diff --git a/CHANGELOG.md b/CHANGELOG.md index 238bd3fc5909..7fd354a55297 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - [CVE-2021-35065] Bump glob-parent from `6.0.0` to `6.0.2` ([#3742](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3742)) - [CVE-2022-25851] Bump jpeg-js from `0.4.1` to `0.4.4` ([#3741](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3741)) - [CVE-2022-48285] Bump jszip from `3.7.1` to `3.10.1` ([#3740](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3740)) +- Bump `joi` to v14 to avoid the possibility of prototype poisoning in a nested dependency ([#3952](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3952)) ### 📈 Features/Enhancements diff --git a/package.json b/package.json index 47bc2036f8cd..90aeb7562326 100644 --- a/package.json +++ b/package.json @@ -206,7 +206,7 @@ "inert": "^5.1.0", "inline-style": "^2.0.0", "ip-cidr": "^2.1.0", - "joi": "^13.5.2", + "joi": "^14.3.1", "js-yaml": "^3.14.0", "json-stable-stringify": "^1.0.1", "json-stringify-safe": "5.0.1", diff --git a/packages/osd-config-schema/package.json b/packages/osd-config-schema/package.json index e6e6aed20d8a..88e52b36f984 100644 --- a/packages/osd-config-schema/package.json +++ b/packages/osd-config-schema/package.json @@ -16,7 +16,7 @@ }, "peerDependencies": { "lodash": "^4.17.21", - "joi": "^13.5.2", + "joi": "^14.3.1", "moment": "^2.24.0", "type-detect": "^4.0.8" } diff --git a/packages/osd-test/package.json b/packages/osd-test/package.json index 3d36be8507f4..8efbba85bd63 100644 --- a/packages/osd-test/package.json +++ b/packages/osd-test/package.json @@ -31,7 +31,7 @@ "exit-hook": "^2.2.0", "getopts": "^2.2.5", "glob": "^7.1.7", - "joi": "^13.5.2", + "joi": "^14.3.1", "lodash": "^4.17.21", "parse-link-header": "^2.0.0", "rxjs": "^6.5.5", diff --git a/yarn.lock b/yarn.lock index 9c0865096ee0..dcabc450cf50 100644 --- a/yarn.lock +++ b/yarn.lock @@ -11130,9 +11130,9 @@ hoek@5.x.x, hoek@^5.0.4: integrity sha512-Alr4ZQgoMlnere5FZJsIyfIjORBqZll5POhDsF4q64dPuJR6rNxXdDxtHSQq8OXRurhmx+PWYEE8bXRROY8h0w== hoek@6.x.x: - version "6.0.3" - resolved "https://registry.yarnpkg.com/hoek/-/hoek-6.0.3.tgz#7884360426d927865a0a1251fc9c59313af5b798" - integrity sha512-TU6RyZ/XaQCTWRLrdqZZtZqwxUVr6PDMfi6MlWNURZ7A6czanQqX4pFE1mdOUQR9FdPCsZ0UzL8jI/izZ+eBSQ== + version "6.1.3" + resolved "https://registry.yarnpkg.com/hoek/-/hoek-6.1.3.tgz#73b7d33952e01fe27a38b0457294b79dd8da242c" + integrity sha512-YXXAAhmF9zpQbC7LEcREFtXfGq5K1fmd+4PHkBq8NUqmzW3G+Dq10bI/i0KucLRwss3YYFQ0fSfoxBZYiGUqtQ== hoist-non-react-statics@^2.5.5, hoist-non-react-statics@^3.0.0, hoist-non-react-statics@^3.1.0, hoist-non-react-statics@^3.3.0, hoist-non-react-statics@^3.3.2: version "3.3.2" @@ -13248,7 +13248,7 @@ jju@~1.4.0: resolved "https://registry.yarnpkg.com/jju/-/jju-1.4.0.tgz#a3abe2718af241a2b2904f84a625970f389ae32a" integrity sha1-o6vicYryQaKykE+EpiWXDzia4yo= -joi@13.x.x, joi@^13.5.2: +joi@13.x.x: version "13.7.0" resolved "https://registry.yarnpkg.com/joi/-/joi-13.7.0.tgz#cfd85ebfe67e8a1900432400b4d03bbd93fb879f" integrity sha512-xuY5VkHfeOYK3Hdi91ulocfuFopwgbSORmIwzcwHKESQhC7w1kD5jaVSPnqDxS2I8t3RZ9omCKAxNwXN5zG1/Q== @@ -13257,6 +13257,15 @@ joi@13.x.x, joi@^13.5.2: isemail "3.x.x" topo "3.x.x" +joi@^14.3.1: + version "14.3.1" + resolved "https://registry.yarnpkg.com/joi/-/joi-14.3.1.tgz#164a262ec0b855466e0c35eea2a885ae8b6c703c" + integrity sha512-LQDdM+pkOrpAn4Lp+neNIFV3axv1Vna3j38bisbQhETPMANYRbFJFUyOZcOClYvM/hppMhGWuKSFEK9vjrB+bQ== + dependencies: + hoek "6.x.x" + isemail "3.x.x" + topo "3.x.x" + jpeg-js@^0.4.0: version "0.4.4" resolved "https://registry.yarnpkg.com/jpeg-js/-/jpeg-js-0.4.4.tgz#a9f1c6f1f9f0fa80cdb3484ed9635054d28936aa"