@lresende
Member

What changes were proposed in this pull request?

Update dependencies to avoid security vulnerabilities

How was this pull request tested?

It wasn't tested on a runtime, so I would like to request help on validating this.

Developer's Certificate of Origin 1.1

   By making a contribution to this project, I certify that:

   (a) The contribution was created in whole or in part by me and I
       have the right to submit it under the Apache License 2.0; or

   (b) The contribution is based upon previous work that, to the best
       of my knowledge, is covered under an appropriate open source
       license and I have the right under that license to submit that
       work with modifications, whether created in whole or in part
       by me, under the same open source license (unless I am
       permitted to submit under a different license), as indicated
       in the file; or

   (c) The contribution was provided directly to me by some other
       person who certified (a), (b) or (c) and I have not modified
       it.

   (d) I understand and agree that this project and the contribution
       are public and that a record of the contribution (including all
       personal information I submit with it, including my sign-off) is
       maintained indefinitely and may be redistributed consistent with
       this project or the open source license(s) involved.

@elyra-bot

elyra-bot bot commented Feb 17, 2022

Thanks for making a pull request to Elyra!

To try out this branch on binder, follow this link: Binder

@lresende lresende requested a review from akchinSTC February 17, 2022 20:16
@lresende lresende added this to the 3.7.0 milestone Feb 17, 2022
@lresende lresende added component:build build and build related issues(dependencies and docker) dependencies Pull requests that update a dependency file labels Feb 17, 2022
Member

@kevin-bates kevin-bates left a comment

LGTM.

I'm curious how you determined that these particular packages required updates and what versions to update them with? I don't believe these versions are their respective "latest" versions - thus my curiosity. (thanks)

@lresende
Member Author

@kevin-bates Not a straight answer, but I started from the Dependabot report and was choosing either the latest or the recommended version without issues. There were also some transient dependency issues that influenced... If there is any dependency that you want to move to a higher version, please let me know.

@lresende lresende merged commit 894a3c3 into elyra-ai:master Feb 18, 2022
@lresende lresende deleted the dev-dependencies branch February 18, 2022 16:44