[cfe-dev] Fwd: [llvm-mirror/clang-tools-extra] One of your dependencies may have a security vulnerability

Hans Wennborg via cfe-dev cfe-dev at lists.llvm.org
Fri Oct 26 01:45:05 PDT 2018


This is from the clang-tidy plugin that Zach wrote
(clang-tools-extra/clang-tidy-vs/ClangTidy/).

I haven't published any packages for that; in fact, I'm not sure where it is
published.

Zach: is this still maintained or should we remove it, or update the
YamlDotNet dependency?

On Fri, Oct 19, 2018 at 2:18 PM, Jonas Toth via cfe-dev <
cfe-dev at lists.llvm.org> wrote:

> +Hans, I believe he packaged the Visual Studio plugin this seems to come
> from.
>
> On 17.10.2018 at 07:00, Will Dietz via cfe-dev wrote:
>
> Hi folks, haven't looked into it but thought I'd forward this in case it's
> useful and worth acting on.  Apologies if entirely noise, but better safe
> than sorry :).
>
> Happy LLVM-ing,
> ~Will
>
> ---------- Forwarded message ---------
> From: GitHub <notifications at github.com>
> Date: Tue, Oct 16, 2018, 12:02 PM
> Subject: [llvm-mirror/clang-tools-extra] One of your dependencies may
> have a security vulnerability
> To: llvm-mirror/clang-tools-extra <clang-tools-extra at noreply.github.com>
> Cc: Security alert <security_alert at noreply.github.com>
>
>
>
> We found a potential security vulnerability in one of your dependencies
> *dtzWill,*
>
> We found a potential security vulnerability in a repository for which you
> have been granted security alert access.
> llvm-mirror/clang-tools-extra
> <https://github.com/llvm-mirror/clang-tools-extra>
> Known *high severity* security vulnerability detected in YamlDotNet <=
> 4.3.2 defined in packages.config
> <https://github.com/llvm-mirror/clang-tools-extra/blob/master/clang-tidy-vs/ClangTidy/packages.config>.
>
> packages.config
> <https://github.com/llvm-mirror/clang-tools-extra/blob/master/clang-tidy-vs/ClangTidy/packages.config>
> update suggested: YamlDotNet ~> 5.0.0.
> Always verify the validity and compatibility of suggestions with your
> codebase.
>
> Review vulnerable dependency
> <https://github.com/llvm-mirror/clang-tools-extra/network/alert/clang-tidy-vs/ClangTidy/packages.config/YamlDotNet/open>
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>
>