I'm struggling with how to deal with constant Dependabot notices about Nokogiri vulnerabilities. Specifically, this one:
Nokogiri patches vendored libxml2 to resolve multiple CVEs [Critical]
I think I'm ok because it's used by a GitHub Pages/Jekyll sub-project, which doesn't accept XML input from users of my Pages site. (SOOOO glad I figured out how to do vite-based GitHub Pages since I wrote that documentation set, Jekyll is vile!, and the constant stream of Nokogiri vulnerability notices that I get because I'm using Jekyll at GitHub's recommendation is... exhausting). But...
As I read the vulnerability, it requires an update to libxml, which surely is a GitHub problem, and not an issue that I can address, since it would require a patch to the servers that host GitHub Pages. And given that it's not actually possible for a GitHub page to accept an HTML POST request that contains XML and then parse it...
Do you guys just auto-generate these vulnerability notices automatically, or is there a human involved evaluating them?
It would be nice if you could provide SOME analysis in the Dependabot notice. Like mentioning that the vulnerability is only a vulnerability if your GitHub site accepts POST requests containing XML (which a GitHub page can't do anyway). And that the vulnerability can only be fixed by GitHub. That would be nice too.