CVE-2025-22150 odh-dashboard-container: Undici Uses Insufficiently Random Values [main] #3685

dpanshug · 2025-01-27T13:46:26Z

RHOAIENG-18494

Description

Upgrade undici package to resolve CVE

How Has This Been Tested?

cd backend
npm audit
In the vulnerability list, undici package should not exist.

Test Impact

None, just package upgrade

Request review criteria:

Self checklist (all need to be checked):

The developer has manually tested the changes and verified that the changes work
Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
The developer has added tests or explained why testing cannot be added (unit or cypress tests for related changes)

If you have UI changes:

Included any necessary screenshots or gifs if it was a UI change.
Included tags to the UX team if it was a UI/UX change.

After the PR is posted & before it merges:

The developer has tested their solution on a cluster by using the image produced by the PR to main

…ndom Values [main]

codecov · 2025-01-27T14:09:59Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.24%. Comparing base (cb6112c) to head (18346f3).
Report is 9 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3685      +/-   ##
==========================================
- Coverage   84.26%   84.24%   -0.03%     
==========================================
  Files        1450     1450              
  Lines       33778    33778              
  Branches     9357     9357              
==========================================
- Hits        28463    28455       -8     
- Misses       5315     5323       +8

see 6 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cb6112c...18346f3. Read the comment docs.

Gkrumbach07

/lgtm

correct version is now installed

openshift-ci · 2025-01-27T22:41:37Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Gkrumbach07

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [Gkrumbach07]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

…pendatahub-io#3662) * Initial WIP version of resource creation test * Experimental changes to poll the UI for updates * Working version if resource is present * increase card timeout and delete active wait * Added changes to find namespace from variables * Final changes to read variables, cleaned up utils * Small change to a comment * Dummy change to trigger mocks * Save changes on cypress-RHOAIENG-12649 * Changed file directories and names as requested on a PR comment * Saving changes to current branch * Additional directory/file name changes * Additional changes to save * Resolving timeout issue breaking mock tests, also resolved latest PR comments * Further changes for this test * Changes to revert the exist method appended to getCardView. * Fixed linting * Linting fixes * Final comments added * Fixed merge conflict * Small change to page object name * dummy commit * Removed RHOAI bug workaround * Removed comments * Last comment change * Committing intermediate changes * Initial changes * Initial changes * Messy working test * Committing working test - not linted/cleaned up * Committing working test with exception of status check on UI * Committing fully working test on RHOAI * Linting fixes * Adding in description for bug relating to manifest links * Actioning PR comments * Comitting initial changes * Comitting working test for Single Model Creation * Comitting final completed test * Small amendment to select model server on ODH * Linting after merge conflict resolution --------- Co-authored-by: Fede Alonso <fealonso@redhat.com> made wording more consistent in storage dialog (opendatahub-io#3665) remove deprecated enabled nvidia manifest from rhoai (opendatahub-io#3666) Co-authored-by: “Bob <“bgregor@redhat.com”> Add Exclusions to Cypress e2e Nightly Executions (opendatahub-io#3671) * Initial WIP version of resource creation test * Experimental changes to poll the UI for updates * Working version if resource is present * increase card timeout and delete active wait * Added changes to find namespace from variables * Final changes to read variables, cleaned up utils * Small change to a comment * Dummy change to trigger mocks * Save changes on cypress-RHOAIENG-12649 * Changed file directories and names as requested on a PR comment * Saving changes to current branch * Additional directory/file name changes * Additional changes to save * Resolving timeout issue breaking mock tests, also resolved latest PR comments * Further changes for this test * Changes to revert the exist method appended to getCardView. * Fixed linting * Linting fixes * Final comments added * Fixed merge conflict * Small change to page object name * dummy commit * Removed RHOAI bug workaround * Removed comments * Last comment change * Initial commit * Fixed linting * adding package json * Swapped out cypress:run for cypress:e2e --------- Co-authored-by: Fede Alonso <fealonso@redhat.com> Adds required to environment variables (opendatahub-io#3653) * Adds required to environment variables * Accessibility fix Fix for notebook route link font size (opendatahub-io#3678) Update the positions of DW tabs (opendatahub-io#3677) Add default deployment mode selector as read only (opendatahub-io#3664) * Add default deployment mode selector read only * Use DashboardHelpTooltip and fix popper width Fix for page header layout when page has long description (opendatahub-io#3679) Update ownedByDSC to use correct label for checking what is created by operator (opendatahub-io#3682) feat: remove the NIM tile from Enabled page (opendatahub-io#3663) * feat: remove the NIM tile from Enabled page Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: rename function Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: add space after the here. Signed-off-by: Olga Lavtar <olavtar@redhat.com> --------- Signed-off-by: Olga Lavtar <olavtar@redhat.com> fix: label update for nim project from single serving to NVIDIA NIM Serving Enabled (opendatahub-io#3680) * fix: label update for nim from single serving to NVIDIA NIM Serving Enabled Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: label update Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: label update Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: fix cypress test Signed-off-by: Olga Lavtar <olavtar@redhat.com> --------- Signed-off-by: Olga Lavtar <olavtar@redhat.com> fix: move the permissions from the cluster-role to the role yaml file (opendatahub-io#3687) Signed-off-by: Olga Lavtar <olavtar@redhat.com> Apply hardware profile to notebook image settings table (opendatahub-io#3645) * Apply hardware profile to notebook image settings table * address comment * add name tooltip for the hardware profile table * Reuse recommended accelerator annotation for hardware profiles * Change name resource field to fix layout issues * fix tests refractor UsageBar and StorageSizeBar (opendatahub-io#3667) Hardware Profile Display Name is not trimmed (opendatahub-io#3670) Name, resource label, tolerations and Node selector fields - Unlimited size string (opendatahub-io#3672) CVE-2025-22150 odh-dashboard-container: Undici Uses Insufficiently Random Values [main] (opendatahub-io#3685)

