fix: mitigate CVE-2023-28155, CVE-2023-26136 #25385
Thanks for the contribution!
@mclarke47 I know you're pretty slammed at the min, but is there any chance you could take a look and test this out? 🙏
@coreydaley thanks for taking this on!
There seem to be some test failures in CI. I'll run this locally and do some basic manual testing.
Thank you @mclarke47, if you figure it out please let me know and I can update my pull request.
This PR has a conflict now.
Any traction on the vulnerability fix?
I am back working on this, the only part I have left is what was discussed in #25385 (review).
@mclarke47 I think I will just stick with this approach then. Looks like I need one more approving review before I can merge. Thanks!
Verify Docs Quality failing due to #27154.
I have rebased (again) and all tests are passing if anyone has time for a second approving review. Thanks!
It needs another rebase 😞
Thank you for this amazing contribution btw! 🙏 Sorry it's been such a slog.
No problem, it's been a good learning experience and I appreciate all of the help along the way :) I would like to get it merged soon though if possible ...
I'll try to get one of the maintainers to look when they come online STO time tomorrow.
I would appreciate that, thank you!
Awesome, thank you! 😁
Just need to avoid mock-fs
Nice! 🎉
Just a small nit left
Signed-off-by: Corey Daley <cdaley@redhat.com>
Awesome, let's , thank you! 🎉
Thank you for contributing to Backstage! The changes in this pull request will be part of the
Hi coreydaley and team, since you superseded the PR description from PR (#23320), can you remove the "Contribution is Signed-off-by: Daniel Meyer (external expert on behalf of DB InfraGO) daniel.di.meyer-extern@deutschebahn.com" statement, as this is not true anymore.
@meda1028 Updated, please let me know if that is ok or you would like further modifications.
Hey, I just made a Pull Request!

This pull request builds off of #23320 and supersedes it, fixing the conflicts that it had with the main branch when it was abandoned.

This pull request updates the `@kubernetes/client-node` dependency from version `0.20.0` to `1.0.0-rc7`. This update is critical as it addresses two known security vulnerabilities related to the `request` package, a dependency of `@kubernetes/client-node`, and its transitive dependency `tough-cookie`:

- `request` package, which could potentially allow attackers to perform various attacks due to improper input validation.
- `tough-cookie` package, a transitive dependency of `request`, which could allow attackers to craft cookies that may bypass intended security restrictions, leading to potential information disclosure or session hijacking.

By updating to `@kubernetes/client-node` version `1.0.0-rc7`, these vulnerabilities are mitigated through the inclusion of patched versions of the affected packages. It is highly recommended to merge this pull request at the earliest to ensure the security of our application and protect against potential exploits leveraging these vulnerabilities.

Fixes #18742

Changes:
- `@kubernetes/client-node` from `0.20.0` to `1.0.0-rc7` in `package.json`.

Impact:
- Mitigates the vulnerabilities in the `request` and `tough-cookie` packages.

Please review the changes and merge this pull request to enhance our application's security posture.

Thank you.

Built upon a contribution by Daniel Meyer (external expert on behalf of DB InfraGO) daniel.di.meyer-extern@deutschebahn.com
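A reviewer checking a dependency bump like this one usually wants to confirm the resolved tree no longer carries the vulnerable packages. The script below is an added example, not code from the PR or from Backstage; it assumes npm's package-lock v2/v3 `packages` layout, and the version thresholds in `POLICY` are assumptions taken from the two advisories, not from the PR text.

```javascript
// Added example: audit a package-lock.json "packages" map for the two
// advisories this PR mitigates. Thresholds below are assumptions from the
// advisories, not values stated in the PR.
const POLICY = {
  // CVE-2023-28155: `request` is deprecated with no fixed release, so any
  // resolved copy is a finding (assumption: no patched version exists).
  request: { cve: "CVE-2023-28155", fixedIn: null },
  // CVE-2023-26136: assumption that tough-cookie 4.1.3 is the first fixed release.
  "tough-cookie": { cve: "CVE-2023-26136", fixedIn: "4.1.3" },
};

// Compare numeric major.minor.patch only; prerelease tags are ignored here.
function versionLessThan(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Walk every installed path; the package name is the text after the last
// "node_modules/" segment, so nested (deduped-away) copies are checked too.
function findVulnerable(lock, policy = POLICY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const rule = policy[name];
    if (!rule || !entry.version) continue;
    if (rule.fixedIn === null || versionLessThan(entry.version, rule.fixedIn)) {
      findings.push({ path, name, version: entry.version, cve: rule.cve });
    }
  }
  return findings;
}

// Constructed sample lockfiles: the tree before the bump and after it.
const beforeLock = { packages: {
  "node_modules/@kubernetes/client-node": { version: "0.20.0" },
  "node_modules/request": { version: "2.88.2" },
  "node_modules/request/node_modules/tough-cookie": { version: "2.5.0" },
  "node_modules/tough-cookie": { version: "4.1.3" },
} };
const afterLock = { packages: {
  "node_modules/@kubernetes/client-node": { version: "1.0.0-rc7" },
  "node_modules/tough-cookie": { version: "4.1.3" },
} };

console.log(findVulnerable(beforeLock)); // two findings: request, nested tough-cookie
console.log(findVulnerable(afterLock));  // []
```

The nested `node_modules/request/node_modules/tough-cookie` entry is the case a top-level-only check misses, which is why the walk keys on the last path segment rather than on direct dependencies.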