Release v3.5 patch releases discussion #11997
Comments
#12025 needs to be fixed for this
I am thinking about releasing v3.5.1 next week. The most important fix would be #12068 since it blocks people from upgrading to v3.5.
Security fix: #12111
Would be good to get my UI code-splitting / bundle reductions changes into the next patch release once they're all merged in (#12061, #12097, #12150). They are primarily refactors in content, but their overall intent is to fix long wait times for the UI on slow networks or slow devices as described in #11970
TODO: @terrytangyuan to post a list of commits to cherry-pick here
Could you add #12215 and #12214 to 3.5.2 please @terrytangyuan, just to ensure those tests are happening.
Could we add the UI code-splitting PRs as I mentioned above? I don't think they have a big impact to that many users, so I'm fine with it going in 3.5.3 instead if you'd prefer to keep 3.5.2 smaller/more stable. Otherwise commit list LGTM ✅
Sounds good. In the future, let's make sure the PR titles can tell us that.
Yea each PR individually is more of a refactor, but as a whole they are a fix -- in other words, a bunch of refactors that enable a fix.
Working on branch https://github.com/argoproj/argo-workflows/tree/release-3.5.2. Note that I also included some merged dependabot PRs from master branch and some of the dependabot PRs cannot be cherry-picked.
v3.5.2 tag created https://github.com/argoproj/argo-workflows/releases/tag/v3.5.2
Request to include #12353
This needs to be included #12470
#12421 is also a fix for a 3.5.0 feature
Updating here that 3.5.3 was released
#12397 for the next release
Could #12936 be added? Some user needs it: #12936 (comment)
All added to the list.
@terrytangyuan maybe I should've clarified before, I might've misunderstood the intent of your question during this week's Contributor Meeting. I've also been using the Regarding this one, we should cherry-pick the original PR (#12736), the revert with CI fix (#13018), and the fixed PR (#13021). As that would reduce merge conflicts and have a cleaner and more matching
UI security fix: #13069
@terrytangyuan Can you help make sure all PRs in the list #11997 (comment) are cherry-picked into release branch and then we can push the tag?
This would require a several other backports to make work as I detailed in #13069 (review).
Other than the above, yes, that was my plan.
Released v3.5.7. Includes all merged fixes and security patches except for two due to #13069 (review) and #13012 (comment). Also lots of docs backports and a few CI security backports. See the changelog for more details: #13096
Released v3.5.8. Includes all merged fixes and security patches except for the two skipped in 3.5.7 above and #13169 (comment). See the changelog for more details: #13206
Hey @agilgur5 - we've got a customer that needs one of the fixes in v3.5.11. I know you're dealing with some health issues. Would you like us to take the release to help out? We wish you a speedy recovery
@JPZ13 Yes please, I would appreciate that. The WorkflowTaskResults and API query performance fixes are P1s so this has been very high on my list to get out as well. Unfortunately, I was busy reviewing some of those fixes etc that I didn't get to this before my current flare up. Was thinking I'd be feeling good enough over the weekend or this week to knock it out in a few hours, but I've honestly barely touched my desktop in a week 😞 If Alan or Isitha take this over, just make sure to note where I left off in 3.5.x backporting, i.e. things that I didn't merge in 3.5.10 or earlier had complex merge conflicts etc, can leave those unmerged and just backport things after 3.5.10
@agilgur5 sorry that you're still feeling rotten. Get well soon. Between us @isubasinghe and I will try to cut a 3.5.11 this week.
Need to patch this high vuln security fix #13626
@terrytangyuan that one won't make it into 3.5 per #13069 (review), same as I wrote previously in this thread |
I've released v3.5.11 without #13626. I'm happy to do a v3.5.12 shortly if we can work out a way forward. @agilgur5 can you suggest or action a plan to allow us to do a release which patches this vulnerability? Is it the right choice to just leave it as is even though it is of minimal/no impact by our judgement? Security scanners will still be alerting that argo-workflows isn't safe. If that comes down to removing the API page that seems better than doing nothing.
@Joibel on Slack I mentioned downgrading it to potentially workaround some of these CVEs since 3.4's version wasn't vulnerable (at least not to the first one, not sure about the most recent one). Regarding security scanners, actually no one's complained about 3.5 so far so they seem to actually not be detecting it, for better or for worse. (a scanner would have to detect the embedded UI bundles in the CLI/Server binary and then parse out deps from those bundles, one of which contains
For the latest issue 3.4 is vulnerable as it is using dompurify 2.3.3. With that in mind I think we need to develop a strategy for 3.4 and 3.5. Any suggestions? Perhaps upgrading that to 2.5.4 would work? For 3.6 we should remove that API page I guess to reduce our surface area before RC2? Are you feeling up to a PR for that @agilgur5?
Yes removing it and replacing it with a link to the versioned docs is on my to-do list. Per the Slack thread, not just for surface area, but also because it's a massive dep (2nd largest, itself being larger than the UI codebase excluding other deps) which increases load time, build time, etc etc.
Yes, in that vuln's case it would.
Is it possible to cherry-pick #13693 to the next patch release? Thank you!
It looks like it will cherry pick nicely. We will try and bring it in.
This issue tracks commits for 3.5 patch releases.