Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Release v3.5 patch releases discussion #11997

Open
terrytangyuan opened this issue Oct 14, 2023 · 96 comments
Open

Release v3.5 patch releases discussion #11997

terrytangyuan opened this issue Oct 14, 2023 · 96 comments
Labels
type/feature Feature request

Comments

@terrytangyuan
Copy link
Member

terrytangyuan commented Oct 14, 2023

This issue tracks commits for 3.5 patch releases.

@terrytangyuan
Copy link
Member Author

#12025 needs to be fixed for this

@terrytangyuan terrytangyuan changed the title Release v3.5.1 cherry-pick candidates Release v3.5 patch releases discussion Oct 23, 2023
@terrytangyuan
Copy link
Member Author

I am thinking about releasing v3.5.1 next week. The most important fix would be #12068 since it blocks people from upgrading to v3.5.

@terrytangyuan
Copy link
Member Author

Security fix: #12111

@terrytangyuan
Copy link
Member Author

#12130

@terrytangyuan
Copy link
Member Author

terrytangyuan commented Nov 3, 2023

Released: https://github.com/argoproj/argo-workflows/releases/tag/v3.5.1

@agilgur5
Copy link
Contributor

agilgur5 commented Nov 5, 2023

Would be good to get my UI code-splitting / bundle reductions changes into the next patch release once they're all merged in (#12061, #12097, #12150). They are primarily refactors in content, but their overall intent is to fix long wait times for the UI on slow networks or slow devices as described in #11970

@terrytangyuan
Copy link
Member Author

#12133

@terrytangyuan
Copy link
Member Author

#12203

@terrytangyuan
Copy link
Member Author

TODO: @terrytangyuan to post a list of commits to cherry-pick here

@terrytangyuan
Copy link
Member Author

terrytangyuan commented Nov 22, 2023

The plan is to cherry-pick the following commits (unless there's conflict) for v3.5.2 release

Fixes:

Tests:

Chore(deps):

Others:

@Joibel
Copy link
Member

Joibel commented Nov 22, 2023

Could you add #12215 and #12214 to 3.5.2 please @terrytangyuan, just to ensure those tests are happening.

@agilgur5
Copy link
Contributor

agilgur5 commented Nov 23, 2023

Could we add the UI code-splitting PRs as I mentioned above? I don't think they have a big impact to that many users, so I'm fine with it going in 3.5.3 instead if you'd prefer to keep 3.5.2 smaller/more stable.

Otherwise commit list LGTM ✅

@terrytangyuan
Copy link
Member Author

@Joibel Good idea.

@agilgur5 I'd like to focus on fixes and chore(deps) in patch releases.

@agilgur5
Copy link
Contributor

agilgur5 commented Nov 23, 2023

As I wrote above:

They are primarily refactors in content, but their overall intent is to fix long wait times for the UI on slow networks or slow devices as described in #11970

I would definitely not call them features at least

@agilgur5
Copy link
Contributor

agilgur5 commented Nov 23, 2023

We probably want #12245 as well since #12225 and #12227 are in the list and may break lint again on the 3.5.x branch

@terrytangyuan
Copy link
Member Author

I would definitely not call them features at least

Sounds good. In the future, let's make sure the PR titles can tell us that.

@agilgur5
Copy link
Contributor

agilgur5 commented Nov 23, 2023

Yea each PR individually is more of a refactor, but as a whole they are a fix -- in other words, a bunch of refactors that enable a fix.
Naming things is a hard problem 😅 ; as always feel free to change the titles if that makes things easier for you to release

@terrytangyuan
Copy link
Member Author

terrytangyuan commented Nov 27, 2023

Working on branch https://github.com/argoproj/argo-workflows/tree/release-3.5.2

Note that I also included some merged dependabot PRs from master branch and some of the dependabot PRs cannot be cherry-picked.

