
images/ansible-operator/base.Dockerfile: pin pip3~=21.1 #4877

Merged
merged 1 commit into from May 5, 2021

Conversation

estroz
Member

@estroz estroz commented May 5, 2021

Description of the change:

  • images/ansible-operator/base.Dockerfile: pin pip3~=21.1

Motivation for the change: fix unicode split vuln that pipenv check complains about

/area dependency

Checklist

If the pull request includes user-facing changes, extra documentation is required:

…e split vuln

Signed-off-by: Eric Stroczynski <ericstroczynski@gmail.com>
@openshift-ci-robot openshift-ci-robot added the area/dependency Issues or PRs related to dependency changes label May 5, 2021
@estroz
Member Author

estroz commented May 5, 2021

/cherry-pick v1.7.x

@openshift-cherrypick-robot

@estroz: once the present PR merges, I will cherry-pick it on top of v1.7.x in a new PR and assign it to you.

In response to this:

/cherry-pick v1.7.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@estroz
Member Author

estroz commented May 5, 2021

/cherry-pick v1.6.x

@openshift-cherrypick-robot

@estroz: once the present PR merges, I will cherry-pick it on top of v1.6.x in a new PR and assign it to you.

In response to this:

/cherry-pick v1.6.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@estroz
Member Author

estroz commented May 5, 2021

/cc @jmrodri

@jmrodri jmrodri requested review from asmacdo and removed request for jmccormick2001 May 5, 2021 17:47
@@ -0,0 +1,4 @@
entries:
- description: >
Pinned pip3 to 21.1 in the ansible-operator image to fix https://github.com/pypa/pip/pull/9827
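Review bot: the entry's wording "Pinned pip3 to 21.1" does not match the change, which pins `pip3~=21.1`, a compatible-release range (21.1 and later 21.x, excluding 22); consider "Pinned pip3 to ~=21.1" so readers know newer 21.x patch releases are still admitted. The entry also points only at the pip PR URL instead of saying what was fixed; a clause naming the issue (the unicode split bug the PR description refers to) and noting that it affects only images that install further packages with the bundled pip3 would make the fragment useful without following the link.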
Member Author

@estroz estroz May 5, 2021


This is only kinda user-facing because they may install other python packages using the pre-installed pip3 in their operator's image, i.e. this is only a build vulnerability that most image consumers won't be exposed to.

pip3 must be upgraded because pipenv check errors otherwise.
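To make concrete what the `~=21.1` pin admits and what it rejects, here is an added example (not code from this PR or from operator-sdk) that implements PEP 440 compatible-release matching for plain release versions; the helper names and the sample pip versions are constructed for illustration and pre/post/dev tags are ignored:

```python
# Added example: evaluate a PEP 440 compatible-release ("~=") specifier for
# plain release versions, to show which pip versions the ~=21.1 pin admits.
# Hypothetical helpers, not part of operator-sdk; pre/post/dev tags are ignored.

def parse_release(version: str) -> tuple[int, ...]:
    """Split a release version like '21.1.3' into (21, 1, 3)."""
    return tuple(int(part) for part in version.strip().split("."))


def satisfies_compatible_release(spec: str, version: str) -> bool:
    """Return True if `version` matches the `~=` specifier per PEP 440.

    ~=X.Y   means  >=X.Y,   ==X.*
    ~=X.Y.Z means  >=X.Y.Z, ==X.Y.*
    i.e. at least the given version, and the same prefix once the last
    given component is dropped.
    """
    if not spec.startswith("~="):
        raise ValueError("expected a compatible-release specifier, e.g. '~=21.1'")
    floor = parse_release(spec[2:])
    if len(floor) < 2:
        raise ValueError("'~=' needs at least two release components")
    actual = parse_release(version)
    prefix = floor[:-1]
    width = max(len(floor), len(actual))

    def pad(t: tuple[int, ...]) -> tuple[int, ...]:
        # Right-pad with zeros so (21, 1) and (21, 1, 0) compare as equal.
        return t + (0,) * (width - len(t))

    return pad(actual) >= pad(floor) and pad(actual)[: len(prefix)] == prefix


def check_pin(spec: str, candidates: list[str]) -> dict[str, bool]:
    """Map each candidate version to whether the pin admits it."""
    return {v: satisfies_compatible_release(spec, v) for v in candidates}


if __name__ == "__main__":
    # Constructed sample versions: an older pip line, the pinned line and its
    # later 21.x releases, and a 22.x release that the pin deliberately excludes.
    for ver, ok in check_pin("~=21.1", ["21.0.1", "21.1", "21.1.3", "21.3.1", "22.0.4"]).items():
        print(f"pip {ver:8} admitted by ~=21.1: {ok}")
```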

Member

@fabianvf fabianvf left a comment


/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label May 5, 2021
@estroz estroz merged commit 1851810 into operator-framework:master May 5, 2021
@estroz estroz deleted the deps/pin-pip3 branch May 5, 2021 18:01
@openshift-cherrypick-robot

@estroz: new pull request created: #4878

In response to this:

/cherry-pick v1.7.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot

@estroz: new pull request created: #4879

In response to this:

/cherry-pick v1.6.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
