cacti GitHub

PR #2353 fix(interopcc): build failing after golang.org/x/crypto bump to v0.1.0
Upgraded all go modules to go v1.20

Closes #2348
Created At 2023-03-28 18:21:33 +0000 UTC
PR #2351 fix(relay): rust build fails after tokio bump from 0.2.25 to 1.18.5
Additionally:
- upgrade other dependencies for relay
- added tls based unit test in relay

Closes #2349
Created At 2023-03-28 16:46:17 +0000 UTC
PR #2350 chore(release): publish v1.2.0
Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Created At 2023-03-28 05:52:37 +0000 UTC
PR #2347 refactor: package name for weaver cordapps
Update package name for weaver cordapps to prefix with `org.hyperledger.cacti.weaver`
Created At 2023-03-27 07:17:29 +0000 UTC
PR #2346 fix(security): upgrade express-jwt to v8.4.1
Fixes/changes that needed to be done in order to make the upgrade work:

1. The HTTP verbs for exempted endpoints are now specified both as lowercase and uppercase, meaning that if a specific endpoint is configured to be exempt from JWT authorization then its method will be specified twice, once as 'POST' and once as 'post', because the underlying library (which is called express-unless) does not have the ability to handle verbs in a case insensitive way.
2. In the registerWebServiceEndpoint function, the configuration of the express-jwt-authz library had to be changed because the scope enforcement was broken due to express-jwt changing the default request property where it places the decoded JWT payload from `"user"` to `"auth"` and this made it incompatible by default with the behavior of express-jwt-authz. Luckily there is a parameter to set the request property name and that is now being specified explicitly as `"auth"` so that they are playing nice with each other once again and the authorization's scope based access control works just fine.

Fixes #2231
Created At 2023-03-25 03:57:57 +0000 UTC
PR #2345 build(deps): bump openssl from 0.10.41 to 0.10.48 in /weaver/core/relay
dependencies rust

Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.41 to 0.10.48.

Release notes

Sourced from openssl's releases.

openssl v0.10.48

Full Changelog: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48

openssl v0.10.47

No release notes provided.

openssl v0.10.46

No release notes provided.

openssl v0.10.45

No release notes provided.

openssl v0.10.44

No release notes provided.

openssl v0.10.43

No release notes provided.

openssl v0.10.42

No release notes provided.

Commits
  • 4ff734f Release openssl v0.10.48 and openssl-sys v0.9.83 (#1855)
  • 5efceaa Merge pull request #1854 from alex/davids-openssl-of-horrors
  • 6ced4f3 Fix race condition with X509Name creation
  • a752805 Document the horror show
  • 78aa9aa Always provide an X509V3Context in X509Extension::new because OpenSSL require...
  • 332311b Resolve an injection vulnerability in EKU creation
  • 482575b Resolve an injection vulnerability in SAN creation
  • 690eeb2 Merge pull request #1852 from smoelius/master
  • e5b6d97 Improve reliability of some tests
  • 319200a Merge pull request #1851 from alex/libressl-versions
  • Additional commits viewable in compare view

Created At 2023-03-25 00:57:11 +0000 UTC
PR #2344 build(deps): bump openssl from 0.10.32 to 0.10.48 in /packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/rust/gen
dependencies rust

Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.32 to 0.10.48.

Release notes

Sourced from openssl's releases.

openssl v0.10.48

Full Changelog: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.47...openssl-v0.10.48

openssl v0.10.47

No release notes provided.

openssl v0.10.46

No release notes provided.

openssl v0.10.45

No release notes provided.

openssl v0.10.44

No release notes provided.

openssl v0.10.43

No release notes provided.

openssl v0.10.42

No release notes provided.

openssl v0.10.41

No release notes provided.

openssl v0.10.40

No release notes provided.

openssl v0.10.39

No release notes provided.

openssl v0.10.38

No release notes provided.

openssl v0.10.37

No release notes provided.

openssl v0.10.36

No release notes provided.

openssl v0.10.35

... (truncated)

Commits
  • 4ff734f Release openssl v0.10.48 and openssl-sys v0.9.83 (#1855)
  • 5efceaa Merge pull request #1854 from alex/davids-openssl-of-horrors
  • 6ced4f3 Fix race condition with X509Name creation
  • a752805 Document the horror show
  • 78aa9aa Always provide an X509V3Context in X509Extension::new because OpenSSL require...
  • 332311b Resolve an injection vulnerability in EKU creation
  • 482575b Resolve an injection vulnerability in SAN creation
  • 690eeb2 Merge pull request #1852 from smoelius/master
  • e5b6d97 Improve reliability of some tests
  • 319200a Merge pull request #1851 from alex/libressl-versions
  • Additional commits viewable in compare view

Created At 2023-03-25 00:11:59 +0000 UTC
PR #2342 test(connector-fabric): fix v2-2-x/deploy-lock-asset.test.ts
Telling the typescript compiler to skip the library code check so that auto-updating dependencies don't break the test fixture chain code compilation.

The root cause and the fix are equivalent as they were for:
https://github.com/hyperledger/cacti/issues/2322
https://github.com/hyperledger/cacti/pull/2323
Commit SHA: dfb727861b5e26a15dbef0729a2a14dd26b4655f

Fixes #2341

Also sneaking in a .gitignore change with this: there is a VSCode extension that stores local editing history of files in a .history/ sub-folder and that needs to be ignored in git otherwise it just keeps popping up in the git index which is annoying sometimes.

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Created At 2023-03-24 16:42:38 +0000 UTC
PR #2340 chore(tools): script to bump openapi spec dependency versions
Fixes #2206
Created At 2023-03-24 07:20:33 +0000 UTC
PR #2339 build(plugin-keychain-vault): fix CVE-2021-32810 - upgrade vault crate
Verified that these changes are okay by recompiling the rust code and executing the manual steps from the readme that launch the containers and then use cURL to send a couple of requests in.

Fixes #2338

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Created At 2023-03-23 23:54:42 +0000 UTC
PR #2337 docs(release): add RELEASE_MANAGEMENT.md file
Fixes #2336

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Created At 2023-03-23 03:01:01 +0000 UTC