NASA-IMPACT / csdap-cumulus

SmallSat Cumulus Deployment

Follow-redirect library update through resolution section of package.json #411

Closed ShreyNiraula closed 2 weeks ago

ShreyNiraula commented 4 weeks ago

I have added the follow-redirects version 1.15.6 in the resolution section of the package.json. This will ensure that this version of follow-redirects is used and the current vulnerability is resolved.

krisstanton commented 3 weeks ago

Linked Ticket: https://github.com/NASA-IMPACT/csdap-cumulus/issues/396

krisstanton commented 2 weeks ago

Sandbox Deployment Passed. Smoke Test on Sandbox Passed.

Approving now and following up with UAT smoke test now.

krisstanton commented 2 weeks ago

I am not sure why deployment to UAT did not happen, will go forward with the merge deployment since Sandbox items worked as expected.

chuckwondo commented 2 weeks ago

> I am not sure why deployment to UAT did not happen, will go forward with the merge deployment since Sandbox items worked as expected.

It's because the only file that changed was package.json. However, when updating dependencies in that file, you need to run make install in order for yarn.lock to be updated.

NOTE: you may want to remove zip_lambdas as a dependency on your install recipe in Makefile. I attempted to run make install (after pulling the latest code from main) and noticed that it was taking forever to run, so I killed it. I then removed zip_lambdas as a dependency of install (i.e., instead of the line install: docker zip_lambdas it's just install: docker), and reran make install.

This caused yarn.lock to be updated as shown by running git diff afterwards:

-follow-redirects@^1.15.4, follow-redirects@^1.2.4:
-  version "1.15.5"
-  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.5.tgz#54d4d6d062c0fa7d9d17feb008461550e3ba8020"
-  integrity sha512-vSFWUON1B+yAw1VN4xMfxgn5fTUiaOzAJCKBwIIgT/+7CuGy9+r+5gITvP62j3RmaD5Ph65UaERdOSRGUzZtgw==
+follow-redirects@^1.15.4, follow-redirects@^1.15.6, follow-redirects@^1.2.4:
+  version "1.15.9"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.9.tgz#a604fa10e443bf98ca94228d9eebcc2e8a2c8ee1"
+  integrity sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==
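Review bot: the selector line `follow-redirects@^1.15.4, follow-redirects@^1.15.6, follow-redirects@^1.2.4:` carries a caret range `^1.15.6`, and the entry resolves to `version "1.15.9"`, not the exact 1.15.6 that the PR description says it pins; either pin `"1.15.6"` exactly in `resolutions` or amend the description to say the range resolves to 1.15.9. It is also worth checking that the full `git diff` of yarn.lock leaves no other entry still at 1.15.5, since the block shown here is only the excerpt chuckwondo pasted.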

When yarn.lock is updated (and committed/pushed), then UAT will be deployed. Whether or not deployment to UAT, and subsequently Prod, occurs is determined by whether or not a file matching any of the patterns listed in the paths lists within .github/workflows/main.yml is changed. Notice that package.json is not in either paths list, but yarn.lock is.
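The gap described above (package.json changed but yarn.lock did not) can be caught before opening a PR by checking that the lockfile actually honours every `resolutions` pin. This is an added example, not code from csdap-cumulus; the sample lockfile text is constructed from the updated entry quoted above, and the caret handling is a simplified semver subset.

```python
import json
import re

# Constructed sample: the post-update yarn.lock v1 entry quoted above (header + version).
SAMPLE_LOCK = """\
follow-redirects@^1.15.4, follow-redirects@^1.15.6, follow-redirects@^1.2.4:
  version "1.15.9"
"""

def parse_yarn_lock_v1(text):
    """Map package name -> set of versions the lockfile resolved it to."""
    versions, names = {}, []
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            # Entry header: comma-separated "name@range" selectors.
            names = []
            for sel in line.rstrip()[:-1].split(","):
                sel = sel.strip().strip('"')
                names.append(sel[: sel.rfind("@")])  # rfind keeps @scope/pkg
        elif line.startswith("  version ") and names:
            ver = line.split('"')[1]
            for name in names:
                versions.setdefault(name, set()).add(ver)
    return versions

def _vtuple(v):
    return tuple(int(x) for x in v.split("."))

def satisfies(version, spec):
    """Simplified semver: exact 'X.Y.Z' or caret '^X.Y.Z' (same major,
    version >= floor). Other range forms are not supported -> False."""
    if re.fullmatch(r"\d+\.\d+\.\d+", spec):
        return version == spec
    if re.fullmatch(r"\^\d+\.\d+\.\d+", spec):
        floor, v = _vtuple(spec[1:]), _vtuple(version)
        return v[0] == floor[0] and v >= floor
    return False

def unresolved_pins(package_json_text, lock_text):
    """Return (name, spec, lock_version) for every 'resolutions' pin that the
    lockfile does not honour; an empty list means yarn.lock is in sync."""
    resolutions = json.loads(package_json_text).get("resolutions", {})
    lock = parse_yarn_lock_v1(lock_text)
    problems = []
    for name, spec in resolutions.items():
        for ver in sorted(lock.get(name, {"<missing>"})):
            if ver == "<missing>" or not satisfies(ver, spec):
                problems.append((name, spec, ver))
    return problems
```

Run it over the real package.json and yarn.lock in a pre-commit hook or CI step; a non-empty result means `make install` (or `yarn install`) still needs to be run and the lockfile committed.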

krisstanton commented 2 weeks ago

Thanks for the info @chuckwondo.
I'll make these changes and make another PR off the just merged branch just to ensure this all works!

krisstanton commented 2 weeks ago

Linked Second Pull Request (Where the actual update to Makefile and yarn.lock happened as per comments above) https://github.com/NASA-IMPACT/csdap-cumulus/pull/412