
[Question] enable dependabot and start updating lib dependencies especially when there are security issues #3000

Open
pjfanning opened this issue Jan 19, 2025 · 1 comment · Fixed by #2989
Labels: dependencies (Pull requests that update a dependency file), good first issue (Good for newcomers), question (Further information is requested), task

Comments

@pjfanning (Contributor)

Question

I tested in my fork and dependabot reports about 70 security issues (CVEs) due to outdated dependencies in Hertzbeat. Most are NPM based but some are Java issues (commons-net, kafka-client, mysql).

@pjfanning pjfanning added the question Further information is requested label Jan 19, 2025
@tomsun28 (Contributor)

Hi, yes, not sure if higher-version dependencies work; we can only solve upgrades one by one. The dependabot is enabled.

@tomsun28 tomsun28 added good first issue Good for newcomers task dependencies Pull requests that update a dependency file labels Jan 20, 2025
@tomsun28 tomsun28 linked a pull request Jan 26, 2025 that will close this issue
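For reference, a repository-level `.github/dependabot.yml` that enables Dependabot version updates for both the Maven (Java) and npm dependencies discussed in this thread, as an added example that is not configuration from the HertzBeat project. The `/web-app` directory for the npm manifest is an assumption; Dependabot security alerts and security updates are switched on separately in the repository's security settings, this file only schedules version-update pull requests.

```yaml
# Added example, not the HertzBeat project's own configuration.
version: 2
updates:
  # Java dependencies: the Maven pom.xml at the repository root.
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap open PRs so the one-by-one upgrade approach stays manageable.
    open-pull-requests-limit: 5
    # Batch low-risk bumps into a single PR; majors still arrive individually.
    groups:
      maven-minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    labels:
      - "dependencies"

  # Frontend dependencies: package.json under the web app directory (assumed path).
  - package-ecosystem: "npm"
    directory: "/web-app"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      npm-minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    # Skip automatic major bumps for now; review those by hand.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"
```

Security-only pull requests for vulnerable transitive packages still arrive regardless of the `ignore` rule, since Dependabot security updates bypass version-update ignores for advisory-driven fixes.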