chore: bump yaml version for security finding #1193
Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>
e1fdf71 to ad73c90
.projenrc.js
Outdated
@@ -12,7 +12,7 @@ const project = new Cdk8sTeamJsiiProject({ | |||
], | |||
|
|||
bundledDeps: [ | |||
'yaml@2.0.0-7', | |||
'yaml@2.2.2', |
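Review bot: the replacement line `'yaml@2.2.2',` still hard-codes the version in bundledDeps, so the next advisory against yaml will need another manual bump, and with `exclude: ['yaml']` in depsUpgradeOptions in this same file projen's automatic dependency upgrades will keep skipping it; listing `'yaml'` without a version and dropping the exclusion would let upgrades flow on their own. Also, the PR description says `YAML.defaultOptions` was removed between 2.0.0-7 and 2.2.2 and that the version should now be passed explicitly to parse and Document, so any call sites that relied on defaultOptions need to be updated alongside this pin; the hunk by itself does not cover that.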
Let's just remove the version number from here? This will allow us to also remove the exclusion from:

Lines 45 to 47 in 190ea12
```
depsUpgradeOptions: {
  exclude: ['yaml'],
},
```

And then yaml will be upgraded automatically going forward.
Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>
💔 All backports failed

Manual backport

To create the backport manually run:

Questions? Please refer to the Backport tool documentation
We currently have a dependabot security finding not resolving due to a fixed yaml version in cdk8s.

Finding: cdk8s-team/cdk8s-plus#1977

```
cdk8s@2.7.56 requires yaml@2.0.0-7
cdk8s-cli@1.3.20 requires yaml@2.0.0-7 via a transitive dependency on cdk8s@1.10.54
```

NOTE:
* Looks like there are some more changes added when I run `npx projen`.
* Yaml `defaultOptions` for schema was removed in an update. Recommendation is to explicitly mention the version in `parse and document`. Related PR: eemeli/yaml#346

(cherry picked from commit 3801c95)

Signed-off-by: Vinayak Kukreja <78971045+vinayak-kukreja@users.noreply.github.com>

# Conflicts:
# .projen/tasks.json
# .projenrc.js
💚 All backports created successfully

Questions? Please refer to the Backport tool documentation
# Backport

This will backport the following commits from `2.x` to `1.x`:
- [chore: bump yaml version for security finding (#1193)](#1193)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)
We currently have a dependabot security finding not resolving due to a fixed yaml version in cdk8s.

NOTE:
* Looks like there are some more changes added when I run `npx projen`.
* Yaml `defaultOptions` for schema was removed in an update. Recommendation is to explicitly mention the version in `parse and document`. Related PR: Remove YAML.defaultOptions eemeli/yaml#346

Fixes #1190
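The finding above exists because a bundled dependency was pinned to an old prerelease (`yaml@2.0.0-7`) and the same config excluded `yaml` from projen's automatic upgrades, so nothing ever moved it forward. The following is an added example, not code from the cdk8s or projen projects: a small audit that walks a projen-style `bundledDeps` list, compares each pin against a minimum version using SemVer rules (a prerelease such as `2.0.0-7` sorts before `2.0.0`, which is the case that naive string or float comparison gets wrong), and flags pins that `depsUpgradeOptions.exclude` stops from being upgraded. The config shape, the sample entries and the choice of `2.2.2` (the version this PR bumps to) as the minimum are assumptions made for the example.

```javascript
// Added example (not cdk8s/projen code): audit pinned bundled dependencies
// in a projen-style config against a minimum version, with correct SemVer
// ordering for prerelease versions.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null, // null means a full release
  };
}

// Compare two prerelease identifier lists per SemVer 2.0.0 section 11:
// a release outranks any prerelease, numeric identifiers sort numerically
// and below alphanumeric ones, and a shorter list sorts lower.
function comparePre(a, b) {
  if (a === null && b === null) return 0;
  if (a === null) return 1;
  if (b === null) return -1;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    if (i >= a.length) return -1;
    if (i >= b.length) return 1;
    const x = a[i], y = b[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      const d = Number(x) - Number(y);
      if (d !== 0) return Math.sign(d);
    } else if (xn) {
      return -1;
    } else if (yn) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Returns -1, 0 or 1 for a < b, a == b, a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  return comparePre(pa.pre, pb.pre);
}

// Split a bundledDeps entry such as 'yaml@2.0.0-7' or '@scope/pkg@1.2.3'.
// A scoped name with no pin ('@scope/pkg') has its only '@' at index 0.
function splitDep(entry) {
  const at = entry.lastIndexOf('@');
  if (at <= 0) return { name: entry, version: null };
  return { name: entry.slice(0, at), version: entry.slice(at + 1) };
}

// Audit a config object: report pins below the known-good minimum and pins
// that the depsUpgradeOptions.exclude list keeps from being auto-upgraded.
function auditBundledDeps(config, minimums) {
  const findings = [];
  const excluded = new Set((config.depsUpgradeOptions && config.depsUpgradeOptions.exclude) || []);
  for (const entry of config.bundledDeps || []) {
    const { name, version } = splitDep(entry);
    if (version && minimums[name] && compareSemver(version, minimums[name]) < 0) {
      findings.push({ name, version, issue: `pinned below ${minimums[name]}` });
    }
    if (version && excluded.has(name)) {
      findings.push({ name, version, issue: 'pinned and excluded from automatic upgrades' });
    }
  }
  return findings;
}

// Constructed sample mirroring the shape of the .projenrc.js under review.
const SAMPLE_CONFIG = {
  bundledDeps: ['yaml@2.0.0-7', 'some-other-lib'],
  depsUpgradeOptions: { exclude: ['yaml'] },
};
// Assumed minimum: the version this PR moves to.
const MINIMUMS = { yaml: '2.2.2' };

console.log(auditBundledDeps(SAMPLE_CONFIG, MINIMUMS));
```

Run against the sample it reports two findings for `yaml`: the pin is below the minimum, and the exclusion would block projen from fixing that on its own. Bumping the pin to `2.2.2` clears the first finding but not the second; listing `yaml` unpinned and dropping the exclusion, as the review comment proposes, clears both.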