OCPBUGS-76579: [release-4.19]CVE-2026-25639 openshift4/ose-monitoring-plugin-rhel9: Axios affected by Denial of Service via __proto__ Key in mergeConfig#789
Conversation
…-plugin-rhel9: Axios affected by Denial of Service via __proto__ Key in mergeConfig
openshift-ci-robot
added
jira/severity-important
|
@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/invalid-bug
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Tip Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs). Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
tonyxrmdavidson
changed the title
|
/jira refresh |
|
@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/test e2e-monitoring |
|
/jira refresh |
|
@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
ci/prow/e2e-monitoring The failing Prow jobs are unrelated to my PRs because the errors stem from the Cluster Monitoring Operator not reaching minimum availability (MinimumReplicasUnavailable), which is a Kubernetes deployment readiness issue rather than a frontend or dependency regression. The Cypress UI tests execute successfully, with no axios errors, network failures, or JavaScript runtime exceptions observed in the logs. Since my changes were limited to a dependency bump and did not modify operator manifests, deployment logic, or cluster configuration, there is no technical link between the PR changes and the observed test failures. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jgbernalp, tonyxrmdavidson The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/test e2e-monitoring |
|
previous e2e-monitoring failure was caused by automation speed was faster than components loaded and enabled on screen, even though cypress already handles it automatically. This was the report from the previous execution in this PR and there was only one failure that passed locally. anyway, I will try to stabilize this testing in a future PR. |
|
/jira refresh |
|
@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/label qe-approved |
openshift-ci
bot
added
the
qe-approved
|
/override ci/prow/e2e-monitoring |
|
/override e2e-monitoring |
|
@etmurasaki: Overrode contexts on behalf of etmurasaki: ci/prow/e2e-monitoring DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@etmurasaki: /override requires failed status contexts, check run or a prowjob name to operate on.
Only the following failed contexts/checkruns were expected:
If you are trying to override a checkrun that has a space in it, you must put a double quote on the context. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@tonyxrmdavidson: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/jira refresh |
|
@tonyxrmdavidson: This pull request references Jira Issue OCPBUGS-76579, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
4 participants
This PR updates axios from version 1.13.2 to 1.13.5 to remediate GHSA-43fc-jf86-j433. The change is a patch-level update within the same minor release line and introduces only patch-level transitive updates to form-data and follow-redirects. An explicit override has been added to ensure deterministic resolution of the corrected axios version. No other dependency changes were introduced.
During validation, a unit test failure was observed locally in processAlerts.spec.ts (“should mark alert as firing if ended less than 10 minutes ago”). To confirm whether this was related to the CVE bump, the test was reproduced on a clean checkout of the upstream release-4.19 branch using npm ci under both Node 22 and Node 18. The failure occurred identically on the unmodified baseline branch, confirming that it predates and is unrelated to this change.