Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[backport 1.x][CVE-2022-0144] bump shelljs from 0.8.4 to 0.8.5 #2511

Merged
merged 1 commit into from
Oct 6, 2022

Conversation

ananzh
Copy link
Member

@ananzh ananzh commented Oct 5, 2022

Signed-off-by: Anan Zhuang [email protected]

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@ananzh ananzh requested a review from a team October 5, 2022 18:33
@ananzh ananzh changed the title bump shelljs [backpack 1.x] bump shelljs from 0.8.4 to 0.8.5 Oct 5, 2022
@ananzh ananzh self-assigned this Oct 5, 2022
@ananzh ananzh added the cve Security vulnerabilities detected by Dependabot or Mend label Oct 5, 2022
@kavilla
Copy link
Member

kavilla commented Oct 5, 2022

Is this a backport or just bumping on the 1.x branch?

Can the commit message be a little more descriptive and include the CVE resolved? Can be accomplished before merging when we have one last chance when editing the commit message.

@joshuarrrr
Copy link
Member

Also, is backpack something different than a backport, or just a typo?

@ananzh
Copy link
Member Author

ananzh commented Oct 5, 2022

2.0 has bump to 0.8.5
I am not sure why it is not backpacked to 1.x

@kavilla
Copy link
Member

kavilla commented Oct 5, 2022

2.0 has bump to 0.8.5 I am not sure why it is not backpacked to 1.x

Gotcha, do we have the original PR that this was cherry picked from? Also, #2512 implies it was able to resolve this without touching moment resolutions.

@ananzh ananzh changed the title [backpack 1.x] bump shelljs from 0.8.4 to 0.8.5 [backport 1.x] bump shelljs from 0.8.4 to 0.8.5 Oct 5, 2022
@ananzh
Copy link
Member Author

ananzh commented Oct 5, 2022

Also, is backpack something different than a backport, or just a typo?

yeah updated to backport

@ananzh
Copy link
Member Author

ananzh commented Oct 5, 2022

will update commit msg after CI check done

@ananzh
Copy link
Member Author

ananzh commented Oct 5, 2022

2.0 has bump to 0.8.5 I am not sure why it is not backpacked to 1.x

Gotcha, do we have the original PR that this was cherry picked from? Also, #2512 implies it was able to resolve this without touching moment resolutions.

It is not a cve fix PR, here is the original PR for 2.0:#1409

the moment is changed by running yarn osd bootstrap automatically

yeah just do a quick CI run to see if there is any conflicts. I will update commit msg

@ananzh
Copy link
Member Author

ananzh commented Oct 5, 2022

@joshuarrrr @kavilla do I need to update 1.3.6 release not as well?

@ananzh ananzh added the v1.3.6 label Oct 5, 2022
@joshuarrrr
Copy link
Member

As far as I know, it's too late to get this to 1.3.6 now - you'd need to reach out the build team to coordinate if it has to be squeezed into the release.

@zelinh
Copy link
Member

zelinh commented Oct 5, 2022

We will pick this change into our 1.3.6 release and re-generate the release candidate for OSD. Please also update the release notes to include this. Thanks.

@ananzh
Copy link
Member Author

ananzh commented Oct 5, 2022

I see function test fail https://github.com/opensearch-project/OpenSearch-Dashboards/actions/runs/3191842791/jobs/5210233465 due to SessionNotCreatedError, but I don't think it is caused by this PR.

@ananzh ananzh changed the title [backport 1.x] bump shelljs from 0.8.4 to 0.8.5 [backport 1.x][CVE-2022-0144] bump shelljs from 0.8.4 to 0.8.5 Oct 5, 2022
Resolves CVE-2022-0144 by bumping package shelljs to 0.8.5

Signed-off-by: Anan Zhuang <[email protected]>
@ananzh
Copy link
Member Author

ananzh commented Oct 5, 2022

@zelinh got it. I have fixed the functional test fail and include this change in the release note.

@ananzh ananzh merged commit 38790c5 into opensearch-project:1.x Oct 6, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Oct 6, 2022
Resolves CVE-2022-0144 by bumping package shelljs to 0.8.5

Signed-off-by: Anan Zhuang <[email protected]>
(cherry picked from commit 38790c5)
ananzh added a commit that referenced this pull request Oct 6, 2022
Resolves CVE-2022-0144 by bumping package shelljs to 0.8.5

Signed-off-by: Anan Zhuang <[email protected]>
(cherry picked from commit 38790c5)

Co-authored-by: Anan Zhuang <[email protected]>
@ananzh ananzh added v1.3.7 and removed v1.3.6 labels Oct 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 1.3 cve Security vulnerabilities detected by Dependabot or Mend v1.3.7
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants