chore: bump yaml version for security finding #1193
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>
vinayak-kukreja
force-pushed
the
vkukreja/dependabot-finding
branch
from
e1fdf71
to
ad73c90
Compare
iliapolo
reviewed
May 15, 2023
.projenrc.js
Outdated
| @@ -12,7 +12,7 @@ const project = new Cdk8sTeamJsiiProject({ | |||
| ], | |||
|
|
|||
| bundledDeps: [ | |||
| 'yaml@2.0.0-7', | |||
| 'yaml@2.2.2', | |||
There was a problem hiding this comment.
Lets just remove the version number from here? This will allow us to also remove the exclusion from:
Lines 45 to 47 in 190ea12
And then yaml will be upgraded automatically going forward.
Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>
iliapolo
approved these changes
May 15, 2023
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
iliapolo
pushed a commit
that referenced
this pull request
May 15, 2023
We currently have a dependabot security finding not resolving due to a fixed yaml version in cdk8s. Finding: cdk8s-team/cdk8s-plus#1977 ``` cdk8s@2.7.56 requires yaml@2.0.0-7 cdk8s-cli@1.3.20 requires yaml@2.0.0-7 via a transitive dependency on cdk8s@1.10.54 ``` NOTE: * Looks like there are some more changes added when I run `npx projen`. * Yaml `defaultOptions` for schema was removed in an update. Recommendation is to explicitly mention the version in `parse and document`. Related PR: eemeli/yaml#346 (cherry picked from commit 3801c95) Signed-off-by: Vinayak Kukreja <78971045+vinayak-kukreja@users.noreply.github.com> # Conflicts: # .projen/tasks.json # .projenrc.js
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
mergify bot
pushed a commit
that referenced
this pull request
May 15, 2023
# Backport This will backport the following commits from `2.x` to `1.x`: - [chore: bump yaml version for security finding (#1193)](#1193) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport)
cdk8s-automation
pushed a commit
that referenced
this pull request
May 24, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We currently have a dependabot security finding not resolving due to a fixed yaml version in cdk8s.
NOTE:
npx projen.defaultOptionsfor schema was removed in an update. Recommendation is to explicitly mention the version inparse and document. Related PR: Remove YAML.defaultOptions eemeli/yaml#346Fixes #1190