Upgrade dependencies to latest versions #179
ashwanthkumar merged 1 commit into ashwanthkumar:master from
Conversation

chadlwilson commented May 2, 2024
- Upgrades transitive dependencies to latest versions to clear dependency vulnerabilities from transitive dependencies
- Only packages the necessary dependencies with each plugin variant to reduce plugin size and attack surface area
Hiya @ashwanthkumar - would you mind taking a look at this? This plugin seems to be rather popular and it'd be good to get it upgraded past the outdated dependencies which have some reported vulns in them :-)

Ha! Sorry, I missed the notification for the PR. Checking now.

Thanks! Do you feel e.g. this user seems to have started having issues with somehow ending up with material revisions with no entries in modifications, which breaks things. They appeared to upgrade this plugin at the same time as upgrading their GoCD server, so it's a bit difficult to untangle whether the issue is something wrong with their upgrade, their database, or an issue caused by the use of the plugin in certain cases. (I can conceptualise all sorts of weird usage of branches and history rewrites which I can imagine confusing many SCM plugins or materials.)

I'm not using GitHub anymore so I'm not sure at the moment.

Well, in any case, if you could release a new 1.4.0 RC at the very least it'd be good. build.gocd.org uses the plugin in a very limited fashion against GitHub, but currently does not use RC versions. I could switch it though if there is a new release with these dependencies upgraded.

Thx. Could you change the assets to ones without -SNAPSHOT in their names? It doesn't really look so good to rely on such artifacts and also doesn't match the versions inside the tagged source code? (1.4.1-RC1-SNAPSHOT)