Fixing Snyk vulnerability SNYK-JS-ZOD-5925617 by upgrading zod packages to latest #21800

Merged
merged 3 commits into from
Dec 15, 2023

Conversation


@Thutm Thutm commented Dec 8, 2023

Hey, I just made a Pull Request!

Addressing SNYK-JS-ZOD-5925617 by upgrading zod to latest in packages found with depends. Relied on yarn why for depends list. Will resolve issue #21777

ref:
https://security.snyk.io/vuln/SNYK-JS-ZOD-5925617
#21777

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)
  • All your commits have a Signed-off-by line in the message. (more info)

@Thutm Thutm requested review from a team and kuangp as code owners December 8, 2023 23:55
@github-actions github-actions bot added area:catalog Related to the Catalog Project Area search Things related to Search homepage Features for the composable homepage area:scaffolder Everything and all things related to the scaffolder project area area:permission Related to the Permission Project Area area:discoverability Related to the Discoverability Project Area labels Dec 8, 2023
@backstage-goalie
Contributor

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| @backstage/backend-tasks | packages/backend-tasks | patch | v0.5.13-next.2 |
| @backstage/cli-node | packages/cli-node | patch | v0.2.0 |
| @backstage/cli | packages/cli | patch | v0.25.0-next.2 |
| @backstage/core-app-api | packages/core-app-api | patch | v1.11.2-next.1 |
| @backstage/core-components | packages/core-components | patch | v0.13.9-next.2 |
| @backstage/frontend-plugin-api | packages/frontend-plugin-api | patch | v0.4.0-next.2 |
| @backstage/plugin-auth-node | plugins/auth-node | patch | v0.4.2-next.2 |
| @backstage/plugin-catalog-backend | plugins/catalog-backend | patch | v1.16.0-next.2 |
| @backstage/plugin-home | plugins/home | patch | v0.6.0-next.2 |
| @backstage/plugin-permission-backend | plugins/permission-backend | patch | v0.5.31-next.2 |
| @backstage/plugin-permission-common | plugins/permission-common | patch | v0.7.10 |
| @backstage/plugin-permission-node | plugins/permission-node | patch | v0.7.19-next.2 |
| @backstage/plugin-playlist-backend | plugins/playlist-backend | patch | v0.3.12-next.2 |
| @backstage/plugin-scaffolder-backend-module-gitlab | plugins/scaffolder-backend-module-gitlab | patch | v0.2.11-next.2 |
| @backstage/plugin-scaffolder-backend | plugins/scaffolder-backend | patch | v1.19.2-next.2 |
| @backstage/plugin-scaffolder-node | plugins/scaffolder-node | patch | v0.2.9-next.2 |
| @backstage/plugin-scaffolder-react | plugins/scaffolder-react | patch | v1.6.2-next.2 |
| @backstage/plugin-scaffolder | plugins/scaffolder | patch | v1.16.2-next.2 |
| @backstage/plugin-search-backend | plugins/search-backend | patch | v1.4.8-next.2 |

@backstage-goalie
Contributor

Thanks for the contribution!
All commits need to be DCO signed before they are reviewed. Please refer to the DCO section in CONTRIBUTING.md or the DCO status for more info.

@Thutm
Author

Thutm commented Dec 9, 2023

Didn't squash my commits or sign them all. Will fix.

@Thutm Thutm force-pushed the SNYK-JS-ZOD-5925617-fix branch from 2a85c11 to 49c9d7c Compare December 11, 2023 14:55
@Thutm Thutm force-pushed the SNYK-JS-ZOD-5925617-fix branch from 49c9d7c to 0cbb03b Compare December 11, 2023 14:57
Contributor

github-actions bot commented Dec 11, 2023

Uffizzi Cluster pr-21800 was deleted.

@Thutm
Author

Thutm commented Dec 11, 2023

Test case failing on depends. emotion may need to lock/rollback versions on csstype for now? frenic/csstype#189

@freben
Member

freben commented Dec 15, 2023

This doesn't fix the problem right? The lockfile doesn't remove any vulnerable resolutions.

@freben
Member

freben commented Dec 15, 2023

To be clear, I don't mind this fix - but just noting that we already resolved to a fixed version (it was already in-range of the previous range as well), and so could anyone adopting Backstage too. However we also have a transitive dep on zod@npm:~3.18.0 which ultimately gets pulled in by @oriflame/backstage-plugin-score-card@npm:^0.7.0. And THAT does not have a fix in-range, and there's no new release of that plugin that bumps to a newer core-components to circumvent it.

So I'm wondering if the actual fix is to remove the dependency on that plugin, or contact their author to see if they can address it.
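As an added example (my code, not Backstage's or the PR's) of the in-range check freben describes above: it reads a constructed yarn.lock v1 excerpt, flags zod resolutions below an assumed fixed-version placeholder `FIXED`, and reports whether each declared range (such as `~3.18.0`) could ever resolve to that fix. The lockfile excerpt, `FIXED`, and the function names are all assumptions for illustration.

```javascript
// Added example, not code from the Backstage PR: audit a yarn.lock (v1) excerpt for
// resolutions of one package that are still below an assumed fixed version, and report
// whether each declared range can even reach that fix (tilde, caret and exact pins only).
const FIXED = "3.22.3"; // placeholder threshold; take the real one from the Snyk advisory

// Constructed yarn.lock excerpt mirroring the two zod branches discussed in the thread.
const LOCK = `
"zod@^3.22.4", "zod@^3.21.4":
  version "3.22.4"
  resolved "https://registry.yarnpkg.com/zod/-/zod-3.22.4.tgz"

"zod@npm:~3.18.0":
  version "3.18.0"
  resolved "https://registry.yarnpkg.com/zod/-/zod-3.18.0.tgz"
`;

const parse = v => v.split(".").map(Number);                 // "3.22.4" -> [3, 22, 4]
const cmp = (x, y) => x[0] - y[0] || x[1] - y[1] || x[2] - y[2];

// Exclusive upper bound of a range: ~ allows patch bumps, ^ minor bumps when major > 0
// (^0.y.z allows patch bumps; ^0.0.z is not modelled), an exact pin allows nothing.
function upperBound(range) {
  const op = range[0], b = parse(/^[~^]/.test(range) ? range.slice(1) : range);
  if (op === "~") return [b[0], b[1] + 1, 0];
  if (op === "^") return b[0] > 0 ? [b[0] + 1, 0, 0] : [0, b[1] + 1, 0];
  return [b[0], b[1], b[2] + 1];
}
// The fix is "in-range" when some version satisfying `range` is >= fixed.
const fixInRange = (range, fixed) => cmp(parse(fixed), upperBound(range)) < 0;

// Minimal yarn.lock v1 reader: declared ranges and resolved version for each entry of `pkg`.
function lockEntries(lock, pkg) {
  const out = [];
  for (const block of lock.trim().split(/\n\n+/)) {
    const [head, ...body] = block.split("\n");
    const specs = head.replace(/:$/, "").split(",").map(s => s.trim().replace(/^"|"$/g, ""));
    const ranges = specs.filter(s => s.startsWith(pkg + "@"))
      .map(s => s.slice(pkg.length + 1).replace(/^npm:/, "")); // yarn berry style "npm:" prefix
    if (!ranges.length) continue;
    const version = body.map(l => l.trim()).find(l => l.startsWith("version ")).split(" ")[1].replace(/"/g, "");
    out.push({ ranges, version });
  }
  return out;
}
// For each lock entry: is the resolved version still vulnerable, and can its ranges reach the fix?
function audit(lock, pkg, fixed) {
  return lockEntries(lock, pkg).map(e => ({
    ...e,
    vulnerable: cmp(parse(e.version), parse(fixed)) < 0,
    fixInRange: e.ranges.every(r => fixInRange(r, fixed)),
  }));
}
```

Run `audit(LOCK, "zod", FIXED)`: the `^3.2x` entry is already fixed, while the `~3.18.0` entry is both vulnerable and unable to reach the fix without a range change upstream, which is the situation the comment describes.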

Member

@freben freben left a comment


I'll merge this since it still moves us somewhat forward, but let's also consider the other zod dependency branch that lingers behind as per the above

@freben freben merged commit 8a23b73 into backstage:master Dec 15, 2023
31 of 35 checks passed
Contributor

Thank you for contributing to Backstage! The changes in this pull request will be part of the 1.21.0 release, scheduled for Tue, 19 Dec 2023.

@raphaelbp12

> Test case failing on depends. emotion may need to lock/rollback versions on csstype for now? frenic/csstype#189

Will this PR fix this issue?

@freben
Member

freben commented Dec 18, 2023

No, that's unrelated.
