Skip to content

[Snyk] Security upgrade @kubernetes/client-node from 0.12.3 to 1.0.0 #97

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade @kubernetes/client-node from 0.12.3 to 1.0.0 #97

wants to merge 7 commits into from

Conversation

@HumairAK
Copy link
Owner

@HumairAK HumairAK commented Jul 19, 2025

snyk-top-banner

Snyk has created this PR to fix 5 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • frontend/server/package.json
  • frontend/server/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue
medium severity Missing Release of Resource after Effective Lifetime
SNYK-JS-INFLIGHT-6095116
critical severity Remote Code Execution (RCE)
SNYK-JS-JSONPATHPLUS-7945884
critical severity Remote Code Execution (RCE)
SNYK-JS-JSONPATHPLUS-8719585
medium severity Server-side Request Forgery (SSRF)
SNYK-JS-REQUEST-3361831
medium severity Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Remote Code Execution (RCE)
🦉 Server-side Request Forgery (SSRF)
🦉 Prototype Pollution

HumairAK and others added 7 commits July 18, 2025 17:07
@HumairAK
update proto packages
181e36d 
This commit upgrades various protobuf packages in KFP.

To support this change various code changes had to be made to account
for breaking api changes. The changes were:

Python:
* all python packages now supports protobuf 5 & 6
* proto files for pipeline spec, kfp-kubernetes, and backend/api have
  been re-compiled with the latest protoc (31.1)
* project go.mod runtime proto and grpc packages have been updated to
  match the latest packages for generated code, i.e. protoc-gen-go,
  protobuf, grpc-gateway, etc.
* backend code has been updated to support new api changes
* python packages have new make commands to allow developers to build
  the python packages using the same project dependencies used for
  releases
* workflow ci has been updated to trigger tests on changes to
  pipeline-spec
* kfp-generate image has been updated to reflect the lates dependencies
  & the same image was used to generate the compiled code everywhere
* there are inline comments added in various places to help future
  maintainers keep packages in sync, but more work is needed here in
  terms of documentation.

Some additional future work warrants CI changes to ensure dependencies
are in sync. Runtime Protobuf packages need to stay aligned with
packages used to generate code.

Signed-off-by: Humair Khan <[email protected]>
@HumairAK
add support for protobuf 4 back in
487f599 
Signed-off-by: Humair Khan <[email protected]>
@HumairAK
allow makefile for kfp-k8s to write to dist
0a65136 
Signed-off-by: Humair Khan <[email protected]>
@HumairAK
correct linting - this commit exposes some of the api breaking change…
0c44abd 
…s from the go client side, nameply the changes to the "Body" parameter, which now requires you to specify the actual name of the object type (Run, Experiment, Pipeline, Version, etc.)

Signed-off-by: Humair Khan <[email protected]>
@HumairAK
upgrade proto versions in ci
90676f3 
Signed-off-by: Humair Khan <[email protected]>
@HumairAK
add backwards compatibility support for filter values
cb00342 
Signed-off-by: Humair Khan <[email protected]>
@snyk-bot
fix: frontend/server/package.json & frontend/server/package-lock.json…
ad6b54b 
… to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
- https://snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884
- https://snyk.io/vuln/SNYK-JS-JSONPATHPLUS-8719585
- https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
- https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
@dsp-developers
Copy link

dsp-developers commented Jul 19, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

@HumairAK HumairAK force-pushed the master branch 9 times, most recently from aa17af9 to 87e54d1 Compare July 27, 2025 19:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@HumairAK @dsp-developers @snyk-bot