Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): upgrade undici from 5.28.2 to 5.28.3 due to CVE #12763

Merged
merged 1 commit into from
Mar 17, 2024
Merged

fix(deps): upgrade undici from 5.28.2 to 5.28.3 due to CVE #12763

merged 1 commit into from
Mar 17, 2024

Conversation

agilgur5
Copy link
Member

@agilgur5 agilgur5 commented Mar 8, 2024
edited

Partial fix for #12031, "Vulnerabilities"

Motivation

After the Snyk failure for #12753, I also checked OpenSSF Scorecard's current vuln report and found this vuln too: GHSA-3787-6prv-h9w3

Modifications

  • update yarn.lock to bump undici
    • undici is a transitive dep, used by swagger-ui-react
      • swagger-ui-react -> swagger-client -> undici

Verification

  1. Ran yarn after, no additional changes
  2. Ran npx yarn-audit-fix && yarn deduplicate to check for more vulns and auto-update them (same as chore(deps): automatically audit fix UI deps #12036), no others popped up
    • Same for plain yarn audit: 0 vulnerabilities found - Packages audited: 1488
  3. Ran yarn again, no additional changes

@agilgur5
fix(deps): upgrade undici from 5.28.2 to 5.28.3 due to CVE
8be317b 
- c.f. GHSA-3787-6prv-h9w3
  - `undici` is a transitive dep, used by `swagger-ui-react`
    - `swagger-ui-react` -> `swagger-client` -> `undici`

Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
@agilgur5 agilgur5 added type/security Security related type/dependencies PRs and issues specific to updating dependencies javascript Pull requests that update Javascript dependencies prioritized-review For members of the Sustainability Effort labels Mar 8, 2024
@agilgur5
Copy link
Member Author

agilgur5 commented Mar 8, 2024

Dependabot is still not updating these deps timely. I thought it might be the "weekly" schedule in the dependabot.yml, but apparently the schedule is entirely ignored for security updates anyway.

Something else is going on... I'm wondering if we have security updates disabled or something at the repo or org level? Or is dependabot just very slow / not have the most up-to-date info? A lot of these vulns were reported with GHSAs, so GitHub should have these available in their CVE DB for dependabot...

@agilgur5
Copy link
Member Author

agilgur5 commented Mar 9, 2024
edited

I'm wondering if we have security updates disabled or something at the repo or org level?

I think this is the case -- "Dependabot alerts" are not enabled, and those seem to be required for security updates

That would explain #12635 (comment), #12526 (comment), #12470 (comment), and other manual dependency security updates we've had to do.

I've added this as a topic to the next Contributors Meeting

@juliev0 juliev0 merged commit 87899e5 into argoproj:main Mar 17, 2024
17 checks passed
@agilgur5 agilgur5 deleted the fix-deps-undici-cve branch March 17, 2024 17:13
@agilgur5 agilgur5 mentioned this pull request Mar 28, 2024
Merged
@agilgur5 agilgur5 added this to the v3.5.x patches milestone Apr 3, 2024
agilgur5 added a commit that referenced this pull request Apr 3, 2024
@agilgur5
fix(deps): upgrade undici to 5.28.3 due to CVE (#12763)
6d41e8c 
Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
@agilgur5
Copy link
Member Author

agilgur5 commented Apr 3, 2024
edited

Cherry-picked into release-3.5 as 6d41e8c

  • Fixed a merge conflict as the version was older on release-3.5

@agilgur5 agilgur5 mentioned this pull request Apr 4, 2024
Merged
isubasinghe pushed a commit to isubasinghe/argo-workflows that referenced this pull request May 6, 2024
@agilgur5 @isubasinghe
fix(deps): upgrade undici from 5.28.2 to 5.28.3 due to CVE (argopro…
ee69afe 
…j#12763)

Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
isubasinghe pushed a commit to isubasinghe/argo-workflows that referenced this pull request May 7, 2024
@agilgur5 @isubasinghe
fix(deps): upgrade undici from 5.28.2 to 5.28.3 due to CVE (argopro…
82d14db 
…j#12763)

Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@blkperl blkperl blkperl approved these changes

@juliev0 juliev0 juliev0 approved these changes

Assignees
No one assigned
Labels
javascript Pull requests that update Javascript dependencies prioritized-review For members of the Sustainability Effort type/dependencies PRs and issues specific to updating dependencies type/security Security related
Projects
None yet
Milestone
v3.5.x patches
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@agilgur5 @blkperl @juliev0