Update components and remove PDK runtime #35
20f152d to 7e702e2
Thanks for the awesome work! Should we maybe wait a bit with merging until the new testing pipeline from @jpartlow can cover this, or maybe wait until we've fixed openvoxdb/server with the broken JAVA_BIN option?
Yeah, we most definitely want to do some more testing than usual on the agent after this goes in.
Also, we have already fixed the CVEs Perforce fixed in their last release (a bunch of them aren't even relevant to Puppet/OpenVox anyway), so no rush here I think.
Tested that it at least builds fine on el-9-aarch64.
Also probably need to take a pass to ensure that all of the gems here haven't introduced new dependencies that need to be added to the repo.
https://github.com/OpenVoxProject/acceptance-pipelines/actions/workflows/openvox_acceptance_pipeline.yml is up now. You just need to get an openvox-agent package into artifacts with this puppet-runtime in it. |
This removes the PDK runtime project and components that were only used for it, since we intend to replace the PDK.

Many of these component updates aren't strictly required, but doing so to stay as up to date as possible. Ones with CVE fixes are noted. Also, removed some versioning logic where the old version is no longer used, or in some cases added logic to ensure the most up-to-date components are used for OpenVox 8 when those versions don't support Ruby 2.7 in OpenVox 7.

For OpenVox (and some for Bolt):

* curl 8.15.0
* libffi 3.5.1
* libxml2 2.14.5
* openssl 3.0.17
* rubygem-concurrent-ruby 1.3.5
* rubygem-fast_gettext 4.1.0 for OpenVox 8, 2.4.0 for OpenVox 7
* rubygem-gettext 3.5.1
* rubygem-hiera-eyaml 4.3.0
* rubygem-highline 3.1.2
* rubygem-mini_portile2 2.8.9
* rubygem-multi_json 1.17.0 for OpenVox 8
* rubygem-net-ssh 7.3.0
* rubygem-nokogiri 1.18.9
  - Default libxml2 embedded in the gem contained CVE-2025-32414, CVE-2025-32415, CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, CVE-2025-49796
  - However, we compile nokogiri against our own version of libxml2 which did not have these issues. Still, updating to avoid popping scanners.
* rubygem-openfact 5.1.0
* rubygem-prime 0.1.4
* rubygem-sys-filesystem 1.5.3 (except for Solaris, which we are not building right now, but has to stay at 1.4.5)
* rubygem-thor 1.4.0
* virt-what 1.27

For Bolt:

* rubygem-aws-eventstream 1.4.0
* rubygem-aws-partitions 1.1134.0
* rubygem-aws-sdk-core 3.227.0
* rubygem-aws-sdk-ec2 1.541.0
* rubygem-aws-sigv4 1.12.1
* rubygem-bindata 2.5.1
* rubygem-colored2 4.0.3
* rubygem-ed25519 1.4.0
* rubygem-faraday-em_http 2.0.1
* rubygem-faraday-em_synchrony 1.0.1
* rubygem-faraday-excon 2.3.0
* rubygem-faraday-httpclient 2.0.2
* rubygem-faraday-multipart 1.1.1
* rubygem-faraday-net_http_persistent 2.3.1
* rubygem-faraday-net_http 3.4.1
* rubygem-faraday-patron 2.0.2
* rubygem-faraday-rack 2.1.3
* rubygem-faraday-retry 2.3.2
* rubygem-faraday 2.13.3
* rubygem-gettext-setup 1.1.0
* rubygem-httpclient 2.9.0
* rubygem-net-http-persistent 4.0.6
* rubygem-net-scp 4.1.0
* rubygem-public_suffix 6.0.2
* rubygem-puppet-resource_api 2.0.0
* rubygem-puppet-strings 5.0.0
* rubygem-puppet 8.10.0 (to be replaced with the OpenVox gem soon)
* rubygem-r10k 5.0.2
* rubygem-rgen 0.10.2
* rubygem-rubyzip 2.4.1
* rubygem-terminal-table 4.0.0
* rubygem-unicode-display_width 3.1.4
* rubygem-webrick 1.9.1
* rubygem-yard 0.9.37
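The nokogiri note above rests on the gem being linked against the runtime's own libxml2 rather than the vendored copy that carried the listed CVEs. As an added check (example code, not part of puppet-runtime or the PR), the helper below classifies a `Nokogiri::VERSION_INFO`-shaped hash; it assumes the hash layout nokogiri documents for that constant (`"libxml" => {"source", "loaded", ...}`) and takes 2.14.5, the libxml2 pinned in this PR, as the minimum version to accept.

```ruby
# Added example, not code from the puppet-runtime project: report which libxml2
# a loaded nokogiri uses, so a bump like the one above can be verified on a
# built agent. Assumed layout: Nokogiri::VERSION_INFO["libxml"] carries
# "source" ("system" or "packaged") and "loaded" (runtime libxml2 version).
require "rubygems"

# Minimum acceptable libxml2: the version pinned in this PR (assumption).
MIN_LIBXML2 = "2.14.5"

# Classify one VERSION_INFO-shaped hash. :source is "system" when nokogiri was
# built against the runtime's libxml2, "packaged" when the gem's vendored copy
# (the one that shipped the CVEs noted above) is in use. :ok is true only when
# the system library is used AND it is at least MIN_LIBXML2.
def libxml_status(version_info, min_version = MIN_LIBXML2)
  libxml = version_info["libxml"]
  if libxml.nil?
    return { source: "none", loaded: nil, ok: false,
             reason: "no libxml2 entry in VERSION_INFO" }
  end

  source = libxml["source"]
  loaded = libxml["loaded"].to_s
  reasons = []
  reasons << "gem's packaged libxml2 in use, not the runtime's" unless source == "system"
  if loaded.empty? || Gem::Version.new(loaded) < Gem::Version.new(min_version)
    reasons << "loaded libxml2 #{loaded.inspect} is older than #{min_version}"
  end
  { source: source, loaded: loaded, ok: reasons.empty?, reason: reasons.join("; ") }
end

# Probe the nokogiri actually installed in this Ruby; nil when it is absent.
def check_installed_nokogiri(min_version = MIN_LIBXML2)
  require "nokogiri"
  libxml_status(Nokogiri::VERSION_INFO, min_version)
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  status = check_installed_nokogiri
  if status.nil?
    puts "nokogiri is not installed in this Ruby"
  else
    puts "libxml2 source=#{status[:source]} loaded=#{status[:loaded]} " \
         "ok=#{status[:ok]} #{status[:reason]}"
  end
end
```

Run it with the agent's bundled Ruby (for example via the agent's own `ruby` binary) so the probe sees the nokogiri that actually ships in the package.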
7e702e2 to fc4f7bb