
Initial repository instance commit #4

Merged: 2 commits from feature/initial_repository into main, Dec 16, 2024

Conversation

J4bbi (Collaborator) commented Dec 9, 2024

This is the initial InvenioRDM repository instance commit.

This was generated by running the command:

invenio-cli init rdm -c v12.0

The configuration file has placeholder values.

@J4bbi force-pushed the feature/initial_repository branch 3 times, most recently from de84366 to 828f65d, December 9, 2024 15:50
cutoffthetop previously approved these changes Dec 10, 2024
@J4bbi force-pushed the feature/initial_repository branch from 828f65d to 0f9f858, December 11, 2024 16:52
J4bbi (Collaborator, Author) commented Dec 13, 2024

@cutoffthetop do you have a preference for how the status checks should be processed?

cutoffthetop (Contributor) commented:

> @cutoffthetop do you have a preference for how the status checks should be processed?

@J4bbi sorry, our standard branch rule-set was blocking this PR from being merged. I loosened that up for the time being.

In our other repos, we have a few standardized workflows in our template repository. We use pdm for dependency management, pytest for testing, ruff for linting and trivy for CVE scans. But since Invenio comes with its own setup style and best practices, I would leave that up to you.

Maybe you could configure aquasecurity/trivy-action, though, so we have a common CVE scanner?

@J4bbi force-pushed the feature/initial_repository branch 4 times, most recently from 955f1e3 to 160238f, December 16, 2024 11:08
@J4bbi force-pushed the feature/initial_repository branch from 160238f to ca569c9, December 16, 2024 11:13

J4bbi (Collaborator, Author) commented Dec 16, 2024

@cutoffthetop I've set up a basic trivy scan that only fails at critical vulnerabilities.

This is not ideal because there is a high-severity vulnerability in werkzeug: CVE-2023-46136

Version 1.4.0 of the invenio-base package has pinned werkzeug to <2.3.0 because a higher version breaks other packages (this has been fixed in invenio-base v. 2.0.0). This is not sustainable but is the current situation. See issue.
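The workflow below is an added example of the setup discussed in this thread (a trivy-action job that fails only on CRITICAL findings while still reporting HIGH ones such as the werkzeug CVE); it is not a file from this PR or from the InvenioRDM project. The workflow path, the action version tag and the `.trivyignore` location are assumptions; pin the action to a release or commit SHA you have verified.

```yaml
# .github/workflows/trivy.yml  (added example; assumed path, not the PR's own workflow)
name: Trivy CVE scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Step 1: report CRITICAL and HIGH findings without failing the job, so a
      # HIGH finding (e.g. the werkzeug pin discussed above) stays visible in the log
      # instead of being hidden by the severity filter of the gating step.
      - name: Trivy report (CRITICAL and HIGH, non-blocking)
        uses: aquasecurity/trivy-action@0.28.0   # assumed tag; pin to a verified release or SHA
        with:
          scan-type: 'fs'          # scan the checked-out repository (lock files, requirement pins)
          scan-ref: '.'
          scanners: 'vuln'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'
          format: 'table'

      # Step 2: the gate. Only CRITICAL findings fail the job, matching the
      # "only fails at critical vulnerabilities" setup described in the PR.
      - name: Trivy gate (CRITICAL only, blocking)
        uses: aquasecurity/trivy-action@0.28.0   # assumed tag; pin to a verified release or SHA
        with:
          scan-type: 'fs'
          scan-ref: '.'
          scanners: 'vuln'
          severity: 'CRITICAL'
          exit-code: '1'
          ignore-unfixed: false    # a CRITICAL finding with no fix still needs a decision, not silence
          format: 'table'
          trivyignores: '.trivyignore'   # assumed path; accepted findings, one CVE id per line
```

The non-blocking report step is the reason for running Trivy twice: with `severity: 'CRITICAL'` alone, Trivy does not print HIGH findings at all, so the werkzeug issue would disappear from the CI output rather than merely not failing the build. When the team later widens the gate to `CRITICAL,HIGH`, the werkzeug finding can be recorded as a documented exception in `.trivyignore` (the CVE id on its own line with a `#` comment naming the invenio-base pin and the condition for removing the entry), which keeps the exception reviewable instead of lowering the threshold for every package.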

@J4bbi requested a review from cutoffthetop, December 16, 2024 11:43

cutoffthetop (Contributor) commented:

> @cutoffthetop I've set up a basic trivy scan that only fails at critical vulnerabilities.
>
> This is not ideal because there is a high-severity vulnerability in werkzeug: CVE-2023-46136
>
> Version 1.4.0 of the invenio-base package has pinned werkzeug to <2.3.0 because a higher version breaks other packages (this has been fixed in invenio-base v. 2.0.0). This is not sustainable but is the current situation. See issue.

@J4bbi thanks for looking into it. Let's keep an eye on this and hope it'll get patched upstream. Besides, I don't think we will need to expose multipart/form-data endpoints anyway.

@J4bbi merged commit 08f24be into main, Dec 16, 2024 (1 check passed)
@J4bbi deleted the feature/initial_repository branch, December 16, 2024 12:15