chore(deps): upgrade ACSA Arc extension from 2.6.0 to 2.12.0#664
chore(deps): upgrade ACSA Arc extension from 2.6.0 to 2.12.0#664Mersim-bit wants to merge 4 commits into
Conversation
katriendg
left a comment
There was a problem hiding this comment.
Thank you @Mersim-bit for picking this one up!
A few things before we can finalize review:
- Please approve the Contributor License Agreement(CLA)
- The Bicep docs should also be updated, run
npm run bicep-docs - Use the repo's pull request template https://github.com/microsoft/edge-ai/blob/main/.github/PULL_REQUEST_TEMPLATE.md to format the PR and validate the CI steps
Thanks!
|
@microsoft-github-policy-service agree |
|
Hi @katriendg , Thank you for the review. I have completed the following:
Current blocker: I am currently in a location with very limited/unstable internet connectivity for the next 1-2 months. This prevents me from installing Azure CLI locally to run The functional code changes are complete and ready for review. Would a maintainer be able to help regenerate the docs, or would you prefer I mark this PR as draft and return once I have stable internet to complete the final documentation step? Please let me know the preferred approach. Happy to adjust as needed. |
📚 Documentation Health ReportGenerated on: 2026-07-09 09:27:33 UTC 📈 Documentation Statistics
🏗️ Three-Tree Architecture Status
🔍 Quality Metrics
This report is automatically generated by the Documentation Automation workflow. |
|
Thanks @Mersim-bit - that's OK, we have done the updates to regenerate the docs. All good now we'll have another approver review my changes. |
…across npm, python, rust, and go (#668) ## Description This PR remediates the dependency advisories surfaced by *grype*/*syft* and *cargo-audit* for the tracking issue, touching only dependency **manifests** and their compiled **lockfiles** across four ecosystems. No application logic changed. Each ecosystem uses its idiomatic pinning mechanism — npm **overrides**, pip-compile *.in*/*.txt* pairs, and Cargo manifest plus *Cargo.lock* — and every version change carries regenerated hashes or integrity values. ### Python - Pinned **aiohttp** to `>=3.14.1` in *.github/requirements/checkov.in* (compiled *checkov.txt* moved 3.13.5 → 3.14.1) to resolve **GHSA-h44m-gjqg-c33q**, regenerating the hash block and refreshing source comments. - In the *510-onvif-connector* **camera-dashboard**, relaxed `lxml==6.1.0` to `lxml>=6.1.1` and added the split-out `lxml-html-clean>=0.4.5` sanitization package. - In the *506-ros2-connector* base requirements, bumped **numpy** 2.5.0 → 2.5.1 and removed the unused `opencv-python==4.13.0.92` (clears a 4→5 dependabot conflict). ### Rust - Upgraded the OpenTelemetry stack in *507-ai-inference* **ai-edge-inference**: `tracing-opentelemetry` constraint raised to `"0.33"`, with the lockfile moving **opentelemetry** 0.26.0 → 0.32.0 and **tracing-opentelemetry** 0.27.0 → 0.33.0. This flattened the separate `opentelemetry_sdk` 0.26.0 crate and an orphaned `glob` 0.3.3 dependency out of the tree. - Bumped **crossbeam-epoch** 0.9.18 → 0.9.20 across every Rust lockfile in the tree — the three *ai-edge-inference* crate lockfiles and the *511-rust-embedded-wasm-provider* map operator — to clear **RUSTSEC-2026-0204**. ### npm - Added **overrides** in *docs/docusaurus* for `http-proxy-middleware ^2.0.10` (lockfile 2.0.9 → 2.0.10) and the transitive `js-yaml@^3 ^3.15.0` (lockfile 3.14.2 → 3.15.0). - Added an **overrides** entry in *516-chat-with-your-factory* pinning the transitive `uuid@^11` to `^11.1.1` (lockfile 11.1.0 → 11.1.1 under the `@microsoft/agents-*` scopes). ### Go - No file changes. **GO-2026-5932** was verified unreachable, so no suppression was required. ## Related Issue Fixes #667 Related to #664 ## Type of Change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] Blueprint modification or addition - [ ] Component modification or addition - [ ] Documentation update - [ ] CI/CD pipeline change - [x] Other (please describe): Security dependency remediation (grype/syft/cargo-audit) across npm, Python, and Rust manifests and lockfiles ## Implementation Details Version changes were introduced at the manifest level and the compiled lockfiles regenerated so that hashes and integrity values match. Transitive advisories were addressed with the least-invasive mechanism per ecosystem: npm `overrides` blocks for indirect JavaScript packages, explicit pins in pip-compile `.in` files re-locked into `.txt`, and Cargo manifest constraint bumps re-resolved into `Cargo.lock`. Two opportunistic cleanups accompanied the remediation — the unused `opencv-python` dependency was dropped from *506-ros2-connector*, and the OpenTelemetry upgrade removed the now-redundant `opentelemetry_sdk` and `glob` crates. Root *requirements.in*/*requirements.txt* were intentionally left unchanged; aiohttp stays at 3.13.5 there because of the `checkov~=3.3.6` cap, so the pin was scoped to *.github/requirements/checkov*. ## Testing Performed <!-- For bug fixes: A regression test verifies the fix and prevents the issue from recurring --> - [ ] Terraform plan/apply - [ ] Blueprint deployment test - [x] Unit tests - [ ] Integration tests - [ ] Bug fix includes regression test (see [Test Policy](docs/contributing/testing-validation.md)) - [ ] Manual validation - [ ] Other: ## Validation Steps 1. Confirm the lockfiles resolve cleanly: `pip-compile` for the affected `.in` files (checkov, camera-dashboard, ros2-connector), `npm install` in *docs/docusaurus* and *516-chat-with-your-factory*, and `cargo check`/`cargo build` for the *507-ai-inference* and *511-rust-embedded-wasm-provider* crates. 2. Re-run the vulnerability scanner (grype/cargo-audit) and confirm GHSA-h44m-gjqg-c33q and RUSTSEC-2026-0204 no longer report. 3. Verify no unrelated manifest or root requirements files changed. ## Checklist - [ ] I have updated the documentation accordingly - [ ] I have added tests to cover my changes - [ ] All new and existing tests passed - [ ] I have run `terraform fmt` on all Terraform code - [ ] I have run `terraform validate` on all Terraform code - [ ] I have run `az bicep format` on all Bicep code - [ ] I have run `az bicep build` to validate all Bicep code - [x] I have checked for any sensitive data/tokens that should not be committed - [ ] Lint checks pass (run applicable linters for changed file types) ## Security Review - [x] No credentials, secrets, or tokens are hardcoded or logged - [ ] RBAC and identity changes follow least-privilege principles - [x] No new network exposure or public endpoints introduced without justification - [x] Dependency additions or updates have been reviewed for known vulnerabilities - [ ] Container image changes use pinned digests or SHA references ## Additional Notes - This PR does **not** touch the security-sensitive paths listed above (*SECURITY.md*, *src/000-cloud/010-security-identity/*, *deploy/*), so the `security-reviewed` label gate does not apply. - The **RUSTSEC-2026-0204** and **GO-2026-5932** advisory identifiers are sourced from the commit message rather than the diff; the diff itself shows the corresponding version bumps and the absence of Go file changes. - Terraform and Bicep checklist items are not applicable — no *.tf* or *.bicep* files were modified. ## Screenshots (if applicable)
📚 Documentation Health ReportGenerated on: 2026-07-09 14:04:23 UTC 📈 Documentation Statistics
🏗️ Three-Tree Architecture Status
🔍 Quality Metrics
This report is automatically generated by the Documentation Automation workflow. |
📚 Documentation Health ReportGenerated on: 2026-07-09 15:06:29 UTC 📈 Documentation Statistics
🏗️ Three-Tree Architecture Status
🔍 Quality Metrics
This report is automatically generated by the Documentation Automation workflow. |
tapheret2
left a comment
There was a problem hiding this comment.
Review pass
Static review of the open diff:
- Looks focused enough for a community review pass
- Please ensure tests/docs match any behavior change
- Call out breaking changes in the PR body if any
Thanks — re-submitted after rate-limit cooldown.
Description
Upgrades the Azure Container Storage enabled by Azure Arc (ACSA) extension from version 2.6.0 to 2.12.0 (latest preview) in the
109-arc-extensionscomponent.Changes made:
containerStorageExtensionDefaults.release.versioninsrc/100-edge/109-arc-extensions/bicep/types.biceparc_extensions.container_storage_extension.versioninsrc/100-edge/109-arc-extensions/terraform/variables.tfnpm run bicep-docsandnpm run tf-docs)npm run tflint-fix-all,npm run tf-validate, andaz bicep buildvalidation2.6.0references remain in docs or examplesRelated Issue
Fixes #662
Type of Change
Implementation Details
2.12.0version-checkertooling references remain intact (only the version value was changed, variable names were not renamed)Testing Performed
npm run bicep-docs,npm run tf-docs,npm run tflint-fix-all,npm run tf-validate,az bicep buildValidation Steps
src/100-edge/109-arc-extensions/bicep/types.bicepand confirmcontainerStorageExtensionDefaults.release.versionis2.12.0src/100-edge/109-arc-extensions/terraform/variables.tfand confirm the container storage extension version is2.12.0npm run bicep-docsand verify generated docs reflect the new versionaz bicep buildon the modified Bicep files — build should succeed with no errorsnpm run tf-validate— validation should passChecklist
terraform fmton all Terraform codeterraform validateon all Terraform codeaz bicep formaton all Bicep codeaz bicep buildto validate all Bicep codeSecurity Review
Additional Notes
version-checkertooling references the Bicep default variable names (containerStorageExtensionDefaults); only the version value was updated, no variables were renamed.mainmay be required.Screenshots (if applicable)
N/A