OCPBUGS-79460: immutable bump: fix for CVE-2026-29063 [4.21]#947
OCPBUGS-79460: immutable bump: fix for CVE-2026-29063 [4.21]#947rhdmalone wants to merge 1 commit into
Conversation
Signed-off-by: Deirdre Malone <dmalone@redhat.com>
openshift-ci-robot
added
jira/severity-important
|
@rhdmalone: This pull request references Jira Issue OCPBUGS-79460, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
/label jira/skip-dependent-bug-check The immutable package is not present in 4.22 so a 4.22 tracker is not required. |
openshift-ci
Bot
added
the
jira/skip-dependent-bug-check
openshift-ci-robot
added
jira/valid-bug
|
@rhdmalone: This pull request references Jira Issue OCPBUGS-79460, which is valid. The bug has been moved to the POST state. 4 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/test images |
|
/test e2e-aws-ovn |
|
@rhdmalone: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: PeterYurkovich, rhdmalone The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
approved
4 participants
Fix CVE-2026-29063 (Prototype Pollution in the immutable npm package) by updating the dependency to patched versions.
Changes:
Bumped immutable in dependencies from 3.x to ^3.8.3 (the minimum patched version for the 3.x range)
Added overrides.sass.immutable: ^5.1.5 to force sass's transitive dependency on immutable to the patched 5.x version
Updated package-lock.json accordingly — both immutable@3.8.3 (direct) and immutable@5.1.5 (scoped under node_modules/sass) are now at their respective patched versions
CVE details:
CVE-2026-29063 — Prototype Pollution via mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), Map.toObject()
Affected: < 3.8.3, >= 4.0.0-rc.1 < 4.3.8, >= 5.0.0-beta.1 < 5.1.5
Fixed: 3.8.3, 4.3.8, 5.1.5