Apply minor and patch updates for dependencies

zendesk / samson

Web interface for deployments, with plugin architecture and kubernetes support

Other

1.45k stars 234 forks source link

Apply minor and patch updates for dependencies #4088

Closed orien closed 4 months ago

orien commented 4 months ago

Apply some minor and patch level dependency updates.

[!note] The bundle_audit build step is failing. It correctly identifies a security issue with version 1.15.5 of the nokogiri gem being used. Unfortunately, the patched version 1.16.2 is only available on Ruby 3.0 and above. We'll need to upgrade Ruby for this service to apply the patch.

grosser commented 4 months ago

this PR does not bump the ruby version though, so this is prep ?
did you deploy this to staging/had it running locally ?
FYI instead of comments please use something like lock-diff so we have a single comment and the github diff view is still readable

orien commented 4 months ago

this PR does not bump the ruby version though, so this is prep ?

Regarding the note in the PR description, I'm explaining why the build is not passing. There's more work required to get the project working on Ruby 3, and resolve the CVE.

To keep the CI workflow passing, perhaps we should add an exception for the CVE until the project is migrated to Ruby 3. https://github.com/zendesk/samson/blob/97a9c1c63b2bbcc45b760aea26d5ceaec4343450/Rakefile#L66

did you deploy this to staging/had it running locally ?

Yes, this branch has been deployed to a staging environment and looks to be working fine.

FYI instead of comments please use something like lock-diff so we have a single comment and the github diff view is still readable

I'll try that next time. Thanks.

grosser commented 4 months ago

the audit step has an ignore flag that can be used to ignore selcted cves, that should get the PR green

orien commented 4 months ago

Thanks. The build is passing now.

orien commented 4 months ago

@grosser, is there anything else I can do to get this pull request accepted? I don't have merge permissions, so I'll need help.

grosser commented 4 months ago

tried that locally and ran into:

Ruby (< 3.4.dev, >= 3.0), which is required by gem 'sqlite3 (= 1.7.2)', is not available in the local ruby installation

https://rubygems.org/gems/sqlite3/versions/1.7.2-arm-linux so needs to be 1.6.9, can you downgrade it ?

... otherwise worked fine 👍 / I can merge

I assumed you work for zendesk since we just talked about ruby 3 upgrades so I though you'd DIY merge :D

orien commented 4 months ago

tried that locally and ran into:

Ruby (< 3.4.dev, >= 3.0), which is required by gem 'sqlite3 (= 1.7.2)', is not available in the local ruby installation

It's strange that that wasn't picked up in the CI build, or in my test run. I've downgraded the gem to version 1.6.9.

grosser commented 4 months ago

thx., it's a bug in sqlite on arm, which CI does not run