Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CNV-52642: fix nanoid cve #2364

Merged
merged 1 commit into from
Jan 14, 2025
Merged

CNV-52642: fix nanoid cve #2364

merged 1 commit into from
Jan 14, 2025
+117 −145

Conversation

upalatucci
Copy link
Member

@upalatucci upalatucci commented Jan 14, 2025
edited
Loading

📝 Description

upgrade mocha (a tool used for unit tests) as 9.2 uses a fixed version of nanoid that has the vulnerability . 10 version does not even use nanoid.

@openshift-ci-robot
Copy link
Collaborator

openshift-ci-robot commented Jan 14, 2025
edited by openshift-ci bot
Loading

@upalatucci: This pull request references CNV-52642 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the vulnerability to target the "4.19.0" version, but no target version was set.

In response to this:

📝 Description

upgrade mocha (a tool used for unit tests) as it uses a fixed version of nanoid that has the vulnerability

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the approved This issue is something we want to fix label Jan 14, 2025
@openshift-ci-robot
Copy link
Collaborator

openshift-ci-robot commented Jan 14, 2025
edited by openshift-ci bot
Loading

@upalatucci: This pull request references CNV-52642 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the vulnerability to target the "4.19.0" version, but no target version was set.

In response to this:

📝 Description

upgrade mocha (a tool used for unit tests) as 9.2 uses a fixed version of nanoid that has the vulnerability . 10 version does not even use nanoid.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the lgtm Passed code review, ready for merge label Jan 14, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 14, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: metalice, upalatucci

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [metalice,upalatucci]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit c11f274 into kubevirt-ui:main Jan 14, 2025
10 checks passed
@upalatucci
Copy link
Member Author

/cherry-pick release-4.17

@openshift-cherrypick-robot
Copy link
Collaborator

@upalatucci: #2364 failed to apply on top of branch "release-4.17":

Applying: CNV-52642: fix nanoid cve
Using index info to reconstruct a base tree...
M	package.json
M	yarn.lock
Falling back to patching base and 3-way merge...
Auto-merging yarn.lock
CONFLICT (content): Merge conflict in yarn.lock
Auto-merging package.json
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 CNV-52642: fix nanoid cve

In response to this:

/cherry-pick release-4.17

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@upalatucci upalatucci mentioned this pull request Jan 15, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@metalice metalice metalice approved these changes

@avivtur avivtur Awaiting requested review from avivtur

@vojtechszocs vojtechszocs Awaiting requested review from vojtechszocs

Assignees

@metalice metalice

Labels
approved This issue is something we want to fix jira/valid-reference lgtm Passed code review, ready for merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@upalatucci @openshift-ci-robot @openshift-cherrypick-robot @metalice