# pact-broker
  • Jörgen Andersson
    02/02/2023, 1:12 PM
    With regards to security issues with the mariadb-dev package in Alpine Linux (issue #94), a solution that would remove many of the problems would be to upgrade to Alpine 3.17. However, there seems to be no Ruby 2.7.6 Alpine image available after ruby:2.7.6-alpine3.16. Further upgrades would require migrating Pact-Broker to Ruby 3.0 or 3.1. I can't find any written information (issue or technical roadmap) describing such plans. According to this page Ruby 2.7 is to be EOL at the end of March 2023. Is there a planned way forward for Pact-Broker that you can share?
  • Slackbot
    02/02/2023, 1:12 PM
    https://docs.pact.io/docker/#alpine-linux
  • GitHub
    02/03/2023, 6:50 AM
    #101 chore(deps): bump nokogiri from 1.13.9 to 1.14.1 in /pact_broker
    Pull request opened by dependabot[bot]
    Bumps nokogiri from 1.13.9 to 1.14.1.
    Release notes (sourced from nokogiri's releases):
    1.14.1 / 2023-01-30
    Fixed
    • Serializing documents now works again with pseudo-IO objects that don't support IO's encoding API (like rubyzip's `Zip::OutputStream`). This was a regression in v1.14.0 due to the fix for #752 in #2434, and was not completely fixed by #2753. [#2773]
    • [CRuby] Address compiler warnings about `void*` casting and old-style C function definitions.
    * * *
    sha256 checksums:
    ```
    99594e8b94f576644ac640a223d74c79e840218948e963aa635f0254927bff10 nokogiri-1.14.1-aarch64-linux.gem
    1dc9b7821e1fa1f3fda40659662e51a4b3692acc4ee6342ee34a6a537fc1d5d8 nokogiri-1.14.1-arm-linux.gem
    1a693df86da8c4c97b01d614470f9c3e10b9c755de8803fbfcfffe0f9dff522a nokogiri-1.14.1-arm64-darwin.gem
    c1f87a8f7bc56028deb2aecbb29e9b318405f7c468b29047aede78b41bc735a2 nokogiri-1.14.1-java.gem
    2463a1ae0be5f06a10f3f3b374c2b743bff6280db993d488511a19bb7bc7cb7c nokogiri-1.14.1-x64-mingw-ucrt.gem
    f3a2b0ceedf51d776b39dc759ce191a4df842d7d4f5900c64f33d4753db39877 nokogiri-1.14.1-x64-mingw32.gem
    f395d6c28c822b0877cfb0c71781f05243c034b4823359ab25b3288a73b9fc82 nokogiri-1.14.1-x86-linux.gem
    be34b32fe74e82bffca5b1f3df8727c8fdc828762b6dddab53a11cd8f8515785 nokogiri-1.14.1-x86-mingw32.gem
    9b14091f77086c4f0f09451ba3acd1b5f7e0076fb34fc536682170fa9f1a5074 nokogiri-1.14.1-x86_64-darwin.gem
    21d234c51582b292e2e1e02e6c30eea9188894348985d6910aa8e993749c0aff nokogiri-1.14.1-x86_64-linux.gem
    b2db3af7769c29cd77d5f39cd3d0b65ab10975bdecf04be71d683f9c9abe2663 nokogiri-1.14.1.gem
    ```
    1.14.0 / 2023-01-12
    Notable Changes
    Ruby
    This release introduces native gem support for Ruby 3.2. (Also see "Technical note" under "Changed" below.)
    This release ends support for:
    • Ruby 2.6, for which upstream support ended 2022-04-12.
    • JRuby 9.3, which is not fully compatible with Ruby 2.7+
    Faster, more reliable installation: Native Gem for `aarch64-linux` (aka `linux/arm64/v8`)
    This version of Nokogiri ships official native gem support for the `aarch64-linux` platform, which should support AWS Graviton and other ARM64 Linux platforms. Please note that glibc >= 2.29 is required for aarch64-linux systems, see Supported Platforms for more information.
