This repository has been archived by the owner on Jan 31, 2024. It is now read-only.
time: For the time dependency, we don't need to fix it. In summary, the time package is only used by chrono in our dependency tree, and chrono does not use the vulnerable part of the time crate. CVE-2020-26235 advisory for time 0.1 dependency chronotope/chrono#602 (comment)
In the upcoming release of chrono, they will get rid of time.
owning_ref: The same goes for owning_ref: the prometheus dependency in our substrate fork does not use the vulnerable part of owning_ref. And soon it will be upgraded to a newer version of prometheus, which does not use owning_ref.
As mentioned on the Dev Sync, the frontend dependencies with vulnerabilities (got and git-clone) are devDependencies, which are not included in the production bundle. I also notified the Quasar devs about these vulnerabilities and they promised to fix/update those.
The remaining unticked dependencies above are not security issues, but rather warnings about unmaintained dependencies. Thus, they are not blockers for the audit. It is sufficient to have an issue for them to keep track.
These are indirect dependencies, and there are open issues for replacing these unmaintained ones with alternatives. When the parent dependencies of these indirect ones replace the unmaintained ones, we can upgrade our dependencies as well, and these minor warnings will be resolved then.
Again, since these are NOT security issues, it's not mandatory but good to have to replace them when the appropriate time comes.
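The comment above separates findings into three buckets: vulnerabilities that are real blockers, vulnerabilities accepted with a written justification (the crate is only reachable through a parent that does not call the vulnerable API), and unmaintained-crate warnings that are tracked but not blocking. The script below is an added example, not code from this repository or the thread, showing how to apply that triage mechanically to a `cargo audit --json` report so the accepted-risk reasoning lives next to the advisory id instead of only in an issue comment. The report shape (`vulnerabilities.list[]`, `warnings.<kind>[]`) follows cargo-audit's JSON output as I understand it and should be treated as an assumption to check against your cargo-audit version; the sample report and the `RUSTSEC-XXXX-*` ids in it are constructed placeholders, with only CVE-2020-26235 taken from the thread.

```python
"""Triage a `cargo audit --json` report into blockers, accepted findings and warnings.

Added example, not from the issue thread. The report layout is an assumption
about cargo-audit's JSON output: vulnerabilities under `vulnerabilities.list`,
warnings grouped by kind under `warnings`.
"""
import json

# Constructed sample report. Advisory ids are placeholders, not real RUSTSEC ids.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 3,
        "list": [
            {"advisory": {"id": "RUSTSEC-XXXX-TIME", "package": "time",
                          "title": "Potential segfault in the time crate",
                          "aliases": ["CVE-2020-26235"]},
             "package": {"name": "time", "version": "0.1.44"}},
            {"advisory": {"id": "RUSTSEC-XXXX-OWNING_REF", "package": "owning_ref",
                          "title": "Multiple soundness issues", "aliases": []},
             "package": {"name": "owning_ref", "version": "0.4.1"}},
            # A finding nobody has justified yet: must surface as a blocker.
            {"advisory": {"id": "RUSTSEC-XXXX-NEW", "package": "example-crate",
                          "title": "Constructed unreviewed advisory", "aliases": []},
             "package": {"name": "example-crate", "version": "2.0.0"}},
        ],
    },
    "warnings": {
        "unmaintained": [
            {"kind": "unmaintained",
             "advisory": {"id": "RUSTSEC-XXXX-UNMAINT", "package": "old-crate"},
             "package": {"name": "old-crate", "version": "1.0.0"}},
        ],
    },
})

# Accepted findings, keyed by (package, advisory id), with the justification
# recorded in the audit thread. A blank justification is not an acceptance.
ACCEPTED = {
    ("time", "RUSTSEC-XXXX-TIME"):
        "only reached via chrono, which does not use the vulnerable part; "
        "chrono is dropping the time dependency",
    ("owning_ref", "RUSTSEC-XXXX-OWNING_REF"):
        "only reached via prometheus, which does not use the vulnerable part; "
        "prometheus upgrade will remove owning_ref",
}


def triage(report_json, accepted):
    """Split the report into blockers, accepted findings and non-blocking warnings."""
    report = json.loads(report_json)
    blockers, accepted_findings, warnings = [], [], []

    for item in report.get("vulnerabilities", {}).get("list", []):
        pkg = item["package"]["name"]
        advisory = item["advisory"]["id"]
        entry = {
            "package": pkg,
            "version": item["package"]["version"],
            "advisory": advisory,
            "aliases": item["advisory"].get("aliases", []),
        }
        justification = accepted.get((pkg, advisory), "").strip()
        if justification:
            entry["justification"] = justification
            accepted_findings.append(entry)
        else:
            # Unjustified vulnerability: blocks the audit until reviewed.
            blockers.append(entry)

    # Warnings (unmaintained, yanked, ...) are tracked, never blocking.
    for kind, items in report.get("warnings", {}).items():
        for item in items:
            warnings.append({
                "kind": kind,
                "package": item["package"]["name"],
                "advisory": item.get("advisory", {}).get("id"),
            })

    return {"blockers": blockers, "accepted": accepted_findings, "warnings": warnings}


def exit_code(result):
    """Non-zero only for unjustified vulnerabilities, so CI fails on blockers alone."""
    return 1 if result["blockers"] else 0


if __name__ == "__main__":
    outcome = triage(SAMPLE_REPORT, ACCEPTED)
    print(json.dumps(outcome, indent=2))
    raise SystemExit(exit_code(outcome))
```

In a pipeline the report would come from `cargo audit --json` rather than the embedded sample, and the accepted-findings table is the place to review whenever the parent crate (chrono, prometheus) changes version, since the justification depends on which part of the vulnerable crate that parent actually calls.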
📋 slack audit
#6
We should update the dependencies listed from the Audit see