-
Notifications
You must be signed in to change notification settings - Fork 532
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix vulnerability issue reported by Trivy #742
Comments
Feel free to send a PR changing the revision for json-schema, I don't believe this code is used in this library in such a way as to cause a security issue, but I have no objections to reving the version, assuming tests pass. |
Thanks, @brendandburns for your reply. |
@eagleweb there is a large discussion of the challenge of replacing The tl;dr; is that replacing request would involve using a different generator, which would result in a different shaped client, which would be a major breaking change. For this specific security concern, I think we should just try updating the vulnerable library, since I'm fairly certain we don't use it anyway. |
The switch to fetch is now being tracked in #754. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
@k8s-triage-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Describe the bug
Trivy security scan reports that
json-schema
has critical vulnerabilities related to Prototype Pollution.** Client Version **
0.16.1
To Reproduce
Steps to reproduce the behavior:
run "yarn audit" or "trivy fs ."
The text was updated successfully, but these errors were encountered: