Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(dependencies): Update OkHttp to 4.11.0 [SDK-4501] #684

Merged
merged 2 commits into from
Sep 11, 2023
Merged

build(dependencies): Update OkHttp to 4.11.0 [SDK-4501] #684

merged 2 commits into from
Sep 11, 2023

Conversation

evansims
Copy link
Member

@evansims evansims commented Aug 21, 2023
edited

Changes

This pull request updates the OkHttp dependency to address a moderate security vulnerability in the imported version. This bumps the included release to 4.11.0 to address CVE-2023-3635.

References

Please see internal ticket SDK-4501.

Testing

No added tests were necessary.

Checklist

@evansims evansims added the dependencies One or more dependencies are being bumped label Aug 21, 2023
@evansims
Copy link
Member Author

@jimmyjames Not familiar enough to really diagnose why the build is failing here; would you mind taking a look?

Appears to be related to a kotlin-stdlib-jdk8 dependency locking issue resolved in 4.11.0 which addresses the CVE, but not sure how to accommodate this change on our end

@evansims evansims marked this pull request as ready for review August 21, 2023 21:12
@evansims evansims requested a review from a team as a code owner August 21, 2023 21:12
poovamraj
poovamraj previously approved these changes Sep 11, 2023
View reviewed changes
Copy link
Contributor

@poovamraj poovamraj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a doubt on the "Unreleased" heading on the CHANGELOG. We usually add these during the release under the version. Is this something new we want to try out? Also this has to be removed during the release so is it automated or should the dev remember to remove this?

@evansims
Copy link
Member Author

Just a doubt on the "Unreleased" heading on the CHANGELOG. We usually add these during the release under the version. Is this something new we want to try out? Also this has to be removed during the release so is it automated or should the dev remember to remove this?

Ah apologies, just a (personal) practice picked up from the PHP side — not a new policy or anything or workflow thing. I don't use automated releasing, so this is a manual method for me to keep track. Force of habit!

@evansims
Copy link
Member Author

@poovamraj Removed the erroneous CHANGELOG update, if you'd be so kind as to re-review 😄

@evansims evansims merged commit 3394283 into main Sep 11, 2023
9 checks passed
@evansims evansims deleted the security/update-okhttp-dependency branch September 11, 2023 16:47
@poovamraj poovamraj mentioned this pull request Oct 4, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@poovamraj poovamraj poovamraj approved these changes

Assignees
No one assigned
Labels
dependencies One or more dependencies are being bumped
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@evansims @poovamraj