Hello,
First, thank you for your work on Cantaloupe!
At the end of July, I submitted a PR to fix CVE-2023-37460, which was then merged (see #673).
During the July 31 meeting, the question of doing a release was discussed; however, it wasn't yet decided whether it would be a 5.x or a 6.0, but 6.0 was more likely. It was then said that if there was a release, it probably wouldn't be before fall.
My question is: is there an (I hate to say the word) estimated 6.0 release window? If there isn't, would you consider releasing a 5.x patch that includes the CVE-2023-37460 fix?
The problem here is that automated security tools analyse the dependencies of the latest release, find the bad dependency, and therefore flag the whole project as a risk. I realize that the CVE is on a transitive dependency used only at the build step, and that the actual risk incurred is probably trivial if it even exists, however security analysis tools don't have that nuance.
I initially made the PR on the 5.0 branch, but we later merged it on develop. I can make another PR on release/5.0 if you're willing to release the patch.
I hope this doesn't come across as the stereotypical open source user demanding work from maintainers. While this release would honestly make my life easier, I totally understand if it's not possible.
Camille