[Release] Announce known vulnerabilities in each release #1273
Comments
|
Hi @jimpete, the hapi-related security vulnerabilities were addressed with #1146. That is a breaking change, so we have to wait for |
|
@tmarkley When you release 1.3.0 and 1.4.0 can you include the list of known security vulnerabilities in your announcement? |
tmarkley
changed the title
|
@benwynn that is a great question. I don't think we have anything like that in place but we can discuss the options here. |
|
A quick note, these are the CVEs that we're aware of and will not be fixed until v2.0.0: https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aissue+label%3Acve+label%3Av2.0.0+ |
|
This is fantastic and may give me enough information to temporarily release 1.2.3 into production with a promise to have these closed. |
I need the hapi version called out in the latest package.json to pass sysdig scanning. Looks like 1.2.0 was 6 months ago. What is your cadence? Can you build a new version with the current security patches? I need this fix: hapijs/hapi@85d7801 which is already called out in the package.json
The text was updated successfully, but these errors were encountered: