-
Notifications
You must be signed in to change notification settings - Fork 918
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Backport 1.x] Bumps node-forge from v0.10.0 to v1.3.0 #2457
Conversation
Signed-off-by: Zilong Xia <zilongx@amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there are breaking changes introduced in version v1.0.0 yet it has been confirmed that none of them apply to Dashboards repository.
Unfortunately, that's not sufficient under our current definition of semantic versioning. Because of the current shared dependency model, plugins are allowed to treat explicit package.json
dependencies as a defacto public API - they can assume that the dependencies defined there (and their methods) can be used directly. (We don't want things to work that way, and are working to change it!)
Because v1.0.0 of node-forge
has breaking changes (of removed and changed APIs), we can't backport it to a minor or patch version branch (1.x
, in this case). There could be community or private plugins targeting 1.3 versions of OSD that directly use deprecated node-forge
methods that would be broken by this change.
So I just did a quick search (https://github.com/search?q=org%3Aopensearch-project+node-forge&type=code) and confirmed that (at least) within current org the Speaking of community or private plugins, do you have any real examples of such cases for |
@ZilongX I dont think the callout is about whether or not someone uses the dependency, but whether we want to stick to the definition of semver or not. Given the tight coupling that exists today between OSD and plugins when it comes to dependencies, we have to treat any direct dependency upgrade that changes its api as a breaking change since we cannot guarantee that a plugin for OSD will not depend on that api. And changing that api is technically a breaking change. Since one of our org tenants is to follow semver we need to apply that bar here too. This should no longer be an issue once we decouple the tight dependency between plugins and OSD for direct dependencies, but as it stands right now, thats not the case unfortunately. |
No, given our extensibility model it's impossible to know or asses all consumers of the package to see how they use it. You're correct that it's nothing specific to this package; rather it's a conservative approach that we've taken to semantic versioning in general, which optimizes for preventing surprising breakages. |
Do we follow semver strictly today? if so, should we bump up major version not minor if any dependencies has break change even we are not impacted? |
@seraphjiang AFAIK yes we do. Thats why we have not backported similar changes and had to wait until 2.0. e.g. node 14 upgrade |
Thanks @ashwin-pc for clarification. I have a question, i'd like to discuss. whether we should treat downstream dependency break change as our own break change. e..g there are breaking change from node 6, node 8, to node 10, however, it doesn't mean it will cause upstream break change. and not necessary to bump up version just because downstream dependencies declare they has break change. @kavilla @AMoo-Miki @mihirsoni @zengyan-amazon @ashwin-pc @joshuarrrr @dblock @seanneumann |
Thanks @seraphjiang - this is a good example of how our versioning approach differs from how Kibana handled versioning. Because of the reasons discussed upstream, each of those node version bumps would only go in a major OpenSearch Dashboards release, not in a minor release.
True, but there's also no way to guarantee that it won't cause a breaking change, which is why we take the conservative approach. |
if there is no break change to customer, there is not necessary to bump up major. Node version bump should not be the reason to bump up OSD version. as far as i know, we run bwc test, if that test works, means there is no break change in OSD itself. I'm OK with what already happened, but in the future we should not bump up major version because dependencies has break change. |
Closing for now as this seems to break semver for developers. Please re-open if any concerns. |
Signed-off-by: Zilong Xia zilongx@amazon.com
Description
Resolves CVE-2022-24771, CVE-2022-24772, CVE-2022-24773, CVE-2022-0122 by bumping package
node-forge
up fromv0.10.0
tov1.3.0
This PR is to backport same fixes applied to branch
2.0.0
back to branch1.x
, which is a combination ofnode-forge
from v0.10.0 to v1.2.1 #1239node-forge
from v1.2.1 to v1.3.0 #1369Based on https://github.com/digitalbazaar/forge/blob/v1.2.1/CHANGELOG.md of package
node-forge
, there are breaking changes introduced in versionv1.0.0
yet it has been confirmed that none of them apply to Dashboards repository.(Upgrades
node-forge
from v0.10.0 to v1.2.1 #1239)Upgrades @elastic/request-crypto from 1.1.4 to 2.0.0 which has a downstream dependency on node-forge.
Issues Resolved
Resolves #1112
Resolves #1134
Resolves #1365
Resolves #1366
Resolves #1367
Check List
yarn test:jest
yarn test:jest_integration
yarn test:ftr