
chore: resolve open dependabot security alerts#165

Closed
jonathannorris wants to merge 5 commits into main from fix/dependabot-alerts

Conversation

@jonathannorris
Member

Summary

  • Resolved all open Dependabot security alerts by bumping addressable to 2.9.0 and json to 2.19.4 across openfeature-flagsmith-provider, openfeature-go-feature-flag-provider, and openfeature-meta_provider
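A check worth running on a PR like this, added here as an example and not part of the PR or the project's own code: parse each provider's Gemfile.lock, confirm that every lockfile which carries `addressable` or `json` pins them at or above the fixed versions named in the summary, and surface the `BUNDLED WITH` version of each lockfile so drift between lockfiles (or against the bundler CI installs) is visible. The lockfile contents, paths and the `public_suffix` version below are constructed sample data, and the parser is a minimal hand-written one that reads only the `specs:` lists and the `BUNDLED WITH` section.

```ruby
# Added example: lockfile check for a dependency-bump PR. Not part of the PR or
# the project; the lockfile contents below are constructed samples.
require "rubygems"

# Parse a Gemfile.lock into { specs: { name => Gem::Version }, bundled_with: Gem::Version or nil }.
# Minimal parser: only the `specs:` lists of GEM/PATH/GIT sections (lines indented
# by exactly four spaces) and the BUNDLED WITH section are read; transitive
# dependency lines (six spaces) and every other section are ignored.
def parse_lockfile(contents)
  specs = {}
  bundled_with = nil
  section = nil
  in_specs = false
  contents.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/ # an unindented line starts a new section
      section = line.strip
      in_specs = false
      next
    end
    case section
    when "GEM", "PATH", "GIT"
      if line.strip == "specs:"
        in_specs = true
      elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
        # entries like "1.16.0-x86_64-linux" carry a platform suffix; keep the version part
        specs[m[1]] = Gem::Version.new(m[2].split("-").first)
      end
    when "BUNDLED WITH"
      bundled_with = Gem::Version.new(line.strip)
    end
  end
  { specs: specs, bundled_with: bundled_with }
end

# Return [path, gem, locked_version] for every lockfile that still pins a gem
# below the version that fixes the alert. A gem absent from a lockfile is not a
# finding: that lockfile does not carry the vulnerable dependency at all.
def unresolved_alerts(lockfiles, minimums)
  findings = []
  lockfiles.each do |path, contents|
    locked_specs = parse_lockfile(contents)[:specs]
    minimums.each do |gem_name, fixed_in|
      locked = locked_specs[gem_name]
      next if locked.nil?
      findings << [path, gem_name, locked.to_s] if locked < Gem::Version.new(fixed_in)
    end
  end
  findings
end

# Map each lockfile to its BUNDLED WITH version so drift is visible at a glance.
def bundler_versions(lockfiles)
  lockfiles.transform_values { |contents| parse_lockfile(contents)[:bundled_with]&.to_s }
end

# Constructed samples: one lockfile already bumped, one still on the old versions.
FIXED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.9.0)
        public_suffix (>= 2.0.2, < 8.0)
      json (2.19.4)
      public_suffix (6.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    addressable
    json

  BUNDLED WITH
     2.7.1
LOCK

OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.7)
        public_suffix (>= 2.0.2, < 7.0)
      json (2.19.0)
      public_suffix (6.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    addressable
    json

  BUNDLED WITH
     2.7.1
LOCK

SAMPLE_LOCKFILES = {
  "providers/openfeature-flagsmith-provider/Gemfile.lock" => FIXED_LOCK,
  "providers/openfeature-meta_provider/Gemfile.lock" => OLD_LOCK
}
# Fixed versions named in the PR summary.
MINIMUMS = { "addressable" => "2.9.0", "json" => "2.19.4" }

if $PROGRAM_NAME == __FILE__
  unresolved_alerts(SAMPLE_LOCKFILES, MINIMUMS).each do |path, gem_name, version|
    puts "#{path}: #{gem_name} still at #{version} (needs >= #{MINIMUMS[gem_name]})"
  end
  bundler_versions(SAMPLE_LOCKFILES).each { |path, v| puts "#{path}: BUNDLED WITH #{v}" }
end
```

Run it against `Dir.glob("providers/*/Gemfile.lock")` instead of the samples to cover every provider; a lockfile that is missing from the findings either already carries the fix or does not depend on the gem, which the check treats as two different outcomes.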

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates dependency versions in several Gemfile.lock files across different providers. The reviewer identified multiple critical issues: the specified Bundler version (4.0.10) is invalid as it has not been released, and the versions for the 'public_suffix' (7.0.5) and 'json' (2.19.4) gems do not exist on RubyGems, which will lead to build failures.

Comment thread providers/openfeature-flagsmith-provider/Gemfile.lock Outdated
Comment thread providers/openfeature-go-feature-flag-provider/Gemfile.lock Outdated
Comment thread providers/openfeature-go-feature-flag-provider/Gemfile.lock Outdated
Comment thread providers/openfeature-meta_provider/Gemfile.lock
Comment thread providers/openfeature-meta_provider/Gemfile.lock Outdated
@jonathannorris
Member Author

The test_flagd_provider failures are pre-existing and unrelated to this PR — the flagd provider lockfile is unchanged. The failing test checks fractional targeting output for the color-palette-experiment flag, and targeting key "1234" now resolves to #4b5563 (grey) instead of the expected #b91c1c (red). The last passing run was April 1st, so this breakage predates this PR. Looks like it's related to the fractional evaluation hashing change tracked in #73.

- addressable 2.8.7/2.8.9 -> 2.9.0 (high, Dependabot alert 34, 35)
- json 2.19.0 -> 2.19.4 (high, Dependabot alert 29)

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris force-pushed the fix/dependabot-alerts branch from d97ccc0 to 084fe56 on May 19, 2026 15:13
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
…ckfile

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
jonathannorris added a commit that referenced this pull request Jun 2, 2026
…r flagd v0.15.4 (#166)

## Summary

- Updates `color-palette-experiment` fractional targeting test
expectations to match bucketing behavior in flagd `v0.15.4`
- The fractional evaluator changed to high-precision integer arithmetic
(`(hash * totalWeight) >> 32`), which rebucketed all users — tracked in
#73
- Expected values verified by running the exact `twmb/murmur3` +
`distributeValue` algorithm from flagd's source at `core/v0.15.4`
- Replaced targeting keys with ones that resolve to all four distinct
variants (red, blue, green, grey), so the test validates fractional
bucketing rather than falling through to the default
- Originally identified as a pre-existing failure in #165

Also bumps `BUNDLED WITH` in the otel-hook `Gemfile.lock` from 2.7.1 to
4.0.11. A Ruby 4.1dev commit (between May 4–12) made
`Pathname::SEPARATOR_PAT` private, breaking bundler 2.7.1's vendored
thor. Bundler 4.0.0+ includes the fix (ruby/rubygems#9056).

---------

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
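The bucketing the #166 commit message describes, reimplemented in Ruby as an added example so a maintainer can derive test expectations offline: a MurmurHash3 x86 32-bit hash of the bucket key, then `(hash * totalWeight) >> 32` to select a weighted variant. This is not flagd's code and not the provider's test. Two details are my assumptions, not stated on the page: the bucket key is the flag key concatenated with the targeting key, and the hash seed is 0. The bucket weights, the `user-N` keys and the sample targeting keys are constructed; the one fixed hash value asserted is the published MurmurHash3 test vector for `"test"`.

```ruby
# Added example: fractional bucketing as described in #166 (murmur3 32-bit hash,
# then integer bucket selection). Not flagd's code and not the provider's test.

MASK32 = 0xFFFFFFFF

def rotl32(x, r)
  ((x << r) | (x >> (32 - r))) & MASK32
end

# MurmurHash3, x86 32-bit variant (the function twmb/murmur3 exposes as Sum32),
# hand-written here so the example has no external dependency.
def murmur3_32(str, seed = 0)
  bytes = str.bytes
  h = seed & MASK32
  c1 = 0xcc9e2d51
  c2 = 0x1b873593
  nblocks = bytes.length / 4

  nblocks.times do |i|
    k = bytes[4 * i] | (bytes[4 * i + 1] << 8) | (bytes[4 * i + 2] << 16) | (bytes[4 * i + 3] << 24)
    k = (k * c1) & MASK32
    k = rotl32(k, 15)
    k = (k * c2) & MASK32
    h ^= k
    h = rotl32(h, 13)
    h = (h * 5 + 0xe6546b64) & MASK32
  end

  tail = bytes.drop(nblocks * 4) # 0 to 3 trailing bytes, little-endian into one word
  unless tail.empty?
    k = 0
    tail.each_with_index { |b, i| k ^= b << (8 * i) }
    k = (k * c1) & MASK32
    k = rotl32(k, 15)
    k = (k * c2) & MASK32
    h ^= k
  end

  h ^= bytes.length
  h ^= h >> 16
  h = (h * 0x85ebca6b) & MASK32
  h ^= h >> 13
  h = (h * 0xc2b2ae35) & MASK32
  h ^= h >> 16
  h
end

# Integer selection quoted in #166: (hash * totalWeight) >> 32 is an integer in
# [0, totalWeight), so no floating point is involved and a zero-weight bucket can
# never be chosen. buckets is an ordered list of [variant, weight] pairs.
def distribute_value(hash, buckets)
  total = buckets.sum { |_, w| w }
  raise ArgumentError, "total weight must be positive" unless total.positive?
  point = ((hash & MASK32) * total) >> 32
  cumulative = 0
  buckets.each do |variant, weight|
    cumulative += weight
    return variant if point < cumulative
  end
  raise "unreachable: point #{point} is not below total #{total}"
end

# Assumption (not stated on the page): the bucket key is the flag key
# concatenated with the targeting key, hashed with seed 0.
def evaluate_fractional(flag_key, targeting_key, buckets)
  distribute_value(murmur3_32(flag_key + targeting_key), buckets)
end

# Count how n constructed targeting keys ("user-0" .. "user-{n-1}") spread
# across the buckets; a sound hash plus even weights should give even counts.
def distribution(flag_key, n, buckets)
  counts = Hash.new(0)
  n.times { |i| counts[evaluate_fractional(flag_key, "user-#{i}", buckets)] += 1 }
  counts
end

# Constructed weights; the flag name is the one the test in #166 covers.
PALETTE = [["red", 25], ["blue", 25], ["green", 25], ["grey", 25]]

if $PROGRAM_NAME == __FILE__
  %w[1234 alice bob carol].each do |key|
    puts "#{key.ljust(6)} -> #{evaluate_fractional('color-palette-experiment', key, PALETTE)}"
  end
  p distribution("color-palette-experiment", 10_000, PALETTE)
end
```

To regenerate expectations for a provider test the way the commit describes, substitute the exact bucket-key construction and weights from the flag definition under test; under a different key scheme the same targeting key lands in a different bucket, which is the kind of silent rebucketing the #166 message attributes to the evaluator change.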
8 participants