Skip to content

fix release-2.45.3-gmp vulnerabilities; remove vendor #271

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bwplotka wants to merge 4 commits into from
Closed

fix release-2.45.3-gmp vulnerabilities; remove vendor #271

bwplotka wants to merge 4 commits into from

Conversation

@bwplotka
Copy link
Collaborator

@bwplotka bwplotka commented Dec 15, 2025
edited
Loading

This fixes vulnerabilities.

Unfortunately, on the way our old way of building UI also started to fail (new image upgraded node?): https://github.com/GoogleCloudPlatform/prometheus/actions/runs/20249220559/job/58137089941

As a result, it will be simpler to port 2.53.5 Prometheus fork artifacts.

@bwplotka
google patch[deps]: fix release-2.45.3-gmp vulnerabilities
bc0e4df 
Signed-off-by: bwplotka <bwplotka@gmail.com>
@bwplotka
chore: remove vendor
296dcd2 
Signed-off-by: bwplotka <bwplotka@gmail.com>
@bwplotka bwplotka changed the title google patch[deps]: fix release-2.45.3-gmp vulnerabilities fix release-2.45.3-gmp vulnerabilities; remove vendor Dec 15, 2025
@bwplotka bwplotka force-pushed the bwplotka/release-2.45.3-gmp-gmpctl-vulnfix branch 2 times, most recently from b03a3b4 to 7dda7cc Compare December 15, 2025 22:38
@bwplotka
chore: rm unused Dockerfile, ported Dockerfile.google and vendor scri…
125d523 
…pt from 2.53.5

Signed-off-by: bwplotka <bwplotka@gmail.com>
@bwplotka
chore: port presubmit
d364277 
Signed-off-by: bwplotka <bwplotka@gmail.com>
@bwplotka bwplotka force-pushed the bwplotka/release-2.45.3-gmp-gmpctl-vulnfix branch from 7dda7cc to d364277 Compare December 15, 2025 22:40
pintohutch
pintohutch reviewed Dec 16, 2025
View reviewed changes
Dockerfile.google
@@ -1,29 +1,72 @@
ARG IMAGE_BUILD_NODEJS=launcher.gcr.io/google/nodejs
Copy link
Collaborator

@pintohutch pintohutch Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we get away with just:
ARG IMAGE_BUILD_NODEJS=node:17.9.0-buster?

and removing the install_node command on line 12?

And leave everything else alone except for the go bump to address the vulnz?

Copy link
Collaborator Author

@bwplotka bwplotka Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can try, but I thought it will be easier and more consistent to 2.53.5 way of thins.

Copy link
Collaborator Author

@bwplotka bwplotka Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trying on another PR: #272

error so far https://github.com/GoogleCloudPlatform/prometheus/actions/runs/20275550076/job/58223081923?pr=272

image

@bwplotka bwplotka mentioned this pull request Dec 16, 2025
Merged
@bwplotka
Copy link
Collaborator Author

bwplotka commented Dec 16, 2025

Simpler fix: #272

@bwplotka bwplotka closed this Dec 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pintohutch pintohutch pintohutch left review comments

@bernot-dev bernot-dev Awaiting requested review from bernot-dev

@hsmatulis hsmatulis Awaiting requested review from hsmatulis

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bwplotka @pintohutch