From 32f0473a39fbf51516eec53d6a34b7a631ffa556 Mon Sep 17 00:00:00 2001 From: staging-update-bot Date: Tue, 25 Nov 2025 17:38:40 +0000 Subject: [PATCH 1/2] kubeflow-pipelines/2.15.0 package update --- kubeflow-pipelines.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/kubeflow-pipelines.yaml b/kubeflow-pipelines.yaml index 007ac89db4a..70b04f7a7db 100644 --- a/kubeflow-pipelines.yaml +++ b/kubeflow-pipelines.yaml @@ -1,7 +1,7 @@ package: name: kubeflow-pipelines - version: "2.14.4" - epoch: 1 # GHSA-j5w8-q4qc-rx2x + version: "2.15.0" + epoch: 0 # GHSA-j5w8-q4qc-rx2x description: Machine Learning Pipelines for Kubeflow checks: disabled: @@ -40,13 +40,11 @@ pipeline: with: repository: https://github.com/kubeflow/pipelines tag: ${{package.version}} - expected-commit: 417091dceddb1f35f26203f9779cb18ee260d6ad + expected-commit: 8fe8d7bdd88f027bde080f619762a0b3294796db - uses: go/bump with: deps: |- - github.com/go-viper/mapstructure/v2@v2.4.0 - github.com/argoproj/argo-workflows/v3@v3.6.12 golang.org/x/crypto@v0.45.0 - name: Fix Build issue by removing the version constraints from requirements.in From 62355b576c0fed80588c750e3fa01ffa92b4f251 Mon Sep 17 00:00:00 2001 From: Eric Smalling Date: Wed, 26 Nov 2025 19:29:19 +0000 Subject: [PATCH 2/2] Removing patches to fix 2.15.0 upgrade PR 
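Review bot: The advisory tag on the new `epoch: 0 # GHSA-j5w8-q4qc-rx2x` line is stale. It was carried over from the `epoch: 1` line, where it appears to record why the package was rebuilt. On a fresh 2.15.0 build at epoch 0 it suggests a remediation rebuild that has not taken place. I would write the line as plain `epoch: 0`, and if that advisory still matters for 2.15.0, record it next to the step that actually addresses it. The `package:` block continues past this hunk.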
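Review bot: Nothing in this hunk or the commit message shows that the go.mod at tag 2.15.0 already resolves `github.com/go-viper/mapstructure/v2` and `github.com/argoproj/argo-workflows/v3` at or above the dropped pins (v2.4.0 and v3.6.12). If it does not, removing them from the `go/bump` deps silently reintroduces whatever those bumps remediated. The same question applies to the second commit's `@@ -47,21 +47,6 @@` and `@@ -194,11 +179,6 @@` hunks. Those remove the patch steps that set urllib3 2.5.0, idna 3.7 and requests 2.32.0 in backend/requirements.txt, axios >=1.12.0 in frontend/server/package.json, and micromatch ^4.0.8 in the integration-test lockfile. Once each version has been checked against the upstream tag, I would record it above the step, for example `# 2.15.0 go.mod already has mapstructure/v2 >= v2.4.0 and argo-workflows/v3 >= v3.6.12; bumps dropped`, and keep any pin or patch that upstream does not yet meet. The `pipeline:` list starts before and continues after this hunk.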
Signed-off-by: Eric Smalling --- kubeflow-pipelines.yaml | 20 -------- kubeflow-pipelines/GHSA-4hjh-wcwx-xvwj.patch | 47 ------------------- kubeflow-pipelines/GHSA-952p-6rrq-rcjv.patch | 13 ----- .../fix-CVE-GHSA-9wx4-h78v-vm56.patch | 35 -------------- kubeflow-pipelines/fix-CVE-urllib3.patch | 28 ----------- ...uild-Removing-version-constraint-kfp.patch | 28 ----------- 6 files changed, 171 deletions(-) delete mode 100644 kubeflow-pipelines/GHSA-4hjh-wcwx-xvwj.patch delete mode 100644 kubeflow-pipelines/GHSA-952p-6rrq-rcjv.patch delete mode 100644 kubeflow-pipelines/fix-CVE-GHSA-9wx4-h78v-vm56.patch delete mode 100644 kubeflow-pipelines/fix-CVE-urllib3.patch delete mode 100644 kubeflow-pipelines/fix-build-Removing-version-constraint-kfp.patch diff --git a/kubeflow-pipelines.yaml b/kubeflow-pipelines.yaml index 70b04f7a7db..8b520a82c91 100644 --- a/kubeflow-pipelines.yaml +++ b/kubeflow-pipelines.yaml @@ -47,21 +47,6 @@ pipeline: deps: |- golang.org/x/crypto@v0.45.0 - - name: Fix Build issue by removing the version constraints from requirements.in - uses: patch - with: - patches: fix-build-Removing-version-constraint-kfp.patch - - - name: Fix CVE releted to urllib3 - uses: patch - with: - patches: fix-CVE-urllib3.patch - - - name: Fix CVE in backend by updating - uses: patch - with: - patches: fix-CVE-GHSA-9wx4-h78v-vm56.patch - - uses: patch with: patches: add-samples.patch @@ -194,11 +179,6 @@ subpackages: - nodejs - wget pipeline: - - uses: patch - with: - patches: | - GHSA-952p-6rrq-rcjv.patch - GHSA-4hjh-wcwx-xvwj.patch - runs: | mkdir -p ${{targets.subpkgdir}}/server mkdir -p ${{targets.subpkgdir}}/client diff --git a/kubeflow-pipelines/GHSA-4hjh-wcwx-xvwj.patch b/kubeflow-pipelines/GHSA-4hjh-wcwx-xvwj.patch deleted file mode 100644 index 7b1d7926ccc..00000000000 --- a/kubeflow-pipelines/GHSA-4hjh-wcwx-xvwj.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -diff --git a/frontend/server/package-lock.json b/frontend/server/package-lock.json -index 612cf0669..fe841dfa3 100644 ---- a/frontend/server/package-lock.json -+++ b/frontend/server/package-lock.json -@@ -8,7 +8,7 @@ - "@aws-sdk/credential-providers": "^3.621.0", - "@google-cloud/storage": "^2.5.0", - "@kubernetes/client-node": "^0.12.1", -- "axios": ">=1.8.2", -+ "axios": ">=1.12.0", - "crypto-js": "^3.1.8", - "express": "^4.21.0", - "gunzip-maybe": "^1.4.1", -diff --git a/frontend/server/package.json b/frontend/server/package.json -index 282d0c401..86c1cd737 100644 ---- a/frontend/server/package.json -+++ b/frontend/server/package.json -@@ -5,8 +5,8 @@ - "@aws-sdk/credential-providers": "^3.621.0", - "@google-cloud/storage": "^2.5.0", - "@kubernetes/client-node": "^0.12.1", -- "axios": ">=1.8.2", -- "crypto-js": "^3.1.8", -+ "axios": ">=1.12.0", -+ "crypto-js": "^4.2.0", - "express": "^4.21.0", - "gunzip-maybe": "^1.4.1", - "http-proxy-middleware": "^0.18.0", -@@ -38,7 +38,17 @@ - "overrides": { - "express": { - "path-to-regexp": "0.1.12" -- } -+ }, -+ "retry-request": { -+ "debug": "^4.3.1" -+ }, -+ "xml2js": "^0.5.0", -+ "json-bigint": "^1.0.0", -+ "tough-cookie": "^4.1.3", -+ "date-and-time": "^0.14.2", -+ "node-fetch": "^2.6.7", -+ "node-forge": "^1.3.0", -+ "debug": "^3.2.7" - }, - "scripts": { - "build": "tsc --project .", diff --git a/kubeflow-pipelines/GHSA-952p-6rrq-rcjv.patch b/kubeflow-pipelines/GHSA-952p-6rrq-rcjv.patch deleted file mode 100644 index 79e3c29accd..00000000000 --- a/kubeflow-pipelines/GHSA-952p-6rrq-rcjv.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -diff --git a/test/frontend-integration-test/package-lock.json b/test/frontend-integration-test/package-lock.json -index 9e4fcd166..01d5d4eff 100644 ---- a/test/frontend-integration-test/package-lock.json -+++ b/test/frontend-integration-test/package-lock.json -@@ -3053,7 +3053,7 @@ - "@types/stack-utils": "^2.0.0", - "chalk": "^4.0.0", - "graceful-fs": "^4.2.9", -- "micromatch": "^4.0.4", -+ "micromatch": "^4.0.8", - "pretty-format": "^29.4.1", - "slash": "^3.0.0", - "stack-utils": "^2.0.3" diff --git a/kubeflow-pipelines/fix-CVE-GHSA-9wx4-h78v-vm56.patch b/kubeflow-pipelines/fix-CVE-GHSA-9wx4-h78v-vm56.patch deleted file mode 100644 index 188637429e4..00000000000 --- a/kubeflow-pipelines/fix-CVE-GHSA-9wx4-h78v-vm56.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 5f28143539fa5a5b1996d08d56cb468763646525 Mon Sep 17 00:00:00 2001 -From: Debasish Biswas -Date: Fri, 17 Jan 2025 18:54:41 +0530 -Subject: [PATCH 1/5] Remedieate(CVE): GHSA-9wx4-h78v-vm56 - -Signed-off-by: Debasish Biswas ---- - backend/requirements.txt | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/backend/requirements.txt b/backend/requirements.txt -index 68cfc0f33..889feb4c4 100644 ---- a/backend/requirements.txt -+++ b/backend/requirements.txt -@@ -39,7 +39,7 @@ google-resumable-media==2.6.0 - # via google-cloud-storage - googleapis-common-protos==1.60.0 - # via google-api-core --idna==3.4 -+idna==3.7 - # via requests - importlib-metadata==6.7.0 - # via click -@@ -73,7 +73,7 @@ pyyaml==6.0.1 - # via - # kfp - # kubernetes --requests==2.31.0 -+requests==2.32.0 - # via - # google-api-core - # google-cloud-storage --- -2.39.5 (Apple Git-154) - diff --git a/kubeflow-pipelines/fix-CVE-urllib3.patch b/kubeflow-pipelines/fix-CVE-urllib3.patch deleted file mode 100644 index f1b8e0a2598..00000000000 --- a/kubeflow-pipelines/fix-CVE-urllib3.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 2850fa4031ff3adfa8af50eb6d22d16557a7e09e Mon Sep 17 00:00:00 2001 -From: Debasish Biswas -Date: Fri, 17 Jan 2025 19:11:47 +0530 -Subject: [PATCH 3/5] fix(CVE): update urllib3 to fix CVE-2025-50181/50182 - -Updated urllib3 to 2.5.0 to fix urllib3 CVEs GHSA-48p4-8xcf-vxj5 and GHSA-pq67-6m6q-mj2v. - -Signed-off-by: Debasish Biswas ---- - backend/requirements.txt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/backend/requirements.txt b/backend/requirements.txt -index ba27bcb21..85f7f8cbe 100644 ---- a/backend/requirements.txt -+++ b/backend/requirements.txt -@@ -97,7 +97,7 @@ typing-extensions==4.7.1 - # via - # importlib-metadata - # kfp --urllib3==1.26.16 -+urllib3==2.5.0 - # via - # google-auth - # kfp --- -2.39.5 (Apple Git-154) - diff --git a/kubeflow-pipelines/fix-build-Removing-version-constraint-kfp.patch b/kubeflow-pipelines/fix-build-Removing-version-constraint-kfp.patch deleted file mode 100644 index fecb553bdb9..00000000000 --- a/kubeflow-pipelines/fix-build-Removing-version-constraint-kfp.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 50b2c1570573823e3d8f7d6b0bbb3259010b2710 Mon Sep 17 00:00:00 2001 -From: Debasish Biswas -Date: Fri, 17 Jan 2025 18:59:39 +0530 -Subject: [PATCH 2/5] Fix(build): Removing the version constraint from kfp to resolve - build issue - -ERROR: No matching distribution found for kfp==2.0.1, this is persisted from the start of the package -Signed-off-by: Debasish Biswas ---- - backend/requirements.txt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/backend/requirements.txt b/backend/requirements.txt -index 889feb4c4..ba27bcb21 100644 ---- a/backend/requirements.txt -+++ b/backend/requirements.txt -@@ -43,7 +43,7 @@ idna==3.7 - # via requests - importlib-metadata==6.7.0 - # via click --kfp==2.0.1 -+kfp - # via -r - - kfp-pipeline-spec==0.2.2 - # via kfp --- -2.39.5 (Apple Git-154) -