🩹 Apply a security patch to a Python or NPM package

Background

Per OEP-60, security patches need to be applied to main branches and then immediately backported to the most recent named release.

...

When the security patch lands in a package that is installed into other repositories (specifically: Python packages and NPM packages), the process is more involved, because both the package and every repository that pins it need a patched release.

Playbook

  1. Merge the fix to the package’s main branch.

  2. Release a new package version from the main branch.

  3. Apply that package upgrade to the main branch of the top-level repository/ies that use it.

  4. Determine the version of the package that is installed in the most recent named release. Is that version compatible with the new package version you just released?

    1. No →

      1. Create a branch off of the package version that is used in the most recent release.

      2. Backport the fix to that branch.

      3. Release another version of the package, using a lower version number so that it’s not considered the “latest” release.

      4. Apply that package upgrade to the release branch of the top-level repository/ies that use it.

    2. Yes →

      1. Just apply that package upgrade to the release branch of the top-level repository/ies that use it.
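The decision in step 4, written out as an added example (this is not code from the page or from the Open edX project): it reads the pinned version from a pip-style requirements file, applies an assumed "same major version" compatibility heuristic, and proposes a backport version number that stays below the new release so the index does not treat it as the latest. The requirements text, the `openedx-animals` pin of 2.5.0 from the Zebrawood scenario, and the patched version 3.1.1 are constructed values.

```python
# Added example, not part of the OEP-60 page: choose the step-4 branch of the playbook.
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a tuple; anything else is rejected."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def pinned_version(requirements_text: str, package: str) -> Version:
    """Return the '==' pin for `package` from pip-style requirements text."""
    pin = re.compile(rf"^{re.escape(package)}==([\w.]+)", re.MULTILINE | re.IGNORECASE)
    m = pin.search(requirements_text)
    if not m:
        raise LookupError(f"{package} is not pinned in the requirements")
    return parse_version(m.group(1))


def compatible(release_version: Version, new_version: Version) -> bool:
    """Assumed heuristic: the release can take the new version directly only if the major matches."""
    return release_version[0] == new_version[0]


@dataclass
class Plan:
    action: str
    backport_version: Optional[Version]  # None when no backport release is needed


def plan_backport(release_version: Version, new_version: Version) -> Plan:
    """'Yes' -> upgrade the release branch; 'No' -> backport and cut a lower-numbered release."""
    if compatible(release_version, new_version):
        return Plan("upgrade the release branch to the new version", None)
    major, minor, patch = release_version
    # Bump only the patch of the pinned line so the backport sorts below the main-branch release.
    return Plan("branch off the pinned version, backport the fix, release it", (major, minor, patch + 1))


# Constructed requirements for the Zebrawood scenario; 3.1.1 is an assumed patched release.
ZEBRAWOOD_REQUIREMENTS = "Django==4.2.1\nopenedx-animals==2.5.0\n"
NEW_VERSION = "3.1.1"
```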

Example

Scenario: The openedx-animals package is installed into the edx-platform and credentials services. On main it is installed at version 3.1.0; in the most recent named release (Zebrawood) it is installed at version 2.5.0.

...