Update components and remove PDK and client tools runtimes #35
Thanks for the awesome work! Should we maybe wait a bit with merging until the new testing pipeline from @jpartlow can cover this, or maybe wait until we have fixed openvoxdb/server with the broken JAVA_BIN option?
Yeah, we most definitely want to do some more testing than usual on the agent after this goes in.
Also, we have already fixed the CVEs Perforce fixed in their last release (a bunch of them aren't even relevant to Puppet/OpenVox anyway), so no rush here I think.
Tested that it at least builds fine on el-9-aarch64.
Also probably need to take a pass to ensure that all of the gems here haven't introduced new dependencies that need to be added to the repo. |
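The dependency audit this comment asks for, as an added example written for this page and not puppet-runtime's own tooling: it builds in-memory gemspecs, walks their runtime dependencies transitively, and reports every dependency the runtime does not ship or ships at a version the gem rejects. The gem names come from the PR list, but every dependency relation, the component versions and the PROVIDED_BY_RUBY set are constructed for illustration, and the `rubygem-` component prefix is an assumption about how components are named.

```ruby
require 'rubygems'

# Build an in-memory Gem::Specification. Constructed example data only; in
# real use load each gemspec with Gem::Specification.load(path) or
# Gem::Specification.find_by_name(name) from an installed gem set.
def spec(name, version, runtime_deps = {})
  Gem::Specification.new do |s|
    s.name    = name
    s.version = version
    s.summary = "#{name} (constructed)"
    s.authors = ['example']
    runtime_deps.each { |dep, req| s.add_runtime_dependency(dep, *Array(req)) }
  end
end

# Gems touched by the update, with constructed runtime dependencies.
# mini_portile2 is deliberately pinned stale in COMPONENTS and racc is
# deliberately absent so both failure modes show up.
SPECS = {
  'faraday'          => spec('faraday', '2.13.4',
                             'faraday-net_http' => ['>= 2.0', '< 3.5'],
                             'json'   => '>= 0',
                             'logger' => '>= 0'),
  'faraday-net_http' => spec('faraday-net_http', '3.4.1',
                             'net-http' => '>= 0.5.0'),
  'nokogiri'         => spec('nokogiri', '1.18.9',
                             'mini_portile2' => '~> 2.8.2',
                             'racc'          => '~> 1.4'),
}.freeze

# What the runtime ships, keyed by component name. The "rubygem-" prefix is an
# assumption about component naming; the versions are constructed.
COMPONENTS = {
  'rubygem-faraday'          => '2.13.4',
  'rubygem-faraday-net_http' => '3.4.1',
  'rubygem-nokogiri'         => '1.18.9',
  'rubygem-mini_portile2'    => '2.7.1',
}.freeze

# Gems that ship with Ruby itself and so need no component (constructed list).
PROVIDED_BY_RUBY = %w[json logger net-http].freeze

# Returns [[from, dep_name, requirement, reason], ...] where reason is
# :missing (no component at all) or :version (a component exists but its
# version does not satisfy the gem's requirement). A dependency whose own
# gemspec is not in `specs` is not expanded further, so load every
# component's gemspec when you want the complete closure.
def check_dependencies(specs, components, provided)
  problems = []
  seen  = {}
  queue = specs.keys.dup
  until queue.empty?
    name = queue.shift
    next if seen[name]
    seen[name] = true
    next unless (s = specs[name])
    s.runtime_dependencies.each do |dep|
      queue << dep.name                     # expand transitively
      next if provided.include?(dep.name)   # default/bundled gem, no component
      shipped = components["rubygem-#{dep.name}"]
      if shipped.nil?
        problems << [name, dep.name, dep.requirement.to_s, :missing]
      elsif !dep.requirement.satisfied_by?(Gem::Version.new(shipped))
        problems << [name, dep.name, dep.requirement.to_s, :version]
      end
    end
  end
  problems
end

def example_problems
  check_dependencies(SPECS, COMPONENTS, PROVIDED_BY_RUBY)
end

if $PROGRAM_NAME == __FILE__
  example_problems.each do |from, dep, req, why|
    puts "#{why}: #{from} needs #{dep} (#{req})"
  end
end
```

With the constructed data this reports `version: nokogiri needs mini_portile2 (~> 2.8.2)` and `missing: nokogiri needs racc (~> 1.4)`; an empty result is the pass condition to gate a PR like this one on.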
https://github.com/OpenVoxProject/acceptance-pipelines/actions/workflows/openvox_acceptance_pipeline.yml is up now. You just need to get an openvox-agent package into artifacts with this puppet-runtime in it. |
This removes the PDK runtime project and components that were only used for it, since we intend to replace the PDK. Many of these component updates aren't strictly required, but doing so to stay as up to date as possible. Ones with CVE fixes are noted. Also, removed some versioning logic where the old version is no longer used, or in some cases added logic to ensure the most up-to-date components are used for OpenVox 8 when those versions don't support Ruby 2.7 in OpenVox 7.

For OpenVox (and some for Bolt):
* Ruby 3.2.9 - This was actually done in a previous PR. Noting here that it addresses CVE-2025-24294 and CVE-2025-43857.
* curl 8.15.0
* libffi 3.5.2
* libxml2 2.14.5
* openssl 3.0.17
* ruby-shadow 2.5.1
* rubygem-concurrent-ruby 1.3.5
* rubygem-fast_gettext 4.1.0 for OpenVox 8, 2.4.0 for OpenVox 7
* rubygem-gettext 3.5.1
* rubygem-hiera-eyaml 4.3.0
* rubygem-highline 3.1.2
* rubygem-mini_portile2 2.8.9
* rubygem-multi_json 1.17.0 for OpenVox 8
* rubygem-net-ssh 7.3.0
* rubygem-nokogiri 1.18.9 - Default libxml2 embedded in the gem contained CVE-2025-32414, CVE-2025-32415, CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, CVE-2025-49796. However, we compile nokogiri against our own version of libxml2, which did not have these issues. Still, updating to avoid popping scanners.
* rubygem-openfact 5.1.0
* rubygem-prime 0.1.4
* rubygem-rexml 3.4.2
* rubygem-sys-filesystem 1.5.3 (except for Solaris, which we are not building right now, but has to stay at 1.4.5)
* rubygem-thor 1.4.0
* virt-what 1.27

For Bolt:
* rubygem-aws-eventstream 1.4.0
* rubygem-aws-partitions 1.1154.0
* rubygem-aws-sdk-core 3.232.0
* rubygem-aws-sdk-ec2 1.555.0
* rubygem-aws-sigv4 1.12.1
* rubygem-bindata 2.5.1
* rubygem-colored2 4.0.3
* rubygem-ed25519 1.4.0
* rubygem-faraday-em_http 2.0.1
* rubygem-faraday-em_synchrony 1.0.1
* rubygem-faraday-excon 2.3.0
* rubygem-faraday-httpclient 2.0.2
* rubygem-faraday-multipart 1.1.1
* rubygem-faraday-net_http_persistent 2.3.1
* rubygem-faraday-net_http 3.4.1
* rubygem-faraday-patron 2.0.2
* rubygem-faraday-rack 2.1.3
* rubygem-faraday-retry 2.3.2
* rubygem-faraday 2.13.4
* rubygem-gettext-setup 1.1.0
* rubygem-httpclient 2.9.0
* rubygem-net-http-persistent 4.0.6
* rubygem-net-scp 4.1.0
* rubygem-public_suffix 6.0.2
* rubygem-puppet-resource_api 2.0.0
* rubygem-puppet-strings 5.0.0
* rubygem-puppet 8.10.0 (to be replaced with the OpenVox gem soon)
* rubygem-r10k 5.0.2
* rubygem-rgen 0.10.2
* rubygem-rubyzip 3.0.2
* rubygem-terminal-table 4.0.0
* rubygem-unicode-display_width 3.1.5
* rubygem-webrick 1.9.1
* rubygem-yard 0.9.37
Approved once acceptance testing is completed successfully.
Needed by OpenFact since it supports Ruby 3.4, and will be needed by the agent and OpenBolt once we have Ruby 3.4+ support for them.
Built this and a test agent. Below are links to green acceptance tests with that agent.
This is used for pe-client-tools, which we will never build, and we already have openvoxdb-cli, which doesn't rely on this.
This removes the PDK and client-tools runtime projects and components that were only used for them, since we intend to replace the PDK and will never (and can't) build pe-client-tools.
Many of these component updates aren't strictly required, but doing so to stay as up to date as possible. Ones with CVE fixes are noted. Also, removed some versioning logic where the old version is no longer used, or in some cases added logic to ensure the most up-to-date components are used for OpenVox 8 when those versions don't support Ruby 2.7 in OpenVox 7.
For OpenVox (and some for Bolt):
addresses GHSA-xh69-987w-hrp8 and GHSA-j3g3-5qv5-52mj.
For Bolt: