upgrade jenkins.ovirt.org to latest LTS version

Description

Jenkins 2.46.2 LTS is out, our instance has to be updated.

https://jenkins.io/changelog-stable/

Activity

Former user May 3, 2017 at 10:59 PM

Update installed successfully. Got a warning that the dev-with-create role has an unsafe permission of "RunScripts" and removed it. Also there is a warning that Jenkins CLI remoting mode is now deprecated.

We can now focus on removing old plugins and applying best practices related to security settings.

Former user May 2, 2017 at 5:53 PM
Edited

Update tested on Staging, patch submitted for review. Will also combine this with OS updates and VM restarting to apply 4.1 cluster level.

Thanks for the feedback Barak. I'll log separate tickets to discuss deprecated plugins that we still use.

Barak Korren May 2, 2017 at 5:44 PM
Edited

I guess we can safely remove Build Flow and Dynamic Parameter. I don't know of any instances where they are used.

WRT PostBuildScript we'll need to examine the jobs we have and see if there is any suitable replacement. Please open a specific ticket so we'll look into that.

WRT Scriptler, it is used for manually invoked utility scripts. We have some of those and some of them are even documented in infra-docs. They are not used very frequently so we may be able to do without them (WDYT?). We can even convert them to system pipeline jobs if needed.

Former user May 2, 2017 at 12:34 PM

Also, several plugins got security updates:

  • git-client 2.4.5
    • credentials 2.1.13
    • ssh-credentials version:1.13
    • structs version:1.6
  • warnings 4.62
  • role-strategy 2.4.0

I'm applying these to staging to test before installing the update in production.

Also, there are 4 plugins with vulnerabilities that aren't maintained any more, so we need to check if they're still used and remove them if not:

| plugin | details |
|---|---|
| Build Flow Plugin | deprecated, use of Pipeline recommended |
| Dynamic Parameter Plug-in | unmaintained |
| PostBuildScript Plugin | unmaintained |
| Scriptler Plugin | |

Do you know if we are actively using the above plugins? Most of them have privilege escalation vulnerabilities for authenticated users with Job/Configure privileges, which is not a big deal in our case as such users have other permissions as well, yet if we don't use some of them, it's always best to remove them.
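One way to answer the "are these plugins still used?" question from the thread, as an added example that is not part of the original ticket or the oVirt infra code: scan every job's config.xml under JENKINS_HOME for elements contributed by the four plugins. The plugin short names, class name, versions and sample job configs below are assumptions constructed for illustration; confirm the short names in the instance's Plugin Manager.

```python
import re
import tempfile
from pathlib import Path

# Plugin short names: assumptions, confirm them in the instance's Plugin Manager.
SUSPECT_PLUGINS = {"build-flow-plugin", "dynamicparameter", "postbuildscript", "scriptler"}

# Jenkins tags XML elements contributed by a plugin with plugin="<short-name>@<version>".
# A regex keeps the scan tolerant of config files a strict XML parser would reject.
PLUGIN_ATTR = re.compile(r'\bplugin="([^"@]+)@([^"]*)"')


def find_plugin_usage(jenkins_home, suspects=SUSPECT_PLUGINS):
    """Return {plugin: sorted job paths} for job configs that reference a suspect plugin."""
    usage = {name: set() for name in suspects}
    jobs_dir = Path(jenkins_home) / "jobs"
    # "**" also reaches jobs nested inside folders (jobs/<folder>/jobs/<job>/config.xml).
    for config in jobs_dir.glob("**/config.xml"):
        text = config.read_text(encoding="utf-8", errors="replace")
        for plugin, _version in PLUGIN_ATTR.findall(text):
            if plugin in usage:
                usage[plugin].add(config.parent.relative_to(jobs_dir).as_posix())
    return {name: sorted(jobs) for name, jobs in usage.items()}


def build_sample_home(root):
    """Write a constructed JENKINS_HOME with two sample job configs (not real oVirt jobs)."""
    samples = {
        "deploy-utils": '<project><publishers>'
                        '<org.jenkinsci.plugins.postbuildscript.PostBuildScript'
                        ' plugin="postbuildscript@0.17"/></publishers></project>',
        "unit-tests": '<project><scm class="hudson.plugins.git.GitSCM"'
                      ' plugin="git@3.3.0"/></project>',
    }
    for job, xml in samples.items():
        job_dir = Path(root) / "jobs" / job
        job_dir.mkdir(parents=True)
        (job_dir / "config.xml").write_text(xml, encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample_home(home)
        for plugin, jobs in sorted(find_plugin_usage(home).items()):
            print(f"{plugin}: {', '.join(jobs) or 'no job references found'}")
```

An empty result only shows that no job configuration references the plugin; manually invoked Scriptler scripts, as described in the reply above, leave no trace in job configs and have to be reviewed separately.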

Done

Created April 28, 2017 at 5:39 PM
Updated June 1, 2017 at 11:31 AM
Resolved May 3, 2017 at 10:59 PM