Bug #21654: Upgrade several dependencies from security reports - Arvados

Custom queries

All assigned issues
All issues assigned for grooming
My issues for grooming
My issues for grooming (no story pts)
Prioritized open issues

Actions

Copy link

Bug #21654

closed

Upgrade several dependencies from security reports

Added by Lucas Di Pentima 11 months ago. Updated 10 months ago.

Status:

Resolved

Priority:

Normal

Assigned To:

Lucas Di Pentima

Category:

Target version:

Development 2024-04-10 sprint

Story points:

Release:

Arvados 3.0

Release relationship:

Auto

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Lucas Di Pentima 11 months ago

Updates at 21654-deps-updates

eff916e upgrades github.com/satori/go.uuid addressing CVE-2021-3538: developer-run-tests: #4139
9b12bf8 upgrades babel-traverse addressing CVE-2023-45133: developer-run-tests: #4142

Actions

Copy link

Updated by Lucas Di Pentima 11 months ago

Status changed from In Progress to Resolved

Applied in changeset arvados|f674f8883fc075170a20ef592a2609e4f521f7b2.

Actions

Copy link

Updated by Lucas Di Pentima 11 months ago

Status changed from Resolved to In Progress

Actions

Copy link

Updated by Lucas Di Pentima 11 months ago

Updates at 4d3508c 21654-browserify-sign-upgrade

Upgrades browserify-sign to address CVE-2023-46234: developer-run-tests: #4148

Actions

Copy link

Updated by Lucas Di Pentima 11 months ago

Updates at 6e1da3c 21654-nokogiri-upgrade

Upgrades nokogiri to address CVE-2024-25062: developer-run-tests: #4147

Actions

Copy link

Updated by Lucas Di Pentima 11 months ago

Updates at 9542ef8 21654-go-jose-upgrade

Upgrades github.com/go-jose/go-jose/v3 to address CVE-2024-28180: developer-run-tests: #4149

Actions

Copy link

Updated by Lucas Di Pentima 11 months ago

Updates at 7997c58 21654-rails-upgrade developer-run-tests: #4150

Upgrades rack to address CVE-2024-26141, CVE-2024-26146 & CVE-2024-25126.
Upgrades rails to 7.0.8.1 to address CVE-2024-26143.

Actions

Copy link

Updated by Lucas Di Pentima 11 months ago

Updates at efe40af06f 21654-express-upgrade: developer-run-tests: #4153

Upgrades express to address CVE-2024-29041

Actions

Copy link

Updated by Lucas Di Pentima 11 months ago

Updates at 95c835b 21654-follow-redirects-upgrade: developer-run-tests: #4152

21654: Upgrades follow-redirects addressing CVE-2024-28849 & CVE-2023-26159

Actions

Copy link

#10

Updated by Lucas Di Pentima 11 months ago

Updates at 1e29fff 21654-protobuf-upgrade: developer-run-tests: #4156

Upgrades google.golang.org/protobuf to address CVE-2024-24786

Actions

Copy link

#11

Updated by Lucas Di Pentima 11 months ago

Updates at 0809ee6 21654-docker-upgrade: developer-run-tests: #4155

Upgrades github.com/docker/docker to address CVE-2024-24557

Actions

Copy link

#12

Updated by Lucas Di Pentima 11 months ago

Updates at 23c01a7 21654-wb2-deps-upgrades: developer-run-tests: #4160

Upgrades ip packages to address CVE-2023-42282
Upgrades ex5-ext to address CVE-2024-27088

Actions

Copy link

#13

Updated by Lucas Di Pentima 11 months ago

There one easily applicable upgrade pending, but not sure why it makes Cypress fail most of the tests with an error like the following:

18:08:37   3) Registered workflow panel tests
18:08:37        shows the appropriate buttons in the multiselect toolbar:
18:08:37      CypressError: Timed out retrying after 4050ms: `cy.click()` failed because this element:
18:08:37 
18:08:37 `<p class="MuiTypography-root-570 MuiTypography-body2-578 Component-listItemText-774 Component-active-775">Home Pr...</p>`
18:08:37 
18:08:37 is being covered by another element:
18:08:37 
18:08:37 `<iframe style="position: fixed; top: 0px; left: 0px; width: 100%; height: 100%; border: none; z-index: 2147483647;"></iframe>`
18:08:37 
18:08:37 Fix this problem, or use {force: true} to disable error checking.

