Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(core): Upgrade Rudderstack SDK to address CVE-2023-45857 #8368

Merged
merged 2 commits into from
Jan 26, 2024
Merged

feat(core): Upgrade Rudderstack SDK to address CVE-2023-45857 #8368

merged 2 commits into from
Jan 26, 2024

Conversation

netroy
Copy link
Member

@netroy netroy commented Jan 17, 2024
edited
Loading

This helps remove some of the older versions of transient dependencies, like axios 0.x and ioredis 4.x.

This needs some thorough testing before we can merge this.

Review / Merge checklist

  • PR title and summary are descriptive

@netroy netroy changed the title feat(core): Upgrade Rudderstack SDK feat(core): Upgrade Rudderstack SDK to address CVE-2023-45857 Jan 17, 2024
@n8n-assistant n8n-assistant bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team labels Jan 17, 2024
@netroy
feat(core): Upgrade Rudderstack SDK (no-changelog)
cf1b4d5 
This helps remove some of the older versions of transient dependencies,
like axios 0.x and ioredis 4.x.
netroy
netroy commented Jan 26, 2024
View reviewed changes
packages/cli/src/telemetry/index.ts
axiosInstance,
logLevel,
dataPlaneUrl,
gzip: false,
Copy link
Member Author

@netroy netroy Jan 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unless we upgrade the dataplane to version 1.4 or above, gzipped payloads will cause 500s.
Since we haven't been gzipping telemetry payloads so far, this is not a blocker.

@netroy netroy marked this pull request as ready for review January 26, 2024 14:09
krynble
krynble approved these changes Jan 26, 2024
View reviewed changes
Copy link
Contributor

@krynble krynble left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I saw this CVE but was afraid I could not properly test rudderstack's SDK so I did not touch it. Can we certify that, since this is a major version upgrade, things are still working? Feel free to disregard if you've gone through this already.

@cypress Cypress
Copy link

cypress bot commented Jan 26, 2024

1 flaky test on run #3938 ↗︎

0 338 5 0 Flakiness 1

Details:

🌳 🖥️ browsers:node18.12.0-chrome107 🤖 netroy 🗃️ e2e/*
Project: n8n Commit: c39cf8b349
Status: Passed Duration: 03:30 💡
Started: Jan 26, 2024 3:49 PM Ended: Jan 26, 2024 3:52 PM
Flakiness  cypress/e2e/5-ndv.cy.ts • 1 flaky test

View Output Video

Test Artifacts
NDV > should not retrieve remote options when required params throw errors Test Replay Screenshots Video

Review all test suite changes for PR #8368 ↗︎

@github-actions GitHub Actions
Copy link
Contributor

✅ All Cypress E2E specs passed

@netroy netroy merged commit 2fba0e8 into master Jan 26, 2024
29 checks passed
@netroy netroy deleted the upgrade-rudderstack-sdk branch January 26, 2024 15:58
@github-actions github-actions bot mentioned this pull request Jan 31, 2024
Merged
@janober
Copy link
Member

janober commented Feb 2, 2024

Got released with n8n@1.27.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@krynble krynble krynble approved these changes

Assignees
No one assigned
Labels
core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team Released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@netroy @janober @krynble