Bump version of deps for CVEs

2025-12-08 22:25:01 -05:00 · 2025-09-23 17:09:57 +05:30 · 2025-09-23 17:09:57 +05:30 · 74bd44574f
commit 74bd44574f
parent 9680ef23fe
2 changed files with 9 additions and 3 deletions
--- a/bypy/sources.json
+++ b/bypy/sources.json
@ -509,12 +509,12 @@
    },

    {
-        "name": "nodejs 20.19.2",
+        "name": "nodejs 20.19.4",
 		"type": "build",
 		"comment": "Needed for building Qt WebEngine",
        "os": "macos,linux",
        "unix": {
-            "hash": "sha256:045deaf3179e85ddd871e925f39b04214f37c7d16b6980fab2f061d6739d8207",
+            "hash": "sha256:a87cf69f4df8deece34165ebf668e3279e12352c4f077a9cc87641f4c9d21a96",
            "urls": ["https://github.com/nodejs/node/archive/refs/tags/v{version}.{file_extension}"]
        }
    },
--- a/setup/unix-ci.py
+++ b/setup/unix-ci.py
@ -168,7 +168,13 @@ IGNORED_DEPENDENCY_CVES = [
    'CVE-2025-8194',  # DoS in tarfile
    'CVE-2025-6069',  # DoS in HTMLParser
    # glib
-    'CVE-2025-4056',  # Only affects Windows, on which we dont run
+    'CVE-2025-4056',  # Only affects Windows, on which we dont use glib
+    # libtiff
+    'CVE-2025-8851',  # this is erroneously marked as fixed in the database but no release of libtiff has been made with the fix
+    # hyphen
+    'CVE-2017-1000376',  # false match in the database
+    # espeak
+    'CVE-2023-4990',  # false match because we currently build with a specific commit pending release of espeak 1.53
 ]