fix: update form-data to 4.0.4 across CRUD web apps (Security v1.11) #789
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
Signed-off-by: noa limoy <[email protected]> Signed-off-by: utruong309 <[email protected]>
Signed-off-by: noa limoy <[email protected]> Signed-off-by: utruong309 <[email protected]>
Signed-off-by: Liav Weiss (EXT-Nokia) <[email protected]> Co-authored-by: Liav Weiss (EXT-Nokia) <[email protected]> Signed-off-by: utruong309 <[email protected]>
- Delete common component (OWNERS, go.mod, reconcilehelper/)
- Copy reconcilehelper/util.go to both notebook-controller and tensorboard-controller
- Update imports in both controllers to use local reconcilehelper
- Remove common dependency from go.mod files
- Update Dockerfiles to remove common component references

Signed-off-by: Yehudit Kerido <[email protected]>
Co-authored-by: Yehudit Kerido <[email protected]>
Signed-off-by: utruong309 <[email protected]>
* chore: Update Go module paths from kubeflow/kubeflow to kubeflow/notebooks

  - Updated module declarations in 3 go.mod files (notebook-controller, tensorboard-controller, pvcviewer-controller)
  - Updated all internal import statements in Go source files to match new module paths
  - Updated reconcilehelper imports to use local paths (after PR kubeflow#702 moved reconcilehelper into each controller)
  - Verified all components compile successfully

  Fixes kubeflow#699

  Signed-off-by: Asaad Balum <[email protected]>

* chore: Update PROJECT files to use kubeflow/notebooks paths

  - Updated all repo and API paths in PROJECT files
  - Changed pvcviewer projectName from 'pvc-viewer' to 'pvcviewer-controller'

  Addresses feedback from review

  Signed-off-by: Asaad Balum <[email protected]>

* mathew: fix rename of `pvc-viewer` path

  Signed-off-by: Mathew Wicks <[email protected]>

---------

Signed-off-by: Asaad Balum <[email protected]>
Signed-off-by: Mathew Wicks <[email protected]>
Co-authored-by: Mathew Wicks <[email protected]>
Signed-off-by: utruong309 <[email protected]>
* feat: Upgrade Python to 3.12 for CRUD web apps

  Upgrade Python toolchain from 3.10 to 3.12 for all three CRUD web applications (Jupyter, Volumes, Tensorboards) and their shared common backend.

  Changes:
  - Update Dockerfiles to use python:3.12-slim base image
  - Add setuptools and wheel installation (required in Python 3.12 slim)
  - Update CI workflows to use Python 3.12 for testing and linting
  - Upgrade common backend dependencies to address vulnerabilities:
    * Flask: 1.1.1 → 2.3.2
    * Werkzeug: 0.16.0 → 3.0.6
    * requests: 2.22.0 → 2.32.4
    * urllib3: 1.25.7 → 2.5.0
    * kubernetes: ==22.6.0 → >=22.6.0

  Testing performed:
  - All CI workflows passed (backend unit tests, integration tests, multi-arch builds)
  - Local functional testing in Kind cluster with full Kubeflow deployment
  - Verified all three web apps running on Python 3.12
  - Tested CRUD operations via UI:
    * Created, viewed, and deleted Volumes
    * Created, viewed, and deleted Jupyter Notebooks
    * Created, viewed, and deleted TensorBoards
  - Verified namespace visibility and RBAC permissions
  - Confirmed API endpoints responding correctly
  - Validated container startup and health checks

  Closes: kubeflow#724, kubeflow#725, kubeflow#726

  Signed-off-by: Asaad Balum <[email protected]>

* mathew: pin `kubernetes` pypi package to `34.1.0`

  Signed-off-by: Mathew Wicks <[email protected]>

* mathew: remove version requirements for `requests` and `urllib3`

  Signed-off-by: Mathew Wicks <[email protected]>

---------

Signed-off-by: Asaad Balum <[email protected]>
Signed-off-by: Mathew Wicks <[email protected]>
Co-authored-by: Mathew Wicks <[email protected]>
Signed-off-by: utruong309 <[email protected]>
- Update CI workflow pvcviewer_controller_unit_test.yaml to use go-version 1.24
- Update go.mod to go 1.24
- Update Dockerfile GOLANG_VERSION to 1.24

