
Draft: Update the version of the git-lfs dependency

Nick Thomas requested to merge update-git-lfs-version into master

This clears some false-positive security issues. Noticed as I was looking at the gitlab-shell vulnerability report, which has a dependency on gitaly, which has a dependency on git-lfs v1.5.1.

We're just using it to decode the LFS pointer files, but not having to track why we're not vulnerable is a bonus, right?

I see the same dependency shows up as "critical" in the gitaly vulnerability report too: https://gitlab.com/gitlab-org/gitaly/-/security/vulnerability_report . We could just dismiss it, but there's no harm to the update and we even get a few small improvements: https://github.com/git-lfs/git-lfs/compare/v1.5.1...v3.1.2

Related to gitlab-shell#546 (closed)

Edited by Nick Thomas
