[
https://issues.apache.org/jira/browse/SLING-12492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17904978#comment-17904978
]
Eric Norman commented on SLING-12492:
-------------------------------------
{quote}you have to find this PR in closed PRs and reopen and reprocess it
{quote}
[~sseifert] Ok, I didn't find any PR that seemed to be related to that.
No dependabot.yml file existed in the repository, so it was not entirely clear to
me where the dependabot configuration would be coming from. Is there a
centralized location where the default settings are defined for the whole sling
organization or something?
I tried creating the dependabot.yml file as suggested in the github dependency
graph UI and that triggered an action that opened up 5 "version update" pull
requests instead of the 1 "security update" pull request I was looking for.
So I reverted that change and closed those 5 pull requests until I had a better
idea about what was happening.
Also there was something at [1] about configuring dependabot via the .asf.yaml
file but it doesn't say what the defaults are when those settings are not
specified. So I would appreciate some guidance on what the proper way is to
ensure that the "security update" dependabot actions are enabled properly.
[1] https://github.com/apache/infrastructure-asfyaml/blob/main/README.md#dependabot-alerts-and-updates
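The distinction the comment runs into is that Dependabot "version updates" are driven by a dependabot.yml file, while "security updates" are a repository setting that does not require one. The following is an added illustration, not configuration from the Sling repository or the linked README: it shows a dependabot.yml that keeps the Maven ecosystem registered but caps version-update pull requests at zero (GitHub documents this as disabling version updates without affecting security updates), alongside the .asf.yaml keys that, per the README referenced at [1], toggle Dependabot alerts and updates for an ASF repository (the exact key names are assumed from that README and should be checked against it).

```yaml
# --- .github/dependabot.yml (added example, not the project's file) ---
# Registering the ecosystem with open-pull-requests-limit: 0 means Dependabot
# will NOT open "version update" PRs (the five PRs the comment describes),
# while "security update" PRs for known-vulnerable dependencies are still
# created, because security updates have their own separate limit.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0

# --- .asf.yaml (added example; key names assumed from the README at [1]) ---
# For ASF-managed repositories the Dependabot toggles live here rather than in
# the GitHub UI. Alerts surface the vulnerable dependency; updates let
# Dependabot open the corresponding security-update pull request.
github:
  dependabot_alerts: true
  dependabot_updates: true
```

If neither file is present, security updates still depend on the repository-level setting being enabled, so the absence of a dependabot.yml alone does not explain a missing security-update pull request.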
> Apache Sling Scripting JavaScript 3.1.4 is affected by vulnerabilities
> CVE-2022-32549 and CVE-2021-29425.
> ---------------------------------------------------------------------------------------------------------
>
> Key: SLING-12492
> URL: https://issues.apache.org/jira/browse/SLING-12492
> Project: Sling
> Issue Type: Improvement
> Components: Scripting
> Affects Versions: Scripting JavaScript 3.1.4
> Reporter: Scott Yuan
> Assignee: Eric Norman
> Priority: Minor
> Fix For: Scripting JavaScript 3.1.6
>
>
> The MVN Repository reports that the latest release, Apache Sling Scripting
> JavaScript 3.1.4, is affected by vulnerabilities CVE-2022-32549 and
> CVE-2021-29425 due to outdated dependencies. For more details, visit MVN
> Repository.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)