Closed robertbagge closed 3 months ago
I think we can push to use 1.6.8 and above, right?
Definitely. 1.6.5 was the latest release when this PR was created in Jan.
Can you please update it in the PR? I can merge it. Thanks!
Done.
Unrelated. We found out about this vulnerability when running dependabot. The entire Twilio SDK ecosystem is full of outdated packages with vulnerabilities. Could work around most of them by manually patching, but it'd be great to see Twilio adopt something like dependabot as well to keep up to date with latest security practices.
Hmmm, we do have dependabot for some repositories. Let me see if I can add one here. Thanks!
Fixes
This version patches the follow-redirects package to a version that does not have the following vulnerability - https://github.com/follow-redirects/follow-redirects/issues/235