TFRS - Dependency Update and Management #2728

@AlexZorkin

Description

Describe the Task
This task covers a comprehensive update and management of dependencies across the TFRS (Team Zelda) application. The focus is on updating Python libraries in the backend and resolving the security findings in Go dependencies flagged by dependabot and Snyk. The updates include critical libraries such as urllib3 and cryptography in Python and golang.org/x/net in Go, and address vulnerabilities in other dependencies such as certifi, django, and pyjwt.

Purpose
The main goal is to enhance the application's security, efficiency, and functionality. Updating dependencies is crucial for maintaining system health, addressing vulnerabilities, improving performance, and incorporating new features or fixes.

Acceptance Criteria

  • Update urllib3 from version 1.26.12 to 1.26.18 in /backend (Python dependencies).
  • Address any breaking changes or issues resulting from this update.
  • Update golang.org/x/net from version 0.2.0 to 0.17.0 in /security-scan/scan-coordinator (Go dependencies).
  • Resolve any conflicts or issues after the Go dependency update.
  • Update cryptography from version 39.0.1 to 41.0.4 in /backend (Python dependencies).
  • Ensure application stability and functionality post-update.
  • Review and merge changes suggested in PR [Snyk] Fix for 8 vulnerabilities #2500 by kuanfandevops.
  • Validate that vulnerabilities are addressed after updating the dependencies, including those in certifi, django, and pyjwt.
  • Ensure no issues arise with existing project functionalities due to the updates.

Additional Context

  • Dependency update tickets #2678 and #2633 require review following dependabot alerts.
  • PR [Snyk] Fix for 8 vulnerabilities #2500 addresses vulnerabilities in pip dependencies as identified by Snyk.
  • Some vulnerabilities might exist in more than one direct dependency, so not all may be fully addressed.

Affected Files and Vulnerabilities

  • backend/requirements.txt: Update certifi to 2023.7.22, cryptography to 41.0.3, django to 3.2.20, and pyjwt to 2.4.0.
  • Address vulnerabilities of every severity from critical to low, including DoS, improper certificate validation, and ReDoS issues.
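As an added example (not code from the TFRS repository), a small check that reads a requirements.txt and reports every package named in this issue whose pin is below the target version, or which is not pinned with `==` at all. The sample file is constructed, and the cryptography floor uses 41.0.4, the higher of the two targets the issue gives.

```python
"""Check a requirements.txt against the minimum versions this issue calls for."""
import re

# Floors taken from the issue text. cryptography appears twice in the issue
# (41.0.3 and 41.0.4); the higher target is used here.
MIN_VERSIONS = {
    "urllib3": "1.26.18",
    "cryptography": "41.0.4",
    "certifi": "2023.7.22",
    "django": "3.2.20",
    "pyjwt": "2.4.0",
}

# Constructed sample, not the project's real requirements.txt: two lines still
# at old pins, one already updated, one unpinned, one with an extras marker.
SAMPLE_REQUIREMENTS = """\
# backend/requirements.txt (constructed sample)
Django==3.2.19
urllib3==1.26.12
certifi==2023.7.22
cryptography>=39.0.1
PyJWT[crypto]==2.3.0
"""

# name, optional [extras], one comparison operator, version; comments never match.
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(==|>=|~=|<=|!=|>|<)\s*([0-9][0-9A-Za-z.]*)"
)


def version_key(version):
    """Compare dotted numeric versions (all pins in this issue are numeric);
    PEP 440 pre-release or local tags are not handled here."""
    return tuple(int(part) for part in version.split("."))


def find_outdated(requirements):
    """Return (package, pinned_version_or_reason, required_floor) for each floor
    not provably met. Only an exact '==' pin counts as satisfied: any other
    specifier can still resolve to a vulnerable release at install time."""
    findings = []
    for line in requirements.splitlines():
        match = PIN_RE.match(line)
        if not match:
            continue
        name = match.group(1).lower().replace("_", "-")  # PEP 503-style name
        floor = MIN_VERSIONS.get(name)
        if floor is None:
            continue
        op, version = match.group(2), match.group(3)
        if op != "==":
            findings.append((name, f"not pinned ({op}{version})", floor))
        elif version_key(version) < version_key(floor):
            findings.append((name, version, floor))
    return findings
```

Running `find_outdated(SAMPLE_REQUIREMENTS)` flags django, urllib3, cryptography and pyjwt and leaves certifi alone; point it at the real file's contents after the update to confirm every floor in the issue is met.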

Note
Regular dependency updates are crucial for system security and performance, and this task should be approached with thorough testing and validation to ensure overall application integrity.

Labels: Medium priority; Task (any work that does not directly impact the user)