Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport 1.17.x: resolves braces < 3.0.3 dep vulnerability and ws < 8.17.1 #27676

Merged
merged 5 commits into from
Jul 3, 2024
Merged

Backport 1.17.x: resolves braces < 3.0.3 dep vulnerability and ws < 8.17.1 #27676

merged 5 commits into from
Jul 3, 2024

Conversation

hellobontempo
Copy link
Contributor

@hellobontempo hellobontempo commented Jul 3, 2024
edited
Loading

Description

"Backport" of: #27657

This PR makes a few dependency package updates to address the security vulnerability in braces v3.0.3 and upgrades ws to 8.17.1. I recommend reviewing by commit, general breakdown of each commit:

  1. Deleted the yarn.lock file and re-ran yarn resolved some of the issues
  2. Added braces to the resolution block resolved some more vulnerable versions
  3. There was one test failure after upgrading, but the test ran the same before and after the package changes. Closing the modal in the test resolved the issue.
  • enterprise tests

TODO only if you're a HashiCorp employee

  • Labels: If this PR is the CE portion of an ENT change, and that ENT change is
    getting backported to N-2, use the new style backport/ent/x.x.x+ent labels
    instead of the old style backport/x.x.x labels.
  • Labels: If this PR is a CE only change, it can only be backported to N, so use
    the normal backport/x.x.x label (there should be only 1).
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.
  • RFC: If this change has an associated RFC, please link it in the description.
  • ENT PR: If this change has an associated ENT PR, please link it in the
    description. Also, make sure the changelog is in this PR, not in your ENT PR.

@hellobontempo hellobontempo requested a review from a team as a code owner July 3, 2024 17:40
@hellobontempo hellobontempo added this to the 1.17.2 milestone Jul 3, 2024
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Jul 3, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 3, 2024

Build Results:
All builds succeeded! ✅

@hellobontempo hellobontempo mentioned this pull request Jul 3, 2024
Closed
@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 3, 2024
edited
Loading

CI Results:
All Go tests succeeded! ✅

@hellobontempo hellobontempo changed the title Backport 1.17.x: UI/vault 28021/braces dep vulnerability 1.17.x Backport 1.17.x: resolves braces < 3.0.3 dep vulnerability and ws < 8.17.1 Jul 3, 2024
@hellobontempo hellobontempo enabled auto-merge (squash) July 3, 2024 20:23
@hellobontempo hellobontempo merged commit b43087b into release/1.17.x Jul 3, 2024
24 checks passed
@hellobontempo hellobontempo deleted the ui/VAULT-28021/braces-dep-vulnerability-1.17.x branch July 3, 2024 22:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Monkeychip Monkeychip Monkeychip approved these changes

Assignees
No one assigned
Labels
backport hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.17.2
Development

Successfully merging this pull request may close these issues.
2 participants
@hellobontempo @Monkeychip