liquidvotingio / decidim-module-liquidvoting

GNU Affero General Public License v3.0

Dependabot alert (rexml) could not create a PR for us #111

Closed davefrey closed 3 years ago

davefrey commented 3 years ago

I had this github notification:

GHSA-8cr8-4vfw-mr7h A security vulnerability in rexml affects at least one of your repositories in the liquidvotingio organization

which links to this dependabot alert

Usually dependabot creates a PR for security alerts, but here it couldn't, because of an error described in that link. I couldn't reproduce the error, the dependabot log wasn't helpful ... and the security vulnerability is still in the code (rexml < 3.2.5).

More strangeness: the same rexml version is in liquid-decidim-demo but there is no security alert there. Edit: the same vulnerability was alerted in api-client but dependabot was able to create that PR liquidvotingio/api-client#25 successfully.

I propose to 1) bump rexml in our repos, and 2) accept the mystery of why dependabot failed here, and didn't report in liquid-decidim-demo, until we see the problem again.

Here's the vulnerability itself: CVE-2021-28965
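A local check for the case described in this issue, where Dependabot does not raise the PR and the fix has to be confirmed by hand: the script below reads a Gemfile.lock and flags a resolved rexml below 3.2.5. This is an added example, not code from this issue or from the decidim-module-liquidvoting repository, and the lockfile text in it is constructed for illustration.

```ruby
# Added example: detect a rexml version affected by CVE-2021-28965
# (rexml < 3.2.5) in a Gemfile.lock. Not part of decidim-module-liquidvoting.
require "rubygems"

# In the "specs:" section of a Gemfile.lock, resolved gems sit at a 4-space
# indent as "    name (version)"; their dependencies sit at 6 spaces and may
# carry a constraint instead of a version, so they must not match here.
GEM_LINE = /\A\s{4}(?<name>\S+) \((?<version>[^)]+)\)\s*\z/

# First rexml release that is not affected by CVE-2021-28965.
FIXED_REXML = Gem::Version.new("3.2.5")

# Map every resolved gem in the lockfile text to its Gem::Version.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    m = GEM_LINE.match(line)
    next unless m
    versions[m[:name]] = Gem::Version.new(m[:version])
  end
  versions
end

# Return the locked rexml version when it is below the fix, nil otherwise
# (nil also when rexml is not resolved at all in this lockfile).
def vulnerable_rexml(lockfile_text)
  v = locked_versions(lockfile_text)["rexml"]
  return nil if v.nil? || v >= FIXED_REXML
  v
end

# Constructed lockfile fragment (not the real Gemfile.lock of the module).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      decidim-core (0.24.3)
        rexml
      rexml (3.2.4)
      nokogiri (1.11.7)

  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  bad = vulnerable_rexml(text)
  puts(bad ? "rexml #{bad} is below #{FIXED_REXML}: bump it" : "rexml is at or above #{FIXED_REXML}")
end
```

Run it with a path to a real Gemfile.lock as the first argument to check an actual checkout instead of the constructed sample.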