Skip to end of banner
Go to start of banner

2021-01-08 Meeting Notes

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Date

08 Jan 2021

Attendees

Discussion items

TimeItemWhoNotes

Review Security IssuesTeamĀ Review Kanban board

Stripes Node version restriction

Julian Ladisch

The FOLIO Security Team should give the Technical Council a proposal how to proceed with STCOR-497 "Node.js TLS, HTTP and OpenSSL security vulnerabilities (CVE-2020-8265, CVE-2020-8287, CVE-2020-1971)" and the pull request stripes-core/pull/982.

Option a): Close as "Won't do" and create a separate Jira to create documentation for DevOps and SysOps about secure Node versions.

Option b): Commit.

The pull request is a one-line change in stripes-core package.json: "node": ">=15.5.1 || ^14.15.4 || ^12.20.1"
It rejects vulnerable Node versions, example from Jenkins:

The engine "node" is incompatible with this module.
Expected version ">=15.5.1 || ^14.15.4 || ^12.20.1". Got "12.20.0"

Stripes developers don't want to take care for DevOps and SysOps that fail to use a fully-patched system and suggest option a) whereas option b) requires less effort for the whole project and results in security by default. For details see the discussion on stripes-core/pull/982.


Safe harbor, policies

Mike Gorrell

Safe Harbor Statement/Acceptable Use Policy -

  • No labels