* Initial WIP version of resource creation test * Experimental changes to poll the UI for updates * Working version if resource is present * increase card timeout and delete active wait * Added changes to find namespace from variables * Final changes to read variables, cleaned up utils * Small change to a comment * Dummy change to trigger mocks * Save changes on cypress-RHOAIENG-12649 * Changed file directories and names as requested on a PR comment * Saving changes to current branch * Additional directory/file name changes * Additional changes to save * Resolving timeout issue breaking mock tests, also resolved latest PR comments * Further changes for this test * Changes to revert the exist method appended to getCardView. * Fixed linting * Linting fixes * Final comments added * Fixed merge conflict * Small change to page object name * dummy commit * Removed RHOAI bug workaround * Removed comments * Last comment change * Cypress e2e Test - Admin Model Serving (Multi & Single Model) Tests (#3662) * Initial WIP version of resource creation test * Experimental changes to poll the UI for updates * Working version if resource is present * increase card timeout and delete active wait * Added changes to find namespace from variables * Final changes to read variables, cleaned up utils * Small change to a comment * Dummy change to trigger mocks * Save changes on cypress-RHOAIENG-12649 * Changed file directories and names as requested on a PR comment * Saving changes to current branch * Additional directory/file name changes * Additional changes to save * Resolving timeout issue breaking mock tests, also resolved latest PR comments * Further changes for this test * Changes to revert the exist method appended to getCardView. * Fixed linting * Linting fixes * Final comments added * Fixed merge conflict * Small change to page object name * dummy commit * Removed RHOAI bug workaround * Removed comments * Last comment change * Committing intermediate changes * Initial changes * Initial changes * Messy working test * Committing working test - not linted/cleaned up * Committing working test with exception of status check on UI * Committing fully working test on RHOAI * Linting fixes * Adding in description for bug relating to manifest links * Actioning PR comments * Comitting initial changes * Comitting working test for Single Model Creation * Comitting final completed test * Small amendment to select model server on ODH * Linting after merge conflict resolution --------- Co-authored-by: Fede Alonso <fealonso@redhat.com> made wording more consistent in storage dialog (#3665) remove deprecated enabled nvidia manifest from rhoai (#3666) Co-authored-by: “Bob <“bgregor@redhat.com”> Add Exclusions to Cypress e2e Nightly Executions (#3671) * Initial WIP version of resource creation test * Experimental changes to poll the UI for updates * Working version if resource is present * increase card timeout and delete active wait * Added changes to find namespace from variables * Final changes to read variables, cleaned up utils * Small change to a comment * Dummy change to trigger mocks * Save changes on cypress-RHOAIENG-12649 * Changed file directories and names as requested on a PR comment * Saving changes to current branch * Additional directory/file name changes * Additional changes to save * Resolving timeout issue breaking mock tests, also resolved latest PR comments * Further changes for this test * Changes to revert the exist method appended to getCardView. * Fixed linting * Linting fixes * Final comments added * Fixed merge conflict * Small change to page object name * dummy commit * Removed RHOAI bug workaround * Removed comments * Last comment change * Initial commit * Fixed linting * adding package json * Swapped out cypress:run for cypress:e2e --------- Co-authored-by: Fede Alonso <fealonso@redhat.com> Adds required to environment variables (#3653) * Adds required to environment variables * Accessibility fix Fix for notebook route link font size (#3678) Update the positions of DW tabs (#3677) Add default deployment mode selector as read only (#3664) * Add default deployment mode selector read only * Use DashboardHelpTooltip and fix popper width Fix for page header layout when page has long description (#3679) Update ownedByDSC to use correct label for checking what is created by operator (#3682) feat: remove the NIM tile from Enabled page (#3663) * feat: remove the NIM tile from Enabled page Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: rename function Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: add space after the here. Signed-off-by: Olga Lavtar <olavtar@redhat.com> --------- Signed-off-by: Olga Lavtar <olavtar@redhat.com> fix: label update for nim project from single serving to NVIDIA NIM Serving Enabled (#3680) * fix: label update for nim from single serving to NVIDIA NIM Serving Enabled Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: label update Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: label update Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: fix cypress test Signed-off-by: Olga Lavtar <olavtar@redhat.com> --------- Signed-off-by: Olga Lavtar <olavtar@redhat.com> fix: move the permissions from the cluster-role to the role yaml file (#3687) Signed-off-by: Olga Lavtar <olavtar@redhat.com> Apply hardware profile to notebook image settings table (#3645) * Apply hardware profile to notebook image settings table * address comment * add name tooltip for the hardware profile table * Reuse recommended accelerator annotation for hardware profiles * Change name resource field to fix layout issues * fix tests refractor UsageBar and StorageSizeBar (#3667) Hardware Profile Display Name is not trimmed (#3670) Name, resource label, tolerations and Node selector fields - Unlimited size string (#3672) CVE-2025-22150 odh-dashboard-container: Undici Uses Insufficiently Random Values [main] (#3685) * Comitting working tests * Small wording changes --------- Co-authored-by: Fede Alonso <fealonso@redhat.com>

