From 90f9637c2f3e8555d094c8ace11630a733ac343e Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Sun, 23 Apr 2023 10:52:24 +0000
Subject: [PATCH 1/3] fix: rootfs/usr/local/lib/web/backend/requirements.txt to reduce vulnerabilities

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-CERTIFI-3164749
- https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-1014645
- https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-1533435
- https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-559452
- https://snyk.io/vuln/SNYK-PYTHON-WERKZEUG-3319935
- https://snyk.io/vuln/SNYK-PYTHON-WERKZEUG-3319936
---
 rootfs/usr/local/lib/web/backend/requirements.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rootfs/usr/local/lib/web/backend/requirements.txt b/rootfs/usr/local/lib/web/backend/requirements.txt
index 0590bd42..1dce592a 100644
--- a/rootfs/usr/local/lib/web/backend/requirements.txt
+++ b/rootfs/usr/local/lib/web/backend/requirements.txt
@@ -1,5 +1,5 @@
 backports.ssl-match-hostname==3.7.0.1
-certifi==2019.9.11
+certifi==2022.12.7
 chardet==3.0.4
 Click==7.0
 Flask==1.1.1
@@ -14,6 +14,6 @@ MarkupSafe==1.1.1
 meld3==2.0.0
 requests==2.22.0
 six==1.12.0
-urllib3==1.25.6
+urllib3==1.26.5
 websocket-client==0.47.0
-Werkzeug==0.16.0
+Werkzeug==2.2.3
From 65fd74351f499fe78529594790684bbd209985cb Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Sun, 23 Apr 2023 10:55:51 +0000
Subject: [PATCH 2/3] fix: web/package.json & web/yarn.lock to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-1579269
---
 web/package.json | 2 +-
 web/yarn.lock | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/web/package.json b/web/package.json
index b844f41e..91cf3d1a 100644
--- a/web/package.json
+++ b/web/package.json
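Review bot: The new pins `urllib3==1.26.5` and `Werkzeug==2.2.3` in the second requirements.txt hunk do not look installable alongside the unchanged `requests==2.22.0` and `Flask==1.1.1` lines: requests 2.22.0 declares `urllib3<1.26`, and Flask 1.1.x is known to break at import with Werkzeug 2.1 and later. Only the transitive packages were bumped, so either pip's resolver rejects the file or the backend fails at start-up, and the usual outcome is that the security pins get reverted. Bump `requests` and `Flask` (with the Jinja2, itsdangerous, Click and MarkupSafe versions the chosen Flask release requires) in the same change, and add a `pip check` step to the image build so a conflicting set fails early. Werkzeug 2.2.3 also requires Python 3.7 or newer, while `backports.ssl-match-hostname` in the first hunk suggests the file dates from a Python 2 environment, so confirm the interpreter the image ships.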
@@ -13,7 +13,7 @@
  "build": "node build/build.js"
  },
  "dependencies": {
- "axios": "^0.21.1",
+ "axios": "^0.21.3",
  "vue": "^2.5.2",
  "vue-material": "^1.0.0-beta-10.2",
  "vue-router": "^3.0.1"
diff --git a/web/yarn.lock b/web/yarn.lock
index 60581fed..3f8673ec 100644
--- a/web/yarn.lock
+++ b/web/yarn.lock
@@ -374,11 +374,12 @@ aws4@^1.8.0: version "1.8.0" resolved "https://registry.yarnpkg.com/aws4/-/aws4-1.8.0.tgz#f0e003d9ca9e7f59c7a508945d7b2ef9a04a542f" -axios@^0.21.1: - version "0.21.1" - resolved "https://registry.yarnpkg.com/axios/-/axios-0.21.1.tgz#22563481962f4d6bde9a76d516ef0e5d3c09b2b8" +axios@^0.21.3: + version "0.21.4" + resolved "https://registry.yarnpkg.com/axios/-/axios-0.21.4.tgz#c67b90dc0568e5c1cf2b0b858c43ba28e2eda575" + integrity sha512-ut5vewkiu8jjGBdqpM44XxjuCjq9LAKeHVmoVfHVzy8eHgxxq8SbAVQNovDA8mVi05kP0Ea/n/UzcSHcTJQfNg== dependencies: - follow-redirects "^1.10.0" + follow-redirects "^1.14.0" babel-code-frame@^6.22.0, babel-code-frame@^6.26.0: version "6.26.0"
@@ -3023,10 +3024,15 @@ flush-write-stream@^1.0.0: inherits "^2.0.3" readable-stream "^2.3.6" -follow-redirects@^1.0.0, follow-redirects@^1.10.0: +follow-redirects@^1.0.0: version "1.13.3" resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.13.3.tgz#e5598ad50174c1bc4e872301e82ac2cd97f90267" +follow-redirects@^1.14.0: + version "1.15.2" + resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.2.tgz#b460864144ba63f2681096f274c4e57026da2c13" + integrity sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA== + for-in@^1.0.2: version "1.0.2" resolved "https://registry.yarnpkg.com/for-in/-/for-in-1.0.2.tgz#81068d295a8142ec0ac726c6e2200c30fb6d5e80"
From 6d3defc9511832457a4590b4ed06e2ae06e8cad3 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Sun, 23 Apr 2023 10:58:01 +0000
Subject: [PATCH 3/3] fix: Dockerfile.amd64 to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-UBUNTU2004-NCURSES-1656318
- https://snyk.io/vuln/SNYK-UBUNTU2004-NCURSES-1656318
- https://snyk.io/vuln/SNYK-UBUNTU2004-NCURSES-2770341
- https://snyk.io/vuln/SNYK-UBUNTU2004-SHADOW-5425687
- https://snyk.io/vuln/SNYK-UBUNTU2004-SHADOW-5425687
---
 Dockerfile.amd64 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
index f36e07d6..83f6b169 100644
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@@ -4,7 +4,7 @@
 # base system
 ################################################################################
-FROM ubuntu:20.04 as system
+FROM ubuntu:kinetic as system
@@ -82,7 +82,7 @@ RUN apt-get update \
 ################################################################################
 # builder
 ################################################################################
-FROM ubuntu:20.04 as builder
+FROM ubuntu:kinetic as builder
 RUN sed -i 's#http://archive.ubuntu.com/ubuntu/#mirror://mirrors.ubuntu.com/mirrors.txt#' /etc/apt/sources.list;
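Review bot: `FROM ubuntu:kinetic as system` (and the same change at `FROM ubuntu:kinetic as builder` in the second hunk) moves both stages from an LTS release to an interim Ubuntu release with a nine-month support window, so the scanner findings clear today but the base stops receiving security updates far sooner than 20.04 would have. An LTS tag such as `FROM ubuntu:22.04 as system` is the safer target, provided a rescan confirms its ncurses and shadow packages carry the fixes; pinning by digest (`ubuntu:22.04@sha256:<digest>`, placeholder) would also make rebuilds reproducible. The release jump also changes what the `apt-get` steps install and may affect the `sed` on `/etc/apt/sources.list` in the builder stage, so the image needs a full rebuild and test. Both stages continue outside these hunks.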