    Faster, more reliable installation: Native Gem for `arm-linux` (aka `linux/arm/v7`)
    This version of Nokogiri ships experimental native gem support for the `arm-linux` platform. Please note that glibc >= 2.29 is required for arm-linux systems, see Supported Platforms for more information.
    ... (truncated)
    Changelog (sourced from nokogiri's changelog; the 1.14.1 and 1.14.0 entries repeat the release notes above):
    Pattern matching
    This version introduces an experimental pattern matching API for `XML::Attr`, `XML::Document`, `XML::DocumentFragment`, `XML::Namespace`, `XML::Node`, and `XML::NodeSet` (and their subclasses).
    Some documentation on what can be matched:
    • `XML::Attr#deconstruct_keys`
    • `XML::Document#deconstruct_keys`
    • `XML::Namespace#deconstruct_keys`
    • `XML::Node#deconstruct_keys`
    • `XML::DocumentFragment#deconstruct`
    • `XML::NodeSet#deconstruct`
    We welcome feedback on this API at #2360.
    Dependencies
    ... (truncated)
    Commits
    • `f6cecec` version bump to v1.14.1
    • `56e6118` Merge pull request #2782 from sparklemotion/dependabot/bundler/rubocop-1.44.1
    • `a8eb958` build(deps-dev): update rubocop requirement from 1.43.0 to 1.44.1
    • `87b94c5` Merge pull request #2781 from sparklemotion/dependabot/bundler/rubocop-minite...
    • `c14cf6a` build(deps-dev): update rubocop-minitest requirement
    • `c748078` Merge pull request #2775 from sparklemotion/2773-pseudo-io-serialization
    • `1605431` Merge pull request <https://github-redire…
    pact-foundation/pact-broker-docker
    GitHub Actions: test
    GitHub Actions: test
    ✅ 1 other check has passed
    1/3 successful checks
  • GitHub
    02/03/2023, 6:50 AM
    #91 chore(deps): bump nokogiri from 1.13.9 to 1.13.10 in /pact_broker
    Pull request opened by dependabot[bot]
    Bumps nokogiri from 1.13.9 to 1.13.10.
    Release notes (sourced from nokogiri's releases):
    1.13.10 / 2022-12-07
    Security
    • [CRuby] Address CVE-2022-23476, unchecked return value from `xmlTextReaderExpand`. See GHSA-qv4q-mr5r-qprj for more information.
    Improvements
    • [CRuby] `XML::Reader#attribute_hash` now returns `nil` on parse errors. This restores the behavior of `#attributes` from v1.13.7 and earlier. [#2715]
    * * *
    sha256 checksums:
    ```
    777ce2e80f64772e91459b943e531dfef387e768f2255f9bc7a1655f254bbaa1 nokogiri-1.13.10-aarch64-linux.gem
    b432ff47c51386e07f7e275374fe031c1349e37eaef2216759063bc5fa5624aa nokogiri-1.13.10-arm64-darwin.gem
    73ac581ddcb680a912e92da928ffdbac7b36afd3368418f2cee861b96e8c830b nokogiri-1.13.10-java.gem
    916aa17e624611dddbf2976ecce1b4a80633c6378f8465cff0efab022ebc2900 nokogiri-1.13.10-x64-mingw-ucrt.gem
    0f85a1ad8c2b02c166a6637237133505b71a05f1bb41b91447005449769bced0 nokogiri-1.13.10-x64-mingw32.gem
    91fa3a8724a1ce20fccbd718dafd9acbde099258183ac486992a61b00bb17020 nokogiri-1.13.10-x86-linux.gem
    d6663f5900ccd8f72d43660d7f082565b7ffcaade0b9a59a74b3ef8791034168 nokogiri-1.13.10-x86-mingw32.gem
    81755fc4b8130ef9678c76a2e5af3db7a0a6664b3cba7d9fe8ef75e7d979e91b nokogiri-1.13.10-x86_64-darwin.gem
    51d5246705dedad0a09b374d09cc193e7383a5dd32136a690a3cd56e95adf0a3 nokogiri-1.13.10-x86_64-linux.gem
    d3ee00f26c151763da1691c7fc6871ddd03e532f74f85101f5acedc2d099e958 nokogiri-1.13.10.gem
    ```
    Changelog (sourced from nokogiri's changelog; the 1.13.10 entry repeats the release notes above).
