Here are some projects to consider!

Share us your project for Hacktoberfest 2024! 🎃

Thomas Bnt ☕ ・ Oct 2

#discuss #hacktoberfest #opensource #webdev

Some of my repositories using GitHub Pages and the Ruby gem github-pages version 232 got a security alert.

I did some reading about the issue and saw that it had been patched and a new version of the dependency webrick had been released. But I could not find any issues or PRs in the repository for the github-pages gem.

I started out by patching my own repositories (4) with a hard-dependency on webrick 1.8.2, but after a few days of consideration and no news I decided to create a PR for a patch of the github-pages gem.

The issue is that webrick prior to 1.8.2, the patched release, suffers from a vulnerability named: HTTP Request Smuggling

• The Snyk description of the webrick vulnerability
  • The CVE on the webrick vulnerability
• And finally the CWE on the vulnerability in general

The PR simply bumps the dependency, which is fairly trivial, I do not understand why nobody else reacted on this.

First PR created in the spirit and in the season of Hacktoberfest.

Second day on the "job".

Have created PRs at several repositories and have commented on several with open PRs, where the spellcheck GitHub action is in use and using a very old version.

I am in the process of sunsetting the olders versions used in quite a few repositories as by the sunset policy I set up.

I try to inform some of the users on very old versions that version 0.32.0 was a recommended security update.

At the same time I have found some misconfigurations and other small things and I try to help the users to the best of my efforts.

Many versions to evaluate, many repositories to inspect and many PRs to create. Unfortunately none of them are participating in Hacktoberfest - but well it is still open source contribution.