[kolla][openstack-charms][openstack-chef][openstack-helm][openstackansible][packaging-sig][puppet-openstack][tripleo] XStatic and JS dependencies

Jeremy Stanley fungi at yuggoth.org
Tue Aug 2 15:05:48 UTC 2022


I'm sending this reply separately so I can bring the topic to the
attention of all our deployment projects without bloating the
subject line of the first post, since it seems like at least some of
them are falling into this trap and I'm not sure how to tell which
ones (if any) aren't. I've also included the Packaging SIG in order
to hopefully reach some of our downstream distribution package
maintainers.

In short, the XStatic packages we rely on for Horizon's integration
of JavaScript libraries include convenience copies of those JS libs
which are not to be assumed safe for production use, since we're not
the actual authors of that code and are unable to address known
security vulnerabilities in them. See my longer message for all the
details:

https://lists.openstack.org/pipermail/openstack-discuss/2022-August/029825.html
-- 
Jeremy Stanley
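A defender-side check that follows from the message above, as an added example that is not part of the original post or of any OpenStack project: it enumerates the XStatic packages installed in an environment, reads the upstream JavaScript library version each one bundles, and flags those below a floor the operator sets from that library's own security advisories. It assumes the XStatic convention that each package installs a `xstatic.pkg.<name>` module exposing `NAME` and `VERSION` (the bundled library's version, not the XStatic build number); the `EXAMPLE_FLOORS` table is a constructed placeholder, not real advisory data.

```python
"""Inventory installed XStatic packages and flag bundled JS libraries
whose version is below an operator-supplied floor.

Added example. EXAMPLE_FLOORS is a constructed placeholder that an operator
would populate from the upstream library's own security advisories.
"""
import importlib
from importlib import metadata

# Constructed placeholder floors (NOT real advisory data):
# normalized package name -> minimum acceptable bundled library version.
EXAMPLE_FLOORS = {
    "jquery": "3.5.0",
    "bootstrap_scss": "3.4.1",
}


def normalize(name):
    """Map 'XStatic-Bootstrap-SCSS' / 'Bootstrap-SCSS' to 'bootstrap_scss',
    the form used both as the xstatic.pkg module name and as a floor key."""
    name = name.lower()
    if name.startswith("xstatic-"):
        name = name[len("xstatic-"):]
    return name.replace("-", "_")


def parse_version(text):
    """Turn '3.5.1' into (3, 5, 1) for tuple comparison.

    A non-numeric component such as the '0-rc1' in '1.0.0-rc1' keeps only
    its leading digits; an entirely non-numeric component ends the tuple.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def flag_outdated(inventory, floors):
    """Return [(name, bundled_version, floor)] for entries below their floor.

    inventory: iterable of (name, bundled_version) pairs.
    Packages with no floor are not flagged; they still need manual review.
    """
    flagged = []
    for name, version in inventory:
        floor = floors.get(normalize(name))
        if floor is None:
            continue
        if parse_version(version) < parse_version(floor):
            flagged.append((name, version, floor))
    return flagged


def installed_xstatic_inventory():
    """Discover installed XStatic-* distributions and read the bundled
    library version from the xstatic.pkg.<name> module each one installs.

    Returns [(name, bundled_version)]; packages that cannot be imported
    are skipped rather than guessed at.
    """
    inventory = []
    for dist in metadata.distributions():
        dist_name = dist.metadata["Name"] or ""
        if not dist_name.lower().startswith("xstatic-"):
            continue
        mod_name = normalize(dist_name)
        try:
            mod = importlib.import_module(f"xstatic.pkg.{mod_name}")
        except ImportError:
            continue
        inventory.append((getattr(mod, "NAME", mod_name),
                          getattr(mod, "VERSION", "0")))
    return inventory


if __name__ == "__main__":
    found = installed_xstatic_inventory()
    if not found:
        print("no XStatic packages installed in this environment")
    for name, version in found:
        print(f"{name}: bundles upstream version {version}")
    for name, version, floor in flag_outdated(found, EXAMPLE_FLOORS):
        print(f"WARNING {name}: bundled {version} is below floor {floor}")
```

Run it inside the Horizon virtualenv (or the distribution's Python) so the XStatic packages are importable; the floor table is the part that needs real maintenance, since the bundled copy only changes when someone publishes a new XStatic release.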