[SERVER-84615] Define a version for linenoise Created: 05/Jan/24 Updated: 05/Feb/24 Resolved: 05/Feb/24 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 8.0.0-rc0 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Spencer Jackson |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||
| Assigned Teams: |
Server Security
|
||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||
| Backport Requested: |
v7.3, v7.0, v6.0, v5.0, v4.4
|
||||||||||||
| Sprint: | Security 2024-02-05, Security 2024-02-19 | ||||||||||||
| Participants: | |||||||||||||
| Description |
|
When we vendor third party libraries, we must ensure that they've been sourced from known origins and possess meaningful version identifiers. We use version identifiers to track security vulnerabilities and their mitigations, and libraries without versions cannot be easily audited. As we work toward publishing an SBOM, this information will be made public so that our customers can make informed decisions about supply chain risk. Library linenoise doesn’t seem to be vendored from a specific release identified by a version identifier issued by its upstream vendor. Please either identify the release which originated the library and update README.third_party.md, update your library to a named release, or migrate to an alternative. If you require an exception, please reach out to stacey.kingpoling@mongodb.com. |
| Comments |
| Comment by Githook User [ 02/Feb/24 ] |
|
Author: {'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}Message: GitOrigin-RevId: 4170a601d84f2a8189e32e830a73cbfb4f9fe363 |