add vuln check in pipeline and resolve package warnings #2691
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
davidmrdavid
commented
Dec 8, 2023
| @@ -49,7 +49,7 @@ | |||
| <Compile Include="**/*.cs" Exclude="Auth/*.cs;Correlation/*.cs;**/obj/**/*.cs" /> | |||
| <!-- Don't increase below versions without significantly testing on Functions V1! | |||
| Increasing these versions increments some dependencies that have binding redirects in Functions V1. --> | |||
| <PackageReference Include="Azure.Identity" Version="1.1.1" /> | |||
| <PackageReference Include="Azure.Identity" Version="1.10.2" /> | |||
There was a problem hiding this comment.
the comment above about not increasing versions here makes me worry this might not be a safe update ^. However the Functions V1 tests pass and so does a manual local test.
Given this, that Functions V1 is close to EOL, and that DF is not an auto-upgrading component of Functions V1 (not bundles), I'm not too worried about this change.
There was a problem hiding this comment.
Since Functions V1 is not EOL yet, let's make sure we at least smoke test this with Functions V1 to confirm whether or not it's a breaking change.
davidmrdavid
changed the title
jviau
reviewed
Jan 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added a step in our pipeline to scan for actionable vulnerabilities in our dependencies (i.e vulnerabilities fixed in a new release of the package) and block the PR if any are found.
Also updated our
Azure.Identitydependency to respond to one such warning. Also updated one of our sample dependencies onNewtonsoft.JSONfor the same reason.