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8

CVE-2024-22189, CVE-2023-49295
Please update quic-go to version v0.40.1 https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf

dunglas commented 2 months ago

We don't use Postgres with Mercure, and we are on it for quic-go.

dunglas commented 2 months ago

For quic-go, we're already using v0.40.1 https://github.com/dunglas/mercure/blob/v0.15.10/caddy/go.mod#L121. To upgrade to v0.42 (#886), we need a Caddy release that includes https://github.com/caddyserver/caddy/pull/6176 first.
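The triage in this thread comes down to two checks per advisory: is the module required at all, and if so, is the required version at or above the fixed version. The Go program below is an added example, not Mercure's code and not part of the issue. It parses a go.mod, looks up the three modules named above by their real module paths (github.com/jackc/pgx/v4, github.com/jackc/pgproto3/v2, github.com/quic-go/quic-go) and compares the required version with the minimum fixed version from the advisories. The go.mod it reads is a constructed sample, not Mercure's file; a module that is absent from go.mod is reported as not required, which is the "we don't use Postgres" case, and a pseudo-version such as v0.40.1-0.2024... is treated as older than v0.40.1 so that a pre-fix commit is not mistaken for the fixed release.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Minimum fixed versions quoted in the issue, keyed by the real module path.
var fixedVersions = map[string]string{
	"github.com/jackc/pgx/v4":      "v4.18.2",
	"github.com/jackc/pgproto3/v2": "v2.3.3",
	"github.com/quic-go/quic-go":   "v0.40.1",
}

// Constructed sample go.mod for the demo; this is NOT Mercure's go.mod.
const sampleGoMod = `module example.com/constructed

go 1.21

require (
	github.com/quic-go/quic-go v0.40.1
	github.com/jackc/pgx/v4 v4.18.1 // indirect
	github.com/caddyserver/caddy/v2 v2.7.6
)

require golang.org/x/sys v0.15.0 // indirect
`

// parseRequires returns module path -> version for every require line,
// handling both "require (...)" blocks and single-line require directives.
func parseRequires(goMod string) map[string]string {
	deps := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments such as "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		if f := strings.Fields(line); len(f) == 2 {
			deps[f[0]] = f[1]
		}
	}
	return deps
}

type version struct {
	nums [3]int
	pre  bool // has a "-" suffix: pre-release or Go pseudo-version
}

// parseVersion reads vMAJOR.MINOR.PATCH; build metadata ("+...") is ignored.
func parseVersion(v string) version {
	v = strings.TrimPrefix(v, "v")
	var out version
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		out.pre = v[i] == '-'
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		out.nums[i] = n
	}
	return out
}

// compareVersions returns -1, 0 or 1; with equal numbers a pre-release sorts lower.
func compareVersions(a, b string) int {
	va, vb := parseVersion(a), parseVersion(b)
	for i := 0; i < 3; i++ {
		if va.nums[i] != vb.nums[i] {
			if va.nums[i] < vb.nums[i] {
				return -1
			}
			return 1
		}
	}
	if va.pre != vb.pre {
		if va.pre {
			return -1
		}
		return 1
	}
	return 0
}

// Status is the verdict for one advised module.
type Status struct {
	Module, Found, Minimum string // Found is "" when the module is not required at all
	Vulnerable             bool
}

// audit checks every module in minimums against the go.mod text.
func audit(goMod string, minimums map[string]string) map[string]Status {
	deps := parseRequires(goMod)
	out := map[string]Status{}
	for mod, min := range minimums {
		s := Status{Module: mod, Minimum: min}
		if v, ok := deps[mod]; ok {
			s.Found = v
			s.Vulnerable = compareVersions(v, min) < 0
		}
		out[mod] = s
	}
	return out
}

func main() {
	res := audit(sampleGoMod, fixedVersions)
	mods := make([]string, 0, len(res))
	for m := range res {
		mods = append(mods, m)
	}
	sort.Strings(mods)
	for _, m := range mods {
		s := res[m]
		switch {
		case s.Found == "":
			fmt.Printf("%-32s not required: advisory does not apply\n", m)
		case s.Vulnerable:
			fmt.Printf("%-32s %s < %s: UPDATE\n", m, s.Found, s.Minimum)
		default:
			fmt.Printf("%-32s %s >= %s: ok\n", m, s.Found, s.Minimum)
		}
	}
}
```

Reading go.mod is the quick first pass; the authoritative check is `go list -m all` for the full module graph and `govulncheck` (golang.org/x/vuln/cmd/govulncheck), which also reports whether the vulnerable functions are actually reachable from the binary.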