Skip to content

DRAFT: Kubeflow pipeline 2.15.0 upgrade fix #73276

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

DRAFT: Kubeflow pipeline 2.15.0 upgrade fix #73276

wants to merge 2 commits into from

Conversation

@ericsmalling
Copy link
Contributor

@ericsmalling ericsmalling commented Nov 26, 2025

No description provided.

@ericsmalling ericsmalling mentioned this pull request Nov 26, 2025
Merged
@ericsmalling ericsmalling changed the title Smalls kubeflow pipelines DRAFT: Kubeflow pipeline 2.15.0 upgrade fix Nov 26, 2025
@ericsmalling ericsmalling reopened this Nov 26, 2025
@philroche philroche added the approved-to-run A repo member has approved this external contribution label Nov 27, 2025
@philroche philroche force-pushed the smalls-kubeflow-pipelines branch from c7e0611 to 62355b5 Compare November 27, 2025 09:33
@octo-sts octo-sts bot added the bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. label Nov 27, 2025
debasishbsws
debasishbsws requested changes Nov 27, 2025
View reviewed changes
Copy link
Member

@debasishbsws debasishbsws left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

otherwise its gonna be a regression of a CVE that has been fixed before, and now reappearng.

kubeflow-pipelines/GHSA-4hjh-wcwx-xvwj.patch
+ },
+ "xml2js": "^0.5.0",
+ "json-bigint": "^1.0.0",
+ "tough-cookie": "^4.1.3",
Copy link
Member

@debasishbsws debasishbsws Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think we still gonna need this npm module upgrade for a CVE GHSA-72xf-g2v4-qvf3.

└── 📄 /server/node_modules/tough-cookie/package.json
        📦 tough-cookie 2.5.0 (npm)
            Medium CVE-2023-26136 GHSA-72xf-g2v4-qvf3 fixed in 4.1.3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@debasishbsws debasishbsws debasishbsws requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

approved-to-run A repo member has approved this external contribution bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ericsmalling @debasishbsws @philroche