Support #22974

closed

Upgrade dependencies to address security issues

Added by Lucas Di Pentima 9 months ago. Updated 9 months ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: API
Target version:
Due date:
Story points: -
Release relationship: Auto

Related issues 1 (0 open, 1 closed)

Related to Arvados - Bug #22998: build-packages-debian12 (and others) failing after nokogiri dependency update (Resolved, Brett Smith)

#1

Updated by Lucas Di Pentima 9 months ago

Updates at commit f8519459f - branch 22974-go-dependency-upgrades
Test run: developer-run-tests: #4817  

  • Upgrades golang.org/x/crypto to address CVE-2025-22869
  • Upgrades github.com/golang-jwt/jwt/v4 to address CVE-2025-30204
  • Upgrades golang.org/x/net to address CVE-2025-22872
  • Upgrades github.com/go-jose/go-jose/v4 to address CVE-2025-27144

#2

Updated by Lucas Di Pentima 9 months ago

Updates at e6601abbf - branch 22974-rails-dependency-upgrades
Failed test run: developer-run-tests: #4820

  • Updates rack to address CVE-2025-46727
  • Updates nokogiri to address CVE-2025-24855 & CVE-2024-55549
  • Updates net-imap to address CVE-2025-43857

sdk/go/arvadosclient test failure

15:26:00 FAIL: arvadosclient_test.go:193: ServerRequiredSuite.TestCreateLarge
15:26:00 
15:26:00 arvadosclient_test.go:214:
15:26:00     c.Check(err, IsNil)
15:26:00 ... value arvadosclient.APIServerError = arvadosclient.APIServerError{ServerAddress:"0.0.0.0:51285", HttpStatusCode:502, HttpStatusMessage:"502 Bad Gateway", ErrorDetails:[]string{"//railsapi.internal/arvados/v1/collections: 502 Bad Gateway"}} ("arvados API server error: //railsapi.internal/arvados/v1/collections: 502 Bad Gateway (502: 502 Bad Gateway) returned by 0.0.0.0:51285")

services/api test failures (This seems to be related to the rack update addressing CVE-2025-46727)

15:25:55   1) Error:
15:25:55 CollectionsApiPerformanceTest#test_crud_cycle_for_a_collection_with_a_big_manifest:
15:25:55 Rack::QueryParser::QueryLimitError: total query size (20181637) exceeds limit (4194304)
15:25:55     app/middlewares/arvados_api_token.rb:19:in `call'
15:25:55     test/integration/collections_performance_test.rb:25:in `block (2 levels) in <class:CollectionsApiPerformanceTest>'
15:25:55     test/helpers/time_block.rb:9:in `time_block'
15:25:55     test/integration/collections_performance_test.rb:24:in `block in <class:CollectionsApiPerformanceTest>'
15:25:55 
15:25:55   2) Error:
15:25:55 CollectionsApiPerformanceTest#test_memory_usage:
15:25:55 Rack::QueryParser::QueryLimitError: total query size (39686114) exceeds limit (4194304)
15:25:55     app/middlewares/arvados_api_token.rb:19:in `call'
15:25:55     test/integration/collections_performance_test.rb:62:in `block (2 levels) in <class:CollectionsApiPerformanceTest>'
15:25:55     test/helpers/time_block.rb:20:in `vmpeak'
15:25:55     test/integration/collections_performance_test.rb:61:in `block in <class:CollectionsApiPerformanceTest>'

#3

Updated by Tom Clegg 9 months ago

#4

Updated by Lucas Di Pentima 9 months ago

Tom Clegg wrote in #note-3:

22974-rails-dependency-upgrades @ 9b594d9f8624e903eb3fd841801df0250c9d47f5 -- developer-run-tests: #4821

Thanks for the fix, I'll merge to main.

#5

Updated by Lucas Di Pentima 9 months ago

  • Status changed from In Progress to Resolved

#6

Updated by Brett Smith 9 months ago

  • Related to Bug #22998: build-packages-debian12 (and others) failing after nokogiri dependency update added