
Epic: Dependabot PR Cleanup and Security Updates

Open nthmost-orkes opened this issue 1 month ago • 0 comments

Motivation

We have accumulated 11 open dependabot PRs, some dating back to May 2024. Many are outdated or target versions that are no longer current. Maintaining project reputation requires keeping dependencies current, addressing security vulnerabilities promptly, and keeping our PR backlog clean and actionable.

Categorization Process

We've reviewed all open dependabot PRs and categorized them based on:

  1. Current state: What version are we on now?
  2. PR target: What version does the PR want to upgrade to?
  3. Latest available: What's the actual latest version?
  4. Applicability: Does the file/module still exist in the codebase?

This gives us three categories:

  • Truly Stale: Close, no replacement needed (code/module no longer exists)
  • Outdated but Needed: Close, create new PR/commit with latest version
  • Critical Work: Requires careful planning (security issues, breaking changes)

Action Items

Truly Stale (close, no action needed)

  • [x] Close #158 - org.jetbrains:annotations (client module no longer exists)

Outdated but Needed (close, then update)

  • [ ] #641 - Migrate to com.gradle.develocity 4.2.2 (closes #240)
  • [ ] #642 - Upgrade io.spring.dependency-management to 1.1.7 (closes #201)
  • [ ] #643 - Upgrade ws to 8.x [SECURITY: CVE-2024-37890] (closes #188)
  • [ ] Update GitHub Actions: actions/checkout v5, action-junit-report v5 (closes #159, #154) - committed in 5d25d1eae, needs merge to main

Review for Possible Merge

  • [ ] Review #157 - actions/cache v3→v4 (verify targets v4.2.0+)
  • [ ] Review #156 - release-drafter v5→v6 (likely mergeable as-is)
  • [ ] Review #152 - cypress-io/github-action v4→v6 (likely mergeable as-is)

Critical Work (requires planning & testing)

  • [ ] #644 - Upgrade protobuf to 4.33.0 [SECURITY + BREAKING] (closes #232, #231)
    • Current version 3.25.5 has security vulnerability (announced Jan 2025)
    • Upgrading 3.x→4.x requires testing for breaking changes

Security Vulnerabilities to Address

  1. CVE-2024-37890 - ws package 7.5.8 (DoS vulnerability) → #643
  2. Protobuf 3.25.5 - Security issue announced Jan 2025 → #644

Progress

Completed

  • ✅ All stale PRs closed with explanations
  • ✅ Issues created for all upgrade work
  • ✅ GitHub Actions updated (pending merge)

In Progress

  • 🔄 #641, #642, #643, #644 - Tracking upgrade work

Timeline

  • Phase 1: Close stale/outdated PRs ✅
  • Phase 2: Quick wins - GitHub Actions (done, needs merge), Spring plugin, Gradle migration
  • Phase 3: Security updates - ws, protobuf (requires testing)

nthmost-orkes, Nov 07 '25 23:11