seal-community / patches Goto Github PK
View Code? Open in Web Editor NEWA centralized repository of standalone security patches for open source libraries.
Home Page: https://seal.security
License: MIT License
A centralized repository of standalone security patches for open source libraries.
Home Page: https://seal.security
License: MIT License
I am building a docker image and pushing it to AWS ECR. For Scanning i have enabled "Enhanced Scanning" with AWS Inspector. In scanning results i am getting "CVE-2023-42282 - ip" vulnerability.
In Remediation, i found:
Upgrade your installed software packages to the proposed fixed in version and release.
Update ip to 2.0.1
although i have installed [email protected] with npm install [email protected]
in my nodeJS project but still the vulnerability exists.
I have tried the https://github.com/json5/json5/tree/v2.0.1 by:
Downloading the repo & patch.
Move the downloaded patch file (0001-CVE-2022-46175.patch
) to the source code folder of json5.
Apply the patch: git apply 0001-CVE-2022-46175.patch
Pack it: npm pack
(it creates a tgz file)
Installing the patch: npm install <path_to_package_tgz>
But still i am unable to remove the ip vulnerability. How can i fix it?
Hi Team,
Thanks for the great work you are doing by patching the (security) vulnerabilities in the open-source projects! ๐๐๐
One quick question: do you contribute these patches back to the vendors or just collect it here?
I've seen that in case of the ip npm package
you proposed your fixes in a comment of a pull request that fixes the same problem in a different way.
However, in case of jackson-databind, I have not seen your proposed fixes in their repository. (Maybe I've missed the PR.)
I think, it would be a huge loss if your patches would be just laying around here without being contributed to the vendors, thereby helping their efforts of closing security loopholes and making the software ecosystem more secure and reliable.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.