Dependabot pull-requests

[github-actions[bot]]

This is an automatically created issue used to list dependabot pull requests every 3 months.

It was created by the .github/workflows/dependabot-prs-issue.yml workflow in the silverstripe/.github repository.

Triage instructions (Silverstripe Ltd CMS Squad)

1. Put on the following labels:
   • type/bug
   • impact/low
2. Move this issue to the "Ready" column on our internal zenhub board
3. If there is an open issue for JS PRs, block this issue on it - those PRs may resolve some dependabot alerts

Dependabot pull-requests:

See the list of dependabot pull-requests in Rhino.

• Make a quick determination as to whether the vulnerability fixed by the PR warrants using our security process
  • You can check to see if the dependabot alert affects non-dev dependencies by running yarn audit --groups dependencies locally on default branch of the module.
  • Use yarn audit --groups devDependencies to see dev-only dependencies.
• Merge these PRs if there are no merge-conflicts and CI is green
• If there are conflicts or CI isn't green, get dependabot to recreate the PR
• If there are still problems, manually resolve them and open your own PR
• Backport anything that seems like it needs to be patched immediately

Dependabot alerts:

After all of the above have been completed and resolved, check for any outstanding dependabot alerts in the list below.

• Make a quick determination as to whether any alerts warrant using our security process
• Ignore or dismiss any alerts that aren't relevant
• Try to resolve any relevant alerts which dependabot is unable to resolve automatically

Respositories with alerts:

• bringyourownideas/silverstripe-maintenance
• colymba/GridFieldBulkEditingTools
• silverstripe/cwp-agencyextensions
• silverstripe/cwp-starter-theme
• silverstripe/cwp-watea-theme
• silverstripe/silverstripe-elemental
• silverstripe/silverstripe-admin
• silverstripe/silverstripe-asset-admin
• silverstripe/silverstripe-blog
• silverstripe/silverstripe-campaign-admin
• silverstripe/silverstripe-cms
• silverstripe/silverstripe-contentreview
• silverstripe/silverstripe-documentconverter
• silverstripe/silverstripe-elemental-bannerblock
• silverstripe/silverstripe-externallinks
• silverstripe/silverstripe-gridfieldqueuedexport
• silverstripe/silverstripe-linkfield
• silverstripe/silverstripe-lumberjack
• silverstripe/silverstripe-realme
• silverstripe/silverstripe-session-manager
• silverstripe/silverstripe-segment-field
• silverstripe/silverstripe-sharedraftcontent
• silverstripe/silverstripe-sitewidecontent-report
• silverstripe/silverstripe-subsites
• silverstripe/silverstripe-tagfield
• silverstripe/silverstripe-userforms
• silverstripe/silverstripe-versioned-admin
• symbiote/silverstripe-advancedworkflow
• symbiote/silverstripe-multivaluefield
• tractorcow-farm/silverstripe-fluent
• silverstripe/silverstripe-mfa
• silverstripe/silverstripe-totp-authenticator
• silverstripe/silverstripe-webauthn-authenticator
• silverstripe/silverstripe-login-forms

PRs

• https://github.com/silverstripe/cwp-starter-theme/pull/263

[GuySartorelli]

Merged what was mergable, and told dependabot to rebase a bunch of stuff. Currently waiting for those to be rebased and for CI to run on them.

[GuySartorelli]

Remaining alert pages to look at:

• https://github.com/silverstripe/cwp-starter-theme/security/dependabot
• https://github.com/silverstripe/cwp-watea-theme/security/dependabot
• https://github.com/silverstripe/silverstripe-versioned-admin/security/dependabot
• https://github.com/silverstripe/silverstripe-mfa/security/dependabot

[GuySartorelli]

All done