TFRS - Dependency Update and Management #2728

Open
9 tasks
AlexZorkin opened this issue Nov 14, 2023 · 0 comments
Labels
Medium Medium priority Task Any work that does not directly impact the user


Describe the Task
This task covers a comprehensive update and management of dependencies across the TFRS (Team Zelda) application. The focus is on updating Python libraries in the backend and addressing security concerns in Go dependencies, as flagged by dependabot and Snyk. The updates include critical libraries such as urllib3 and cryptography in Python and golang.org/x/net in Go, and address vulnerabilities in other dependencies such as certifi, django, and pyjwt.

Purpose
The main goal is to enhance the application's security, efficiency, and functionality. Updating dependencies is crucial for maintaining system health, addressing vulnerabilities, improving performance, and incorporating new features or fixes.

Acceptance Criteria

  • Update urllib3 from version 1.26.12 to 1.26.18 in /backend (Python dependencies).
  • Address any breaking changes or issues resulting from this update.
  • Update golang.org/x/net from version 0.2.0 to 0.17.0 in /security-scan/scan-coordinator (Go dependencies).
  • Resolve any conflicts or issues after the Go dependency update.
  • Update cryptography from version 39.0.1 to 41.0.4 in /backend (Python dependencies).
  • Ensure application stability and functionality post-update.
  • Review and merge the changes suggested in PR "[Snyk] Fix for 8 vulnerabilities" #2500 by kuanfandevops.
  • Validate that the vulnerabilities are addressed after updating the dependencies, including those in certifi, django, and pyjwt.
  • Ensure no issues arise with existing project functionality due to the updates.

Additional Context

  • Dependency update tickets #2678 and #2633 require review following dependabot alerts.
  • PR "[Snyk] Fix for 8 vulnerabilities" #2500 addresses vulnerabilities in pip dependencies identified by Snyk.
  • Some vulnerabilities may exist in more than one direct dependency, so not all of them may be fully addressed by a single upgrade.

Affected Files and Vulnerabilities

  • backend/requirements.txt: Update certifi to 2023.7.22, cryptography to 41.0.3, django to 3.2.20, and pyjwt to 2.4.0.
  • The flagged vulnerabilities range from critical to low severity and include DoS, improper certificate validation, and ReDoS issues.
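To make the "validate that vulnerabilities are addressed" criterion mechanically checkable, the following is an added example (not code from the TFRS project) that parses a pinned requirements.txt and reports every pin still below the minimum versions this issue names. The file contents are a constructed sample, and the cryptography floor assumes the 41.0.3 value given for backend/requirements.txt.

```python
import re
# Minimum versions named in this issue (backend/requirements.txt plus urllib3 from the criteria)
REQUIRED_MIN = {
    "certifi": "2023.7.22",
    "cryptography": "41.0.3",
    "django": "3.2.20",
    "pyjwt": "2.4.0",
    "urllib3": "1.26.18",
}
# Constructed sample pin file, not the project's actual requirements.txt
SAMPLE_REQUIREMENTS = """\
certifi==2022.12.7
cryptography==39.0.1  # flagged by dependabot
Django==3.2.18
PyJWT==2.4.0
urllib3==1.26.12
requests==2.28.1
"""

def normalize(name):
    """PEP 503 name normalisation: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(v):
    """'1.26.18' -> (1, 26, 18); stops at the first non-numeric component."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def parse_requirements(text):
    """Collect exact '==' pins keyed by normalised name; comments and blanks are ignored."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\d[\w.]*)", line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins

def outdated_pins(text, required=REQUIRED_MIN):
    """Return (package, pinned or 'missing', required) for every pin below its target."""
    pins = parse_requirements(text)
    return [(pkg, pins.get(normalize(pkg), "missing"), minimum)
            for pkg, minimum in required.items()
            if parse_version(pins.get(normalize(pkg), "0")) < parse_version(minimum)]
```

Running `outdated_pins(SAMPLE_REQUIREMENTS)` on the sample lists certifi, cryptography, django and urllib3 as still below target, while PyJWT at 2.4.0 passes; a pin that is absent entirely is reported as "missing" rather than silently skipped.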

Note
Regular dependency updates are essential for system security and performance. This task should be approached with thorough testing and validation so that overall application integrity is preserved.

@AlexZorkin AlexZorkin added Medium Medium priority Task Any work that does not directly impact the user labels Nov 14, 2023