[CKAN-Security] Vulnerabilities due to outdated software.

David Read david.read at hackneyworkshop.com
Fri Sep 29 10:03:25 UTC 2017


Interesting to receive this. Sadly, bad timing straight after we did
the last one. I for one am all out of time at the moment to work on
this, sadly, so hopefully someone can step up.

So they read through the changelogs for all the deps and highlighted
anything that looked like a vulnerability. My experience suggests that
dependencies are rarely fully used, so the vulnerabilities tend not to
affect the dependee. But you just can't be sure without raking through
the details :( Simplest thing is to be on the latest version.

No doubt someone should see if we can upgrade all of these. I bet
there will be some difficulties though, and that will raise
questions.

Do we look to update deps on just CKAN 2.7, or 2.4, 2.5 and 2.6 too?

As a general thing, I've heard Snyk mentioned a few times, which I
believe we can add to our Travis for free, that is supposed to look at
dependencies and give you levels of risk.

Dave
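The check Dave describes, raking through the dependency list and deciding which pinned versions fall inside a known-vulnerable range, as an added example in Python (CKAN's language). This is not CKAN's code and not what Snyk does internally: the requirements text and the advisory table are constructed for illustration, name no real advisories, and the package versions are not CKAN's actual pins. A real run would load advisories from a feed such as the PyPA advisory database and point `audit` at the project's own requirements file.

```python
"""Added example: a minimal audit of a pinned requirements file against an
advisory table. The sample pins and advisories below are CONSTRUCTED and
illustrative only (no real CVEs or real CKAN pins)."""
import re

# Constructed sample requirements file. Exact pins can be audited; a range
# such as lxml's is reported as unauditable, because the installed version
# is not known from the file alone.
SAMPLE_REQUIREMENTS = """\
# comments and blank lines are skipped
Flask==0.12
requests==2.9.1
lxml>=3.7,<4   # a range, not a pin
SQLAlchemy==1.1.11
"""

# Constructed advisory table: package -> [(introduced, fixed, label)].
# A version v is affected when introduced <= v < fixed.
SAMPLE_ADVISORIES = {
    "requests": [("2.0.0", "2.20.0", "example-advisory-A")],
    "flask":    [("0.0.0", "0.12.3", "example-advisory-B")],
}


def parse_version(text):
    """Turn '2.9.1' into (2, 9, 1); stop at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _padded(a, b):
    """Pad tuples with zeros so that 1.0 and 1.0.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(a, b):
    pa, pb = _padded(parse_version(a), parse_version(b))
    return pa < pb


def version_ge(a, b):
    return not version_lt(a, b)


def parse_requirements(text):
    """Yield (name, specifier) pairs; names are lower-cased for lookup."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*(.*)", line)
        yield m.group(1).lower(), m.group(2).strip()


def audit(requirements_text, advisories):
    """Return (name, version_or_spec, message) for every pin inside an
    advisory range, plus one entry per requirement that is not an exact pin."""
    findings = []
    for name, spec in parse_requirements(requirements_text):
        m = re.fullmatch(r"==\s*([0-9][0-9A-Za-z.]*)", spec)
        if not m:
            findings.append((name, spec, "unpinned: cannot audit an exact version"))
            continue
        version = m.group(1)
        for introduced, fixed, label in advisories.get(name, []):
            if version_ge(version, introduced) and version_lt(version, fixed):
                findings.append((name, version, f"{label}: affected, fixed in {fixed}"))
    return findings


if __name__ == "__main__":
    for name, version, message in audit(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
        print(f"{name} {version}: {message}")
```

The output tells you only that the installed version lies in a range an advisory names; as the message above notes, whether the vulnerable code path is actually reachable from CKAN still needs a read of the advisory details. Moving the pin to or beyond the `fixed` version is what clears the finding.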


