chore: Create CVE troubleshooting guide#2456
Conversation
Reviewed line:
> If the fixed version falls within the SDK's declared semver range (i.e., no major version bump), you can update the vulnerable package in your own project:
[pp] pnpm will sometimes require pnpm update --recursive <package-name>
Should we add instructions on other package managers than npm? I was thinking that if you use pnpm you probably don't need this guide. Also, AFAIK we only have instructions for npm everywhere else.
That's fair, but pnpm is actually notable here because for us dependabot routinely fails to handle security remediation PRs.
As discussed, we will ultimately not add it.
Co-authored-by: David Knaack <david.knaack@sap.com>
Reviewed lines:
> :::note
> Be aware of the [`min-release-age`](https://docs.npmjs.com/cli/v10/using-npm/config#min-release-age) setting in both directions:
[req] This was added in v11:
Suggested change:
- Be aware of the [`min-release-age`](https://docs.npmjs.com/cli/v10/using-npm/config#min-release-age) setting in both directions:
+ Be aware of the [`min-release-age`](https://docs.npmjs.com/cli/v11/using-npm/config#min-release-age) setting in both directions:
Reviewed lines:
> If the fixed version falls within the SDK's declared semver range (i.e., no major version bump), update the vulnerable package:
>
> ```
> npm update PACKAGE_NAME
> ```
[req] Both npm update and npm audit appear to respect min-release-age during dependency resolution.
Suggested change:
- npm update PACKAGE_NAME
+ npm update --min-release-age=0 PACKAGE_NAME
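Review bot: the suggested line makes `--min-release-age=0` the default command, which switches off for that invocation the very setting the preceding :::note tells readers to be aware of "in both directions". Consider keeping `npm update PACKAGE_NAME` as the primary command and showing `npm update --min-release-age=0 PACKAGE_NAME` beneath it as the fallback for the case the comment describes, namely when the fixed version is younger than the configured min-release-age and a plain `npm update` would therefore resolve to an older, still-vulnerable version.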
I created a guide on what to do in case users encounter a CVE from a Cloud SDK dependency. I have the impression this is coming up more often now, and users sometimes start to panic and ask us to fix the vulnerability, while they are able to fix it on their own. This should hopefully make it easier for us to guide them towards a solution and for them to understand the steps that are needed.
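The decision the reviewed guide describes can be checked mechanically before anyone runs a command: does the fixed version still satisfy the semver range the SDK declares (no major bump), and is it old enough to pass npm's min-release-age gate? The script below is an added example written for this page; it is not code from the PR or from the SAP Cloud SDK project. It assumes the default range forms npm writes (`^`, `~`, exact), assumes min-release-age is measured in days, and uses a constructed package name (`example-dep`) and constructed dates.

```javascript
// Added example (not from the PR or the SAP Cloud SDK docs): decide whether a
// CVE fix in a transitive dependency can be pulled into your own project with
// `npm update`, and whether npm's min-release-age setting would hold it back.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1, comparing major, minor, patch in order.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret or tilde range, following npm's rules:
//   ^1.2.3 -> <2.0.0   ^0.2.3 -> <0.3.0   ^0.0.3 -> <0.0.4   ~1.2.3 -> <1.3.0
function upperBound(op, [major, minor, patch]) {
  if (op === '~') return [major, minor + 1, 0];
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Only the range forms npm writes by default are handled (^, ~, exact);
// anything else is rejected rather than guessed.
function satisfies(version, range) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1];
  const base = m[2];
  if (op === '') return compareVersions(version, base) === 0;
  const hi = upperBound(op, parseVersion(base)).join('.');
  return compareVersions(version, base) >= 0 && compareVersions(version, hi) < 0;
}

const DAY_MS = 24 * 60 * 60 * 1000;

// `minReleaseAgeDays` mirrors npm's min-release-age config (assumed here to be
// measured in days); `fixPublishedAt` and `now` are Date objects.
function remediation({ pkg, declaredRange, fixedVersion, fixPublishedAt, now, minReleaseAgeDays = 0 }) {
  if (!satisfies(fixedVersion, declaredRange)) {
    return {
      fixable: false,
      reason: `${fixedVersion} is outside the declared range ${declaredRange}; the SDK itself has to bump the dependency`,
    };
  }
  const ageDays = (now - fixPublishedAt) / DAY_MS;
  if (ageDays < minReleaseAgeDays) {
    // A plain `npm update` would resolve to an older (still vulnerable) version,
    // so the age gate has to be lifted for this one invocation.
    return {
      fixable: true,
      reason: `fix is ${ageDays.toFixed(1)} days old, below min-release-age=${minReleaseAgeDays}`,
      command: `npm update --min-release-age=0 ${pkg}`,
    };
  }
  return { fixable: true, reason: 'fix satisfies the declared range', command: `npm update ${pkg}` };
}

// Constructed sample inputs: not a real package, advisory or release history.
const SAMPLES = [
  { pkg: 'example-dep', declaredRange: '^1.4.0', fixedVersion: '1.4.7',
    fixPublishedAt: new Date('2024-06-01'), now: new Date('2024-06-20'), minReleaseAgeDays: 7 },
  { pkg: 'example-dep', declaredRange: '^1.4.0', fixedVersion: '1.4.7',
    fixPublishedAt: new Date('2024-06-18'), now: new Date('2024-06-20'), minReleaseAgeDays: 7 },
  { pkg: 'example-dep', declaredRange: '^1.4.0', fixedVersion: '2.0.0',
    fixPublishedAt: new Date('2024-06-01'), now: new Date('2024-06-20'), minReleaseAgeDays: 7 },
];

for (const s of SAMPLES) {
  console.log(`${s.declaredRange} -> ${s.fixedVersion}:`, remediation(s));
}
```

The three samples cover the cases the guide distinguishes: a fix inside the range that is old enough (plain `npm update`), a fix inside the range that min-release-age would still hide (the `--min-release-age=0` variant), and a fix that needs a major bump, which only a new SDK release can deliver.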