
Update minimum PNPM to 8.6.8 #33114

Merged
merged 1 commit into from
Sep 15, 2023

Conversation

kraftbj
Contributor

@kraftbj kraftbj commented Sep 15, 2023

Pretty minor, but there's a fixed CVE associated with the version we're calling in for CI and the Docker build. We can bump to 8.7.* too, but scoped this to just resolving the CVE.

Stumbled upon it during a quick security audit.

https://nvd.nist.gov/vuln/detail/CVE-2023-37478

Proposed changes:

  • PNPM from 8.6.2 to 8.6.8.

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

n/a

Does this pull request change what data or activity we track or use?

n/a

Testing instructions:

  • Is CI happy?

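The PR raises the pnpm floor for CI and the Docker build; the check a practitioner would want alongside such a bump is one that makes a build host running an older pnpm fail fast rather than quietly proceed with the version the CVE applies to. The script below is an added example, not Jetpack's own tooling or anything from this PR: the `8.6.8` minimum comes from the PR description, while the `ver_ge` and `check_pnpm` helper names and the prerelease handling are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Jetpack monorepo): refuse to build when the
# pnpm on the host is older than the fixed minimum. MIN_PNPM is the value from
# the PR; ver_ge and check_pnpm are names assumed for this example.

MIN_PNPM="8.6.8"

# ver_ge A B: return 0 when dotted version A is >= B, 1 otherwise.
# Only the numeric major.minor.patch fields are compared; a prerelease or
# build suffix such as "-beta.1" or "+sha" is stripped first (a deliberate
# simplification: strict semver would rank 8.6.8-beta.1 below 8.6.8).
ver_ge() {
  a=$(printf '%s' "$1" | sed 's/[-+].*$//')
  b=$(printf '%s' "$2" | sed 's/[-+].*$//')
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    # A missing field (e.g. "8.6" vs "8.6.8") counts as 0.
    x=${x:-0}
    y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# check_pnpm VERSION: report whether VERSION meets MIN_PNPM; return 0 if it
# does, 1 (with a message on stderr) if it does not.
check_pnpm() {
  if ver_ge "$1" "$MIN_PNPM"; then
    printf 'pnpm %s OK (minimum %s)\n' "$1" "$MIN_PNPM"
    return 0
  fi
  printf 'pnpm %s is older than the minimum %s; refusing to build\n' \
    "$1" "$MIN_PNPM" >&2
  return 1
}

# In a CI step or a Dockerfile RUN line, gate on the installed version:
#   check_pnpm "$(pnpm --version)" || exit 1
```

Because the comparison is numeric per field, `8.10.0` correctly ranks above `8.6.8`, which a plain string comparison would get wrong. In a monorepo that already pins pnpm through the `packageManager` field in `package.json`, this script is a belt-and-braces check for hosts where Corepack is not enabled; it does not replace that pin.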
@kraftbj kraftbj added [Type] Bug When a feature is broken and / or not performing as intended [Status] Needs Review To request a review from fellow Jetpack developers. Label will be renamed soon. [Pri] Normal [Tools] Monorepo Setup Reviewer Can Merge PR author indicates the reviewer is free to merge/deploy if they want to own the change. labels Sep 15, 2023
@kraftbj kraftbj self-assigned this Sep 15, 2023
@github-actions
Contributor

github-actions bot commented Sep 15, 2023

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta > Jetpack and enable the update/pnpm-version branch.

  • To test on Simple, run the following command on your sandbox:

    bin/jetpack-downloader test jetpack update/pnpm-version
    
    bin/jetpack-downloader test jetpack-mu-wpcom-plugin update/pnpm-version
    

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@github-actions
Contributor

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖


The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.


Once your PR is ready for review, check one last time that all required checks (other than "Required review") appearing at the bottom of this PR are passing or skipped.
Then, add the "[Status] Needs Team Review" label and ask someone from your team to review the code. Once reviewed, it can then be merged.
If you need an extra review from someone familiar with the codebase, you can update the labels from "[Status] Needs Team Review" to "[Status] Needs Review", and in that case Jetpack Approvers will do a final review of your PR.

@kraftbj kraftbj changed the title Update minimum PNPM to 8.6.8 - https://nvd.nist.gov/vuln/detail/CVE-2023-37478 Update minimum PNPM to 8.6.8 Sep 15, 2023
Contributor

@anomiex anomiex left a comment


Works for me. I've been using versions up to 8.7.5 locally (as they've been released and I've noticed new versions available) and haven't seen any issues.

@anomiex anomiex merged commit 52aeb9a into trunk Sep 15, 2023
69 of 70 checks passed
@anomiex anomiex deleted the update/pnpm-version branch September 15, 2023 21:23
@github-actions github-actions bot removed the [Status] Needs Review To request a review from fellow Jetpack developers. Label will be renamed soon. label Sep 15, 2023
@kraftbj
Contributor Author

kraftbj commented Sep 17, 2023

I've been using versions up to 8.7.5 locally (as they've been released and I've noticed new versions available) and haven't seen any issues.

Same. I figure we could bump it up, but I didn't want to conflate the security impact (however small) with an unrelated set of updates.
