Zulip Chat Archive

Stream: FLT

Topic: github security warnings


Kevin Buzzard (Jun 17 2024 at 11:50):

I see these security warnings on the FLT repo:

FLT.png

What's happening and what do I do?

Ruben Van de Velde (Jun 17 2024 at 12:44):

Do we need all those dependencies just to render the static page at https://imperialcollegelondon.github.io/FLT/ ?

Mauricio Collares (Jun 17 2024 at 12:57):

Those are Jekyll dependencies, so they're needed to create the html files which get served under https://imperialcollegelondon.github.io/FLT/

Mauricio Collares (Jun 17 2024 at 13:00):

(deleted)

Mauricio Collares (Jun 17 2024 at 13:01):

Gemfile seems to pin a version of tzinfo, so the Gemfile itself might need updating (as well as running bundle update inside the docs directory, which is Ruby's equivalent of lake update).

Alex Meiburg (Jun 17 2024 at 14:59):

It's worth noting that none of these are remotely urgent. These are all bugs of the form (1) letting someone see files on your website that are private, or (2) that if users uploaded malicious data, they could denial-of-service your webserver or see data of other users. But neither applies here.

They still should be fixed, I mean, but they also aren't things you should feel guilty putting off for a month.

Julian Berman (Jun 17 2024 at 16:07):

Here's a PR doing that (bundle update, which seems not to break the site locally at least). https://github.com/ImperialCollegeLondon/FLT/pull/106

Julian Berman (Jun 17 2024 at 16:08):

Agree that it's all noise for this kind of thing, though Kevin you can also go here: https://github.com/ImperialCollegeLondon/FLT/settings/security_analysis and click "Enable" on Dependabot Security Updates and then it will attempt to at least automatically send you mindless PRs you can merge to fix this sort of thing.

Ruben Van de Velde (Jun 18 2024 at 10:16):

Looks like the updates broke things, though: https://github.com/ImperialCollegeLondon/FLT/actions/runs/9553547988/job/26332600543

Kevin Buzzard (Jun 18 2024 at 12:07):

ffi-1.17.0-x86_64-linux requires rubygems version >= 3.3.22, which is
incompatible with the current version, 3.2.33

So close!

Julian Berman (Jun 18 2024 at 12:23):

Ah. I'll have a look in an hour when I'm back at a computer; that should be easy to fix.

Julian Berman (Jun 18 2024 at 13:51):

https://github.com/ImperialCollegeLondon/FLT/pull/107


Last updated: May 02 2025 at 03:31 UTC