    Commits
    • `4c80121` version bump to v1.13.10
    • `85410e3` Merge pull request #2715 from sparklemotion/flavorjones-fix-reader-error-hand...
    • `9fe0761` fix(cruby): XML::Reader#attribute_hash returns nil on error
    • `3b9c736` Merge pull request #2717 from sparklemotion/flavorjones-lock-psych-to-fix-bui...
    • `2efa87b` test: skip large cdata test on system libxml2
    • `3187d67` dep(dev): pin psych to v4 until v5 builds in CI
    • `a16b4bf` style(rubocop): disable Minitest/EmptyLineBeforeAssertionMethods
    • See full diff in compare view
    Dependabot compatibility score
    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
    * * *
    Dependabot commands and options
    You can trigger Dependabot actions by commenting on this PR:
    • `@dependabot rebase` will rebase this PR
    • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
    • `@dependabot merge` will merge this PR after your CI passes on it
    • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
    • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
    • `@dependabot reopen` will reopen this PR if it is closed
    • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
    • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
    • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
    • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
    You can disable automated security fix PRs for this repo from the Security Alerts page.
    pact-foundation/pact-broker-docker
    GitHub Actions: build
    GitHub Actions: test
    GitHub Actions: test
    ✅ 1 other check has passed
    1/4 successful checks
  • GitHub
    02/03/2023, 6:58 AM
    #89 [Snyk] Security upgrade pact_broker from 2.105.0 to 2.105.0
    Pull request opened by mefellows
    This PR was automatically created by Snyk using the credentials of a real user. Snyk has created this PR to fix one or more vulnerable packages in the `rubygems` dependencies of this project.
    Changes included in this PR
    • Changes to the following files to upgrade the vulnerable dependencies to a fixed version: pact_broker/Gemfile.lock
    Vulnerabilities that will be fixed
    With an upgrade: (*) Note that the real score may have changed since the PR was raised.
    Check the changes in this PR to ensure they won't cause issues with your project.
    * * *
    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
    🧐 View latest project report
    🛠️ Adjust project settings
    📚 Read more about Snyk's upgrade and patch logic
    * * *
    Learn how to fix vulnerabilities with free interactive lessons:
    🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
    pact-foundation/pact-broker-docker
    ✅ All checks have passed
    4/4 successful checks
  • GitHub
    02/03/2023, 7:00 AM
    #87 [Snyk] Fix for 1 vulnerabilities
    Pull request opened by mefellows
    This PR was automatically created by Snyk using the credentials of a real user. Snyk has created this PR to fix one or more vulnerable packages in the `rubygems` dependencies of this project.
    Changes included in this PR
    • Changes to the following files to upgrade the vulnerable dependencies to a fixed version: Gemfile
    ⚠️ Warning: Failed to update the Gemfile.lock, please update manually before merging.
    Vulnerabilities that will be fixed
    With an upgrade: (*) Note that the real score may have changed since the PR was raised.
    Check the changes in this PR to ensure they won't cause issues with your project.
    * * *
    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
    🧐 View latest project report
    🛠️ Adjust project settings
    📚 Read more about Snyk's upgrade and patch logic
    * * *
    Learn how to fix vulnerabilities with free interactive lessons:
    🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
    pact-foundation/pact-broker-docker
    ✅ All checks have passed
    4/4 successful checks
  • GitHub
    02/03/2023, 7:00 AM
    #86 [Snyk] Security upgrade pact_broker from 2.105.0 to 2.105.0
    Pull request opened by mefellows
    This PR was automatically created by Snyk using the credentials of a real user. Snyk has created this PR to fix one or more vulnerable packages in the `rubygems` dependencies of this project.
    Changes included in this PR
    • Changes to the following files to upgrade the vulnerable dependencies to a fixed version: pact_broker/Gemfile.lock
    Vulnerabilities that will be fixed
    With an upgrade: (*) Note that the real score may have changed since the PR was raised.
    Check the changes in this PR to ensure they won't cause issues with your project.
    * * *
    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
    🧐 View latest project report
    🛠️ Adjust project settings
    📚 Read more about Snyk's upgrade and patch logic
    * * *
    Learn how to fix vulnerabilities with free interactive lessons:
    🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
    pact-foundation/pact-broker-docker
    ✅ All checks have passed
    4/4 successful checks
  • GitHub
    02/03/2023, 7:10 AM
    #85 out of sync readme for published docker image, compared to website?
    Issue created by YOU54F
    We have two docker images for PB:
    1. dius/pact-broker, https://hub.docker.com/r/dius/pact-broker/
    2. pactfoundation/pact-broker, https://hub.docker.com/r/pactfoundation/pact-broker/
    The readme on Docker for the DiUS image lines up with the website. The readme on Docker for the pactfoundation image doesn't line up with the website.
    • It instead appears to be a copy of the dius image, with the image name changed, and is missing information compared to the website.
    pact-foundation/pact-broker-docker
  • GitHub
    02/03/2023, 7:10 AM
    #54 Request to have Pact-Broker Docker Image added to Iron Bank
    Issue created by jhawthor
    Request to have Pact-Broker Docker Image added to DoD Iron Bank. After an email exchange with Matt Fellows, he recommended I make this request to the community on this forum:
    I work as a contractor for the Air Force in Cyber Testing. I'm interested in getting the Pact-Broker Docker in Iron Bank so that it can be used in Department of Defense (DoD) software projects from unclassified to classified. However, after attending the Iron Bank onboarding, held every Wednesday, I would have to maintain it, which is not in my contract. I would like to know if you would be interested in getting the Pact-Broker Docker image into Iron Bank?
    Iron Bank is a public container hardening process that allows vendors and open source projects to provide hardened software. The link to Iron Bank is listed below.
    Basic Information. You will need to register for an account and you do not have to be military or a DoD employee. https://ironbank.dso.mil/about
    Getting Started: Register for an Onboarding Brief. There will be time to ask questions after the brief. It's 1 hr (30 min brief/30 min questions). https://p1.dso.mil/#/products/iron-bank/getting-started
    Thanks
    pact-foundation/pact-broker-docker
  • GitHub
    02/03/2023, 7:11 AM
    #71 twist lock security issue
    Issue created by linl2
    Pre issue-raising checklist
    I have already (please mark the applicable with an `x`):
    ☑︎ Confirmed this is the right place to raise the issue - only issues related to the Dockerization of the Pact Broker should be raised here. Issues related to the Pact Broker application itself should be raised in the Pact Broker project.
    ☑︎ Upgraded to the latest Pact Broker Docker image OR
    ☑︎ Checked the CHANGELOG to see if the issue I am about to raise has been fixed
    ☑︎ Read the Troubleshooting page
    Software versions
    • pact-broker docker version: 2.89.1.0
    Expected behaviour
    no high Vulnerability issue
    Actual behaviour
    4 high Vulnerability issues
    Steps to reproduce
    twistlock scan
    Relevant log files
    1. Private keys stored in image
    2. An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow. "severity": "high", "packageName": "ncurses", "packageVersion": "6.2_p20210109-r0", "link": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39537"
    3. In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. "severity": "high", "packageName": "rdoc", "packageVersion": "6.1.2.1", "link": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31799"
    4. The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized. "severity": "high", "packageName": "underscore", "packageVersion": "1.4.4", "link": "https://github.com/advisories"
    Please ensure you set logging to `DEBUG` and attach any relevant log files here (or link from a gist).
    pact-foundation/pact-broker-docker
  • GitHub
    02/03/2023, 7:11 AM
    #76 Upgrade base image to alpine3.14
    Issue created by bethesque
    alpine3.13 has too many vulnerabilities. I'd prefer to go to alpine3.15, however, there does not seem to be a postgresql-dev package available for alpine3.15 yet. However, going to alpine3.14 will mean dropping support for Docker 19.03, which is now EOL.
    pact-foundation/pact-broker-docker
  • GitHub
    02/03/2023, 11:49 PM
    Release - Version 2.106.0
    New release published by github-actions[bot]
    Features
    • add consumer_version_id index to latest_pact_publication_ids_for_consumer_versions (b75ca5ee)
    • improve the performance of the incremental clean queries (c3a07c79)
    • add index to provider_version_id column in latest_verification_id_for_pact_version_and_provider_version (0e1c43dd)
    • Pacticipant pagination (#585) (f1a9be20)
    • do not allow JSON request bodies that are not Objects or Arrays (3d917286)
    • add index for verification_id in pact_version_provider_tag_successful_verifications table (b82a773a)
    • monkey patch Webmachine render_error method to support problem+json (#584) (508f7ce2)
    • support problem+json for error messages (#583) (92957ebb)
    • add index to provider_version_id column in verifications table (aac33725)
    • clean: log automatically added selectors (135c1c0e)
    Bug Fixes
    • check that request body does not contain any invalid UTF-8 characters before JSON parsing (0a08d644)
    • versions: add missing next and previous relations to paginated response (3b46847e)
    • eager load associations for versions endpoint (2a57dc42)
    • ui: no space after `tag:` (#581) (1b9ebdfe)
    • webhooks: correctly validate HTTP method when the given method is not a valid class name (6da5a4f3)
    pact-foundation/pact_broker
  • GitHub
    02/04/2023, 12:21 AM
    #93 Upgrade Bundler to at least 2.2.33
    Issue created by jorander
    Pre issue-raising checklist
    I have already (please mark the applicable with an `x`):
    ☑︎ Confirmed this is the right place to raise the issue - only issues related to the Dockerization of the Pact Broker should be raised here. Issues related to the Pact Broker application itself should be raised in the Pact Broker project.
    ☑︎ Upgraded to the latest Pact Broker Docker image OR
    ☑︎ Checked the CHANGELOG to see if the issue I am about to raise has been fixed
    ☑︎ Read the Troubleshooting page
    Software versions
    • pact-broker docker version: 2.105.0.1
    Expected behaviour
    No known vulnerabilities.
    Actual behaviour
    Bundler 2.1.4 contains two vulnerabilities fixed in later versions (at least version 2.2.33):
    • https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
    • GHSA-fj7f-vq84-fh43
    Steps to reproduce
    Security scan provided by JFrog Xray.
    Relevant log files
    N/A
    pact-foundation/pact-broker-docker
  • GitHub
    02/04/2023, 12:21 AM
    #92 Upgrade to at least ruby:2.7.6-alpine3.16
    Issue created by jorander
    Pre issue-raising checklist
    I have already (please mark the applicable with an `x`):
    ☑︎ Confirmed this is the right place to raise the issue - only issues related to the Dockerization of the Pact Broker should be raised here. Issues related to the Pact Broker application itself should be raised in the Pact Broker project.
    ☑︎ Upgraded to the latest Pact Broker Docker image OR
    ☑︎ Checked the CHANGELOG to see if the issue I am about to raise has been fixed
    ☑︎ Read the Troubleshooting page
    Software versions
    • pact-broker docker version: 2.105.0.1
    Expected behaviour
    No known vulnerabilities.
    Actual behaviour
    Image alpine3.15 contains three packages with known vulnerabilities that are all fixed and upgraded in alpine3.16:
    • gdbm: fixed in gdbm-1.23
    • sqlite: CVE-2021-46100 (not disclosed but seems to be fixed in ver 3.37.0)
    • icu-libs: fixed in version 71.1-rc2
    Steps to reproduce
    Security scan provided by JFrog Xray.
    Relevant log files
    N/A
    pact-foundation/pact-broker-docker
  • GitHub
    02/04/2023, 12:22 AM
    #88 Security vulnerabilities introduced by supercronic
    Issue created by mohammed-ezzedine
    Pre issue-raising checklist
    I have already (please mark the applicable with an `x`):
    • [X] Confirmed this is the right place to raise the issue - only issues related to the Dockerization of the Pact Broker should be raised here. Issues related to the Pact Broker application itself should be raised in the Pact Broker project.