@terrytangyuan
Copy link
Member Author

terrytangyuan commented Nov 27, 2023

@juliev0
Copy link
Contributor

juliev0 commented Dec 13, 2023

Request to include #12353

@terrytangyuan
Copy link
Member Author

This needs to be included #12470

@agilgur5
Copy link
Contributor

agilgur5 commented Jan 7, 2024

#12421 is also a fix for a 3.5.0 feature

@sarabala1979
Copy link
Member

Hi
I am working on release v3.5.3 which includes below PRs
#12421
#12470
#12353

@agilgur5
Copy link
Contributor

Updating here that 3.5.3 was released

@agilgur5
Copy link
Contributor

#12397 for the next release

@shuangkun
Copy link
Member

could #12936 be added, some user needs it #12936 (comment)

@terrytangyuan
Copy link
Member Author

All added to the list.

@agilgur5
Copy link
Contributor

agilgur5 commented May 17, 2024

I am planning to only cherry-pick important fixes to 3.5.7

@terrytangyuan maybe I should've clarified before, I might've misunderstood the intent your question during this week's Contributor Meeting.
I've already been cherry-picking all fixes and deps security upgrades on an ongoing basis (roughly weekly, sometimes quicker), per the "release manager" approach I suggested in #12592 (comment).
So fixes that landed before your comment are likely already cherry-picked in.

I've also been using the v3.5.x patches milestone I created to track everything

Regarding this one, we should cherry-pick the original PR (#12736), the revert with CI fix (#13018), and the fixed PR (#13021). As that would reduce merge conflicts and have a cleaner and more matching git history (which also helps with our scripts etc). I'll probably do that today

@terrytangyuan
Copy link
Member Author

UI security fix: #13069

@terrytangyuan
Copy link
Member Author

@agilgur5 Can you help make sure all PRs in the list #11997 (comment) are cherry-picked into release branch and then we can push the tag?

@agilgur5
Copy link
Contributor

agilgur5 commented May 26, 2024

UI security fix: #13069

This would require a several other backports to make work as I detailed in #13069 (review).
Argo v3.5 is on swagger-ui-react v4 as #12540 was never backported and then there are several React incompatibilities with that PR itself as well.

@agilgur5 Can you help make sure all PRs in the list #11997 (comment) are cherry-picked into release branch and then we can push the tag?

Other than the above, yes, that was my plan.

@agilgur5
Copy link
Contributor

Released v3.5.7.

Includes all merged fixes and security patches except for two due to #13069 (review) and #13012 (comment).

Also lots of docs backports and a few CI security backports

See the changelog for more details: #13096

@agilgur5
Copy link
Contributor

Released v3.5.8.

Includes all merged fixes and security patches except for the two skipped in 3.5.7 above and #13169 (comment).
Plus a few docs backports.

See the changelog for more details: #13206

@agilgur5
Copy link
Contributor

Released v3.5.9.

Includes all merged fixes and security patches except for the ones skipped in previous releases above.
Plus docs backports.

See the changelog for more details: #13414

@agilgur5
Copy link
Contributor

agilgur5 commented Aug 1, 2024

Released v3.5.10.

Primarily includes a hotfix for #13415.

See the changelog for more details: #13423

@JPZ13
Copy link
Member

JPZ13 commented Sep 16, 2024

Hey @agilgur5 - we've got a customer that needs one of the fixes in v3.5.11. I know you're dealing with some health issues. Would you like us to take the release to help out? We wish you a speedy recovery

@agilgur5
Copy link
Contributor

agilgur5 commented Sep 19, 2024

@JPZ13 Yes please, I would appreciate that. The WorkflowTaskResults and API query performance fixes are P1s so this has been very high on my list to get out as well.

