Vulnerability in dependencies #11
Comments
Oh boy a dependency vulnerability that's probably out of my control.
Usually when GitHub alerts us about something like this, we just need to update the version of a dependency - and GitHub tells us which one. You may need access to see that page. I'm not too concerned about vulnerabilities in this repo, because it's served as a static site, so there's no server to attack. The Ruby dependencies are used by Jekyll to convert the source files to HTML, but that runs before it's served. The WRSC tracking site, on the other hand, does run as a Rails server, so security issues are more important.
I guess I'll put this issue on the back burner for now. Once I've got everything else sorted out, then I'll work on this.
Yeah, it is probably nothing important. It was mainly to remove this big scary banner ;)
The security vulnerabilities page now has a button to dismiss the alerts. I'm inclined to do this - as I mentioned before, I don't think we need to worry about vulnerabilities in code we're using to generate a static site. The only attack I can see is to include malicious code in one of the files and then get someone else to build the site, to attack their computer. But I'd assume a static site build can run arbitrary code at some point, even if everything is working correctly, so you're effectively trusting anyone who can edit it.
Sorry it took me more than a year to get back to this... Yeah I think dismissing the alerts would be fine enough. I could still update the dependencies anyway, later today.
If you've got time to update the dependencies and make sure it all still works, that might mean fewer warnings in the future too.
I'm pretty confident in it - e.g. the config file contains a list of Jekyll plugins. I presume those can be written by anyone. So if you wrote a malicious plugin and included it in the config, you could attack anyone who built the site. That sounds bad, but it's just like collaborating on code. I guess if it was a concern, we could work out how to build the site in a Docker container, and describe that in the README.
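The comment above makes the point that every plugin named in `_config.yml` is Ruby code that runs on the machine of whoever builds the site, and that GitHub's alerts only cover what is declared as a dependency. The script below is an added example, not code from this repo or from Jekyll: it checks that each plugin the config loads is pinned as a gem in `Gemfile.lock` (so the alert feed would actually cover it) and reports when Jekyll's `safe` mode is off, since with `safe: false` Jekyll also loads any `.rb` file dropped into `_plugins/`. The `_config.yml` and `Gemfile.lock` contents are constructed samples, and the file layout it assumes is Jekyll's default.

```ruby
# Added example (not the repo's own code): audit a Jekyll _config.yml against
# Gemfile.lock so that every build-time plugin is a pinned, alert-covered gem.
require "yaml"

# Constructed sample _config.yml (not this repo's real config).
SAMPLE_CONFIG = <<~YAML
  title: Example site
  safe: false
  plugins:
    - jekyll-feed
    - jekyll-seo-tag
    - jekyll-mystery-plugin
YAML

# Constructed sample Gemfile.lock fragment in Bundler's layout:
# direct specs are indented 4 spaces, their dependencies 6.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jekyll (4.3.2)
        addressable (~> 2.4)
      jekyll-feed (0.17.0)
        jekyll (>= 3.7, < 5.0)
      jekyll-seo-tag (2.8.0)
        jekyll (>= 3.8, < 5.0)

  PLATFORMS
    ruby
LOCK

# Parse the "specs:" section of a Gemfile.lock into {gem_name => version}.
# Only 4-space-indented "name (version)" lines are specs; deeper lines are
# that spec's dependencies and a new non-indented section ends the block.
def lockfile_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    next unless in_specs
    if line =~ /\A\S/
      in_specs = false
      next
    end
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = m[2] if m
  end
  specs
end

# Plugins the config loads that have no pinned version in the lockfile.
# "gems" is the pre-3.5 name of the "plugins" key, so check both.
def unpinned_plugins(config_yaml, lock_text)
  config = YAML.safe_load(config_yaml) || {}
  plugins = Array(config["plugins"]) + Array(config["gems"])
  plugins.uniq - lockfile_specs(lock_text).keys
end

# Jekyll loads arbitrary Ruby from _plugins/ unless safe mode is on.
def custom_plugins_allowed?(config_yaml)
  config = YAML.safe_load(config_yaml) || {}
  config["safe"] != true
end

# Collect human-readable findings for a config/lockfile pair.
def audit(config_yaml, lock_text)
  findings = []
  unpinned_plugins(config_yaml, lock_text).each do |name|
    findings << "plugin #{name} is not pinned in Gemfile.lock, so dependency alerts will not cover it"
  end
  if custom_plugins_allowed?(config_yaml)
    findings << "safe mode is off: any Ruby file in _plugins/ runs at build time"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_CONFIG, SAMPLE_LOCKFILE).each { |finding| puts finding }
end
```

Run against a real checkout by reading `_config.yml` and `Gemfile.lock` from disk in place of the two constants; a clean result means the plugin set is exactly what Bundler resolves and what the dependency alerts watch, which is the precondition for dismissing an alert with any confidence.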
👌 I know what I'm gonna do for my lunch break
So this is taking a lot longer than expected. I've made the PR for it (#19), but it's still a WIP.
GitHub shows the message "We found a potential security vulnerability in one of your dependencies."
Is there something that can be done about it?
@zysim do you want to have a look at this?