🔍 Identify the owner of a repo
Check the catalog-info.yaml file at the root of the repo.
Search for CODEOWNERS files in the repo (GitHub reads .github/CODEOWNERS, docs/CODEOWNERS or a root-level CODEOWNERS).
Ask someone from edx.org/2U to consult the 2U Ownership Spreadsheet.
Ask the PR Triage CCs for help routing to the correct owners.
🩹 Apply a security patch to a Python or NPM package
Background
Per OEP-60, security patches need to be applied to main branches and then immediately backported to the most recent named release.
...
When the security patch lands in a package that other repositories install (specifically Python packages and NPM packages), the process is more involved: the consuming repositories' main and release branches may pin different versions of the package, so a single new release does not necessarily cover both.
Playbook
Merge the fix to the package’s main branch.
Release a new package version from the main branch.
Apply that package upgrade to the main branch of the top-level repository/ies that use it.
Determine the version of the package that is pinned in the most recent named release of each top-level repository. Is that pinned version compatible with the new package version you just released (same major version, no breaking changes between the two)?
No →
Create a branch off the package tag that matches the version pinned in the most recent release.
Backport (for example cherry-pick) the fix to that branch.
Release another version of the package from that branch, with a version number that is higher than the pinned one but lower than the version on main, so that package indexes do not treat it as the “latest” release. For NPM packages also pass an explicit dist-tag when publishing (for example npm publish --tag backport), because npm moves the latest tag to whatever was published most recently regardless of version number.
Apply that package upgrade to the release branch of the top-level repository/ies that use it.
Yes →
Just apply the new package version to the release branch of the top-level repository/ies that use it.
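The following is an added example, not code from the Open edX project or from this playbook, that turns the decision above into a small script: given the version pinned in the named release and the version just released from main, it chooses the Yes or No path, computes the tag to branch from and the backport version number, and rewrites the `name==version` pin in a pip-compile style requirements file. It assumes plain X.Y.Z versions, the semver rule that only a changed major number counts as incompatible (the page leaves that judgement to the engineer), and that the fix from main was released as 3.1.1; the package name openedx-animals comes from the scenario on this page.

```python
"""Plan a security-patch release for a package that a top-level repo pins.

Added example for the playbook above; not Open edX project code. Assumes
semver-style X.Y.Z versions and pip-compile style `name==X.Y.Z` pins.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
# A pinned line: name==version, optionally followed by a marker or comment.
_PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<ver>[^\s;#]+)(?P<rest>.*)$")


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' into a comparable tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an X.Y.Z version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'openedx_animals' and 'openedx-animals' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass(frozen=True)
class BackportPlan:
    needs_backport: bool
    backport_base: Optional[str]     # tag to branch from, e.g. 'v2.5.0'
    backport_version: Optional[str]  # version to release from that branch
    release_pin: str                 # version to pin in the top-level release branch


def plan_backport(release_pin: str, fixed_main_version: str) -> BackportPlan:
    """Decide the 'Yes' or 'No' path of the playbook.

    Assumption (the page leaves this to judgement): the new version is treated
    as compatible with the pinned one only if the major number is unchanged.
    """
    pinned = parse_version(release_pin)
    fixed = parse_version(fixed_main_version)
    if fixed <= pinned:
        raise ValueError("the fixed version must be newer than the pinned one")
    if fixed[0] == pinned[0]:
        # Compatible: just bump the pin on the release branch.
        return BackportPlan(False, None, None, fixed_main_version)
    # Incompatible: branch from the pinned tag, backport, release a patch bump.
    # The bump stays below the main-line version, so PyPI-style "highest
    # version wins" resolution will not pick it as the latest release.
    backport = (pinned[0], pinned[1], pinned[2] + 1)
    assert backport < fixed
    return BackportPlan(True, f"v{format_version(pinned)}",
                        format_version(backport), format_version(backport))


def bump_pin(requirements_text: str, package: str, new_version: str) -> str:
    """Rewrite 'package==old' to 'package==new' in a compiled requirements file.

    Keeps the indented '# via ...' annotations pip-compile writes and raises if
    the package is not pinned at all, so a typo cannot silently do nothing.
    """
    parse_version(new_version)  # fail early on a malformed version
    target = normalize_name(package)
    out, found = [], False
    for line in requirements_text.splitlines():
        m = _PIN_RE.match(line)
        if m and normalize_name(m.group("name")) == target:
            line = f"{m.group('name')}=={new_version}{m.group('rest')}"
            found = True
        out.append(line)
    if not found:
        raise LookupError(f"{package} is not pinned with '==' in this file")
    result = "\n".join(out)
    return result + "\n" if requirements_text.endswith("\n") else result


if __name__ == "__main__":
    # Constructed input mirroring the page's scenario: Zebrawood pins 2.5.0,
    # main shipped the fix as 3.1.1 (assumed number).
    plan = plan_backport("2.5.0", "3.1.1")
    print(plan)
    reqs = "openedx-animals==2.5.0\n    # via -r requirements/base.in\nrequests==2.31.0\n"
    print(bump_pin(reqs, "openedx-animals", plan.release_pin))
```

Run it as a script to see the plan for the Zebrawood scenario; in a real backport the `backport_base` tag is what you `git checkout -b` from, and `release_pin` is the value you write into the release branch's requirements before opening the PR.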
Example
Scenario: The openedx-animals package is installed into the edx-platform and credentials services. On main it is installed at version 3.1.0; in the most recent named release (Zebrawood) it is installed at version 2.5.0.
...