Unfortunately, I was busy reviewing some of those fixes etc that I didn't get to this before my current flare up. Was thinking I'd be feeling good enough over the weekend or this week to knock it out in a few hours, but I've honestly barely touched my desktop in a week 😞

If Alan or Isitha take this over, just make sure to note where I left off in 3.5.x backporting, i.e. things that I didn't merge in 3.5.10 or earlier had complex merge conflicts etc, can leave those unmerged and just backport things after 3.5.10

@Joibel
Copy link
Member

Joibel commented Sep 19, 2024

@agilgur5 sorry that you're still feeling rotten. Get well soon.

Between us @isubasinghe and I will try to cut a 3.5.11 this week.

@terrytangyuan
Copy link
Member Author

Need to patch this high vuln security fix #13626

@agilgur5
Copy link
Contributor

agilgur5 commented Sep 19, 2024

Need to patch this high vuln security fix #13626

@terrytangyuan that one won't make it into 3.5 per #13069 (review), same as I wrote previously in this thread

@Joibel
Copy link
Member

Joibel commented Sep 20, 2024

v3.5.11 cherry picks:

Also included

@Joibel
Copy link
Member

Joibel commented Sep 20, 2024

I've released v.3.5.11 without #13626. I'm happy to do a v.3.5.12 shortly if we can work out a way forward.

@agilgur5 can you suggest or action a plan to allow us to do a release which patches this vulnerability. It the right choice to just leave it as is even though it is of minimal/no impact by our judgement. Security scanners will still be alerting that argo-workflows isn't safe. If that comes down to removing the API page that seems better than doing nothing.

@agilgur5
Copy link
Contributor

agilgur5 commented Sep 20, 2024

@Joibel on Slack I mentioned downgrading it to potentially workaround some of these CVEs since 3.4's version wasn't vulnerable (at least not to the first one, not sure about the most recent one).
Removing it would be a breaking change, so I didn't want to do that till 3.6

Regarding security scanners, actually no one's complained about 3.5 so far so they seem to actually not be detecting it, for better or for worse. (a scanner would have to detect the embedded UI bundles in the CLI/Server binary and then parse out deps from those bundles, one of which contains swagger-ui-react. having PoC'd many scanners for a security department before, I would not be surprised if most were not sophisticated enough to do half of that)

@Joibel
Copy link
Member

Joibel commented Sep 20, 2024

For the latest issue 3.4 is vulnerable as it is using dompurify 2.3.3.

With that in mind I think we need to develop a strategy for 3.4 and 3.5. Any suggestions? Perhaps upgrading that to 2.5.4 would work?

For 3.6 we should remove that API page I guess to reduce our surface area before RC2? Are you feeling up to a PR for that @agilgur5?

@agilgur5
Copy link
Contributor

agilgur5 commented Sep 20, 2024

Yes removing it and replacing it with a link to the versioned docs is on my to-do list. Per the Slack thread, not just for surface area, but also because it's a massive dep (2nd largest, itself being larger than the UI codebase excluding other deps) which increases load time, build time, etc etc.
The page is also not used very frequently and now that the docs have versions (#11390) and have the same Swagger UI (#10923), we can just link to them and otherwise provide the schema files for download/local use/backward-compat.

Perhaps upgrading that to 2.5.4 would work?

Yes, in that vuin's case it would.
The problem that arises is what to do for future vulns where we may not have options? Given that these vulns apply to a transitive dep of a single page and are usually non-impacting (we don't use the vulnerable functionality or are otherwise not susceptible), they are of very low importance in my head

@agilgur5
Copy link
Contributor

I've released v.3.5.11 without #13626.

CHANGELOG PR for reference: #13631

@mweibel
Copy link
Contributor

mweibel commented Oct 10, 2024

is it possible to cherry-pick #13693 to the next patch release? Thank you!

@Joibel
Copy link
Member

Joibel commented Oct 10, 2024

It looks like it will cherry pick nicely. We will try and bring it in.

@isubasinghe
Copy link
Member

These are the chosen candidates for a 3.5.12 release:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type/feature Feature request
Projects
None yet
Development

No branches or pull requests