Skip to content

[release-4.18] OCPBUGS-70291: fix: update qs vulnerable dependency #739

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-bot merged 1 commit into from
Jan 30, 2026
Merged

[release-4.18] OCPBUGS-70291: fix: update qs vulnerable dependency #739

openshift-merge-bot merged 1 commit into from
Jan 30, 2026

Conversation

@jgbernalp
Copy link
Contributor

@jgbernalp jgbernalp commented Jan 21, 2026

manual cherry pick of #737

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 21, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 21, 2026

@jgbernalp: This pull request references Jira Issue OCPBUGS-70291, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected dependent Jira Issue OCPBUGS-70292 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is Closed (Duplicate) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

manual cherry pick of #737

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from kyoto January 21, 2026 08:19
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 21, 2026
@jgbernalp
Copy link
Contributor Author

jgbernalp commented Jan 21, 2026

/jira refresh

@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 21, 2026

@jgbernalp: This pull request references Jira Issue OCPBUGS-70291, which is invalid:

  • expected dependent Jira Issue OCPBUGS-74166 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead
  • expected dependent Jira Issue OCPBUGS-74166 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@PeterYurkovich
Copy link
Contributor

PeterYurkovich commented Jan 21, 2026

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 21, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 21, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jgbernalp, PeterYurkovich

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [PeterYurkovich,jgbernalp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 21, 2026

@jgbernalp: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jgbernalp
Copy link
Contributor Author

jgbernalp commented Jan 23, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 23, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 23, 2026

@jgbernalp: This pull request references Jira Issue OCPBUGS-70291, which is valid.

9 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.18.z) matches configured target version for branch (4.18.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-74166 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent bug Jira Issue OCPBUGS-74166 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-74166 targets the "4.19.z" version, which is one of the valid target versions: 4.19.0, 4.19.z
  • dependent Jira Issue OCPBUGS-74166 targets the "4.19.z" version, which is one of the valid target versions: 4.19.0, 4.19.z
  • bug has dependents

Requesting review from QA contact:
/cc @juzhao

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from juzhao January 23, 2026 12:31
@Tai-RedHat
Copy link
Contributor

Tai-RedHat commented Jan 30, 2026

PR tested with cluster-bot, no regression issue
/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Jan 30, 2026
@openshift-ci-robot openshift-ci-robot added jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. and removed jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jan 30, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 30, 2026

@jgbernalp: This pull request references Jira Issue OCPBUGS-70291, which is invalid:

  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

manual cherry pick of #737

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jgbernalp
Copy link
Contributor Author

jgbernalp commented Jan 30, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jan 30, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 30, 2026

@jgbernalp: This pull request references Jira Issue OCPBUGS-70291, which is valid.

9 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.18.z) matches configured target version for branch (4.18.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-74166 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent bug Jira Issue OCPBUGS-74166 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-74166 targets the "4.19.z" version, which is one of the valid target versions: 4.19.0, 4.19.z
  • dependent Jira Issue OCPBUGS-74166 targets the "4.19.z" version, which is one of the valid target versions: 4.19.0, 4.19.z
  • bug has dependents

Requesting review from QA contact:
/cc @Tai-RedHat

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jan 30, 2026
@openshift-ci openshift-ci bot requested a review from Tai-RedHat January 30, 2026 08:15
@openshift-merge-bot openshift-merge-bot bot merged commit d1626c2 into openshift:release-4.18 Jan 30, 2026
7 checks passed
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 30, 2026

@jgbernalp: Jira Issue OCPBUGS-70291: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-70291 has been moved to the MODIFIED state.

Details

In response to this:

manual cherry pick of #737

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jgbernalp
Copy link
Contributor Author

jgbernalp commented Jan 30, 2026

/cherry-pick release-4.17

@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented Jan 30, 2026

@jgbernalp: #739 failed to apply on top of branch "release-4.17":

Applying: fix: update qs vulnerable dependency
Using index info to reconstruct a base tree...
A	web/package-lock.json
M	web/package.json
Falling back to patching base and 3-way merge...
Auto-merging web/package.json
CONFLICT (content): Merge conflict in web/package.json
CONFLICT (modify/delete): web/package-lock.json deleted in HEAD and modified in fix: update qs vulnerable dependency. Version fix: update qs vulnerable dependency of web/package-lock.json left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 fix: update qs vulnerable dependency
Details

In response to this:

/cherry-pick release-4.17

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jgbernalp jgbernalp mentioned this pull request Jan 30, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PeterYurkovich PeterYurkovich Awaiting requested review from PeterYurkovich

@zhuje zhuje Awaiting requested review from zhuje

@kyoto kyoto Awaiting requested review from kyoto

@juzhao juzhao Awaiting requested review from juzhao

@Tai-RedHat Tai-RedHat Awaiting requested review from Tai-RedHat

Assignees

@juzhao juzhao

@PeterYurkovich PeterYurkovich

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. qe-approved Signifies that QE has signed off on this PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@jgbernalp @openshift-ci-robot @PeterYurkovich @Tai-RedHat @openshift-cherrypick-robot @juzhao