prepare 7.4.1 release #270
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
add separate configuration for server-side/client-side SDK base URLs & update the defaults
…hat feature is active (#296) * don't include any big segment status info in status resource unless that feature is active * fix Big Segments staleness logic in status resource * documentation
…ty-patch update x/text package for vulnerability GO-2021-0113
add daily re-scan with Trivy
# Conflicts: # .circleci/config.yml
…ror-exit always terminate if auto-config stream fails with a fatal error
pass along tags header when proxying events
update to Alpine 3.14.4 for CVE-2022-0778 fix
This pull request was auto generated by the Launchdarkly Github Standards automation platform. * Add default CODEOWNERS file
`consul` has been replaced with `hashicorp/consul`. As part of this migration, HashiCorp stopped publishing a latest tag on `consul`, causing our build to fail. The DynamoDB instance made a change that required keys and secrets to ONLY contain A-Za-z0-9. Our hyphenated examples were considered invalid, causing that test to fail.
Updates a couple of images with our latest branding. I didn't make any manual changes to `.DS_Store` so not sure if I should discard those changes or not. Story details: https://app.shortcut.com/launchdarkly/story/205489
**Related issues** CVE-2023-29405 https://nvd.nist.gov/vuln/detail/CVE-2023-29405 CVE-2023-29404 https://nvd.nist.gov/vuln/detail/CVE-2023-29404 CVE-2023-29402 https://nvd.nist.gov/vuln/detail/CVE-2023-29402 **Describe the solution you've provided** Bump to the latest Go version for 1.19 and 1.20
See ``` ┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ │ libcrypto3 │ CVE-2023-2975 │ MEDIUM │ fixed │ 3.1.1-r1 │ 3.1.1-r2 │ AES-SIV cipher implementation contains a bug that causes it │ │ │ │ │ │ │ │ to ignore empty... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2975 │ │ ├───────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤ │ │ CVE-2023-3446 │ │ │ │ 3.1.1-r3 │ Excessive time spent checking DH keys and parameters │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-3446 │ │ ├───────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤ │ │ CVE-2023-3817 │ │ │ │ 3.1.2-r0 │ Excessive time spent checking DH q parameter value │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-3817 │ ├────────────┼───────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤ │ libssl3 │ CVE-2023-2975 │ │ │ │ 3.1.1-r2 │ AES-SIV cipher implementation contains a bug that causes it │ │ │ │ │ │ │ │ to ignore empty... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2975 │ │ ├───────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤ │ │ CVE-2023-3446 │ │ │ │ 3.1.1-r3 │ Excessive time spent checking DH keys and parameters │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-3446 │ │ ├───────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤ │ │ CVE-2023-3817 │ │ │ │ 3.1.2-r0 │ Excessive time spent checking DH q parameter value │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-3817 │ └────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘ ```
…by delete-old-projects IH job
…ld-projects IH job (#457)
… 0.2.4 (#459) Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.2.3 to 0.2.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/cyphar/filepath-securejoin/releases">github.com/cyphar/filepath-securejoin's releases</a>.</em></p> <blockquote> <h2>v0.2.4</h2> <p>This release fixes a potential security issue in filepath-securejoin when used on Windows (GHSA-6xv5-86q9-7xr8, which could be used to generate paths outside of the provided rootfs in certain cases), as well as improving the overall behaviour of filepath-securejoin when dealing with Windows paths that contain volume names. Thanks to Paulo Gomes for discovering and fixing these issues.</p> <p>In addition, we've switched (at long last) to GitHub Actions and have continuous integration testing on Linux, MacOS, and Windows.</p> <p>Thanks to the following contributors for making this release possible:</p> <ul> <li>Aleksa Sarai <a href="mailto:[email protected]">[email protected]</a></li> <li>Paulo Gomes <a href="mailto:[email protected]">[email protected]</a></li> </ul> <p>Signed-off-by: Aleksa Sarai <a href="mailto:[email protected]">[email protected]</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/cyphar/filepath-securejoin/commit/2710d06c5b4ba3168beffa0689798d2db12e8ac4"><code>2710d06</code></a> VERSION: release v0.2.4</li> <li><a href="https://github.com/cyphar/filepath-securejoin/commit/68943415e950190ee33bddfa205e42186da87802"><code>6894341</code></a> merge <a href="https://redirect.github.com/cyphar/filepath-securejoin/issues/9">#9</a> into main</li> <li><a href="https://github.com/cyphar/filepath-securejoin/commit/c121231e1276e11049547bee5ce68d5a2cfe2d9b"><code>c121231</code></a> Fix support for Windows</li> <li><a href="https://github.com/cyphar/filepath-securejoin/commit/05b64230154f962d518a3a44fcfd7b9b63bab031"><code>05b6423</code></a> ci: switch to GHA</li> <li><a href="https://github.com/cyphar/filepath-securejoin/commit/64536a8a66ae59588c981e2199f1dcf410508e07"><code>64536a8</code></a> VERSION: back to development</li> <li>See full diff in <a href="https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/launchdarkly/ld-relay-private/network/alerts). </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.11.0 to 0.17.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/net/commit/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd"><code>b225e7c</code></a> http2: limit maximum handler goroutines to MaxConcurrentStreams</li> <li><a href="https://github.com/golang/net/commit/88194ad8ab44a02ea952c169883c3f57db6cf9f4"><code>88194ad</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/net/commit/2b60a61f1e4cf3a5ecded0bd7e77ea168289e6de"><code>2b60a61</code></a> quic: fix several bugs in flow control accounting</li> <li><a href="https://github.com/golang/net/commit/73d82efb96cacc0c378bc150b56675fc191894b9"><code>73d82ef</code></a> quic: handle DATA_BLOCKED frames</li> <li><a href="https://github.com/golang/net/commit/5d5a036a503f8accd748f7453c0162115187be13"><code>5d5a036</code></a> quic: handle streams moving from the data queue to the meta queue</li> <li><a href="https://github.com/golang/net/commit/350aad2603e57013fafb1a9e2089a382fe67dc80"><code>350aad2</code></a> quic: correctly extend peer's flow control window after MAX_DATA</li> <li><a href="https://github.com/golang/net/commit/21814e71db756f39b69fb1a3e06350fa555a79b1"><code>21814e7</code></a> quic: validate connection id transport parameters</li> <li><a href="https://github.com/golang/net/commit/a600b3518eed7a9a4e24380b4b249cb986d9b64d"><code>a600b35</code></a> quic: avoid redundant MAX_DATA updates</li> <li><a href="https://github.com/golang/net/commit/ea633599b58dc6a50d33c7f5438edfaa8bc313df"><code>ea63359</code></a> http2: check stream body is present on read timeout</li> <li><a href="https://github.com/golang/net/commit/ddd8598e5694aa5e966e44573a53e895f6fa5eb2"><code>ddd8598</code></a> quic: version negotiation</li> <li>Additional commits viewable in <a href="https://github.com/golang/net/compare/v0.11.0...v0.17.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/launchdarkly/ld-relay-private/network/alerts). </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
As 1.19 is now EOL, this PR updates our primary CI build to 1.21 and 1.20.
Make it clear that `disableInternalUsageMetrics` is deprecated and removed in v8.
louis-launchdarkly
approved these changes
Oct 19, 2023
cwaldren-ld
approved these changes
Oct 20, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[7.4.1] - 2023-10-19
Fixed: