
Conversation

@asaadbalum (Author)

Description

Update gopkg.in/yaml.v3 from v3.0.0-20210107192922-496545a6307b to v3.0.1 in the tensorboard-controller to fix security vulnerabilities.

CVEs Fixed:

Related Issue: Closes #781 (PR 5)


Changes

Updated dependencies in components/tensorboard-controller/go.mod:

| Dependency | Old Version | New Version |
|---|---|---|
| gopkg.in/yaml.v3 | v3.0.0-20210107192922-496545a6307b | v3.0.1 |

Testing

Local Build & Tests

| Test | Result |
|---|---|
| go mod tidy | ✅ Pass |
| go vet ./... | ✅ No issues |
| make build | ✅ Builds cleanly |
| make test | ✅ All tests pass |

CVE Verification (Trivy Scan)


Acceptance Criteria

  • Run go mod tidy to ensure dependencies are clean
  • Run make build to build the controller
  • Run unit tests to verify functionality
  • Verify CVE is fixed via Trivy scan
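The acceptance criteria above rely on a Trivy scan to confirm the fix, but a reviewer can also verify the pinned version directly. The following is an added example, not code from the PR or the Kubeflow project: a POSIX shell script that reads the gopkg.in/yaml.v3 entry out of a go.mod and checks it is at least v3.0.1 (the release carrying the CVE-2022-28948 fix). It understands Go pseudo-versions such as v3.0.0-20210107192922-496545a6307b, which sort as a pre-release of their base version and so compare as older than v3.0.1. The two go.mod fragments it checks are constructed inline to stand in for the before and after state of components/tensorboard-controller/go.mod; the module path in them is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the PR): verify that a go.mod pins gopkg.in/yaml.v3
# at v3.0.1 or newer. Sample go.mod fragments below are constructed for the demo.

MODULE="gopkg.in/yaml.v3"
MIN_VERSION="v3.0.1"   # first release containing the CVE-2022-28948 fix

# yaml_v3_version FILE -> prints the version recorded for $MODULE in FILE
# (matches both a one-line "require ..." and an entry in a require block,
# and ignores a trailing "// indirect" comment).
yaml_v3_version() {
  grep -E "^[[:space:]]*(require[[:space:]]+)?${MODULE}[[:space:]]+v" "$1" \
    | head -n 1 | sed -E 's|//.*||' | awk '{print $NF}'
}

# version_ge A B -> returns 0 when Go module version A >= B.
# Anything after the first "-" (a pseudo-version timestamp/hash or a
# pre-release tag) marks A or B as a pre-release of its base version.
version_ge() {
  va=$1; vb=$2
  a_pre=0; case "$va" in *-*) a_pre=1;; esac
  b_pre=0; case "$vb" in *-*) b_pre=1;; esac
  va=${va#v}; va=${va%%-*}
  vb=${vb#v}; vb=${vb%%-*}
  oldifs=$IFS; IFS=.
  set -- $va; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $vb; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$oldifs
  for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
    set -- $pair
    [ "$1" -gt "$2" ] && return 0
    [ "$1" -lt "$2" ] && return 1
  done
  # Same base version: a release is newer than a pre-release/pseudo-version.
  [ "$a_pre" -le "$b_pre" ]
}

# check_go_mod FILE -> 0 if FILE pins $MODULE at $MIN_VERSION or newer,
# 1 if it pins an older version, 2 if the module is not listed at all.
check_go_mod() {
  v=$(yaml_v3_version "$1")
  if [ -z "$v" ]; then
    echo "$1: $MODULE not listed" >&2
    return 2
  fi
  if version_ge "$v" "$MIN_VERSION"; then
    echo "$1: $MODULE $v (>= $MIN_VERSION): OK"
    return 0
  fi
  echo "$1: $MODULE $v predates the CVE-2022-28948 fix in $MIN_VERSION" >&2
  return 1
}

# Constructed before/after go.mod fragments (placeholder module path).
OLD_GOMOD=$(mktemp); NEW_GOMOD=$(mktemp)
trap 'rm -f "$OLD_GOMOD" "$NEW_GOMOD"' EXIT
cat > "$OLD_GOMOD" <<'EOF'
module example.com/tensorboard-controller

go 1.24.12

require (
	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
)
EOF
cat > "$NEW_GOMOD" <<'EOF'
module example.com/tensorboard-controller

go 1.24.12

require (
	gopkg.in/yaml.v3 v3.0.1 // indirect
)
EOF

for f in "$OLD_GOMOD" "$NEW_GOMOD"; do
  check_go_mod "$f" || :
done
```

In a real checkout, `go list -m gopkg.in/yaml.v3` run inside the module directory reports the version the build graph actually resolves, which is the value to compare when a go.mod `replace` or a newer transitive requirement could differ from the literal require line.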

Signed-off-by: Asaad Balum asaad.balum@gmail.com

@github-project-automation github-project-automation bot moved this to Needs Triage in Kubeflow Notebooks Dec 9, 2025
@google-oss-prow google-oss-prow bot added the area/controller area - related to controller components label Dec 9, 2025
@google-oss-prow google-oss-prow bot added area/v1 area - version - kubeflow notebooks v1 size/XS labels Dec 9, 2025
@andyatmiami (Contributor) left a comment

@asaadbalum - thanks for raising this! Apologies for the delay in turning attention to this - can you do the following before I test/approve?

  • Rebase this PR on the latest of notebooks-v1 branch so I can test it in conjunction with other dependency updates that have been merged
  • Update go.mod to specify 1.24.12 (the latest minor version of 1.24)

⚠️ Please note I am trying to carefully and sequentially review these dependency PRs and as such am making sure to only test one dependency update at a time. If #791 ends up getting a +1 commit pushed that addresses the comments I have made there and I get it merged first - I'll then need to ask for another rebase on this PR (vice versa also applies 😇) to ensure when I test a given PR - it's being tested against all other dependency updates that have been merged, to ensure a realistic test and no cross-contamination with dependency interactions (albeit unlikely).

@andyatmiami (Contributor) left a comment

@asaadbalum - thanks for raising this! I realize this is a wildly trivial change - but just to be safe/proper - can you rebase this PR on the latest of notebooks-v1 branch so I can test it in conjunction with other dependency updates that have been merged

ℹ️ Please note you only need to rebase now - as forewarned in this comment - I got another PR merged that updated the go.mod

THANKS!

Update gopkg.in/yaml.v3 from v3.0.0-20210107192922-496545a6307b to v3.0.1 to fix:
- CVE-2022-28948

Testing performed:
- go mod tidy - completed successfully
- go vet ./... - no issues found
- make build - controller builds cleanly
- make test - all tests pass

Part of: kubeflow#781

Signed-off-by: Asaad Balum <asaad.balum@gmail.com>
@asaadbalum asaadbalum force-pushed the 781/fix-tensorboard-gopkg-yaml-cve branch from a8dd75a to 69741d8 Compare January 26, 2026 05:08
@asaadbalum (Author)

> @asaadbalum - thanks for raising this! I realize this is a wildly trivial change - but just to be safe/proper - can you rebase this PR on the latest of notebooks-v1 branch so I can test it in conjunction with other dependency updates that have been merged
>
> ℹ️ Please note you only need to rebase now - as forewarned in this comment - I got another PR merged that updated the go.mod
>
> THANKS!

Hi @andyatmiami , done! Rebased on the latest notebooks-v1. Ready for your review when you get a chance. Thanks!

@andyatmiami (Contributor)

/ok-to-test

@andyatmiami (Contributor) left a comment

/lgtm

thanks @asaadbalum for this contribution.

i independently confirmed the verification checks performed by the PR author are reproducible and valid.

furthermore, this is only a patch bump - and the only code change included here was a single bug fix for a very specific "bad input". as such - there is essentially no risk to adopting this code.

also worth noting a similar PR for notebook-controller was previously reviewed and merged.

@google-oss-prow google-oss-prow bot added the lgtm label Jan 29, 2026
@thesuperzapper thesuperzapper changed the title fix: update gopkg.in/yaml.v3 to v3.0.1 in tensorboard-controller chore: update gopkg.in/yaml.v3 to v3.0.1 in tensorboard-controller Jan 29, 2026
@thesuperzapper (Member)

/approve

@google-oss-prow (bot)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: thesuperzapper

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 0fbc453 into kubeflow:notebooks-v1 Jan 29, 2026
14 checks passed
@github-project-automation github-project-automation bot moved this from Needs Triage to Done in Kubeflow Notebooks Jan 29, 2026

Labels

approved, area/controller (area - related to controller components), area/v1 (area - version - kubeflow notebooks v1), lgtm, ok-to-test, size/XS

Projects

Status: Done

3 participants