Description:
We are currently using Lemur in an enterprise environment and have identified multiple security vulnerabilities related to Bower-managed dependencies. Additionally, as Lemur is limited to Python 3.9, this further restricts our ability to update key dependencies.
Issues Identified:
Bower is deprecated and no longer maintained, making it difficult to address security vulnerabilities in its dependencies.
Vulnerabilities found in Bower-managed dependencies (e.g., tough-cookie, lodash, angular, etc.), flagged by security scanners (e.g., GitLab’s Container Scanning).
Python 3.9 compatibility prevents migration to more secure package managers like npm or yarn, which require newer Python versions for modern builds.
Impact:
Increased security risks due to outdated dependencies.
Potential compliance issues for organizations requiring up-to-date dependency management.
Limited upgrade paths due to Bower's deprecation and Python 3.9 constraints.
Suggested Solutions:
Replace Bower with modern alternatives (npm, yarn, or pnpm).
Refactor frontend dependencies to remove reliance on Bower.
Provide official guidance on securing Lemur in Python 3.9 environments.
Investigate Python 3.10+ compatibility to facilitate future dependency upgrades.
We appreciate any insights from the Lemur maintainers on addressing these issues while maintaining stability in enterprise environments. Please let us know if there's an existing roadmap or any plans to phase out Bower in favor of more secure dependency management.
Thank you so much for your time and consideration!