
[server 0.1036.5000] Bump server version and update deps to address CVEs - fix #19959

Merged

Conversation

zhenmichael
Contributor

Testing changes from @alexvy86 PR: #19772

Reverted changes from cherry pick of 232921a except for changes to server. Ideally, this will only trigger the pipeline build for server, which was passing previously.

alexvy86 and others added 9 commits February 23, 2024 12:55
…osoft#17389)

(Cherry pick of a0368d6)

Update the recommended versions of Node.js for developers to use, as
well as the version used by CI, from version 14 to 18.

This change made some scenarios in some e2e tests hang, so a fix for
skipping them had to be included.
Details:
0.58.x doesn't have the fix to routerlicious-driver in this PR:
microsoft#8913
(also see related issue for more context on the problem:
microsoft#9163)
This causes this test to hang while loading container2, as the snapshot
is over 16KB.
…osoft#19338)

## Description

Updates pr-labeler and pr-validation to include a permissions block.

See github permissions doc
[here](https://docs.github.com/en/enterprise-cloud@latest/actions/using-workflows/workflow-syntax-for-github-actions#permissions).

Co-authored-by: Abram Sanderson <[email protected]>
@zhenmichael zhenmichael requested review from msfluid-bot and a team as code owners March 5, 2024 16:31
@zhenmichael zhenmichael requested review from a team as code owners March 5, 2024 17:03
@zhenmichael
Contributor Author

@tylerbutler @alexvy86 It looks like the PR is running into some build issues for `pr-labeler`. I'm not too sure about how the labeler works, so I was wondering if I should update `pr-labeler.yml` to match its state in the main branch. Also, are there any other relevant changes related to the GitHub workflow that I may need to include?

@Abe27342
Contributor

Abe27342 commented Mar 6, 2024

> @tylerbutler @alexvy86 It looks like the PR is running into some build issues for `pr-labeler`. I'm not too sure about how the labeler works, so I was wondering if I should update `pr-labeler.yml` to match its state in the main branch. Also, are there any other relevant changes related to the GitHub workflow that I may need to include?

You probably need this change: #19338

@zhenmichael
Contributor Author

> > @tylerbutler @alexvy86 It looks like the PR is running into some build issues for `pr-labeler`. I'm not too sure about how the labeler works, so I was wondering if I should update `pr-labeler.yml` to match its state in the main branch. Also, are there any other relevant changes related to the GitHub workflow that I may need to include?
>
> You probably need this change: #19338

I believe this specific PR has already been cherry picked such that the permissions field is added to pr-labeler.yml and pr-validation.yml. However, it seems like there are still some differences between the pr-labeler.yml in main and the one in this server branch.

@tylerbutler
Member

The only thing the labeler does is assign labels to this PR. It should not block merge.

Contributor

@alexvy86 alexvy86 left a comment


The dependency updates to address CVEs seem correct to me. The cherry-picked changes to get the pipelines to run also seem fine but if anyone else wants to give extra eyes on those, it'd be great.

Tyler is right that the merge is not blocked right now by the pr-labeler failing, but because of lack of approval :)

@zhenmichael zhenmichael merged commit d94975c into microsoft:release/server/0.1036.5000 Mar 7, 2024
18 of 19 checks passed
zhenmichael added a commit that referenced this pull request Apr 9, 2024
…s CVEs - fix (#20544)

## Description

- Update dependencies in server npm packages to address
[CVE-2023-45857](GHSA-wf5p-g6vw-rhxx) and
[CVE-2024-21484](GHSA-rh63-9qcf-83gf).
- Consume new server version 0.1036.5002 from this PR
#19959
- Updated axios and jsrsasign deps versions

Followup: A similar process will be repeated for updating the azure 1.1
release. Azure packages should be updated with:
- server 0.1036.5002
- client 1.4.0
- updated versions for axios and jsrsasign
zhenmichael added a commit that referenced this pull request Apr 11, 2024
… CVEs - fix (#20566)

## Description

- Update dependencies in azure npm packages to address
[CVE-2023-45857](GHSA-wf5p-g6vw-rhxx) and
[CVE-2024-21484](GHSA-rh63-9qcf-83gf).
- Consume new server version 0.1036.5002 from this PR
#19959
- Consume new client version 1.4.0 from this PR
#20544
- Updated axios and jsrsasign deps versions