The upgrade just consists in changing axios from 0.21.4 to 0.28.1, haven't found any clue as to why this happens.

diff --git a/services/workbench2/package.json b/services/workbench2/package.json
index 94e35029c4..4b3a81db24 100644
--- a/services/workbench2/package.json
+++ b/services/workbench2/package.json
@@ -28,7 +28,7 @@
     "@types/react-window": "1.8.2",
     "@types/redux-form": "7.4.12",
     "@types/shell-escape": "^0.2.0",
-    "axios": "^0.21.1",
+    "axios": "^0.28.0",
     "bootstrap": "^5.3.2",
     "caniuse-lite": "1.0.30001606",
     "classnames": "2.2.6",
diff --git a/services/workbench2/yarn.lock b/services/workbench2/yarn.lock
index 21fcc817c5..c917e529ef 100644
--- a/services/workbench2/yarn.lock
+++ b/services/workbench2/yarn.lock
@@ -4162,7 +4162,7 @@ __metadata:
     "@types/shell-escape": ^0.2.0
     "@types/sinon": 7.5
     "@types/uuid": 3.4.4
-    axios: ^0.21.1
+    axios: ^0.28.0
     axios-mock-adapter: 1.17.0
     bootstrap: ^5.3.2
     caniuse-lite: 1.0.30001606
@@ -4439,12 +4439,14 @@ __metadata:
   languageName: node
   linkType: hard

-"axios@npm:^0.21.1":
-  version: 0.21.4
-  resolution: "axios@npm:0.21.4" 
+"axios@npm:^0.28.0":
+  version: 0.28.1
+  resolution: "axios@npm:0.28.1" 
   dependencies:
-    follow-redirects: ^1.14.0
-  checksum: 44245f24ac971e7458f3120c92f9d66d1fc695e8b97019139de5b0cc65d9b8104647db01e5f46917728edfc0cfd88eb30fc4c55e6053eef4ace76768ce95ff3c
+    follow-redirects: ^1.15.0
+    form-data: ^4.0.0
+    proxy-from-env: ^1.1.0
+  checksum: 5115a38d79064d07437c5a28f15841e3607634040e3120ec06a2c4367a7d07cf213b16496eab53b6f58ebc5fb377a440ba9ed4782529b14449a1e285734bfb54
   languageName: node
   linkType: hard

@@ -5851,7 +5853,7 @@ __metadata:
   languageName: node
   linkType: hard

-"combined-stream@npm:^1.0.6, combined-stream@npm:~1.0.6":
+"combined-stream@npm:^1.0.6, combined-stream@npm:^1.0.8, combined-stream@npm:~1.0.6":
   version: 1.0.8
   resolution: "combined-stream@npm:1.0.8" 
   dependencies:
@@ -8712,7 +8714,7 @@ __metadata:
   languageName: node
   linkType: hard

-"follow-redirects@npm:^1.0.0, follow-redirects@npm:^1.14.0":
+"follow-redirects@npm:^1.0.0, follow-redirects@npm:^1.15.0":
   version: 1.15.6
   resolution: "follow-redirects@npm:1.15.6" 
   peerDependenciesMeta:
@@ -8777,6 +8779,17 @@ __metadata:
   languageName: node
   linkType: hard

+"form-data@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "form-data@npm:4.0.0" 
+  dependencies:
+    asynckit: ^0.4.0
+    combined-stream: ^1.0.8
+    mime-types: ^2.1.12
+  checksum: 01135bf8675f9d5c61ff18e2e2932f719ca4de964e3be90ef4c36aacfc7b9cb2fceb5eca0b7e0190e3383fe51c5b37f4cb80b62ca06a99aaabfcfd6ac7c9328c
+  languageName: node
+  linkType: hard
+
 "form-data@npm:~2.3.2":
   version: 2.3.3
   resolution: "form-data@npm:2.3.3" 
@@ -15335,6 +15348,13 @@ __metadata:
   languageName: node
   linkType: hard

+"proxy-from-env@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "proxy-from-env@npm:1.1.0" 
+  checksum: ed7fcc2ba0a33404958e34d95d18638249a68c430e30fcb6c478497d72739ba64ce9810a24f53a7d921d0c065e5b78e3822759800698167256b04659366ca4d4
+  languageName: node
+  linkType: hard
+
 "prr@npm:~1.0.1":
   version: 1.0.1
   resolution: "prr@npm:1.0.1"

Actions

Copy link

#14

Updated by Lucas Di Pentima 11 months ago

Status changed from In Progress to Resolved

Actions

Copy link

#15

Updated by Peter Amstutz 10 months ago

Release set to 70

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Arvados

Custom queries

Bug #21654

Upgrade several dependencies from security reports

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Lucas Di Pentima 11 months ago

Updated by Peter Amstutz 10 months ago