
@v-gayatrij
Contributor

@v-gayatrij v-gayatrij commented Jan 9, 2026

Context

Associated WI:
AB#2339771
AB#2339822

Vulnerability reported in the below versions of jws, used by the azure-pipelines-tasks-azure-arm-rest package v3.263.1 and the docker-common packages:
jws-3.2.2 and jws-4.0.0

Safe versions to fix the vulnerability, as mentioned in the above alert: jws 3.2.3 or 4.0.1.
jws v4.0.1 is present in the azure-pipelines-tasks-azure-arm-rest v3.267.0 and docker-common v2.268.0 packages.


Task Name

Name of the updated pipeline tasks.

AzureFileCopyV2
AzureFileCopyV3
AzureFileCopyV4
AzureFileCopyV5
AzureFileCopyV6
AzurePowerShellV4
AzurePowerShellV5
AzureVmssDeploymentV0
AzureVmssDeploymentV1
DockerV0
DockerV1
DockerV2
HelmDeployV0
HelmDeployV1
KubernetesManifestV1
KubernetesV1


Description

This PR updates:

  • azure-pipelines-tasks-azure-arm-rest package to version 3.267.1, which uses jws v4.0.1 (safe version as per the attached alert), in the above listed tasks
  • docker-common package to version 2.268.0 in the below tasks:
    DockerV0
    DockerV1
    DockerV2
    KubernetesV1

Risk Assessment (Low / Medium / High)

Low


Change Behind Feature Flag (Yes / No)

Can this change be behind a feature flag? If not, why?


Tech Design / Approach

  • Design has been written and reviewed.
  • Any architectural decisions, trade-offs, and alternatives are captured.

Documentation Changes Required (Yes/No)

Indicate whether related documentation needs to be updated.

  • User guides, API specs, system diagrams, or runbooks are updated.

Unit Tests Added or Updated (Yes / No)

Indicate whether unit tests were added or modified to reflect these changes.


Additional Testing Performed

List all other tests performed (manual or automated, including integration, regression, scenario tests, etc.).


Logging Added/Updated (Yes/No)

  • Appropriate log statements are added with meaningful messages.
  • Logging does not expose sensitive data.
  • Log levels are used correctly (e.g., info, warn, error).

Telemetry Added/Updated (Yes/No)

  • Custom telemetry (e.g., counters, timers, error tracking) is added as needed.
  • Events are tagged with proper metadata for filtering and analysis.
  • Telemetry is validated in staging or test environments.

Rollback Scenario and Process (Yes/No)

  • Rollback plan is documented.

Dependency Impact Assessed and Regression Tested (Yes/No)

  • All impacted internal modules, APIs, services, and third-party libraries are analyzed.
  • Results are reviewed and confirmed to not break existing functionality.

Checklist

  • Related issue linked (if applicable)
  • Task version was bumped — see versioning guide
  • Verified the task behaves as expected
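The PR above pins which jws releases the alert flagged (3.2.2 and 4.0.0) and which ones fix it (3.2.3 and 4.0.1). The check a reviewer usually wants for a bump like this is whether any copy of jws, including nested copies under other dependencies, is still below the fixed version in its major line. The script below is an added example and is not code from this PR or from the azure-pipelines-tasks project. It assumes an npm lockfile in the v2/v3 "packages" layout, and it assumes the advisory's fixed versions are the minimum safe version within each major line (the PR only names the exact versions); the sample lockfile fragment is constructed for the demonstration.

```javascript
// Added example (not part of the PR): audit an npm lockfile for jws copies that
// are below the fixed releases named in the PR description.
// Assumption: a fixed version is the minimum safe version within its major line.

// Fixed versions per major line, as stated in the PR description.
const JWS_FIXED = { 3: '3.2.3', 4: '4.0.1' };

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release and build metadata are dropped.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric component-wise comparison: -1, 0 or 1 (string comparison would rank 3.9.0 above 3.10.0).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A copy is "vulnerable" when its major line has a fixed version and it sits below it.
// Major lines the PR does not mention are reported as "unknown" rather than assumed safe.
function classifyJws(version) {
  const major = parseVersion(version)[0];
  const fixed = JWS_FIXED[major];
  if (fixed === undefined) return 'unknown';
  return compareVersions(version, fixed) < 0 ? 'vulnerable' : 'fixed';
}

// Walk the lockfile "packages" map (lockfile v2/v3). Every key that ends in
// "node_modules/jws" is an installed copy, nested ones included.
function findJws(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === 'node_modules/jws' || path.endsWith('/node_modules/jws')) {
      findings.push({ path, version: meta.version, status: classifyJws(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from the repository): a nested copy
// still on 3.2.2, another on 4.0.0, and a top-level copy already on 4.0.1.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    'node_modules/azure-pipelines-tasks-azure-arm-rest': { version: '3.263.1' },
    'node_modules/azure-pipelines-tasks-azure-arm-rest/node_modules/jws': { version: '3.2.2' },
    'node_modules/docker-common/node_modules/jws': { version: '4.0.0' },
    'node_modules/jws': { version: '4.0.1' },
  },
};

// Everything that is not confirmed fixed is worth a reviewer's attention.
function auditSample() {
  return findJws(SAMPLE_LOCKFILE).filter((f) => f.status !== 'fixed');
}

for (const f of auditSample()) {
  console.log(`${f.status.padEnd(10)} ${f.version}  ${f.path}`);
}
```

To run it against a real checkout, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` for each task directory touched by the PR; a lockfile in the older v1 layout keeps its tree under "dependencies" instead and would need a recursive walk.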

@v-gayatrij v-gayatrij marked this pull request as ready for review January 9, 2026 04:59
@v-gayatrij v-gayatrij requested review from a team and manolerazvan as code owners January 9, 2026 04:59
@v-gayatrij
Contributor Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@v-gayatrij
Contributor Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@v-gayatrij v-gayatrij changed the title update azure-arm-rest package Jws CG fix - Part3 Jan 9, 2026