    • [X] Upgraded to the latest Pact Broker Docker image OR
    • [X] Checked the CHANGELOG to see if the issue I am about to raise has been fixed
    • [X] Read the Troubleshooting page
    Software versions
    • pact-broker docker version: 2.105.0.0
    Expected behaviour
    No security vulnerabilities in the image
    Actual behaviour
    Two security vulnerabilities found: (CVE-2021-38297 and CVE-2022-23806)
    Steps to reproduce
    Version 2.105.0.0 of pact-broker uses supercronic with version v0.1.11 which introduces the above security vulnerabilities caused by using an old version of golang (1.14.4). These vulnerabilities are fixed in golang version 1.17.7+ and are addressed in supercronic v0.2.0, so an upgrade for supercronic to v0.2.0+ would solve it.
    pact-foundation/pact-broker-docker
  • GitHub
    02/04/2023, 12:22 AM
    #4 Potentially support SSL out of the box?
    Issue created by bethesque
    As per https://gist.github.com/tadast/9932075
    pact-foundation/pact-broker-docker
  • Beth (pactflow.io/Pact Broker/pact-ruby)
    02/04/2023, 2:30 AM
    Peeps, due to some issues with the versioning scheme we're currently using for the docker image (it's impossible to convey breaking changes semantically for anything other than the pact_broker gem) I'm proposing a change to the way we do the versions. Would love thoughts here if you're someone who cares about that kind of thing 😆 (cc @Timothy Jones) https://github.com/pact-foundation/pact-broker-docker/discussions/102
  • GitHub
    02/04/2023, 4:23 AM
    #597 feat(clean): use postgres advisory locks to ensure only one process can run a clean at a time
    Pull request opened by bethesque
    #488
    TODO
    • Consider how it will run with the clean.sh script in docker image
    • Make it configurable???
    pact-foundation/pact_broker
    ✅ All checks have passed
    17/17 successful checks
  • GitHub
    02/04/2023, 11:58 AM
    #103 Multiple CVEs with severity level High due to use of SuperCronic 0.2.1 (that uses Go-lang version 1.18.3).
    Issue created by jorander
    Pre issue-raising checklist
    I have already (please mark the applicable with an `x`):
    ☑︎ Confirmed this is the right place to raise the issue - only issues related to the Dockerization of the Pact Broker should be raised here. Issues related to the Pact Broker application itself should be raised in the Pact Broker project.
    ☑︎ Upgraded to the latest Pact Broker Docker image OR
    ☑︎ Checked the CHANGELOG to see if the issue I am about to raise has been fixed
    ☑︎ Read the Troubleshooting page
    Software versions
    • pact-broker gem version: 2.106.0
    • pact-broker docker version: 2.106.0.0
    Expected behaviour
    No CVEs with severity High from use of SuperCronic
    Actual behaviour
    Several CVEs with severity High from use of SuperCronic.
    Steps to reproduce
    Security scan provided by JFrog Xray.
    Relevant log files
    N/A
    pact-foundation/pact-broker-docker
  • GitHub
    02/04/2023, 1:31 PM
    #598 chore(deps): Use same versions of AlpineLinux and Bundler…
    Pull request opened by jorander
    … in dev Docker-files as in pact-broker-docker.
    pact-foundation/pact_broker
    ✅ All checks have passed
    1/1 successful checks
  • GitHub
    02/04/2023, 3:54 PM
    #104 Upgrade to Alpine Linux ver 3.17
    Issue created by jorander
    Pre issue-raising checklist
    I have already (please mark the applicable with an `x`):
    ☑︎ Confirmed this is the right place to raise the issue - only issues related to the Dockerization of the Pact Broker should be raised here. Issues related to the Pact Broker application itself should be raised in the Pact Broker project.
    ☑︎ Upgraded to the latest Pact Broker Docker image OR
    ☑︎ Checked the CHANGELOG to see if the issue I am about to raise has been fixed
    ☑︎ Read the Troubleshooting page
    Software versions
    • pact-broker gem version: 2.106.0
    • pact-broker docker version: 2.106.0.0
    Expected behaviour
    Use Alpine Linux 3.17 to avoid security issues related to version 3.16.
