Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove wait-on package for CVE-2023-25166 #8814

Merged
merged 2 commits into from
Feb 22, 2023
Merged

Remove wait-on package for CVE-2023-25166 #8814

merged 2 commits into from
Feb 22, 2023

Conversation

bnussman-akamai
Copy link
Member

@bnussman-akamai bnussman-akamai commented Feb 22, 2023
edited
Loading

Description 📝

  • Removes wait-on package to solve CVE-2023-25166 dependabot
  • wait-on depended on @sideway/formula and @sideway/formula has a ReDoS Vulnerability
  • Thankfully, we no longer use wait-on so we can just remove it, resulting in us no longer depending on @sideway/formula
    • For context, we previously used wait-on for e2e pipelines but we now use docker livelesness checks

How to test 🧪

  • Test general features of Cloud Manager
  • Verify e2es pass

@bnussman-akamai bnussman-akamai added the Dependencies Pull requests that update a dependency file label Feb 22, 2023
@bnussman-akamai bnussman-akamai self-assigned this Feb 22, 2023
@jaalah-akamai
Copy link
Contributor

Do we use/need wait-on as a dependency, can we remove it?

@bnussman-akamai
Copy link
Member Author

@jaalah-akamai I was wondering the same thing, and I verfied with @jdamore-linode we should be able to remove it!

@jaalah-akamai
Copy link
Contributor

@jaalah-akamai I was wondering the same thing, and I verfied with @jdamore-linode we should be able to remove it!

I didn't know if we needed it for some CLI work, but if we do and we're having trouble bumping the external library - concurrently might be an alternative.

@bnussman-akamai bnussman-akamai changed the title Use yarn resolution to update @sideway/formula to 3.0.1 for CVE-2023-25166 Remove wait-on package for CVE-2023-25166 Feb 22, 2023
@bnussman-akamai
Copy link
Member Author

@jaalah-akamai Pushed 09e5b8c to remove the dependency and updated the PR description with some context

@bnussman-akamai bnussman-akamai merged commit bb67ae9 into linode:develop Feb 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jaalah-akamai jaalah-akamai jaalah-akamai approved these changes

@jdamore-linode jdamore-linode jdamore-linode approved these changes

Assignees

@bnussman-akamai bnussman-akamai

Labels
Dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bnussman-akamai @jaalah-akamai @jdamore-linode @bnussman