…ndom Values [main] (opendatahub-io#3685)

…hub-io#3696) * Initial WIP version of resource creation test * Experimental changes to poll the UI for updates * Working version if resource is present * increase card timeout and delete active wait * Added changes to find namespace from variables * Final changes to read variables, cleaned up utils * Small change to a comment * Dummy change to trigger mocks * Save changes on cypress-RHOAIENG-12649 * Changed file directories and names as requested on a PR comment * Saving changes to current branch * Additional directory/file name changes * Additional changes to save * Resolving timeout issue breaking mock tests, also resolved latest PR comments * Further changes for this test * Changes to revert the exist method appended to getCardView. * Fixed linting * Linting fixes * Final comments added * Fixed merge conflict * Small change to page object name * dummy commit * Removed RHOAI bug workaround * Removed comments * Last comment change * Cypress e2e Test - Admin Model Serving (Multi & Single Model) Tests (opendatahub-io#3662) * Initial WIP version of resource creation test * Experimental changes to poll the UI for updates * Working version if resource is present * increase card timeout and delete active wait * Added changes to find namespace from variables * Final changes to read variables, cleaned up utils * Small change to a comment * Dummy change to trigger mocks * Save changes on cypress-RHOAIENG-12649 * Changed file directories and names as requested on a PR comment * Saving changes to current branch * Additional directory/file name changes * Additional changes to save * Resolving timeout issue breaking mock tests, also resolved latest PR comments * Further changes for this test * Changes to revert the exist method appended to getCardView. * Fixed linting * Linting fixes * Final comments added * Fixed merge conflict * Small change to page object name * dummy commit * Removed RHOAI bug workaround * Removed comments * Last comment change * Committing intermediate changes * Initial changes * Initial changes * Messy working test * Committing working test - not linted/cleaned up * Committing working test with exception of status check on UI * Committing fully working test on RHOAI * Linting fixes * Adding in description for bug relating to manifest links * Actioning PR comments * Comitting initial changes * Comitting working test for Single Model Creation * Comitting final completed test * Small amendment to select model server on ODH * Linting after merge conflict resolution --------- Co-authored-by: Fede Alonso <fealonso@redhat.com> made wording more consistent in storage dialog (opendatahub-io#3665) remove deprecated enabled nvidia manifest from rhoai (opendatahub-io#3666) Co-authored-by: “Bob <“bgregor@redhat.com”> Add Exclusions to Cypress e2e Nightly Executions (opendatahub-io#3671) * Initial WIP version of resource creation test * Experimental changes to poll the UI for updates * Working version if resource is present * increase card timeout and delete active wait * Added changes to find namespace from variables * Final changes to read variables, cleaned up utils * Small change to a comment * Dummy change to trigger mocks * Save changes on cypress-RHOAIENG-12649 * Changed file directories and names as requested on a PR comment * Saving changes to current branch * Additional directory/file name changes * Additional changes to save * Resolving timeout issue breaking mock tests, also resolved latest PR comments * Further changes for this test * Changes to revert the exist method appended to getCardView. * Fixed linting * Linting fixes * Final comments added * Fixed merge conflict * Small change to page object name * dummy commit * Removed RHOAI bug workaround * Removed comments * Last comment change * Initial commit * Fixed linting * adding package json * Swapped out cypress:run for cypress:e2e --------- Co-authored-by: Fede Alonso <fealonso@redhat.com> Adds required to environment variables (opendatahub-io#3653) * Adds required to environment variables * Accessibility fix Fix for notebook route link font size (opendatahub-io#3678) Update the positions of DW tabs (opendatahub-io#3677) Add default deployment mode selector as read only (opendatahub-io#3664) * Add default deployment mode selector read only * Use DashboardHelpTooltip and fix popper width Fix for page header layout when page has long description (opendatahub-io#3679) Update ownedByDSC to use correct label for checking what is created by operator (opendatahub-io#3682) feat: remove the NIM tile from Enabled page (opendatahub-io#3663) * feat: remove the NIM tile from Enabled page Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: rename function Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: add space after the here. Signed-off-by: Olga Lavtar <olavtar@redhat.com> --------- Signed-off-by: Olga Lavtar <olavtar@redhat.com> fix: label update for nim project from single serving to NVIDIA NIM Serving Enabled (opendatahub-io#3680) * fix: label update for nim from single serving to NVIDIA NIM Serving Enabled Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: label update Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: label update Signed-off-by: Olga Lavtar <olavtar@redhat.com> * fix: fix cypress test Signed-off-by: Olga Lavtar <olavtar@redhat.com> --------- Signed-off-by: Olga Lavtar <olavtar@redhat.com> fix: move the permissions from the cluster-role to the role yaml file (opendatahub-io#3687) Signed-off-by: Olga Lavtar <olavtar@redhat.com> Apply hardware profile to notebook image settings table (opendatahub-io#3645) * Apply hardware profile to notebook image settings table * address comment * add name tooltip for the hardware profile table * Reuse recommended accelerator annotation for hardware profiles * Change name resource field to fix layout issues * fix tests refractor UsageBar and StorageSizeBar (opendatahub-io#3667) Hardware Profile Display Name is not trimmed (opendatahub-io#3670) Name, resource label, tolerations and Node selector fields - Unlimited size string (opendatahub-io#3672) CVE-2025-22150 odh-dashboard-container: Undici Uses Insufficiently Random Values [main] (opendatahub-io#3685) * Comitting working tests * Small wording changes --------- Co-authored-by: Fede Alonso <fealonso@redhat.com>