Signed-off-by: Hen Schwartz <[email protected]>
Co-authored-by: Hen Schwartz <[email protected]>
Signed-off-by: utruong309 <[email protected]>
* feat: Upgrade Go to 1.24 - notebook-controller component. kubeflow#721

  Signed-off-by: Abdallah Samara (EXT-Nokia) <[email protected]>

* Update nb_controller_integration_test.yaml

  Signed-off-by: abdallahsamabd <[email protected]>

* Update nb_controller_multi_arch_test.yaml

  Signed-off-by: abdallahsamabd <[email protected]>

* Update tb_controller_docker_publish.yaml

  Signed-off-by: abdallahsamabd <[email protected]>

* Update workflow triggers for unit tests

  Signed-off-by: abdallahsamabd <[email protected]>

* Update Dockerfile

  Signed-off-by: abdallahsamabd <[email protected]>

* Update nb_controller_unit_test.yaml

  Signed-off-by: abdallahsamabd <[email protected]>

* mathew: run go mod tidy + make to generate

  Signed-off-by: Mathew Wicks <[email protected]>

---------

Signed-off-by: Abdallah Samara (EXT-Nokia) <[email protected]>
Signed-off-by: abdallahsamabd <[email protected]>
Signed-off-by: Mathew Wicks <[email protected]>
Co-authored-by: Abdallah Samara (EXT-Nokia) <[email protected]>
Co-authored-by: Mathew Wicks <[email protected]>
Signed-off-by: utruong309 <[email protected]>
Signed-off-by: Yehudit Kerido <[email protected]> Co-authored-by: Yehudit Kerido <[email protected]> Signed-off-by: utruong309 <[email protected]>
* feat(ws): Upgrade Go to 1.24 - tensorboard-controller component

  Signed-off-by: Marina Koushnir <[email protected]>
  Signed-off-by: Mathew Wicks <[email protected]>

* mathew: add unit test GHA and fix running tests

  Signed-off-by: Mathew Wicks <[email protected]>

* mathew: run go tidy

  Signed-off-by: Mathew Wicks <[email protected]>

---------

Signed-off-by: Marina Koushnir <[email protected]>
Signed-off-by: Mathew Wicks <[email protected]>
Co-authored-by: Marina Koushnir <[email protected]>
Co-authored-by: Mathew Wicks <[email protected]>
Signed-off-by: utruong309 <[email protected]>
* chore: update readme

  Signed-off-by: Mathew Wicks <[email protected]>

* chore: remove issue templates from non-main branch

  Signed-off-by: Mathew Wicks <[email protected]>

* chore: remove contributing guide from non-main branch

  Signed-off-by: Mathew Wicks <[email protected]>

* chore: disallow commit message scopes

  Signed-off-by: Mathew Wicks <[email protected]>

* chore: move `area/v1` label to root OWNERS

  Signed-off-by: Mathew Wicks <[email protected]>

---------

Signed-off-by: Mathew Wicks <[email protected]>
Signed-off-by: utruong309 <[email protected]>
….11) Signed-off-by: utruong309 <[email protected]>
Signed-off-by: utruong309 <[email protected]>
* chore: Adding ADOPTERS.md file

  Signed-off-by: Francisco Javier Arceo <[email protected]>

* fix typo from copy/paste

  Signed-off-by: Francisco Javier Arceo <[email protected]>

* including openshift ai

  Signed-off-by: Francisco Javier Arceo <[email protected]>

* Update ADOPTERS.md

  Co-authored-by: Eder Ignatowicz <[email protected]>
  Signed-off-by: Francisco Arceo <[email protected]>

