Progress Update:

1. After the cross-version upgrade[1] of front-end components, these upgrades may be breaking changes, but no compatibility problems have been found in functionality so far. The number of front-end dependency security vulnerabilities dropped from 25 previously to 8, which is a big milestone.

2. For the backend we still have a lot of dependency upgrades to do to eliminate dependency vulnerabilities.

[1]. https://github.com/apache/incubator-seata/pull/6301

Warm regards,
Ji Min

On Fri, Jan 26, 2024 at 09:31 Qiufeng Liu <[email protected]> wrote:
> Hi,
> I fully appreciate the gravity of these issues and am eager to contribute
> to ensuring the integrity and security of Seata's functionalities.
> I'm encouraged by the progress made in mitigating vulnerabilities,
> particularly the efforts to reduce front-end vulnerabilities in the
> incubator-seata project and the significant improvements on the Seata
> official website. It's inspiring to see the dedication and hard work of
> contributors in making Seata safer for all users.
> I would be honored to join the fix plan and offer my expertise to help
> resolve these vulnerabilities. Please provide me with more information on
> how I can actively participate in this initiative. I am committed to
> supporting the community and contributing to the ongoing security
> enhancements of Seata.
> Looking forward to your guidance and further details on how I can get
> involved.
> Warm regards,
> Qiufeng Liu
> ------------------------------------------------------------------
> From: Min Ji <[email protected]>
> Sent: Thursday, January 25, 2024 21:16
> To: dev<[email protected]>
> Cc: private<[email protected]>
> Subject: Call for Contributors to Address Dependency Security Vulnerabilities
> Hi Seata Community,
> As you are aware, Seata is a transaction middleware designed to ensure data
> consistency across various resources. Its extensive extension mechanisms
> allow plug-in support for storage, RPC, database, and configuration
> registry.
> With such a broad scope of functionalities, Seata inherently relies on
> numerous third-party dependencies. These dependencies are often the subject
> of reported security vulnerabilities over time. It is in this context that
> I am reaching out to the community to rally our collective effort in
> addressing these critical security concerns.
> We need proactive participation from contributors like you to help patch
> these vulnerabilities, ensuring that any upgrades or replacements maintain
> the compatibility and integrity of Seata's features. Our commitment to
> dependency security is unwavering; we have successfully remediated over 200
> dependency vulnerabilities to date.
> We have set up a dedicated project[1] to track and address these security
> vulnerabilities. I earnestly hope that you will appreciate the gravity of
> these security issues and join us in our endeavor to resolve them. Our
> primary focus at the moment is on the Seata, seata-go, and official
> Seata website projects.
> Here are the recent updates on our progress:
> 1. Thanks to the monumental efforts of liuqiufeng[2] and ptyin[3], the
> reconstruction of the saga designer framework and a wide-scale upgrade of
> dependencies have reduced the number of front-end vulnerabilities in the
> incubator-seata project to 25. However, we still have over 50 back-end
> vulnerabilities that need attention.
> 2. The security vulnerabilities on the Seata official website were
> significantly diminished from over 50 to less than 10, through an upgrade
> from the docsite framework to Docusaurus. Special thanks to
> chai001125[4] for this achievement.
> We invite you to join our fix plan and help make Seata safer and more
> reliable. Your expertise and contributions are invaluable to our community,
> and together, we can ensure a more secure environment for all Seata users.
> To participate or for more information on how you can help, please reply to
> this email.
> Thank you for your dedication to the Seata community and for considering
> this important initiative. Let's work together to continue to safeguard our
> technology.
> [1]. https://github.com/apache/incubator-seata/projects/12
> [2]. https://github.com/liuqiufeng
> [3]. https://github.com/ptyin
> [4]. https://github.com/chai001125
> Warm regards,
> Ji Min