CVE-2025-22150 odh-dashboard-container: Undici Uses Insufficiently Ra…

18346f3

…ndom Values [main]

openshift-ci bot requested review from christianvogt and mturley January 27, 2025 13:46

Gkrumbach07 approved these changes Jan 27, 2025

View reviewed changes

openshift-ci bot assigned Gkrumbach07 Jan 27, 2025

openshift-ci bot added the lgtm label Jan 27, 2025

openshift-ci bot added the approved label Jan 27, 2025

openshift-merge-bot bot merged commit ddbd55a into opendatahub-io:main Jan 28, 2025
29 checks passed

ashley-o0o pushed a commit to ashley-o0o/odh-dashboard that referenced this pull request Feb 7, 2025

CVE-2025-22150 odh-dashboard-container: Undici Uses Insufficiently Ra…

1b7bc4d

…ndom Values [main] (opendatahub-io#3685)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2025-22150 odh-dashboard-container: Undici Uses Insufficiently Random Values [main] #3685

CVE-2025-22150 odh-dashboard-container: Undici Uses Insufficiently Random Values [main] #3685

dpanshug commented Jan 27, 2025

codecov bot commented Jan 27, 2025 •

edited

Loading

Gkrumbach07 left a comment

openshift-ci bot commented Jan 27, 2025

CVE-2025-22150 odh-dashboard-container: Undici Uses Insufficiently Random Values [main] #3685

CVE-2025-22150 odh-dashboard-container: Undici Uses Insufficiently Random Values [main] #3685

Conversation

dpanshug commented Jan 27, 2025

Description

How Has This Been Tested?

Test Impact

Request review criteria:

codecov bot commented Jan 27, 2025 • edited Loading

Codecov Report

Gkrumbach07 left a comment

Choose a reason for hiding this comment

openshift-ci bot commented Jan 27, 2025

codecov bot commented Jan 27, 2025 •

edited

Loading