* Update ADOPTERS.md

  Signed-off-by: Francisco Arceo <[email protected]>

---------

Signed-off-by: Francisco Javier Arceo <[email protected]>
Signed-off-by: Francisco Arceo <[email protected]>
Co-authored-by: Eder Ignatowicz <[email protected]>
Signed-off-by: utruong309 <[email protected]>
* chore: create issue templates for project planning

  related: kubeflow#327

  This commit creates 3 new GitHub issue templates to help with Notebooks 2.0 project planning. As recently agreed upon in community meetings - we want to break down work into 3 hierarchical categories:

  - Epics
  - Features
  - Tasks

  The templates defined in this pull request mimic the format @ederign used when initially defining work for our first "sprint" of work.

  :warning: Please note, however, I have introduced the term `Task` to capture the most granular issue type. Happy to change the word to something else - but wanted a `[...]` prefix to identify these issues similar to `[EPIC]` and `[FEATURE]`

  These issue templates would not be intended to be used by "random" community members - rather they are designed to aid Epic Owners in defining work. For now, I have just added a simple "disclaimer" in the issue template summary to discourage use. In the future we could discuss extending `internal-acls` and leveraging GitHub Actions to ensure these "planning" templates are only used by designated community members.

  The `Epic` and `Feature` templates **DO NOT** have a section to track child items included in the issue description. The desire to merge kubeflow#325 to leverage GitHub sub-issues to more naturally track these relationships and avoid having to "ping" issue authors to update the description to track children.

  The `config.yml` `issue_templates` section is used to define a deterministic order within the GitHub Template Chooser modal. As we can control the order through this file alone - I also removed the leading numerical prefixes from existing yml template files as they serve no purpose and at worst could actively confuse.

  Signed-off-by: Andy Stoneberg <[email protected]>

* mathew: update epic label

  Signed-off-by: Mathew Wicks <[email protected]>

* Update .github/ISSUE_TEMPLATE/planning_task.yml

  Signed-off-by: Mathew Wicks <[email protected]>

* mathew: update feature label

  Signed-off-by: Mathew Wicks <[email protected]>

* mathew: remove emoji from planning names

  Signed-off-by: Mathew Wicks <[email protected]>

---------

Signed-off-by: Andy Stoneberg <[email protected]>
Signed-off-by: Mathew Wicks <[email protected]>
Co-authored-by: Mathew Wicks <[email protected]>
Signed-off-by: utruong309 <[email protected]>
Signed-off-by: Andrey Velichkevich <[email protected]> Signed-off-by: utruong309 <[email protected]>
related: kubeflow#327

This new GitHub Actions workflow listens for the 'opened' and 'labeled' events on GitHub issues and ensures any issue opened (or labelled) with a `kind/plan-xxx` label meets the following criteria:

- only users listed in the `AUTHORIZED_USER` JSON array can label an issue with the `kind/plan-xxx` label
- at most one of the `kind/plan-xxx` labels can exist on a given issue

The set of supported/expected `kind/plan-xxx` labels are:

- `kind/plan-epic`
- `kind/plan-feature`
- `kind/plan-task`

If an issue (with a `kind/plan-xxx` label) is **opened** by a non-authorized user - the issue will be automatically closed when the GitHub action fires. If an issue is labelled with the `kind/plan-xxx` label by an unauthorized user - the `kind/plan-xxx` label is removed. In both cases, a GitHub comment is added to the issue explaining why the issue was updated by the bot.

Please note, when opening a GH issue - **BOTH** the `opened` and `labeled` events will fire (if the issue has a label on it). As such, the GitHub action in this PR was deliberately structured to account for multiple instances running in parallel on the same underlying GitHub issue.

Also, this work complements kubeflow#361 - which defines GH issue templates that use the labels in a manner appropriate to satisfy the checks of this action.

