
build(deps): always resolve momentjs version 2.29.4 #3182

Merged
merged 1 commit into from
Dec 4, 2023

Conversation

linus345
Contributor

@linus345 linus345 commented Nov 21, 2023

Before this change both version 2.29.1 and version 2.29.4 of momentjs were brought in. The bump from v2.29.1 -> v2.29.4 remediates two CVEs: CVE-2022-24785 [1] and CVE-2022-31129 [2].

The most notable change comes with the bump from v2.29.1 -> v2.29.2 which introduces a breaking change to remediate CVE-2022-24785: forward slash and backward slash are no longer allowed in locale names. Locales containing either of those characters will not be loaded from the filesystem any longer [3].

Other than that it looks like there are only patch fixes, which can be seen in the full changelog [4].

[1] GHSA-8hfj-j24r-96c4
[2] GHSA-wc69-rhjr-hc9g
[3] https://gist.github.com/ichernev/1904b564f6679d9aac1ae08ce13bc45c
[4] https://github.com/moment/moment/blob/536ad0c348f2f99009755698f491080757a48221/CHANGELOG.md

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this is a chore.
  • The title of the PR is (a) conventional with a list of types and scopes found here, (b) states what changed, and (c) suffixes the related issues number. E.g. "fix(controller): Updates such and such. Fixes #1234".
    • Everything except (c) since this does not have a related issue, I can create one if required.
  • I've signed my commits with DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My builds are green. Try syncing with master if they are not.
  • My organization is added to USERS.md.
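A lockfile check for the situation the PR describes (two resolved copies of moment, 2.29.1 and 2.29.4) is shown below. This is an added example and not code from this PR or from argo-rollouts; the two package-lock.json objects are constructed samples, and the `some-widget` dependency is hypothetical.

```javascript
// Constructed sample: lockfileVersion 3 "packages" map before the fix.
// npm nests a second copy as <parent>/node_modules/<name> when ranges conflict.
const beforeLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { moment: "^2.29.4", "some-widget": "1.0.0" } },
    "node_modules/moment": { version: "2.29.4" },
    "node_modules/some-widget": { version: "1.0.0", dependencies: { moment: "~2.29.1" } },
    "node_modules/some-widget/node_modules/moment": { version: "2.29.1" },
  },
};

// Constructed sample: the same tree after forcing a single resolution of moment.
const afterLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { moment: "^2.29.4", "some-widget": "1.0.0" } },
    "node_modules/moment": { version: "2.29.4" },
    "node_modules/some-widget": { version: "1.0.0", dependencies: { moment: "~2.29.1" } },
  },
};

// Return every install path of `name` in the lock together with its version.
function resolvedVersions(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Verify that `name` is installed exactly at `wanted` everywhere in the tree;
// a missing package is reported as not ok, and offenders are listed for review.
function checkSingleVersion(lock, name, wanted) {
  const found = resolvedVersions(lock, name);
  const offenders = found.filter((f) => f.version !== wanted);
  return { ok: found.length > 0 && offenders.length === 0, found, offenders };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, lock] of [["before", beforeLock], ["after", afterLock]]) {
    const r = checkSingleVersion(lock, "moment", "2.29.4");
    console.log(label, r.ok ? "OK" : "extra/outdated copies:", r.offenders);
  }
}
```

Run against a real package-lock.json (`JSON.parse(fs.readFileSync(...))`) in CI to catch a nested, unpatched copy that a top-level bump alone leaves behind.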


codecov bot commented Nov 22, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (87b7448) 81.85% compared to head (e9e1457) 81.83%.

@@            Coverage Diff             @@
##           master    #3182      +/-   ##
==========================================
- Coverage   81.85%   81.83%   -0.02%     
==========================================
  Files         134      134              
  Lines       20556    20556              
==========================================
- Hits        16826    16823       -3     
- Misses       2866     2869       +3     
  Partials      864      864              



github-actions bot commented Nov 22, 2023

Go Published Test Results

2 084 tests in 118 suites (1 file): 2 084 passed, 0 skipped, 0 failed, 2m 47s

Results for commit e9e1457.



github-actions bot commented Nov 22, 2023

E2E Tests Published Test Results

4 files, 4 suites, 3h 26m 20s
103 tests: 94 passed, 6 skipped, 3 failed
422 runs: 388 passed, 24 skipped, 10 failed


Results for commit e9e1457.


Before this change both version 2.29.1 and version 2.29.4 of momentjs
were brought in. The bump from v2.29.1 -> v2.29.4 remediates two CVEs:
CVE-2022-24785 [1] and CVE-2022-31129 [2]. The most notable change comes
with the bump from v2.29.1 -> v2.29.2 which introduces a breaking change
to remediate CVE-2022-24785: forward slash and backward slash are no
longer allowed in locale names. Locales containing either of those
characters will not be loaded from the filesystem any longer [3]. Other
than that it looks like there are only patch fixes, which can be seen in
the full changelog [4].

[1] GHSA-8hfj-j24r-96c4
[2] GHSA-wc69-rhjr-hc9g
[3] https://gist.github.com/ichernev/1904b564f6679d9aac1ae08ce13bc45c
[4] https://github.com/moment/moment/blob/536ad0c348f2f99009755698f491080757a48221/CHANGELOG.md

Signed-off-by: Linus Ekman <linusekman01@gmail.com>
@linus345 linus345 force-pushed the resolve-momentjs-cves branch from 9deda52 to e9e1457 on November 22, 2023 08:04

SonarCloud Quality Gate passed

Bugs: 0 (A)
Vulnerabilities: 0 (A)
Security Hotspots: 0 (A)
Code Smells: 0 (A)

No coverage information
0.0% duplication

@zachaller zachaller merged commit 3b60991 into argoproj:master Dec 4, 2023
25 checks passed
zachaller pushed a commit that referenced this pull request Dec 4, 2023
@zachaller zachaller added the cherry-pick-completed Used once we have cherry picked the PR to all requested releases label Dec 4, 2023
ashutosh16 pushed a commit to ashutosh16/argo-rollouts that referenced this pull request Dec 8, 2023
Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com>