Update clojure packages #400
I'm just peanut gallery on this, so I'll leave it to @metasoarous :) Fwiw, dependabot (which we're using to auto-update github-actions, npm, and docker versions) doesn't yet work for clojure -- otherwise we'd probably be talking about turning that on. Related: @metasoarous how would you go about adding tests for the math component anyhow? Is that easy or worthwhile? (Happy to spin this out if it's a big convo) |
Also, could run something like this in a github action check, to keep us honest: |
https://github.com/xsc/lein-ancient is another tool to consider.
On July 3, 2020 at 10:46:03 PM PDT, Patrick Connolly <notifications@github.com> wrote:
Also, could run something like this in a github action check, to keep us honest:
* https://github.com/rm-hull/lein-nvd
* https://github.com/marketplace/actions/setup-clojure
|
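A workflow of the kind suggested above, as an added example that is not part of this thread or the polis project: it installs Leiningen through setup-clojure and runs lein-nvd against the math component on every push and pull request. The action versions, the lein-nvd version, the `math` working directory and the `master` branch name are assumptions to adjust for the repository.

```yaml
# Added example (not from the thread): audit Clojure dependencies against the
# NVD in CI so a newly published CVE in a pinned library shows up as a failed
# check instead of going unnoticed.
# Assumptions: Leiningen project in math/, default branch "master"; pin the
# action and plugin versions below to current releases before use.
name: clojure-deps-audit

on:
  push:
    branches: [ master ]
  pull_request:

jobs:
  nvd:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      # The thread settled on Java 1.8 (Heroku's default build and the docker
      # image both need it), so audit with the same JDK the code runs on.
      - name: Set up JDK 1.8
        uses: actions/setup-java@v1
        with:
          java-version: '1.8'

      - name: Install Leiningen
        uses: DeLaGuardo/setup-clojure@3.1
        with:
          lein: 2.9.1

      # Cache the local Maven repository so repeated runs do not re-download
      # every dependency just to scan it.
      - name: Cache ~/.m2
        uses: actions/cache@v2
        with:
          path: ~/.m2/repository
          key: m2-${{ runner.os }}-${{ hashFiles('math/project.clj') }}

      - name: Check dependencies against the NVD
        working-directory: math
        run: |
          # lein-nvd is added through a throwaway :user profile so that
          # project.clj stays untouched; version is a placeholder.
          mkdir -p ~/.lein
          echo '{:user {:plugins [[lein-nvd "1.4.1"]]}}' > ~/.lein/profiles.clj
          # Whether findings fail the step depends on the plugin's
          # fail-threshold setting; confirm it against the lein-nvd README.
          lein nvd check
```

The report the check produces is the same kind of dependency-tree output discussed below (packages whose newest release still pulls in vulnerable dependencies), so it can double as the input for deciding which libraries to replace rather than bump.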
Rough strategy to get lay of landscape:
There ended up being a few packages with many critical vulns, which means that they've fallen behind on maintenance, as even the newest versions have some vulnerable dependencies. These are the ones most worth considering moving away from imho, when considering pkg updates. First two columns are output of Results
|
Updating the java version from 1.7 to 1.8 in |
No objection, but can you clarify what's easier about 1.8? I thought either one was just a line in |
Ah, found your comment in #244 (comment) that explains 👍
|
1.8 works in heroku. 1.7 does not because some supporting packages in the default heroku build are compiled under 1.8 and are not backward compatible.
The math logs for the docker build with 1.8 look normal, but they are not very informative.
C.
On August 4, 2020 at 10:06:17 AM PDT, Patrick Connolly <notifications@github.com> wrote:
Ah, found your comment in #244 (comment) that explains 👍
math also seems to be working after I bumped the java version from "1.7" to "1.8". I'm trying the same change in docker right now.
|
Ah, seems this is likely that the files in |
@metasoarous in Gitter: https://gitter.im/pol-is/polisDeployment?at=5f2b0653028fac5e4d9ad609
|
Thanks for putting this out there @crkrenn. And @patcon for digging into the dep tree. This is definitely something we should tackle. I can update those Oz dependencies. Also, Incanter should really be removed as it's defunct, and I think it's just one or two utility functions using it. We should be using the tech.ml stack now (see the analysis repo). I actually have a few of these changes in progress on a local checkout from some data-poking I was doing recently, so I'll try to wrap that up. For the record though, a lot of these vulnerabilities don't really apply to the math worker as it never receives direct traffic from the web. But, that's not a good reason not to keep things up to date, and if someone got onto a machine, some of these vulnerabilities could presumably be problematic. Thanks again! |
Some work was recently done on this here which we should look at pulling in: DFE-Digital#51 |
@patcon & @metasoarous, what is the interest and importance of updating clojure packages?
polis-math is using a postgres driver from 2010: PostgreSQL JDBC Driver » 8.4-702.jdbc4 (Oct 04, 2010). The latest one is from June 2020.
There is an argument for not fixing what ain't broke, but I imagine that there are some bugs fixed and features added that might be beneficial.