opensearch-project / OpenSearch-Dashboards

📊 Open source visualization dashboards for OpenSearch.
https://opensearch.org/docs/latest/dashboards/index/
Apache License 2.0

[Release] Announce known vulnerabilities in each release #1273

Open jimpete opened 2 years ago

jimpete commented 2 years ago

I need the hapi version called out in the latest package.json to pass sysdig scanning. Looks like 1.2.0 was 6 months ago. What is your cadence? Can you build a new version with the current security patches? I need this fix: https://github.com/hapijs/hapi/commit/85d7801cc8bc38c5ad30b5e29ed36e328617fb28 which is already called out in the package.json
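The kind of dependency check the request above is about, as an added example that is not part of this thread or of the OpenSearch-Dashboards code base: a small script that reads the pins in a package.json and flags any package whose range floor is below a table of minimum patched versions, which is what a scanner such as sysdig does against a release. The package.json contents, the package names other than hapi, and every threshold version are constructed for illustration; the page does not state which hapi version contains the referenced fix, so the hapi threshold below is a placeholder.

```javascript
// Added example, not project code. Audit the dependency pins in a package.json
// against a table of minimum patched versions.

// Constructed package.json text standing in for the one in the release under review.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-dashboards",
  version: "1.2.0",
  dependencies: {
    "@hapi/hapi": "^17.9.0",   // constructed pin
    "lodash": "4.17.21",        // constructed pin, not in the threshold table
    "minimatch": "3.0.4",       // constructed pin
  },
  devDependencies: {
    "mocha": "~9.2.0",          // constructed pin
  },
});

// Hypothetical minimum patched versions. Real values come from an advisory feed;
// the hapi entry is a placeholder, not the version that carries the referenced fix.
const MIN_PATCHED = {
  "@hapi/hapi": "20.2.1",
  "minimatch": "3.0.5",
};

// Extract the first MAJOR.MINOR.PATCH triple from a specifier, ignoring range
// operators (^, ~, >=). For a range this is its floor: the lowest version the
// range admits, which is the only bound a package.json alone guarantees.
function parseSemver(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Return one finding per listed package whose pinned floor is below the minimum
// patched version, or whose specifier cannot be parsed (git URLs, tags, "*").
function auditDependencies(packageJsonText, minPatched) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, minVersion] of Object.entries(minPatched)) {
    if (!(name in deps)) continue;           // package not used in this release
    const pinned = parseSemver(deps[name]);
    const min = parseSemver(minVersion);
    if (!pinned) {
      findings.push({ name, spec: deps[name], status: "unparseable" });
      continue;
    }
    if (compareSemver(pinned, min) < 0) {
      findings.push({ name, spec: deps[name], minPatched: minVersion, status: "below-minimum" });
    }
  }
  return findings;
}

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON, MIN_PATCHED)) {
  const need = f.minPatched ? ` (needs >= ${f.minPatched})` : "";
  console.log(`${f.name} ${f.spec}: ${f.status}${need}`);
}
```

The check deliberately looks at the floor of each range: a caret pin such as `^17.9.0` only proves that nothing older than 17.9.0 is installed, so a scanner judging by package.json alone must assume the floor. The version actually shipped is the resolved one in the lockfile, which is where a release-time check should read from; the same comparison then applies to an exact version instead of a range.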

tmarkley commented 2 years ago

Hi @jimpete, the hapi-related security vulnerabilities were addressed with #1146. That is a breaking change, so we have to wait for v2.0 to release it. Our project roadmap shows that we're currently targeting May, 2022 for that release.

benwynn commented 2 years ago

@tmarkley When you release 1.3.0 and 1.4.0 can you include the list of known security vulnerabilities in your announcement?

tmarkley commented 2 years ago

@benwynn that is a great question. I don't think we have anything like that in place but we can discuss the options here.

tmarkley commented 2 years ago

A quick note, these are the CVEs that we're aware of and will not be fixed until v2.0.0: https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aissue+label%3Acve+label%3Av2.0.0+

jimpete commented 2 years ago

This is fantastic and may give me enough information to temporarily release 1.2.3 into production with a promise to have these closed.