Overrides tough-cookie library #1563
Comments
|
As We can not say for sure, 0.19.0 requires I couldn't find the changelog for version 3.0.0 quickly. You should try if it works and let us know. |
|
oh ok, will test and confirm here. Thanks. |
|
kubernetes/client-node is different than kubernetes-client, kubernetes/client-node is the official one, kubernetes-client was developed independently by Godaddy and others. The request version of this client is basically deprecated, we're keeping it around until we're certain that we won't break people. In the meantime, if you want a non-request based client, you can use this pre-release: |
|
@brendandburns Thanks, the latest RC4 doesn't support Kubernetes API v1.26 (using open shift) , hence stuck at this point. |
|
With a bit of work involved you could regenerate the API specific code. That means you would be able to use older versions of this client with a newer kubernetes version or newer versions of the client with an older kubernetes version. A downside though is that you need to version/build the code yourself all the time. I can try to get some steps outlined for how to do this maybe tomorrow. |
|
RC4 should support 1.26, it was generated from 1.28 afaik and there's 2 version backward compatability. Have you tested RC4 against 1.26? |
|
Also, I believe you can override the dependency yourself in your own project by editing the package-lock.json file: |
|
@brendandburns done, testing it for issues with override. Tried with RC4 for 1.26 and the library had issues with existing code. @mstruebing Would be great if you can share the steps to refractor the code. Thanks |
|
@surajprsd the easiest thing to do is to override the dependency in your package-lock.json as described above. I could be wrong, but I don't think we have easy to use docs to regenerate, and I'm not sure it's worth the effort to create them for this niche use-case. |
|
Overriding this dependency is definitely the better way here. If you really want to generate your own client I outline the steps here:
That generates you a client you can use with every CRD you have available in your cluster. |
|
Are there any update to fix the dependency chain to address CVE-2023-26136? The used request library is not maintained anymore. |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
Describe the bug
Using version 0.19.0 and its has issues with request and tough-cookie library vulnerability.
This I have resolved with the overrides option in package.json in my node app as shown below to resolve the tough cookie issue.Please note that we cannot use the new rc4 version as our kubernetes api version is 1.26
"overrides": {
"tough-cookie": "4.1.3"
},
Want to understand if overriding tough-cookie to 4.1.3 in kubernetes/client v 0.19.0 has any known issue or possible issues with the same. Thanks
The text was updated successfully, but these errors were encountered: