"OCPBUGS-79460: immutable bump" by prabhapa · Pull Request #893 · openshift/monitoring-plugin

prabhapa · 2026-04-24T08:09:37Z

Bump immutable from 3.8.2 to 3.8.3 to address prototype pollution vulnerability via mergeDeep, merge, toJS, toObject (CVE-2026-29063).

openshift-ci-robot · 2026-04-24T08:09:44Z

@prabhapa: This pull request references Jira Issue OCPBUGS-79460, which is invalid:

release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
expected Jira Issue OCPBUGS-79460 to depend on a bug targeting a version in 4.22.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Bump immutable from 3.8.2 to 3.8.3 to address prototype pollution vulnerability via mergeDeep, merge, toJS, toObject (CVE-2026-29063).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai · 2026-04-24T08:09:45Z

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f368635f-7deb-4f09-9723-db44edc47619

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

jgbernalp · 2026-04-24T09:29:45Z

/lgtm

jgbernalp · 2026-04-24T09:29:52Z

/label qe-approved

openshift-ci · 2026-04-24T09:30:43Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jgbernalp, prabhapa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [jgbernalp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

zhuje · 2026-04-27T15:02:14Z

/retest

zhuje · 2026-04-28T13:20:48Z

/test e2e-aws-ovn

rhdmalone · 2026-05-05T16:04:50Z

/test e2e-aws-ovn

rhdmalone · 2026-05-05T16:12:12Z

https://github.com/openshift/monitoring-plugin/blob/release-4.22/web/package.json does not contain
"immutable":
in web/package.json
So there is no real dependency on 4.22

openshift-ci-robot · 2026-05-05T16:17:38Z

@rhdmalone: This pull request references Jira Issue OCPBUGS-79460, which is invalid:

expected the bug to be open, but it isn't
expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Closed (Not a Bug) instead
expected dependent Jira Issue OCPBUGS-83304 to target a version in 4.22.0, but it targets "4.21.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2026-05-05T16:26:29Z

@prabhapa: This pull request explicitly references no jira issue.

Details

In response to this:

Bump immutable from 3.8.2 to 3.8.3 to address prototype pollution vulnerability via mergeDeep, merge, toJS, toObject (CVE-2026-29063).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2026-05-05T16:31:11Z

@prabhapa: This pull request references Jira Issue OCPBUGS-79460, which is invalid:

expected the bug to be open, but it isn't
expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Closed (Not a Bug) instead
expected Jira Issue OCPBUGS-79460 to depend on a bug targeting a version in 4.22.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Bump immutable from 3.8.2 to 3.8.3 to address prototype pollution vulnerability via mergeDeep, merge, toJS, toObject (CVE-2026-29063).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

rhdmalone · 2026-05-05T16:37:15Z

@prabhapa
I have just noticed a comment on the Jira https://redhat.atlassian.net/browse/OCPBUGS-79460

Hi @prabhakar Palepu , @tony Davidson mentioned that the vulnerability is not exploitable, so the PRs to the monitoring-plugin may not be necessary. Can you close out all the PRs related to this CVE?

So it looks as if you should be able to close this PR and the associated Jira
cc: @tonyxrmdavidson , @zhuje

openshift-ci · 2026-05-05T19:04:31Z

@prabhapa: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn	`665a94d`	link	true	`/test e2e-aws-ovn`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

OCPBUGS-79460: immutable bump

665a94d

Bump immutable from 3.8.2 to 3.8.3 to address prototype pollution vulnerability via mergeDeep, merge, toJS, toObject (CVE-2026-29063).

openshift-ci Bot requested review from PeterYurkovich and jgbernalp April 24, 2026 08:14

openshift-ci Bot added the qe-approved Signifies that QE has signed off on this PR label Apr 24, 2026

openshift-ci Bot assigned jgbernalp Apr 24, 2026

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Apr 24, 2026

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 24, 2026

zhuje mentioned this pull request Apr 27, 2026

OCPBUGS-79456: immutable bump #894

Open

openshift-ci Bot changed the title ~~OCPBUGS-79460: immutable bump~~ "NO-JIRA: immutable bump" May 5, 2026

openshift-ci-robot removed the jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. label May 5, 2026

openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label May 5, 2026

openshift-ci Bot changed the title ~~"NO-JIRA: immutable bump"~~ "OCPBUGS-79460: immutable bump" May 5, 2026

openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 5, 2026

Conversation

prabhapa commented Apr 24, 2026

Uh oh!

openshift-ci-robot commented Apr 24, 2026

Uh oh!

coderabbitai Bot commented Apr 24, 2026

Review skipped

Uh oh!

jgbernalp commented Apr 24, 2026

Uh oh!

jgbernalp commented Apr 24, 2026

Uh oh!

openshift-ci Bot commented Apr 24, 2026

Uh oh!

zhuje commented Apr 27, 2026

Uh oh!

zhuje commented Apr 28, 2026

Uh oh!

rhdmalone commented May 5, 2026

Uh oh!

rhdmalone commented May 5, 2026

Uh oh!

openshift-ci-robot commented May 5, 2026

Uh oh!

openshift-ci-robot commented May 5, 2026

Uh oh!

openshift-ci-robot commented May 5, 2026

Uh oh!

rhdmalone commented May 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci Bot commented May 5, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

rhdmalone commented May 5, 2026 •

edited

Loading