Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update dependencies of sample apps to fix security vulnerability #660

Merged
merged 5 commits into from
Sep 26, 2023
Merged

update dependencies of sample apps to fix security vulnerability #660

merged 5 commits into from
Sep 26, 2023

Conversation

johnsonshih
Copy link
Contributor

@johnsonshih johnsonshih commented Sep 25, 2023
edited
Loading

What this PR does / why we need it:
Update the version of sample application dependencies to fix security vulnerability.
https://github.com/project-akri/akri/security/dependabot/22
https://github.com/project-akri/akri/security/dependabot/23
https://github.com/project-akri/akri/security/dependabot/41
https://github.com/project-akri/akri/security/dependabot/42
https://github.com/project-akri/akri/security/dependabot/50
https://github.com/project-akri/akri/security/dependabot/51

Special notes for your reviewer:

If applicable:

  • this PR has an associated PR with documentation in akri-docs
  • this PR contains unit tests
  • added code adheres to standard Rust formatting (cargo fmt)
  • code builds properly (cargo build)
  • code is free of common mistakes (cargo clippy)
  • all Akri tests succeed (cargo test)
  • inline documentation builds (cargo doc)
  • all commits pass the DCO bot check by being signed off -- see the failing DCO check for instructions on how to retroactively sign commits

diconico07
diconico07 approved these changes Sep 25, 2023
View reviewed changes
Copy link
Contributor

@diconico07 diconico07 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clearly nice to upgrade, but, are those versions tested ?
And as I just see that our image builds don't use these versions (they use the ones from debian package manager), does it matter at all ?

@kate-goldenring
Copy link
Contributor

@johnsonshih which CVE is this for? can you add the issue with fixes?

@johnsonshih
Copy link
Contributor Author

@johnsonshih which CVE is this for? can you add the issue with fixes?

add the security alerts in PR description

@johnsonshih
Copy link
Contributor Author

Clearly nice to upgrade, but, are those versions tested ? And as I just see that our image builds don't use these versions (they use the ones from debian package manager), does it matter at all ?

I had updated the build to pick up specified version for dependencies, both sample app tested.

@johnsonshih
remove duplicate installation
06498b1 
Signed-off-by: Johnson Shih <[email protected]>
@johnsonshih
Copy link
Contributor Author

/version patch

@github-actions github-actions bot added the version/patch Patch version change is needed label Sep 26, 2023
@github-actions
Update patch version
4f59bdb 
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@johnsonshih johnsonshih merged commit 95adb80 into project-akri:main Sep 26, 2023
1 check passed
@johnsonshih johnsonshih deleted the user/jshih/security-patch branch September 26, 2023 13:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@diconico07 diconico07 diconico07 approved these changes

@bfjelds bfjelds Awaiting requested review from bfjelds bfjelds is a code owner

@kate-goldenring kate-goldenring Awaiting requested review from kate-goldenring kate-goldenring is a code owner

@jiria jiria Awaiting requested review from jiria jiria is a code owner

@Britel Britel Awaiting requested review from Britel Britel is a code owner

@romoh romoh Awaiting requested review from romoh romoh is a code owner

@adithyaj adithyaj Awaiting requested review from adithyaj adithyaj is a code owner

Assignees
No one assigned
Labels
version/patch Patch version change is needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@johnsonshih @kate-goldenring @diconico07