    Actual behaviour
    Alpine Linux 3.16 contains several packages (mariadb-dev, sqlite, libxml2) with reported CVEs with severity level Critical and High.
    Steps to reproduce
    Scan the docker image with JFrog Xray.
    Relevant log files
    N/A
    pact-foundation/pact-broker-docker
  • GitHub
    02/04/2023, 4:13 PM
    #599 Upgrade to at least Ruby 3.1.3
    Issue created by jorander
    Pre issue-raising checklist
    I have already (please mark the applicable with an `x`):
    ☑︎ Upgraded to the latest Pact Broker OR
    ☑︎ Checked the CHANGELOG to see if the issue I am about to raise has been fixed
    ☐ Created an executable example that demonstrates the issue using either a:
    • Dockerfile
    • Git repository with a Travis or Appveyor (or similar) build
    Software versions
    • pact-broker gem version: 2.106.0
    Expected behaviour
    Pact Broker runs on Ruby 3.1.3 or higher.
    Actual behaviour
    Pact Broker runs on Ruby 2.7.7 which prevents using an official Ruby docker image based on Alpine Linux 3.17. See pact-broker-docker issue #104.
    Steps to reproduce
    N/A
    Relevant log files
    N/A
    pact-foundation/pact_broker
  • Gustavs
    02/06/2023, 4:27 PM
    Hello. Would appreciate a bit of a helping hand. We have some verification tests failing due to a 500 response from the broker. The url is: Request to path 'https://pact-broker.url/pacts/provider/provider-name/for-verification' failed with response 500. There was no error message printed, so just wondering what could cause such a response? This seems to only happen when a new branch is built, but master is always passing the build.
  • James P
    02/08/2023, 9:40 AM
    Hi, I've got a question around the pact webhooks. Do they only get evaluated for use after a contract has been published? I was wondering what would happen in a scenario where, for example, there was a period of time where you were not publishing provider verification results and then started and implemented can-i-deploy, record deployments etc. If you ended up rolling back to an older provider version, there might not be a contract verification, so my question is: if a rollback doesn't trigger a publish, is there no way to trigger a custom verification of the provider? Also, does can-i-deploy (consumer side) ever trigger a webhook? For background, we do not publish contracts post merging into trunk, we use can-i-deploy/record deployment from then on, so curious what would happen in this scenario.
  • James P
    02/08/2023, 11:24 AM
    I have another related question to the above. If Provider Version A is the version in production (and has been ‘deployed’ to that environment using record deployment). If the contract expectation is changed by the consumer and the latest provider version B has validated the contract. How would the consumer find out if it is compatible or not with version A of the provider?
  • Matt (pactflow.io / pact-js / pact-go)
    02/08/2023, 11:41 AM
    A can I deploy check from the new consumer version against the production target would yield a negative response
  • Matt (pactflow.io / pact-js / pact-go)
    02/08/2023, 11:43 AM
    Which is what you'd expect. B needs to be deployed before the consumer can release
  • James P
    02/08/2023, 11:57 AM
    Just to clarify in case I have misunderstood (reading this document - https://docs.pact.io/pact_broker/set_up_checklist). For the provider, when the verification takes place, should it validate all environments at once? So any test and production contracts from the consumer?
  • Jeroen Lamain
    02/08/2023, 12:11 PM
    Hi, is installing the pact broker (open source) using a prefix path supported or recommended? I have deployed the broker on AWS using a name like blbla.aws.com/pact-broker. I can log in and do API calls. However, I have multiple problems using client libraries. (1) The JVM @Provider annotation does not support a path (I think). (2) Using the pact-js libraries I could publish the consumer contract but could not verify, as the native verifier could not download the consumer contract. Has anyone deployed the pact broker using a prefix path?
  • Jeroen Lamain
    02/08/2023, 12:22 PM
    Well, figured out that for JVM I could fix it by this annotation: @PactBroker( host = "blbla.aws.com/pact-broker", scheme = "https", )