Cherry-pick 'Update vulnerable lib versions' into release/0.19
Original MR: !378 (merged)
This MR is a Cherry Pick into a Release Branch.
After the release branch is first created, any subsequent changes use this process to update the release (often resulting in a new patch tag) without incorporating all changes in the default branch. These MRs must be approved by the PMC before they are merged, since they alter the scope of the release. To see more details about the change itself, look at the Original MR listed above.
Skipped Pipeline
Normally, pipelines are not executed on the cherry pick branch/MR prior to merging. This optimization is accepted because the code was tested when it merged into the default branch, and will be tested again in the release branch prior to tagging. However, if anybody feels that the MR requires further scrutiny -- whether because it had conflicts in the cherry-picking, it interfaces with some drastically altered logic between the branches, or any other reason -- we can run the pipeline here prior to merging.
If There's Reason to Run a Pipeline
If you want to see a pipeline result before this merges, first add a comment explaining why you'd like to see the pipeline results so the PMC and others know your thinking.
Then, mark the MR as a Draft MR (using the vertical ellipsis above, choose 'Mark as Draft').
This prevents the MR from being approved & merged accidentally by a busy release coordinator who didn't see your comment.
Finally, if you are a maintainer on the project, launch a pipeline on this branch.
Since this branch is a protected branch and the MR has no-detached-pipeline set, all integration tests will run and there's no need for any trusted-*
branches.