From 430c93b51f538e7322aeb1ecca3dcee36794836f Mon Sep 17 00:00:00 2001 From: Anan Zhuang Date: Thu, 30 Mar 2023 11:35:16 -0700 Subject: [PATCH 1/3] [CVE-2021-3803][1.x] Bump nth-check from 1.0.2 to 2.0.1 (#3729) Issue Resolve https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1081 Backport PR https://github.com/opensearch-project/OpenSearch-Dashboards/pull/1422 Signed-off-by: Anan Zhuang --- CHANGELOG.md | 2 ++ package.json | 1 + yarn.lock | 14 +++++++------- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee3e300b611f..6a25afbce40c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,8 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) ### 🛡 Security +- [CVE-2021-3803] Bump nth-check from `1.0.2` to `2.0.1` ([#3729](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3729)) + ### 📈 Features/Enhancements - [Optimizer] Increase timeout waiting for the exiting of an optimizer worker ([#3193](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3193)) diff --git a/package.json b/package.json index 21babf90bf26..f117356ef266 100644 --- a/package.json +++ b/package.json @@ -111,6 +111,7 @@ "**/node-jose": "^2.2.0", "**/node-jose/node-forge": "^0.10.0", "**/normalize-url": "^4.5.1", + "**/nth-check": "^2.0.1", "**/prismjs": "^1.23.0", "**/qs": "^6.11.0", "**/react-syntax-highlighter": "^15.3.1", diff --git a/yarn.lock b/yarn.lock index a7245bc6235d..63fb5894dea0 100644 --- a/yarn.lock +++ b/yarn.lock 
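Review bot: The `"**/nth-check": "^2.0.1"` entry added to package.json overrides a transitive `~1.0.1` request with a semver-major release, and the yarn.lock hunk that follows confirms it (`nth-check@^2.0.1, nth-check@~1.0.1:` now resolves to 2.1.1, a version outside the range that consumer asked for). A forced major-version override can change the package's export shape or behaviour for that dependent, which is not visible in this patch, so the commit should record which consumer was exercised against nth-check 2.x, and a short comment would help future readers: `// nth-check forced to 2.x (CVE-2021-3803); consumer requesting ~1.0.1 verified against 2.x — see #3729`. The `**/` glob keys indicate a yarn `resolutions` block whose start and end lie outside the hunk. Separately, the changelog entry and commit title say `2.0.1` while the lockfile resolves `2.1.1`; stating the range that was pinned, e.g. `Bump nth-check from 1.0.2 to ^2.0.1 (resolves to 2.1.1)`, would keep the record accurate.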
@@ -5126,10 +5126,10 @@ bonjour@^3.5.0: multicast-dns "^6.0.1" multicast-dns-service-types "^1.1.0" -boolbase@~1.0.0: +boolbase@^1.0.0, boolbase@~1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/boolbase/-/boolbase-1.0.0.tgz#68dff5fbe60c51eb37725ea9e3ed310dcc1e776e" - integrity sha1-aN/1++YMUes3cl6p4+0xDcwed24= + integrity sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww== boom@7.x.x, boom@^7.2.0: version "7.2.2" @@ -15564,12 +15564,12 @@ npmlog@^4.0.0, npmlog@^4.1.2: gauge "~2.7.3" set-blocking "~2.0.0" -nth-check@~1.0.1: - version "1.0.2" - resolved "https://registry.yarnpkg.com/nth-check/-/nth-check-1.0.2.tgz#b2bd295c37e3dd58a3bf0700376663ba4d9cf05c" - integrity sha512-WeBOdju8SnzPN5vTUJYxYUxLeXpCaVP5i5e0LF8fg7WORF2Wd7wFX/pk0tYZk7s8T+J7VLy0Da6J1+wCT0AtHg== +nth-check@^2.0.1, nth-check@~1.0.1: + version "2.1.1" + resolved "https://registry.yarnpkg.com/nth-check/-/nth-check-2.1.1.tgz#c9eab428effce36cd6b92c924bdb000ef1f1ed1d" + integrity sha512-lqjrjmaOoAnWfMmBPL+XNnynZh2+swxiX3WUE0s4yEHI6m+AwrK2UZOimIRl3X/4QctVqS8AiZjFqyOGrMXb/w== dependencies: - boolbase "~1.0.0" + boolbase "^1.0.0" num2fraction@^1.2.2: version "1.2.2" From 53d2d91b930a63dedebae236ffa1703c2e388752 Mon Sep 17 00:00:00 2001 From: Anan Zhuang Date: Thu, 30 Mar 2023 12:50:15 -0700 Subject: [PATCH 2/3] [CVE-2021-23382][1.x] Bump postcss from 8.2.10 to 8.2.13 (#3739) Issue Resolve https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1094 Signed-off-by: Anan Zhuang Co-authored-by: Josh Romero --- CHANGELOG.md | 1 + package.json | 2 +- packages/osd-optimizer/package.json | 2 +- packages/osd-ui-framework/package.json | 2 +- yarn.lock | 48 +++++++++++++++++--------- 5 files changed, 35 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6a25afbce40c..1d280620fa06 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,6 +9,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) ### 🛡 Security +- [CVE-2021-23382] Bump postcss from `8.2.10` to `8.2.13` ([#3739](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3739)) - [CVE-2021-3803] Bump nth-check from `1.0.2` to `2.0.1` ([#3729](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3729)) ### 📈 Features/Enhancements diff --git a/package.json b/package.json index f117356ef266..2cbc0a12f073 100644 --- a/package.json +++ b/package.json @@ -459,7 +459,7 @@ "nyc": "^14.1.1", "pixelmatch": "^5.1.0", "pngjs": "^3.4.0", - "postcss": "^8.2.10", + "postcss": "^8.2.13", "prettier": "^2.1.1", "prop-types": "^15.7.2", "react-grid-layout": "^0.16.2", diff --git a/packages/osd-optimizer/package.json b/packages/osd-optimizer/package.json index 8c98a1a01fbd..31e107812151 100644 --- a/packages/osd-optimizer/package.json +++ b/packages/osd-optimizer/package.json @@ -33,7 +33,7 @@ "node-sass": "sass/node-sass#v5", "normalize-path": "^3.0.0", "pirates": "^4.0.1", - "postcss": "^8.2.10", + "postcss": "^8.2.13", "rxjs": "^6.5.5", "source-map-support": "^0.5.19", "terser-webpack-plugin": "^2.1.2", diff --git a/packages/osd-ui-framework/package.json b/packages/osd-ui-framework/package.json index 513e0cd8b75e..f880b5b3dda4 100644 --- a/packages/osd-ui-framework/package.json +++ b/packages/osd-ui-framework/package.json @@ -54,7 +54,7 @@ "keymirror": "0.1.1", "moment": "^2.24.0", "node-sass": "sass/node-sass#v5", - "postcss": "^8.2.10", + "postcss": "^8.2.13", "postcss-loader": "^3.0.0", "raw-loader": "^3.1.0", "react-dom": "^16.12.0", diff --git a/yarn.lock b/yarn.lock index 63fb5894dea0..17f51440e675 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -6303,7 +6303,7 @@ color@3.0.x: color-convert "^1.9.1" color-string "^1.5.2" -colorette@^1.2.0, colorette@^1.2.2: +colorette@^1.2.0: version "1.2.2" resolved "https://registry.yarnpkg.com/colorette/-/colorette-1.2.2.tgz#cbcc79d5e99caea2dbf10eb3a26fd8b3e6acfa94" integrity sha512-MKGMzyfeuutC/ZJ1cba9NqcNpfeqMUcYmyF1ZFY6/Cn7CNSAKx6a+s48sqLqyAiZuaP2TcqMhoo+dlwFnVxT9w== @@ -15136,10 +15136,10 @@ nano-css@^5.2.1: stacktrace-js "^2.0.0" stylis "3.5.0" -nanoid@^3.1.22: - version "3.3.3" - resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.3.tgz#fd8e8b7aa761fe807dba2d1b98fb7241bb724a25" - integrity sha512-p1sjXuopFs0xg+fPASzQ28agW1oHD7xDsd9Xkf3T15H3c/cifrFHVwrh74PdoklAPi+i7MdRsE47vm2r6JoB+w== +nanoid@^3.3.4: + version "3.3.6" + resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.6.tgz#443380c856d6e9f9824267d960b4236ad583ea4c" + integrity sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA== nanomatch@^1.2.9: version "1.2.9" @@ -16558,6 +16558,16 @@ phin@^2.9.1: resolved "https://registry.yarnpkg.com/phin/-/phin-2.9.3.tgz#f9b6ac10a035636fb65dfc576aaaa17b8743125c" integrity sha512-CzFr90qM24ju5f88quFC/6qohjC144rehe5n6DH900lgXmUe86+xCKc10ev56gRKC4/BkHUoG4uSiQgBiIXwDA== +picocolors@^0.2.1: + version "0.2.1" + resolved "https://registry.yarnpkg.com/picocolors/-/picocolors-0.2.1.tgz#570670f793646851d1ba135996962abad587859f" + integrity sha512-cMlDqaLEqfSaW8Z7N5Jw+lyIW869EzT73/F5lhtY9cLGoVxSXznfgfXMO0Z5K0o0Q2TkTXq+0KFsdnSe3jDViA== + +picocolors@^1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/picocolors/-/picocolors-1.0.0.tgz#cb5bdc74ff3f51892236eaf79d68bc44564ab81c" + integrity sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ== + picomatch@^2.0.4, picomatch@^2.0.5, picomatch@^2.2.1: version "2.2.2" resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.2.2.tgz#21f333e9b6b8eaff02468f5146ea406d345f4dad" 
@@ -16766,22 +16776,21 @@ postcss-value-parser@^4.0.0, postcss-value-parser@^4.0.2, postcss-value-parser@^ integrity sha512-97DXOFbQJhk71ne5/Mt6cOu6yxsSfM0QGQyl0L25Gca4yGWEGJaig7l7gbCX623VqTBNGLRLaVUCnNkcedlRSQ== postcss@^7.0.0, postcss@^7.0.14, postcss@^7.0.16, postcss@^7.0.32, postcss@^7.0.5, postcss@^7.0.6: - version "7.0.36" - resolved "https://registry.yarnpkg.com/postcss/-/postcss-7.0.36.tgz#056f8cffa939662a8f5905950c07d5285644dfcb" - integrity sha512-BebJSIUMwJHRH0HAQoxN4u1CN86glsrwsW0q7T+/m44eXOUAxSNdHRkNZPYz5vVUbg17hFgOQDE7fZk7li3pZw== + version "7.0.39" + resolved "https://registry.yarnpkg.com/postcss/-/postcss-7.0.39.tgz#9624375d965630e2e1f2c02a935c82a59cb48309" + integrity sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA== dependencies: - chalk "^2.4.2" + picocolors "^0.2.1" source-map "^0.6.1" - supports-color "^6.1.0" -postcss@^8.2.10: - version "8.2.10" - resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.2.10.tgz#ca7a042aa8aff494b334d0ff3e9e77079f6f702b" - integrity sha512-b/h7CPV7QEdrqIxtAf2j31U5ef05uBDuvoXv6L51Q4rcS1jdlXAVKJv+atCFdUXYl9dyTHGyoMzIepwowRJjFw== +postcss@^8.2.13: + version "8.4.21" + resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.4.21.tgz#c639b719a57efc3187b13a1d765675485f4134f4" + integrity sha512-tP7u/Sn/dVxK2NnruI4H9BG+x+Wxz6oeZ1cJ8P6G/PZY0IKk4k/63TDsQf2kQq3+qoJeLm2kIBUNlZe3zgb4Zg== dependencies: - colorette "^1.2.2" - nanoid "^3.1.22" - source-map "^0.6.1" + nanoid "^3.3.4" + picocolors "^1.0.0" + source-map-js "^1.0.2" prelude-ls@~1.1.2: version "1.1.2" 
@@ -19181,6 +19190,11 @@ source-list-map@^2.0.0: resolved "https://registry.yarnpkg.com/source-list-map/-/source-list-map-2.0.1.tgz#3993bd873bfc48479cca9ea3a547835c7c154b34" integrity sha512-qnQ7gVMxGNxsiL4lEuJwe/To8UnK7fAnmbGEEH8RpLouuKbeEm0lhbQVFIrNSuB+G7tVrAlVsZgETT5nljf+Iw== +source-map-js@^1.0.2: + version "1.0.2" + resolved "https://registry.yarnpkg.com/source-map-js/-/source-map-js-1.0.2.tgz#adbc361d9c62df380125e7f161f71c826f1e490c" + integrity sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw== + source-map-resolve@^0.5.0, source-map-resolve@^0.5.2: version "0.5.2" resolved "https://registry.yarnpkg.com/source-map-resolve/-/source-map-resolve-0.5.2.tgz#72e2cc34095543e43b2c62b2c4c10d4a9054f259" From 65deacbe79825cddfac04ce653c3455d5578d371 Mon Sep 17 00:00:00 2001 From: Anan Zhuang Date: Thu, 30 Mar 2023 17:13:18 -0700 Subject: [PATCH 3/3] [CVE-2022-1537][CVE-2022-0436][1.x]bump grunt from 1.4.1 to 1.5.3 (#3723) Main bump grunt via this PR: https://github.com/opensearch-project/OpenSearch-Dashboards/pull/1580 In 1.x, bump grunt is different because v1.5.3 requires node>=8 and no breaking changes. This is the latest version with no node conflicts. grunt requires node>=16 sincev1.6.0 . Therefore, we should be very specific and limit the bump range. Issue Resolve: https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1579 https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1450 Signed-off-by: Anan Zhuang Co-authored-by: Josh Romero --- CHANGELOG.md | 2 ++ package.json | 2 +- packages/osd-ui-framework/package.json | 2 +- yarn.lock | 16 ++++++++-------- 4 files changed, 12 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d280620fa06..225a83dc581d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,6 +9,8 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) ### 🛡 Security +- [CVE-2022-1537] Bump grunt from `1.4.1` to `1.5.3` ([#3723](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3723)) +- [CVE-2022-0436] Bump grunt from `1.4.1` to `1.5.3` ([#3723](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3723)) - [CVE-2021-23382] Bump postcss from `8.2.10` to `8.2.13` ([#3739](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3739)) - [CVE-2021-3803] Bump nth-check from `1.0.2` to `2.0.1` ([#3729](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3729)) diff --git a/package.json b/package.json index 2cbc0a12f073..5c6cef6175b1 100644 --- a/package.json +++ b/package.json @@ -415,7 +415,7 @@ "fp-ts": "^2.3.1", "geckodriver": "^1.21.0", "getopts": "^2.2.5", - "grunt": "^1.4.1", + "grunt": "~1.5.3", "grunt-available-tasks": "^0.6.3", "grunt-cli": "^1.4.3", "grunt-contrib-watch": "^1.1.0", diff --git a/packages/osd-ui-framework/package.json b/packages/osd-ui-framework/package.json index f880b5b3dda4..4cd68147f8b8 100644 --- a/packages/osd-ui-framework/package.json +++ b/packages/osd-ui-framework/package.json @@ -42,7 +42,7 @@ "css-loader": "^3.4.2", "expose-loader": "^0.7.5", "file-loader": "^4.2.0", - "grunt": "^1.4.1", + "grunt": "~1.5.3", "grunt-babel": "^8.0.0", "grunt-contrib-clean": "^2.0.0", "grunt-contrib-copy": "^1.0.0", diff --git a/yarn.lock b/yarn.lock index 17f51440e675..ac340271def7 100644 --- a/yarn.lock +++ b/yarn.lock @@ -9593,7 +9593,7 @@ findup-sync@^4.0.0: findup-sync@~0.3.0: version "0.3.0" resolved "https://registry.yarnpkg.com/findup-sync/-/findup-sync-0.3.0.tgz#37930aa5d816b777c03445e1966cc6790a4c0b16" - integrity sha1-N5MKpdgWt3fANEXhlmzGeQpMCxY= + integrity sha512-z8Nrwhi6wzxNMIbxlrTzuUW6KWuKkogZ/7OdDVq+0+kxn77KUH1nipx8iU6suqkHqc4y6n7a9A8IpmxY/pTjWg== dependencies: glob "~5.0.0" 
@@ -10209,7 +10209,7 @@ glob@^7.0.0, glob@^7.0.3, glob@^7.1.1, glob@^7.1.2, glob@^7.1.3, glob@^7.1.4, gl glob@~5.0.0: version "5.0.15" resolved "https://registry.yarnpkg.com/glob/-/glob-5.0.15.tgz#1bc936b9e02f4a603fcc222ecf7633d30b8b93b1" - integrity sha1-G8k2ueAvSmA/zCIuz3Yz0wuLk7E= + integrity sha512-c9IPMazfRITpmAAKi22dK1VKxGDX9ehhqfABDriL/lzO92xcUKEJPQHrVA/2YHSNFB4iFlykVmWvwo48nr3OxA== dependencies: inflight "^1.0.4" inherits "2" @@ -10580,7 +10580,7 @@ grunt-babel@^8.0.0: resolved "https://registry.yarnpkg.com/grunt-babel/-/grunt-babel-8.0.0.tgz#92ef63aafadf938c488dc2f926ac9846e0c93d1b" integrity sha512-WuiZFvGzcyzlEoPIcY1snI234ydDWeWWV5bpnB7PZsOLHcDsxWKnrR1rMWEUsbdVPPjvIirwFNsuo4CbJmsdFQ== -grunt-cli@^1.4.3, grunt-cli@~1.4.2: +grunt-cli@^1.4.3, grunt-cli@~1.4.3: version "1.4.3" resolved "https://registry.yarnpkg.com/grunt-cli/-/grunt-cli-1.4.3.tgz#22c9f1a3d2780bf9b0d206e832e40f8f499175ff" integrity sha512-9Dtx/AhVeB4LYzsViCjUQkd0Kw0McN2gYpdmGYKtE2a5Yt7v1Q+HYZVWhqXc/kGnxlMtqKDxSwotiGeFmkrCoQ== @@ -10667,17 +10667,17 @@ grunt-run@0.8.1: dependencies: strip-ansi "^3.0.0" -grunt@^1.4.1: - version "1.4.1" - resolved "https://registry.yarnpkg.com/grunt/-/grunt-1.4.1.tgz#7d1e17db1f9c8108777f7273d6b9359755576f50" - integrity sha512-ZXIYXTsAVrA7sM+jZxjQdrBOAg7DyMUplOMhTaspMRExei+fD0BTwdWXnn0W5SXqhb/Q/nlkzXclSi3IH55PIA== +grunt@~1.5.3: + version "1.5.3" + resolved "https://registry.yarnpkg.com/grunt/-/grunt-1.5.3.tgz#3214101d11257b7e83cf2b38ea173b824deab76a" + integrity sha512-mKwmo4X2d8/4c/BmcOETHek675uOqw0RuA/zy12jaspWqvTp4+ZeQF1W+OTpcbncnaBsfbQJ6l0l4j+Sn/GmaQ== dependencies: dateformat "~3.0.3" eventemitter2 "~0.4.13" exit "~0.1.2" findup-sync "~0.3.0" glob "~7.1.6" - grunt-cli "~1.4.2" + grunt-cli "~1.4.3" grunt-known-options "~2.0.0" grunt-legacy-log "~3.0.0" grunt-legacy-util "~2.0.1"