🐛 Upgrade express dependency #2036

Merged: sjd78 merged 1 commit into konveyor:main from cve_express on Aug 1, 2024

Conversation

sjd78 (Member) commented Aug 1, 2024

Resolves: https://issues.redhat.com/browse/MTA-2934

Upgrade the express dependency in the server workspace to resolve security issues.

@sjd78 sjd78 added labels Aug 1, 2024: cherry-pick/release-0.3 (This PR should be cherry-picked to the release-0.3 branch), cherry-pick/release-0.4 (This PR should be cherry-picked to the release-0.4 branch), cherry-pick/release-0.5 (This PR should be cherry-picked to the release-0.5 branch)
@sjd78 sjd78 added this to the v0.5.1 milestone Aug 1, 2024
@sjd78 sjd78 requested a review from rayfordj August 1, 2024 19:29

codecov bot commented Aug 1, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 42.33%. Comparing base (b654645) to head (3062d2b).
Report is 206 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2036      +/-   ##
==========================================
+ Coverage   39.20%   42.33%   +3.13%     
==========================================
  Files         146      172      +26     
  Lines        4857     5525     +668     
  Branches     1164     1360     +196     
==========================================
+ Hits         1904     2339     +435     
- Misses       2939     3071     +132     
- Partials       14      115     +101     
Flag Coverage Δ
client 42.33% <ø> (+3.13%) ⬆️
server ?


@rayfordj rayfordj left a comment

We're still pulling in 4.18.2 as a dependency with this change.

$ curl -s 'https://cachito.engineering.redhat.com/api/v1/requests/1559257' | jq -r '.packages[].dependencies[]| select(.name == "express")'
{
  "dev": false,
  "name": "express",
  "replaces": null,
  "type": "npm",
  "version": "4.18.2"
}
{
  "dev": false,
  "name": "express",
  "replaces": null,
  "type": "npm",
  "version": "4.19.2"
}

@sjd78 sjd78 force-pushed the cve_express branch 2 times, most recently from 17e1ff5 to 8664495 Compare August 1, 2024 20:11
@rayfordj rayfordj left a comment

/lgtm

Successful downstream scratch build with this change.

$ curl -s 'https://cachito.engineering.redhat.com/api/v1/requests/1559286' | jq -r '.packages[].dependencies[]| select(.name == "express")'
{
  "dev": false,
  "name": "express",
  "replaces": null,
  "type": "npm",
  "version": "4.19.2"
}
{
  "dev": true,  # <-- devDependency, no concerns
  "name": "express",
  "replaces": null,
  "type": "npm",
  "version": "4.18.2"
}
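The two Cachito queries above make the same point from the build side: upgrading `express` in one workspace does not remove an older copy that a transitive dependency pins for itself, and a dev-only copy is a different risk class from a production one. The following is an added example, not code from this PR or from the tackle2-ui project, that does the equivalent check offline against an npm `package-lock.json` (lockfileVersion 3). The lockfile object is constructed inline and the package names other than `express` are hypothetical; the function and variable names are this example's own.

```javascript
// Added example (not part of the PR or the tackle2-ui code base): find every
// resolved copy of a package in a lockfileVersion 3 "packages" map, report which
// package nests it, and split copies below the fixed version into production
// and dev-only, which is what a CVE scan on the shipped image cares about.

// Constructed sample lockfile; "some-proxy-lib" and "mock-server-tool" are
// hypothetical names standing in for a runtime and a dev dependency that each
// pin their own older express.
const SAMPLE_LOCK = {
  name: "sample-monorepo",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-monorepo", workspaces: ["client", "server"] },
    "server": { name: "@sample/server", version: "0.5.1", dependencies: { express: "^4.19.2" } },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/some-proxy-lib": { version: "1.0.0", dependencies: { express: "~4.18.0" } },
    "node_modules/some-proxy-lib/node_modules/express": { version: "4.18.2" },
    "node_modules/mock-server-tool": { version: "2.0.0", dev: true, dependencies: { express: "~4.18.0" } },
    "node_modules/mock-server-tool/node_modules/express": { version: "4.18.2", dev: true },
  },
};

// Numeric comparison of dotted release versions. No pre-release handling; that
// is enough for the 4.x.y versions under discussion.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every resolved copy of `name`: the hoisted one at node_modules/<name> and any
// nested one at <parent>/node_modules/<name>.
function findCopies(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages)
    .filter(([p]) => p === suffix || p.endsWith("/" + suffix))
    .map(([p, meta]) => ({
      path: p,
      version: meta.version,
      dev: Boolean(meta.dev),
      // The package directory directly above this copy, or "(root)" when hoisted.
      via: p === suffix ? "(root)" : p.slice(0, p.length - suffix.length - 1),
    }));
}

// Copies older than `fixedVersion`, separated by whether npm marked them dev-only.
function audit(lock, name, fixedVersion) {
  const old = findCopies(lock, name).filter((c) => compareVersions(c.version, fixedVersion) < 0);
  return {
    production: old.filter((c) => !c.dev),
    devOnly: old.filter((c) => c.dev),
  };
}

// Run against the constructed lockfile; pass a parsed real package-lock.json
// to audit() for an actual repository.
const result = audit(SAMPLE_LOCK, "express", "4.19.2");
for (const c of result.production) console.log(`NEEDS FIX  ${c.version}  ${c.path}  (via ${c.via})`);
for (const c of result.devOnly) console.log(`dev only   ${c.version}  ${c.path}  (via ${c.via})`);
```

On the sample this reports one production copy of express 4.18.2 nested under some-proxy-lib (the case the first review comment caught) and one dev-only copy under mock-server-tool (the case the second comment waved through). Against a real repository, `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` is the input; the nested copy only goes away when the parent's range is widened, the parent is upgraded, or an `overrides` entry forces the version, which is the "dependency of a dependency" fix the final commit message describes.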

Resolves: https://issues.redhat.com/browse/MTA-2934

Resolve security issues for the `express` dependency
across the workspaces and as a dependency of a
dependency.

Signed-off-by: Scott J Dickerson <[email protected]>
sjd78 (Member, Author) commented Aug 1, 2024

Note to self: This PR needs to be manually backported to release-0.2 since the cherry-pick bot doesn't go back that far.

@rayfordj rayfordj left a comment

Even better 😎
Thanks, @sjd78 !

/lgtm

$ curl -s 'https://cachito.engineering.redhat.com/api/v1/requests/1559440' | jq -r '.packages[].dependencies[]| select(.name == "express")'
{
  "dev": false,
  "name": "express",
  "replaces": null,
  "type": "npm",
  "version": "4.19.2"
}

@sjd78 sjd78 merged commit a342f27 into konveyor:main Aug 1, 2024
13 checks passed
github-actions bot pushed a commit that referenced this pull request Aug 1, 2024 (three commits, identical message):
Resolves: https://issues.redhat.com/browse/MTA-2934

Upgrade the `express` dependency in the server workspace to resolve
security issues.

Signed-off-by: Scott J Dickerson <[email protected]>
Signed-off-by: Cherry Picker <[email protected]>

sjd78 pushed a commit that referenced this pull request Aug 2, 2024 (two commits, same cherry-pick message as above)

sjd78 added a commit to sjd78/tackle2-ui that referenced this pull request Aug 2, 2024 (three commits, identical message):
Backport-of: konveyor#2036
Resolves: https://issues.redhat.com/browse/MTA-2934

Resolve security issues for the `express` dependency
across the workspaces and as a dependency of a
dependency.

Signed-off-by: Scott J Dickerson <[email protected]>

sjd78 pushed a commit that referenced this pull request Aug 2, 2024 (same cherry-pick message as above)

sjd78 added a commit that referenced this pull request Aug 2, 2024:
Backport-of: #2036
Resolves: https://issues.redhat.com/browse/MTA-2934

Resolve security issues for the `express` dependency across the
workspaces and as a dependency of a dependency.

Signed-off-by: Scott J Dickerson <[email protected]>
@sjd78 sjd78 deleted the cve_express branch August 5, 2024 22:10