Merge dependabot security PRs #4847

Open
14 tasks
mikesposito opened this issue Oct 24, 2024 · 0 comments
mikesposito commented Oct 24, 2024

There are several PRs related to security vulnerabilities from dependabot in repos owned by Wallet Framework (for the full list, see https://github.com/MetaMask/MetaMask-planning/issues/3540).

In some cases, we should also prioritize releasing the affected packages and updating them in their consumers in order to mitigate the security issues, based on their EPSS value.

When to release the package

  • if EPSS is >= 1% then release the package and deliver to clients
  • if EPSS is < 1%
    • if the package is released (and delivered to clients) frequently then just merge the dependabot PR
    • if the package is rarely updated, release and deliver to (at least) other packages that are released more frequently, or to clients if it makes sense

To get the EPSS value

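The following is an added example (not code from the issue or from the MetaMask repos) showing how the triage rule above can be applied in practice: fetch EPSS scores for the CVEs behind the dependabot alerts from the public FIRST EPSS API, then map each alert to an action using the 1% threshold and the package's release frequency. The API URL and response shape are those of the FIRST EPSS API; the sample payload, the placeholder CVE IDs and package names, and the handling of alerts with no EPSS score (flagged for manual review) are assumptions made for the example.

```python
"""Triage dependabot security PRs by EPSS, per the rule in this issue.

Added example, not MetaMask code. Network access is only needed for
fetch_epss(); everything else runs on the constructed sample below.
"""
import json
import urllib.parse
import urllib.request

# Public FIRST EPSS API; accepts a comma-separated list of CVE IDs.
EPSS_API = "https://api.first.org/data/v1/epss"
# Threshold from the issue: EPSS >= 1% means release and deliver to clients.
RELEASE_THRESHOLD = 0.01

# Constructed sample response mirroring the FIRST API shape. The CVE IDs are
# placeholders, not real vulnerabilities.
SAMPLE_RESPONSE = {
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 2, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-2024-00001", "epss": "0.042310000",
         "percentile": "0.910000000", "date": "2024-10-24"},
        {"cve": "CVE-2024-00002", "epss": "0.000480000",
         "percentile": "0.180000000", "date": "2024-10-24"},
    ],
}

# Constructed dependabot alerts: which package each CVE affects and whether
# that package is released (and delivered to clients) frequently.
SAMPLE_ALERTS = [
    {"cve": "CVE-2024-00001", "package": "@example/frequent-pkg", "released_frequently": True},
    {"cve": "CVE-2024-00002", "package": "@example/frequent-pkg", "released_frequently": True},
    {"cve": "CVE-2024-00002", "package": "@example/rare-pkg", "released_frequently": False},
    # Hypothetical alert whose CVE has no EPSS score yet (e.g. GHSA-only).
    {"cve": "CVE-2024-00003", "package": "@example/rare-pkg", "released_frequently": False},
]


def fetch_epss(cve_ids):
    """Query the FIRST EPSS API for a batch of CVE IDs (makes a network call)."""
    query = urllib.parse.urlencode({"cve": ",".join(cve_ids)})
    with urllib.request.urlopen(f"{EPSS_API}?{query}", timeout=10) as resp:
        return json.load(resp)


def parse_epss(payload):
    """Return {cve_id: epss_probability} from an API response.

    EPSS is returned as a decimal string (0..1), so 0.042310000 == 4.231%.
    CVEs the API does not know are simply absent from the result.
    """
    return {row["cve"]: float(row["epss"]) for row in payload.get("data", [])}


def triage(epss, released_frequently):
    """Apply the issue's decision rule to one alert.

    - epss is None: no score available, so flag for manual review (assumption).
    - epss >= 1%: release the package and deliver to clients.
    - epss < 1% and the package ships frequently: just merge the dependabot PR.
    - epss < 1% and the package is rarely updated: release and deliver to
      consumers that are released more frequently (or to clients if sensible).
    """
    if epss is None:
        return "no-epss-score-review-manually"
    if epss >= RELEASE_THRESHOLD:
        return "release-and-deliver"
    if released_frequently:
        return "merge-dependabot-pr"
    return "release-to-frequent-consumers"


def triage_alerts(alerts, scores):
    """Return a list of (package, cve, epss, action) for every alert."""
    result = []
    for alert in alerts:
        epss = scores.get(alert["cve"])
        action = triage(epss, alert["released_frequently"])
        result.append((alert["package"], alert["cve"], epss, action))
    return result


if __name__ == "__main__":
    # Offline run on the constructed data; swap in fetch_epss([...]) for live scores.
    scores = parse_epss(SAMPLE_RESPONSE)
    for package, cve, epss, action in triage_alerts(SAMPLE_ALERTS, scores):
        shown = "n/a" if epss is None else f"{epss:.2%}"
        print(f"{package:28} {cve:16} EPSS={shown:>7}  -> {action}")
```

EPSS is a daily-refreshed probability, so a score that sits just under 1% today can cross the threshold next week; re-running the lookup before each release decision costs one API call and avoids triaging on a stale value.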


4 participants