Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(deps): always resolve momentjs version 2.29.4 #3182

Merged
merged 1 commit into from
Dec 4, 2023
Merged

build(deps): always resolve momentjs version 2.29.4 #3182

merged 1 commit into from
Dec 4, 2023

Conversation

linus345
Copy link
Contributor

@linus345 linus345 commented Nov 21, 2023
edited
Loading

Before this change both version 2.29.1 and version 2.29.4 of momentjs were brougth in. The bump from v2.29.1 -> v2.29.4 remediates two CVEs: CVE-2022-24785 [1] and CVE-2022-31129 [2].

The most notable change comes with the bump from v2.29.1 -> v2.29.2 which introduces a breaking change to remediate CVE-2022-24785: Forward slash and backward slash is no longer allowed in locale names. Locales containing either of those characters will not be loaded from the filesystem any longer [3].

Other than that it looks like there's only patch fixes which can be seen in the full changelog [4].

[1] GHSA-8hfj-j24r-96c4
[2] GHSA-wc69-rhjr-hc9g
[3] https://gist.github.com/ichernev/1904b564f6679d9aac1ae08ce13bc45c
[4] https://github.com/moment/moment/blob/536ad0c348f2f99009755698f491080757a48221/CHANGELOG.md

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this is a chore.
  • The title of the PR is (a) conventional with a list of types and scopes found here, (b) states what changed, and (c) suffixes the related issues number. E.g. "fix(controller): Updates such and such. Fixes #1234".
    • Everything except (c) since this does not have a related issue, I can create one if required.
  • I've signed my commits with DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My builds are green. Try syncing with master if they are not.
  • My organization is added to USERS.md.

@codecov Codecov
Copy link

codecov bot commented Nov 22, 2023
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (87b7448) 81.85% compared to head (e9e1457) 81.83%.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3182      +/-   ##
==========================================
- Coverage   81.85%   81.83%   -0.02%     
==========================================
  Files         134      134              
  Lines       20556    20556              
==========================================
- Hits        16826    16823       -3     
- Misses       2866     2869       +3     
  Partials      864      864

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 22, 2023
edited
Loading

Go Published Test Results

2 084 tests   2 084 ✔️  2m 47s ⏱️
   118 suites         0 💤
       1 files           0

Results for commit e9e1457.

♻️ This comment has been updated with latest results.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 22, 2023
edited
Loading

E2E Tests Published Test Results

    4 files      4 suites   3h 26m 20s ⏱️
103 tests   94 ✔️   6 💤   3
422 runs  388 ✔️ 24 💤 10

For more details on these failures, see this check.

Results for commit e9e1457.

♻️ This comment has been updated with latest results.

@linus345
build(deps): always resolve momentjs version 2.29.4
e9e1457 
Before this change both version 2.29.1 and version 2.29.4 of momentjs
were brougth in. The bump from v2.29.1 -> v2.29.4 remediates two CVEs:
CVE-2022-24785 [1] and CVE-2022-31129 [2]. The most notable change comes
with the bump from v2.29.1 -> v2.29.2 which introduces a breaking change
to remediate CVE-2022-24785: Forward slash and backward slash is no
longer allowed in locale names. Locales containing either of those
characters will not be loaded from the filesystem any longer [3]. Other
than that it looks like there's only patch fixes which can be seen in
the full changelog [4].

[1] GHSA-8hfj-j24r-96c4
[2] GHSA-wc69-rhjr-hc9g
[3] https://gist.github.com/ichernev/1904b564f6679d9aac1ae08ce13bc45c
[4] https://github.com/moment/moment/blob/536ad0c348f2f99009755698f491080757a48221/CHANGELOG.md

Signed-off-by: Linus Ekman <[email protected]>
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Nov 22, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

@zachaller zachaller modified the milestone: v1.7 Nov 22, 2023
@zachaller zachaller merged commit 3b60991 into argoproj:master Dec 4, 2023
25 checks passed
zachaller pushed a commit that referenced this pull request Dec 4, 2023
@linus345 @zachaller
build(deps): always resolve momentjs version 2.29.4 (#3182)
c7f7d1e 
Before this change both version 2.29.1 and version 2.29.4 of momentjs
were brougth in. The bump from v2.29.1 -> v2.29.4 remediates two CVEs:
CVE-2022-24785 [1] and CVE-2022-31129 [2]. The most notable change comes
with the bump from v2.29.1 -> v2.29.2 which introduces a breaking change
to remediate CVE-2022-24785: Forward slash and backward slash is no
longer allowed in locale names. Locales containing either of those
characters will not be loaded from the filesystem any longer [3]. Other
than that it looks like there's only patch fixes which can be seen in
the full changelog [4].

[1] GHSA-8hfj-j24r-96c4
[2] GHSA-wc69-rhjr-hc9g
[3] https://gist.github.com/ichernev/1904b564f6679d9aac1ae08ce13bc45c
[4] https://github.com/moment/moment/blob/536ad0c348f2f99009755698f491080757a48221/CHANGELOG.md

Signed-off-by: Linus Ekman <[email protected]>
@zachaller zachaller added the cherry-pick-completed Used once we have cherry picked the PR to all requested releases label Dec 4, 2023
ashutosh16 pushed a commit to ashutosh16/argo-rollouts that referenced this pull request Dec 8, 2023
@linus345 @ashutosh16
build(deps): always resolve momentjs version 2.29.4 (argoproj#3182)
ab0bfe3 
Before this change both version 2.29.1 and version 2.29.4 of momentjs
were brougth in. The bump from v2.29.1 -> v2.29.4 remediates two CVEs:
CVE-2022-24785 [1] and CVE-2022-31129 [2]. The most notable change comes
with the bump from v2.29.1 -> v2.29.2 which introduces a breaking change
to remediate CVE-2022-24785: Forward slash and backward slash is no
longer allowed in locale names. Locales containing either of those
characters will not be loaded from the filesystem any longer [3]. Other
than that it looks like there's only patch fixes which can be seen in
the full changelog [4].

[1] GHSA-8hfj-j24r-96c4
[2] GHSA-wc69-rhjr-hc9g
[3] https://gist.github.com/ichernev/1904b564f6679d9aac1ae08ce13bc45c
[4] https://github.com/moment/moment/blob/536ad0c348f2f99009755698f491080757a48221/CHANGELOG.md

Signed-off-by: Linus Ekman <[email protected]>
Signed-off-by: ashutosh16 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zachaller zachaller zachaller approved these changes

Assignees
No one assigned
Labels
cherry-pick/release-1.6 cherry-pick-completed Used once we have cherry picked the PR to all requested releases
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@linus345 @zachaller