
fix: bump dependencies to fix CVEs #3563

Merged
merged 1 commit into from
Jan 10, 2023

Conversation

phisco
Contributor

@phisco phisco commented Jan 10, 2023

Signed-off-by: Philippe Scorsolini <p.scorsolini@gmail.com>

Description of your changes

Bumping a few dependencies to fix CRITICAL and HIGH vulnerabilities found by trivy.

Fixes #3562

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable to ensure this PR is ready for review.
  • Added backport release-x.y labels to auto-backport this PR if necessary.

How has this code been tested

trivy fs . before this patch was reporting a few CVEs, which are not present anymore with these changes.

@phisco phisco requested review from a team as code owners January 10, 2023 15:07
@phisco phisco requested review from negz and ezgidemirel and removed request for a team January 10, 2023 15:07
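As an added example (not code from this PR or from the Crossplane code base): a small Go helper that parses the JSON report written by `trivy fs --format json` and separates the CRITICAL/HIGH findings a dependency bump can clear (a FixedVersion exists) from those with no fix yet, so a severity gate in CI does not silently drop the latter. The report it runs on is constructed here and its CVE ids are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the JSON written by `trivy fs --format json`.
type report struct {
	Results []struct {
		Target          string `json:"Target"`
		Vulnerabilities []struct {
			ID        string `json:"VulnerabilityID"`
			Pkg       string `json:"PkgName"`
			Installed string `json:"InstalledVersion"`
			Fixed     string `json:"FixedVersion"`
			Severity  string `json:"Severity"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// blockingFindings keeps only CRITICAL/HIGH findings and splits them into those a
// dependency bump can clear (FixedVersion set) and those with no upstream fix yet.
func blockingFindings(raw []byte) (fixable, unfixable []string, err error) {
	var r report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, nil, err
	}
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if v.Severity != "CRITICAL" && v.Severity != "HIGH" {
				continue
			}
			line := fmt.Sprintf("%s: %s %s@%s", res.Target, v.ID, v.Pkg, v.Installed)
			if v.Fixed == "" {
				unfixable = append(unfixable, line)
			} else {
				fixable = append(fixable, line+" -> bump to "+v.Fixed)
			}
		}
	}
	return fixable, unfixable, nil // gate: fail the build while len(fixable) > 0
}

// sampleReport is a constructed trivy-style report; the ids are placeholders.
const sampleReport = `{"Results":[{"Target":"go.mod","Vulnerabilities":[
{"VulnerabilityID":"CVE-0000-0001","PkgName":"example.com/a","InstalledVersion":"1.0.0","FixedVersion":"1.0.1","Severity":"HIGH"},
{"VulnerabilityID":"CVE-0000-0002","PkgName":"example.com/b","InstalledVersion":"2.3.0","FixedVersion":"","Severity":"CRITICAL"},
{"VulnerabilityID":"CVE-0000-0003","PkgName":"example.com/c","InstalledVersion":"0.1.0","FixedVersion":"0.2.0","Severity":"LOW"}]}]}`
```

Findings in the unfixable list still need tracking (pin, replace, or wait for upstream), which is why they are returned separately rather than filtered out.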
Member

@hasheddan hasheddan left a comment


Thanks @phisco! I'll add backports to relevant active branches here, as we'll likely want to do patches on each 👍🏻

@github-actions

Backport failed for release-1.8, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-1.8
git worktree add -d .worktree/backport-3563-to-release-1.8 origin/release-1.8
cd .worktree/backport-3563-to-release-1.8
git checkout -b backport-3563-to-release-1.8
ancref=$(git merge-base 1d85c436146f6fb81f409e1b28874763dc77f4c1 9f813da0b47d176383bba7bbe6a0582b2de4716d)
git cherry-pick -x $ancref..9f813da0b47d176383bba7bbe6a0582b2de4716d

@github-actions

Backport failed for release-1.9, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-1.9
git worktree add -d .worktree/backport-3563-to-release-1.9 origin/release-1.9
cd .worktree/backport-3563-to-release-1.9
git checkout -b backport-3563-to-release-1.9
ancref=$(git merge-base 1d85c436146f6fb81f409e1b28874763dc77f4c1 9f813da0b47d176383bba7bbe6a0582b2de4716d)
git cherry-pick -x $ancref..9f813da0b47d176383bba7bbe6a0582b2de4716d

@github-actions

Backport failed for release-1.10, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-1.10
git worktree add -d .worktree/backport-3563-to-release-1.10 origin/release-1.10
cd .worktree/backport-3563-to-release-1.10
git checkout -b backport-3563-to-release-1.10
ancref=$(git merge-base 1d85c436146f6fb81f409e1b28874763dc77f4c1 9f813da0b47d176383bba7bbe6a0582b2de4716d)
git cherry-pick -x $ancref..9f813da0b47d176383bba7bbe6a0582b2de4716d

@phisco phisco deleted the fix/bump-dependencies branch January 13, 2023 08:41
@phisco phisco mentioned this pull request Jan 16, 2023
Successfully merging this pull request may close these issues.

CVEs reported requiring dependencies bump
2 participants