Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 Upgrade express dependency #2036

Merged
merged 1 commit into from
Aug 1, 2024
Merged

🐛 Upgrade express dependency #2036

merged 1 commit into from
Aug 1, 2024

Conversation

sjd78
Copy link
Member

@sjd78 sjd78 commented Aug 1, 2024

Resolves: https://issues.redhat.com/browse/MTA-2934

Upgrade the express dependency in the server workspace to resolve security issues.

@sjd78 sjd78 added cherry-pick/release-0.3 This PR should be cherry-picked to release-0.3 branch. cherry-pick/release-0.4 This PR should be cherry-picked to release-0.4 branch. cherry-pick/release-0.5 This PR should be cherry-picked to release-0.5 branch. labels Aug 1, 2024
@sjd78 sjd78 added this to the v0.5.1 milestone Aug 1, 2024
@sjd78 sjd78 requested a review from rayfordj August 1, 2024 19:29
Copy link

codecov bot commented Aug 1, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 42.33%. Comparing base (b654645) to head (3062d2b).
Report is 206 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2036      +/-   ##
==========================================
+ Coverage   39.20%   42.33%   +3.13%     
==========================================
  Files         146      172      +26     
  Lines        4857     5525     +668     
  Branches     1164     1360     +196     
==========================================
+ Hits         1904     2339     +435     
- Misses       2939     3071     +132     
- Partials       14      115     +101     
Flag Coverage Δ
client 42.33% <ø> (+3.13%) ⬆️
server ?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link

@rayfordj rayfordj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're still pulling in 4.18.2 as a dependency with this change.

$ curl -s 'https://cachito.engineering.redhat.com/api/v1/requests/1559257' | jq -r '.packages[].dependencies[]| select(.name == "express")'
{
  "dev": false,
  "name": "express",
  "replaces": null,
  "type": "npm",
  "version": "4.18.2"
}
{
  "dev": false,
  "name": "express",
  "replaces": null,
  "type": "npm",
  "version": "4.19.2"
}

@sjd78 sjd78 force-pushed the cve_express branch 2 times, most recently from 17e1ff5 to 8664495 Compare August 1, 2024 20:11
Copy link

@rayfordj rayfordj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Successful downstream scratch build with this change.

$ curl -s 'https://cachito.engineering.redhat.com/api/v1/requests/1559286' | jq -r '.packages[].dependencies[]| select(.name == "express")'
{
  "dev": false,
  "name": "express",
  "replaces": null,
  "type": "npm",
  "version": "4.19.2"
}
{
  "dev": true,  # <-- devDependency, no concerns
  "name": "express",
  "replaces": null,
  "type": "npm",
  "version": "4.18.2"
}

Resolves: https://issues.redhat.com/browse/MTA-2934

Resolve security issues for the `express` dependency
across the workspaces and as a dependency of a
dependency.

Signed-off-by: Scott J Dickerson <[email protected]>
@sjd78 sjd78 requested a review from rayfordj August 1, 2024 20:39
@sjd78
Copy link
Member Author

sjd78 commented Aug 1, 2024

Note to self: This PR needs to be manually backported to release-0.2 since the cherry-pick bot doesn't go back that far.

Copy link

@rayfordj rayfordj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even better 😎
Thanks, @sjd78 !

/lgtm

$ curl -s 'https://cachito.engineering.redhat.com/api/v1/requests/1559440' | jq -r '.packages[].dependencies[]| select(.name == "express")'
{
  "dev": false,
  "name": "express",
  "replaces": null,
  "type": "npm",
  "version": "4.19.2"
}

@sjd78 sjd78 merged commit a342f27 into konveyor:main Aug 1, 2024
13 checks passed
github-actions bot pushed a commit that referenced this pull request Aug 1, 2024
Resolves: https://issues.redhat.com/browse/MTA-2934

Upgrade the `express` dependency in the server workspace to resolve
security issues.

Signed-off-by: Scott J Dickerson <[email protected]>
Signed-off-by: Cherry Picker <[email protected]>
github-actions bot pushed a commit that referenced this pull request Aug 1, 2024
Resolves: https://issues.redhat.com/browse/MTA-2934

Upgrade the `express` dependency in the server workspace to resolve
security issues.

Signed-off-by: Scott J Dickerson <[email protected]>
Signed-off-by: Cherry Picker <[email protected]>
github-actions bot pushed a commit that referenced this pull request Aug 1, 2024
Resolves: https://issues.redhat.com/browse/MTA-2934

Upgrade the `express` dependency in the server workspace to resolve
security issues.

Signed-off-by: Scott J Dickerson <[email protected]>
Signed-off-by: Cherry Picker <[email protected]>
sjd78 pushed a commit that referenced this pull request Aug 2, 2024
Resolves: https://issues.redhat.com/browse/MTA-2934

Upgrade the `express` dependency in the server workspace to resolve
security issues.

Signed-off-by: Scott J Dickerson <[email protected]>
Signed-off-by: Cherry Picker <[email protected]>
sjd78 pushed a commit that referenced this pull request Aug 2, 2024
Resolves: https://issues.redhat.com/browse/MTA-2934

Upgrade the `express` dependency in the server workspace to resolve
security issues.

Signed-off-by: Scott J Dickerson <[email protected]>
Signed-off-by: Cherry Picker <[email protected]>
sjd78 added a commit to sjd78/tackle2-ui that referenced this pull request Aug 2, 2024
Backport-of: konveyor#2036
Resolves: https://issues.redhat.com/browse/MTA-2934

Resolve security issues for the `express` dependency
across the workspaces and as a dependency of a
dependency.

Signed-off-by: Scott J Dickerson <[email protected]>
sjd78 added a commit to sjd78/tackle2-ui that referenced this pull request Aug 2, 2024
Backport-of: konveyor#2036
Resolves: https://issues.redhat.com/browse/MTA-2934

Resolve security issues for the `express` dependency
across the workspaces and as a dependency of a
dependency.

Signed-off-by: Scott J Dickerson <[email protected]>
sjd78 added a commit to sjd78/tackle2-ui that referenced this pull request Aug 2, 2024
Backport-of: konveyor#2036
Resolves: https://issues.redhat.com/browse/MTA-2934

Resolve security issues for the `express` dependency
across the workspaces and as a dependency of a
dependency.

Signed-off-by: Scott J Dickerson <[email protected]>
sjd78 pushed a commit that referenced this pull request Aug 2, 2024
Resolves: https://issues.redhat.com/browse/MTA-2934

Upgrade the `express` dependency in the server workspace to resolve
security issues.

Signed-off-by: Scott J Dickerson <[email protected]>
Signed-off-by: Cherry Picker <[email protected]>
sjd78 added a commit that referenced this pull request Aug 2, 2024
Backport-of: #2036
Resolves: https://issues.redhat.com/browse/MTA-2934

Resolve security issues for the `express` dependency across the
workspaces and as a dependency of a dependency.

Signed-off-by: Scott J Dickerson <[email protected]>
@sjd78 sjd78 deleted the cve_express branch August 5, 2024 22:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cherry-pick/release-0.3 This PR should be cherry-picked to release-0.3 branch. cherry-pick/release-0.4 This PR should be cherry-picked to release-0.4 branch. cherry-pick/release-0.5 This PR should be cherry-picked to release-0.5 branch.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants