Flagr is an open source Go service that delivers the right experience to the right entity and monitors the impact.

Overview

Introduction

openflagr/flagr is a community-driven OSS effort of advancing the development of Flagr.

Flagr is an open source Go service that delivers the right experience to the right entity and monitors the impact. It provides feature flags, experimentation (A/B testing), and dynamic configuration. It has clear swagger REST APIs for flags management and flag evaluation.

Documentation

Quick demo

Try it with Docker.

# Start the docker container
docker pull ghcr.io/openflagr/flagr
docker run -it -p 18000:18000 ghcr.io/openflagr/flagr

# Open the Flagr UI
open localhost:18000

Or try it on https://try-openflagr.herokuapp.com, it may take a while for a cold start.

curl --request POST \
     --url https://try-openflagr.herokuapp.com/api/v1/evaluation \
     --header 'content-type: application/json' \
     --data '{
       "entityID": "127",
       "entityType": "user",
       "entityContext": {
         "state": "NY"
       },
       "flagID": 1,
       "enableDebug": true
     }'

Flagr Evaluation Performance

Tested with vegeta. For more details, see benchmarks.

Requests      [total, rate]            56521, 2000.04
Duration      [total, attack, wait]    28.2603654s, 28.259999871s, 365.529µs
Latencies     [mean, 50, 95, 99, max]  371.632µs, 327.991µs, 614.918µs, 1.385568ms, 12.50012ms
Bytes In      [total, mean]            23250552, 411.36
Bytes Out     [total, mean]            8308587, 147.00
Success       [ratio]                  100.00%
Status Codes  [code:count]             200:56521
Error Set:

Flagr UI

Client Libraries

Language Clients
Go goflagr
Javascript jsflagr
Python pyflagr
Ruby rbflagr

License and Credits

  • openflagr/flagr Apache 2.0
  • checkr/flagr Apache 2.0
Issues
  • Expose Kafka Idempotency Config

    Expose Kafka Idempotency Config

    Resolving Issue #21

    Description

    • Upgraded Sarama Version
    • Exposed Sarama's new Idempotency config
    • Fixed issue with acks not being set properly (prerequisite for Idemptoncy)
    • Added config for Kafka MaxOpenRequests (prerequisite for Idemptoncy)

    Motivation and Context

    See Issue #21

    How Has This Been Tested?

    Manually regression and stress tested in our OpenShift environment, both with default Kafka configs and Idempotency enabled.

    Types of changes

    • [x] Bug fix (non-breaking change which fixes an issue)
    • [x] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)

    Checklist:

    • [x] My code follows the code style of this project.
    • [ ] My change requires a change to the documentation.
    • [ ] I have updated the documentation accordingly.
    • [ ] I have added tests to cover my changes.
    • [x] All new and existing tests passed.
    opened by fenriskiba 6
  • Adding support for Webhooks

    Adding support for Webhooks

    Description

    Adding a webhook for notifying other services when a change happens in flagr.

    Pretty much a copy of #410 which seems to be stale. Simplified it a bit and removed the slack portion of it, since there seems to be some discussions on how to implement that in a sane way.

    After this is merged we can rebase #410 and get the slack notification going

    Motivation and Context

    Useful for keeping an audit style log in another system

    How Has This Been Tested?

    By running the test suite, and done manual testing locally

    Types of changes

    • [ ] Bug fix (non-breaking change which fixes an issue)
    • [x] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)

    Checklist:

    • [x] My code follows the code style of this project.
    • [x] My change requires a change to the documentation.
    • [ ] I have updated the documentation accordingly.
    • [x] I have added tests to cover my changes.
    • [x] All new and existing tests passed.
    no-pr-activity 
    opened by sorenmat 5
  • Return 400 when flag.key is not unique

    Return 400 when flag.key is not unique

    The uniqueness constraint of flag.key is a known part of flag. Validation errors that rely on client-logic (uniqueness of a field) is responsibility of the client to implement, thus the server should return a 400-ish (e.g.: 400 Bad Request, 406 Not Acceptable, ...) and not a 500 Internal Server Error, since that is not the case.

    More info: #41

    Description

    Capture flag uniqueness errors to respond with 400 and not 500 since it is a client-side problem

    Motivation and Context

    #41

    How Has This Been Tested?

    Added a test in the controller, but probably not need an integration one...

    Types of changes

    • [x] Bug fix (non-breaking change which fixes an issue)
    • [ ] New feature (non-breaking change which adds functionality)
    • [x] Breaking change (fix or feature that would cause existing functionality to change)

    Checklist:

    • [x] My code follows the code style of this project.
    • [ ] My change requires a change to the documentation.
    • [ ] I have updated the documentation accordingly.
    • [x] I have added tests to cover my changes.
    • [x] All new and existing tests passed.

    Updates

    This can also happen on PUT /api/v1/flag/:id Key=AlreadyExistent.

    TODO

    • [x] Add integration tests for invalid POST
    • [x] Add integration tests for invalid PUT
    • [x] Add unit tests for invalid POST
    • [x] Add uni tests for invalid PUT
    • [x] Fix POST
    • [x] Fix PUT
    no-pr-activity 
    opened by marceloboeira 4
  • Flag Key Unique Constraint validation should not return 500

    Flag Key Unique Constraint validation should not return 500

    The uniqueness constraint of flag.key is a known part of flag. Validation errors that rely on client-logic (uniqueness of a field) is responsibility of the client to implement, thus the server should return a 400-ish (e.g.: 400 Bad Request, 406 Not Acceptable, ...) and not a 500 Internal Server Error, since that is not the case.

    Using httpie to exemplify:

    http POST :18000/api/v1/flags Description=Sweden key=SE
    
    HTTP/1.1 200 OK
    Content-Type: application/json
    
    {
        "dataRecordsEnabled": false,
        "description": "Sweden",
        "enabled": false,
        "id": 4,
        "key": "SE",
        "segments": [],
        "tags": [],
        "updatedAt": "2021-10-02T16:41:28.191Z",
        "variants": []
    }
    

    If you try that again, you should get something like...

    Expected Behavior

    http POST :18000/api/v1/flags Description=Sweden key=SE
    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    
    {
        "message": "cannot create flag. a flag with key=SE already exists"
    }
    

    But you end up getting a 500:

    Current Behavior

    http POST :18000/api/v1/flags Description=Sweden key=SE
    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json
    
    {
        "message": "cannot create flag. UNIQUE constraint failed: flags.key"
    }
    

    Possible Solution

    Intercept this uniqueness constraint error and fail gracefully

    Steps to Reproduce (for bugs)

    See above...

    Context

    Semantically, validations errors should be client errors, 400-ish, since the server doesn't fail, yet the client fails on trying to bypass the uniqueness of the field.

    Your Environment

    • Version used (flagr version): 1.1.13
    • Server type and version: docker/macOS Big Sur 11.6 (20G165)
    • Operating System and version (uname -a): Helsinki.local 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:21 PDT 2021; root:xnu-7195.141.6~3/RELEASE_X86_64 x86_64
    bug good first issue no-issue-activity 
    opened by marceloboeira 4
  • Bump minimist from 1.2.5 to 1.2.6 in /browser/flagr-ui

    Bump minimist from 1.2.5 to 1.2.6 in /browser/flagr-ui

    Bumps minimist from 1.2.5 to 1.2.6.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies javascript no-pr-activity 
    opened by dependabot[bot] 3
  • no root user + docker ignore dockerfile

    no root user + docker ignore dockerfile

    Description

    security recommendations are to avoid root in containers

    Motivation and Context

    How Has This Been Tested?

    Types of changes

    • [ ] Bug fix (non-breaking change which fixes an issue)
    • [ ] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)

    Checklist:

    • [ ] My code follows the code style of this project.
    • [ ] My change requires a change to the documentation.
    • [ ] I have updated the documentation accordingly.
    • [ ] I have added tests to cover my changes.
    • [ ] All new and existing tests passed.
    opened by glutamatt 3
  • Bump axios from 0.21.1 to 0.21.2 in /browser/flagr-ui

    Bump axios from 0.21.1 to 0.21.2 in /browser/flagr-ui

    Bumps axios from 0.21.1 to 0.21.2.

    Release notes

    Sourced from axios's releases.

    v0.21.2

    0.21.2 (September 4, 2021)

    Fixes and Functionality:

    • Updating axios requests to be delayed by pre-emptive promise creation (#2702)
    • Adding "synchronous" and "runWhen" options to interceptors api (#2702)
    • Updating of transformResponse (#3377)
    • Adding ability to omit User-Agent header (#3703)
    • Adding multiple JSON improvements (#3688, #3763)
    • Fixing quadratic runtime and extra memory usage when setting a maxContentLength (#3738)
    • Adding parseInt to config.timeout (#3781)
    • Adding custom return type support to interceptor (#3783)
    • Adding security fix for ReDoS vulnerability (#3980)

    Internal and Tests:

    • Updating build dev dependancies (#3401)
    • Fixing builds running on Travis CI (#3538)
    • Updating follow rediect version (#3694, #3771)
    • Updating karma sauce launcher to fix failing sauce tests (#3712, #3717)
    • Updating content-type header for application/json to not contain charset field, according do RFC 8259 (#2154)
    • Fixing tests by bumping karma-sauce-launcher version (#3813)
    • Changing testing process from Travis CI to GitHub Actions (#3938)

    Documentation:

    • Updating documentation around the use of AUTH_TOKEN with multiple domain endpoints (#3539)
    • Remove duplication of item in changelog (#3523)
    • Fixing gramatical errors (#2642)
    • Fixing spelling error (#3567)
    • Moving gitpod metion (#2637)
    • Adding new axios documentation website link (#3681, #3707)
    • Updating documentation around dispatching requests (#3772)
    • Adding documentation for the type guard isAxiosError (#3767)
    • Adding explanation of cancel token (#3803)
    • Updating CI status badge (#3953)
    • Fixing errors with JSON documentation (#3936)
    • Fixing README typo under Request Config (#3825)
    • Adding axios-multi-api to the ecosystem file (#3817)
    • Adding SECURITY.md to properly disclose security vulnerabilities (#3981)

    Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

    ... (truncated)

    Changelog

    Sourced from axios's changelog.

    0.21.2 (September 4, 2021)

    Fixes and Functionality:

    • Updating axios requests to be delayed by pre-emptive promise creation (#2702)
    • Adding "synchronous" and "runWhen" options to interceptors api (#2702)
    • Updating of transformResponse (#3377)
    • Adding ability to omit User-Agent header (#3703)
    • Adding multiple JSON improvements (#3688, #3763)
    • Fixing quadratic runtime and extra memory usage when setting a maxContentLength (#3738)
    • Adding parseInt to config.timeout (#3781)
    • Adding custom return type support to interceptor (#3783)
    • Adding security fix for ReDoS vulnerability (#3980)

    Internal and Tests:

    • Updating build dev dependancies (#3401)
    • Fixing builds running on Travis CI (#3538)
    • Updating follow rediect version (#3694, #3771)
    • Updating karma sauce launcher to fix failing sauce tests (#3712, #3717)
    • Updating content-type header for application/json to not contain charset field, according do RFC 8259 (#2154)
    • Fixing tests by bumping karma-sauce-launcher version (#3813)
    • Changing testing process from Travis CI to GitHub Actions (#3938)

    Documentation:

    • Updating documentation around the use of AUTH_TOKEN with multiple domain endpoints (#3539)
    • Remove duplication of item in changelog (#3523)
    • Fixing gramatical errors (#2642)
    • Fixing spelling error (#3567)
    • Moving gitpod metion (#2637)
    • Adding new axios documentation website link (#3681, #3707)
    • Updating documentation around dispatching requests (#3772)
    • Adding documentation for the type guard isAxiosError (#3767)
    • Adding explanation of cancel token (#3803)
    • Updating CI status badge (#3953)
    • Fixing errors with JSON documentation (#3936)
    • Fixing README typo under Request Config (#3825)
    • Adding axios-multi-api to the ecosystem file (#3817)
    • Adding SECURITY.md to properly disclose security vulnerabilities (#3981)

    Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

    ... (truncated)

    Commits
    Maintainer changes

    This version was pushed to npm by jasonsaayman, a new releaser for axios since your current version.


    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies javascript no-pr-activity 
    opened by dependabot[bot] 3
  • Bump path-parse from 1.0.6 to 1.0.7 in /browser/flagr-ui

    Bump path-parse from 1.0.6 to 1.0.7 in /browser/flagr-ui

    Bumps path-parse from 1.0.6 to 1.0.7.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies javascript no-pr-activity 
    opened by dependabot[bot] 3
  • Bump url-parse from 1.5.1 to 1.5.3 in /browser/flagr-ui

    Bump url-parse from 1.5.1 to 1.5.3 in /browser/flagr-ui

    Bumps url-parse from 1.5.1 to 1.5.3.

    Commits
    • ad44493 [dist] 1.5.3
    • c798461 [fix] Fix host parsing for file URLs (#210)
    • 201034b [dist] 1.5.2
    • 2d9ac2c [fix] Sanitize only special URLs (#209)
    • fb128af [fix] Use 'null' as origin for non special URLs
    • fed6d9e [fix] Add a leading slash only if the URL is special
    • 94872e7 [fix] Do not incorrectly set the slashes property to true
    • 81ab967 [fix] Ignore slashes after the protocol for special URLs
    • ee22050 [ci] Use GitHub Actions
    • d2979b5 [fix] Special case the file: protocol (#204)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies javascript no-pr-activity 
    opened by dependabot[bot] 3
  • Bump color-string from 1.5.4 to 1.6.0 in /browser/flagr-ui

    Bump color-string from 1.5.4 to 1.6.0 in /browser/flagr-ui

    Bumps color-string from 1.5.4 to 1.6.0.

    Release notes

    Sourced from color-string's releases.

    1.6.0

    Minor release 1.6.0

    • #55 - Add support for space-separated HSL

    Thanks @​htunnicliff for the contribution :)

    1.5.5 (Patch/Security Release) - hwb() ReDos patch (low-severity)

    Release notes copied verbatim from the commit message, which can be found here: 0789e21284c33d89ebc4ab4ca6f759b9375ac9d3

    Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
    

    A ReDos (Regular Expression Denial of Service) vulnerability was responsibly disclosed to me via email by Colin on Mar 5 2021 regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

    Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

    The cause was due to a the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

    This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

    Thank you Yeting Li and Colin Ife for bringing this to my attention in a secure, responsible and professional manner.

    A CVE will not be assigned for this vulnerability.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies javascript no-pr-activity 
    opened by dependabot[bot] 3
  • Fix id is readonly when update distrib

    Fix id is readonly when update distrib

    Description

    a quick and dirty patch to respect flagr api when updating distributions

    Motivation and Context

    image

    How Has This Been Tested?

    i tried the ui, by hand, checked the http request with chrome dev tool, in a dev env in my company

    Types of changes

    • [x] Bug fix (non-breaking change which fixes an issue)
    • [ ] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)

    Checklist:

    • [ ] My code follows the code style of this project.
    • [ ] My change requires a change to the documentation.
    • [ ] I have updated the documentation accordingly.
    • [ ] I have added tests to cover my changes.
    • [x] All new and existing tests passed.
    no-pr-activity 
    opened by glutamatt 3
  • Turn on dependabot vulnerability scanning

    Turn on dependabot vulnerability scanning

    There is a bunch of vulnerabilities in many of the node modules in browser/flagr-ui/package-lock.json

    Expected Behavior

    Dependabot vulnerability scanning is turned on, making it easier to manage

    Current Behavior

    Currently vulnerabilities in node and go package dependencies are not fixed.

    Possible Solutions

    1. We could open PR's for all of them, but i think its easier if dependabot does that.
    2. Diverge our fork (which is not preferable)

    Steps to Reproduce (for bugs)

    1. Fork this repository
    2. Enable dependabot vulnerability scanning
    3. See the PR's created and the dependabot alerts

    Context

    1. Some of those vulnerbilities might be subject to real security concerns.
    2. For enterprises that are under security compliance, its a benefit to have as many vulnerabilities fixed as possible.
    opened by JesperTerkelsen 0
  • Bump eventsource from 1.0.7 to 1.1.1 in /browser/flagr-ui

    Bump eventsource from 1.0.7 to 1.1.1 in /browser/flagr-ui

    Bumps eventsource from 1.0.7 to 1.1.1.

    Changelog

    Sourced from eventsource's changelog.

    1.1.1

    • Do not include authorization and cookie headers on redirect to different origin (#273 Espen Hovlandsdal)

    1.1.0

    • Improve performance for large messages across many chunks (#130 Trent Willis)
    • Add createConnection option for http or https requests (#120 Vasily Lavrov)
    • Support HTTP 302 redirects (#116 Ryan Bonte)
    • Prevent sequential errors from attempting multiple reconnections (#125 David Patty)
    • Add new to correct test (#111 Stéphane Alnet)
    • Fix reconnections attempts now happen more than once (#136 Icy Fish)
    Commits
    • aa7a408 1.1.1
    • 56d489e chore: rebuild polyfill
    • 4a951e5 docs: update history for 1.1.1
    • f9f6416 fix: strip sensitive headers on redirect to different origin
    • 9dd0687 1.1.0
    • 49497ba Update history for 1.1.0 (#146)
    • 3a38537 Update history for #136
    • 46fe04e Merge pull request #136 from icy-fish/master
    • 9a4190f Fix issue: reconnection only happends for 1 time after connection drops
    • 61e1b19 test: destroy both proxied request and response on close
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies javascript 
    opened by dependabot[bot] 0
  • Support for Arm64 image?

    Support for Arm64 image?

    Any plans to support an image for arm? I tried building it myself but frolvlad/alpine-glibc doesn't have support for arm images.

    I tried replacing to similar images: pingcap/alpine-glibc:alpine-3.14.3 zjingjie/alpine-glibc:alpine-3.10-arm64

    The build works but there is a dependency missing:

    /go/src/github.com/openflagr/flagr # ldd ./flagr
    	/lib/ld-linux-aarch64.so.1 (0xffffb0e95000)
    	libpthread.so.0 => /lib/ld-linux-aarch64.so.1 (0xffffb0e95000)
    	libdl.so.2 => /lib/ld-linux-aarch64.so.1 (0xffffb0e95000)
    	libc.so.6 => /lib/ld-linux-aarch64.so.1 (0xffffb0e95000)
    Error relocating ./flagr: fcntl64: symbol not found
    

    Any help would be much appreciated

    opened by NadavkOptimalQ 0
  • Adding support for Webhooks (rebase of #38)

    Adding support for Webhooks (rebase of #38)

    This is a rebase of #38 with gorm2 change. We rely on the webhooks for internal auditing, and would like to avoid running off our fork if possible.

    Description

    Adding a webhook for notifying other services when a change happens in flagr.

    Pretty much a copy of #410 which seems to be stale. Simplified it a bit and removed the slack portion of it, since there seems to be some discussions on how to implement that in a sane way.

    After this is merged we can rebase #410 and get the slack notification going

    Motivation and Context

    Useful for keeping an audit style log in another system

    How Has This Been Tested?

    By running the test suite, and done manual testing locally

    Currently investigating why the rebased image fails to start in the demo state. panic: no such table: flags_tags; no such table: flags_tags update: I see the same issue from the current main branch.

    Types of changes

    • [ ] Bug fix (non-breaking change which fixes an issue)
    • [x] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)

    Checklist:

    • [x] My code follows the code style of this project.
    • [x] My change requires a change to the documentation.
    • [ ] I have updated the documentation accordingly.
    • [x] I have added tests to cover my changes.
    • [x] All new and existing tests passed.
    opened by wejendorp 1
  • Bump async from 2.6.3 to 2.6.4 in /browser/flagr-ui

    Bump async from 2.6.3 to 2.6.4 in /browser/flagr-ui

    Bumps async from 2.6.3 to 2.6.4.

    Changelog

    Sourced from async's changelog.

    v2.6.4

    • Fix potential prototype pollution exploit (#1828)
    Commits
    Maintainer changes

    This version was pushed to npm by hargasinski, a new releaser for async since your current version.


    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies javascript 
    opened by dependabot[bot] 0
Releases(1.1.13)
  • 1.1.13(Aug 7, 2021)

    1.1.13

    Merged

    • Prepare for 1.1.13 release #13
    • Remove github.com/dgrijalva/jwt-go #10
    • [skip ci] Add try-openflagr website #6
    • Add codecov and fix docs #5
    • Add github CI #1
    • Upgrade to 1.16 #460
    • Fix markdown-it xss and sqlite3 build issue #451
    • Bump y18n from 4.0.0 to 4.0.3 in /browser/flagr-ui #444
    • Bump ssri from 6.0.1 to 6.0.2 in /browser/flagr-ui #441
    • Fix integration tests #443
    • Bump elliptic from 6.5.3 to 6.5.4 in /browser/flagr-ui #435
    • Add dropdown by state to filter flags #433
    • Bump swagger cli / golangci-lint / UI related package.json #432
    • Fix typo in home.md #415
    • Add support for kafka auth using SASL with PLAIN mechanism #412
    • Evaluation with FlagTagsOperator to match any or all tags #408
    • Allow /api/v1/health bypass auth default #407

    Commits

    Migration Guide

    All the integration tests are the same, which guarantees the

    • API backward compatibility with checkr/flagr:1.1.12
    • Environment variables are the same and don't need any changes

    Docker users:

    docker pull checkr/flagr:1.1.12
    =>
    docker pull ghcr.io/openflagr/flagr:1.1.13
    

    Golang users:

    go get github.com/checkr/flagr
    =>
    go get github.com/openflagr/flagr
    
    Source code(tar.gz)
    Source code(zip)
The Zuri Core is an open-source API that serves as the backend and backbone of Zuri Chat

The Zuri Core is an open-source API that serves as the backend and backbone of Zuri Chat

Zuri Chat 123 Jun 3, 2022
RoadRunner: an open-source high-performance PHP application server, load balancer, and process manager

RoadRunner is an open-source (MIT licensed) high-performance PHP application server, load balancer, and process manager. It supports running as a serv

Spiral Scout 0 Jan 13, 2022
An open-source, on-prem feature flag solution

An open-source, on-prem feature flag solution Documentation | Features | Values | Examples | Enterprise Flipt is an open source, on-prem feature flag

Mark Phelps 1.8k Jun 29, 2022
CasaOS - A simple, easy-to-use, elegant open-source home server system.

CasaOS - A simple, easy-to-use, elegant open-source home server system. CasaOS is an open-source home server system based on the Docker ecosystem and

IceWhale 4k Jun 22, 2022
Go package for the BeagleBone open source hardware

go-beaglebone Go package for the BeagleBone open source hardware Also check out https://github.com/SpaceLeap/go-embedded This package builds on top of

Space Leap 15 Jul 6, 2019
Open platform to collect and prioritize product feedback

Fider A platform to collect and organize customer feedback. Let your customers share, vote and discuss on suggestions they have to make your product e

getfider 2k Jun 25, 2022
Files service for golang

files-service Demo: I. Overview Client call request download file, maybe send with token Server generate uuid, save to redis, ttl maybe 3s or 5s Clien

Nguyen Hong Minh 4 Apr 13, 2022
ready-to-use RTSP / RTMP server and proxy that allows to read, publish and proxy video and audio streams

rtsp-simple-server is a simple, ready-to-use and zero-dependency RTSP / RTMP server and proxy, a software that allows users to publish, read and proxy live video and audio streams. RTSP is a specification that describes how to perform these operations with the help of a server, that is contacted by both publishers and readers and relays the publisher's streams to the readers.

Alessandro Ros 3.3k Jun 29, 2022
Fully featured and highly configurable SFTP server with optional FTP/S and WebDAV support - S3, Google Cloud Storage, Azure Blob

SFTPGo Fully featured and highly configurable SFTP server with optional FTP/S and WebDAV support, written in Go. Several storage backends are supporte

Nicola Murino 4.4k Jun 27, 2022
⚡ A fast, lightweight, and secure chat protocol, client and server, written in Go.

⚡ A fast, lightweight, and secure chat protocol, client and server, written in Go.

Bolt 16 Jan 19, 2022
RBTI Golang Server uses PostgreSQL and for its main database and uses Elasticsearch

RBTI Golang Server This server is used for my thesis project, it uses PostgreSQL and for its main database and uses Elasticsearch for faster query spe

Haikal Ikhwan 0 Jan 17, 2022
✨ A lightweight HTTP server based on GO, will try to detect your OS and architecture and return as SHELL script. ✨

✨ A lightweight HTTP server based on GO, will try to detect your OS and architecture and return as SHELL script. ✨

Salvydas Lukosius 6 May 5, 2022
:tophat: Small self-contained pure-Go web server with Lua, Markdown, HTTP/2, QUIC, Redis and PostgreSQL support

Web server with built-in support for QUIC, HTTP/2, Lua, Markdown, Pongo2, HyperApp, Amber, Sass(SCSS), GCSS, JSX, BoltDB (built-in, stores the databas

Alexander F. Rødseth 2k Jun 25, 2022
A registry for resilient mid-tier load balancing and failover.

Discovery Discovery is a based service that is production-ready and primarily used at Bilibili for locating services for the purpose of load balancing

bilibili 1.7k Jun 27, 2022
A feature flag solution, with only a YAML file in the backend (S3, GitHub, HTTP, local file ...), no server to install, just add a file in a central system and refer to it. 🎛️

??️ go-feature-flag A feature flag solution, with YAML file in the backend (S3, GitHub, HTTP, local file ...). No server to install, just add a file i

Thomas Poignant 447 Jun 29, 2022
High-performance PHP application server, load-balancer and process manager written in Golang

[RR2-BETA] RoadRunner is an open-source (MIT licensed) high-performance PHP application server, load balancer, and process manager. It supports runnin

Spiral Scout 6.5k Jun 22, 2022
Simple webhook delivery system powered by Golang and PostgreSQL

postmand Simple webhook delivery system powered by Golang and PostgreSQL. Features Simple rest api with only three endpoints (webhooks/deliveries/deli

Allisson Azevedo 18 Jul 1, 2022
Oogway is a simple web server with dynamic content generation and extendability in mind supporting a Git based workflow.

Oogway Oogway is a simple web server with dynamic content generation and extendability in mind supporting a Git based workflow. It's somewhere in betw

Emvi 5 Mar 9, 2022