Release process regarding vulnerability fix PRs
-
I use jsreport for a project in which we run SNYK every now and then, in which jsreport tends to show up through some npm packages (directly or indirectly).
In the last few weeks we have created some PRs to resolve some of these vulnerabilities (mine was closed, but that is beside the point).
If we create PRs and get them merged, will this result in a new release being made which contains just the fix for the vulnerability, or would we still need to wait for you to decide when a release is ready?
-
Automated audit tools can be useful, but they often report false positives. In large, dependency-heavy projects like jsreport, these reports frequently flag issues that are not exploitable in practice and therefore don’t always provide meaningful, actionable security value.
For this reason, we won’t be releasing jsreport hotfixes on a more frequent schedule.
We take security seriously and run multiple audit scans as part of every release, working to satisfy their requirements. This process already requires significant time and effort, and we don’t plan to extend it beyond our current scope.