Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update kubernetes-client version to fix a CVE #2356

Merged
merged 4 commits into from
Oct 23, 2024
Merged

fix(deps): update kubernetes-client version to fix a CVE #2356

merged 4 commits into from
Oct 23, 2024

Conversation

karthikjeeyar
Copy link
Contributor

@karthikjeeyar karthikjeeyar commented Oct 15, 2024
edited by kim-tsao
Loading

Fixes:
https://issues.redhat.com/browse/RHIDP-4440

This upgrades the following packages

  • ocm-backend
  • shared-react
  • kubernetes-action
  • topology
  • tekton

Note: 1.3.x fix for Argocd will be contributed from backstage/community-plugin.

Fix CVE

CVE-2024-21534

@karthikjeeyar
Copy link
Contributor Author

/assign @kim-tsao @nickboldt

@karthikjeeyar karthikjeeyar force-pushed the update-kubernetes-client branch from 3d2179c to c2a2500 Compare October 15, 2024 10:12
@karthikjeeyar
Copy link
Contributor Author

karthikjeeyar commented Oct 15, 2024
edited
Loading

we are using plugin-kubernetes-common dependancy in 4 out of 5 plugins changed in this PR, and that plugin is pinned to v0.20.0 https://github.com/backstage/backstage/blob/master/plugins/kubernetes-common/package.json#L58 causing issues in CI checks.

Error: The version of a dependency ('@kubernetes/client-node') of an embedded module conflicts with main module dependencies: '0.20.0', '^0.22.1': cannot proceed!

nickboldt
nickboldt previously approved these changes Oct 15, 2024
View reviewed changes
@openshift-ci openshift-ci bot added lgtm and removed lgtm labels Oct 15, 2024
@karthikjeeyar karthikjeeyar force-pushed the update-kubernetes-client branch 2 times, most recently from 31f509b to 3bb0a84 Compare October 15, 2024 13:24
@kim-tsao kim-tsao requested a review from PatAKnight October 15, 2024 13:48
@kim-tsao
Copy link
Member

@PatAKnight can you or your team please review the ocm-backend plugin? Can you consider the QE and docs impact this change may have?

@karthikjeeyar karthikjeeyar force-pushed the update-kubernetes-client branch from 3bb0a84 to e1fda56 Compare October 16, 2024 02:17
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Oct 16, 2024
edited
Loading

🦋 Changeset detected

Latest commit: d4529c5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name Type
@janus-idp/backstage-scaffolder-backend-module-kubernetes Patch
@janus-idp/shared-react Patch
@janus-idp/backstage-plugin-ocm-backend Patch
@janus-idp/backstage-plugin-topology Patch
@janus-idp/backstage-plugin-tekton Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@karthikjeeyar karthikjeeyar requested a review from a team as a code owner October 16, 2024 02:44
@karthikjeeyar
Copy link
Contributor Author

/retest

@karthikjeeyar karthikjeeyar force-pushed the update-kubernetes-client branch from 9296bda to b32a068 Compare October 18, 2024 04:41
@karthikjeeyar karthikjeeyar force-pushed the update-kubernetes-client branch 2 times, most recently from b0558c4 to 2492cb9 Compare October 18, 2024 16:17
@PatAKnight
Copy link
Member

Plugin still works from my side of things.

But I was unable to test the ocm backend plugin dynamically. It might have to do with the plugins repo being on backstage 1.30 vs showcase repo being on backstage 1.29 and the various deprecations in @backstage/backend-dynamic-feature-service. @gashcrumb is that something that you can verify?

@karthikjeeyar karthikjeeyar force-pushed the update-kubernetes-client branch from 2492cb9 to b3a4db6 Compare October 21, 2024 05:27
@PatAKnight
Copy link
Member

I ended up figuring out how to get the ocm backend dynamic plugin tested. It ended up being the version mismatch after some hacking of backstage-showcase. Looks good to me. @invincibleJai, does anyone from the frontend team want to take a look at this?

@karthikjeeyar karthikjeeyar force-pushed the update-kubernetes-client branch from b3a4db6 to 5c7b784 Compare October 22, 2024 06:41
@karthikjeeyar karthikjeeyar force-pushed the update-kubernetes-client branch from 5c7b784 to d4529c5 Compare October 23, 2024 11:49
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@kim-tsao
Copy link
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Oct 23, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit ffe2546 into janus-idp:main Oct 23, 2024
8 checks passed
04kash pushed a commit to 04kash/backstage-plugins that referenced this pull request Oct 23, 2024
@karthikjeeyar @04kash
fix(deps): update kubernetes-client version to fix a CVE (janus-idp#2356
510c7ff 
)

* fix(deps): update kubernetes-client dependancy

* fix(deps): do not embed plugin-kubernetes-common package in export-dynamic script

* add changeset

* remove kubernetes-common dependancy from ocm-bacckend
@kim-tsao
Copy link
Member

/cherry-pick release-1.3

@openshift-cherrypick-robot
Copy link

@kim-tsao: #2356 failed to apply on top of branch "release-1.3":

Applying: fix(deps): update kubernetes-client dependancy
Using index info to reconstruct a base tree...
M	plugins/kubernetes-actions/package.json
M	plugins/ocm-backend/package.json
M	plugins/shared-react/package.json
M	plugins/tekton/package.json
M	plugins/topology/package.json
Falling back to patching base and 3-way merge...
Auto-merging plugins/topology/package.json
CONFLICT (content): Merge conflict in plugins/topology/package.json
Auto-merging plugins/tekton/package.json
CONFLICT (content): Merge conflict in plugins/tekton/package.json
Auto-merging plugins/shared-react/package.json
CONFLICT (content): Merge conflict in plugins/shared-react/package.json
Auto-merging plugins/ocm-backend/package.json
CONFLICT (content): Merge conflict in plugins/ocm-backend/package.json
Auto-merging plugins/kubernetes-actions/package.json
CONFLICT (content): Merge conflict in plugins/kubernetes-actions/package.json
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 fix(deps): update kubernetes-client dependancy

In response to this:

/cherry-pick release-1.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kim-tsao kim-tsao mentioned this pull request Oct 30, 2024
Merged
@kim-tsao kim-tsao mentioned this pull request Nov 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kim-tsao kim-tsao kim-tsao approved these changes

@nickboldt nickboldt nickboldt left review comments

@debsmita1 debsmita1 Awaiting requested review from debsmita1 debsmita1 is a code owner

@divyanshiGupta divyanshiGupta Awaiting requested review from divyanshiGupta divyanshiGupta is a code owner

@dzemanov dzemanov Awaiting requested review from dzemanov

@its-mitesh-kumar its-mitesh-kumar Awaiting requested review from its-mitesh-kumar

@PatAKnight PatAKnight Awaiting requested review from PatAKnight

@gashcrumb gashcrumb Awaiting requested review from gashcrumb

Assignees

@nickboldt nickboldt

@kim-tsao kim-tsao

Labels
lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@karthikjeeyar @kim-tsao @PatAKnight @openshift-cherrypick-robot @nickboldt @gashcrumb @openshift-merge-robot