Signed-off-by: Andy Stoneberg <[email protected]>
Signed-off-by: utruong309 <[email protected]>
…flow#369)

related: kubeflow#325

This new GitHub Actions workflow listens for issue comments and processes commands to add or remove sub-issues using the JavaScript client. It includes error handling and posts feedback to the issue for auditability as well as if any errors occur during execution.

Acceptable input formats (and multiple space-delimited arguments can be provided):

```
/add-sub-issue kubeflow#1
/add-sub-issue 1
/add-sub-issue kubeflow#1
```

:information_source: Be mindful of underlying constraints enforced in GH regarding sub-issues:

- An issue can only be a sub-issue to 0 or 1 issues
- Trying to add an issue as a sub-issue when it is already assigned as a sub-issue results in error

Also, in this commit, the ability to assign sub-issues is open to a set of users defined in the workflow yaml as a JSON string array within the job-level `if` conditional. The current collection identifies all epic owners and technical leaders for Notebooks 2.0.

Please note the workflow YAML file has been named generically to potentially house other "slash commands" in the future although the current implementation is only focused on `/add-sub-issue` and `/remove-sub-issue`.

Signed-off-by: Andy Stoneberg <[email protected]>
Signed-off-by: utruong309 <[email protected]>
Quick fix to provide @jenny-s51 with label permissions

Signed-off-by: Jenny <[email protected]>

Update validate-planning-label.yml

Revert newline.

Signed-off-by: Jenny <[email protected]>

fix(actions) : update slash-commands.yaml

Signed-off-by: utruong309 <[email protected]>
@liavweiss has been helping me with a lot of planning discussions and has been involved with notebooks-v2 for a while now. It will be helpful to give him the ability to create epics/features/tasks and start to own them.

Signed-off-by: Andy Stoneberg <[email protected]>
Signed-off-by: utruong309 <[email protected]>
This commit provides a basic GHA to enable Trivy FS scanning on the notebooks-v1 and notebooks-v2 branches.

In order to support `workflow_dispatch` and `cron` triggers - this GHA needs to live on the default branch (`main`). But while the workflow lives on the `main` branch - it will only scan `notebooks-v1` and/or `notebooks-v2` branches depending on how it's invoked.

It scans from the root of repo and reports on `CRITICAL`, `HIGH` or `MEDIUM` vulnerabilities that have fixes available. It will also scan for secrets. It will always exit with status code 0 and upload its results to the GitHub Security tab.

Custom ruleId metadata is injected into the report to help differentiate whether reported findings originated in `notebooks-v1` or `notebooks-v2`.

- custom `ruleId` also ensures flagging a false positive in `notebooks-v1` will not auto-apply to `notebooks-v2` branch if similar vulnerabilities exist and vice-versa.

The workflow is configured to fire every day at 6:00 AM UTC and also supports manually invoking it. I personally did not see any reason to run this on pull_requests and/or pushes to `notebooks-v1` or `notebooks-v2` branches as vulnerabilities could be disclosed / fixes made available **at any time**. Therefore, having it set on a daily schedule as well as supported ad-hoc runs seems a reasonable way to manage.

Additionally, the build has an `if:` conditional to prevent the `schedule` runs from running on forks in an attempt to be a good/responsible github citizen.

Signed-off-by: Andy Stoneberg <[email protected]>
Signed-off-by: utruong309 <[email protected]>
Signed-off-by: Uyen Truong <[email protected]>
This PR updates form-data to version 4.0.4 across all CRUD web app frontends:

- common/frontend
- jupyter/frontend
- tensorboards/frontend
- volumes/frontend

This resolves the following security issue:

Steps performed:

- `package.json` and regenerated `package-lock.json` in each frontend
- `npm install` to ensure clean dependency resolution
- `kubeflow-common-lib` where required

Signed-off-by: Uyen Truong [email protected]